You have to recompile sendmail with the SASL library linked into it.
There are 2 major versions, SASL1 and SASL2. I'm using SASL2 and have no
problems, so the following stuff handles only SASL2.
The easiest way on FreeBSD is to install the cyrus-sasl2 port from
/usr/ports/security/cyrus-sasl2 and activate the SASL2 support for sendmail in /etc/make.conf by adding the following lines:

    SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
    SENDMAIL_LDFLAGS=-L/usr/local/lib
    SENDMAIL_LDADD=/usr/local/lib/libsasl2.so

After having installed the port and added the SENDMAIL lines above, you can recompile sendmail and reinstall it:

    cd /usr/src/usr.sbin/sendmail
    make clean depend all install

If you get errors compiling sendmail about missing libsmutil and libsm libraries, clean your obj directory first, rebuild those libraries and try again, e.g.

    rm -rf /usr/obj/*
    cd /usr/src/lib/libsmutil ; make depend all
    cd /usr/src/lib/libsm ; make depend all
    cd /usr/src/usr.sbin/sendmail
    make clean depend all install

Make sure sendmail gets started by setting sendmail_enable="YES" in /etc/rc.conf and don't forget to (re-)start it after that:

    sh /etc/rc.sendmail stop
    sh /etc/rc.sendmail start

(No, restart won't do it, run stop and start.)
Set up your smart host (default mail server with SMTP AUTH) in your sendmail config either by adding

    define(`SMART_HOST', `your_smart_host')dnl

or adding the smart host in your other favorite way.

    AuthInfo:your_smart_host "U:user" "P:password" "R:realm" "M:auth-method"

where of course user should be substituted with the user, password with the real password, realm with the corresponding realm on the server side and auth-method with the preferred authorisation method(s). So an example could look like:

    AuthInfo:srelay.snake.de "U:snake" "P:secret" "R:snake.de" "M:DIGEST-MD5 LOGIN"

The your_smart_host entry must match the entry of your smart host or mailertable entry in your sendmail configuration. Then activate it:

    cd /etc/mail
    make
You need to edit the file /usr/local/lib/sasl2/Sendmail.conf and add the line

    pwcheck_method: auxprop

This tells sendmail which authentication method it should use from the SASL library. In this case it takes the users from the local SASL db. There are many other methods, like using passwd, PAM, LDAP, NTLM, database connections (PostgreSQL, MySQL) etc.
Then enter the users into this SASL db:

    saslpasswd2 -c -a Sendmail -u realm user

where user has to match the entries on the client side.
Finally you have to adjust your sendmail configuration on the server side to provide the list of mechanisms, e.g. add them to your sendmail .mc file:

    TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 LOGIN')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 LOGIN')dnl

Note: Don't use LOGIN if you don't have to, as it provides no security. It's only good for testing or if you absolutely need to support crap like Microsoft Outlook, which can only do the LOGIN method.
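
An added example, not part of the original page: a small Python check for the client-side AuthInfo entries described above. It flags entries that lack a user or password, entries that allow the LOGIN mechanism the note warns about, and the case where no entry matches the smart host. The name audit_authinfo, the handling of PLAIN, and all sample entries except the page's srelay.snake.de line are assumptions made for this illustration.

```python
import re

# LOGIN is the mechanism the page warns about; treating PLAIN the same way is
# an assumption of this example (both send the password unprotected).
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}
ENTRY_RE = re.compile(r'^AuthInfo:(\S+)\s+(.*)$')
FIELD_RE = re.compile(r'"([A-Z]):([^"]*)"')


def audit_authinfo(text, smart_host):
    """Return a list of (line_no, message) findings for AuthInfo entries."""
    findings, hosts = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            findings.append((no, "not an AuthInfo entry"))
            continue
        host, fields = m.group(1), dict(FIELD_RE.findall(m.group(2)))
        hosts.add(host.lower())
        for key, name in (("U", "user"), ("P", "password")):
            if not fields.get(key):
                findings.append((no, f"{host}: missing {name} field {key}:"))
        mechs = fields.get("M", "").upper().split()
        weak = [x for x in mechs if x in PLAINTEXT_MECHS]
        if mechs and len(weak) == len(mechs):
            findings.append((no, f"{host}: only plaintext mechanisms ({' '.join(weak)})"))
        elif weak:
            findings.append((no, f"{host}: plaintext fallback allowed ({' '.join(weak)})"))
    # The page requires the entry name to match the smart host; line 0 = file level.
    if smart_host.lower() not in hosts:
        findings.append((0, f"no AuthInfo entry matches smart host {smart_host}"))
    return findings


# Constructed sample input: the first entry is the page's example, the others
# are made up for this illustration.
SAMPLE = '''\
AuthInfo:srelay.snake.de "U:snake" "P:secret" "R:snake.de" "M:DIGEST-MD5 LOGIN"
AuthInfo:relay.example.org "U:alice" "R:example.org" "M:LOGIN"
AuthInfo:mail.example.net "U:bob" "P:constructed" "M:DIGEST-MD5"
'''

if __name__ == "__main__":
    for no, msg in audit_authinfo(SAMPLE, "srelay.snake.de"):
        print(f"line {no}: {msg}")
```

Only the quoted "X:value" field form used on this page is parsed.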
Links for this topic:
SMTP AUTH in sendmail 8.10-8.13 (from sendmail.org)
The corresponding chapter of the FreeBSD manual (contains description for using system passwords instead of sasl only users)
Last update for FreeBSD 12+ : Oct 2021