SMTP Authorisation with sendmail

1. Required steps on either side:

   You have to recompile sendmail with the SASL library linked into it. There are 2 major versions, SASL1 and SASL2. I'm using SASL2 and have no problems, so the following stuff handles only SASL2.
   The easiest way on FreeBSD is, to install the cyrus-sasl2 port from /usr/ports/security/cyrus-sasl2 and activate the SASL2 support for sendmail in /etc/make.conf by adding the following lines:
   

   SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
   SENDMAIL_LDFLAGS=-L/usr/local/lib
   SENDMAIL_LDADD=/usr/local/lib/libsasl2.so
   

   After having installed the port and added the SENDMAIL-lines above you can recompile sendmail and reinstall it:

   cd /usr/src/usr.sbin/sendmail
   make clean depend all install
   

   If you get errors compiling sendmail about missing libsmutil and libsm libraries, clean you obj directory first and rebuild those libraries and try again, eg.

   rm -rf /usr/obj/*
   cd /usr/src/lib/libsmutil ; make depend all
   cd /usr/src/lib/libsm ; make depend all
   cd /usr/src/usr.sbin/sendmail
   make clean depend all install
   

   Make sure sendmail gets started by setting sendmail_enable="YES" in /etc/rc.conf and don't forget to (re-)start it after that:
   

   sh /etc/rc.sendmail stop
   sh /etc/rc.sendmail start
   

   (No, restart won't do it, run stop and start)

2. Required steps on client side:

   Setup your smart host (default mail server with smtp auth) in your sendmail config either by adding

   define(`SMART_HOST', `your_smart_host')dnl
   

   or adding the smart host in your other favorite way.
   Of course this also works with mailertable instead of a smart host. Don't forget to restart your sendmail , if you have changed the config. Finally add the necessary auth information to /etc/mail/access and rebuild your access.db . The entry in the access table is the most complex step on the client side. It should like this:

   AuthInfo:your_smart_host      "U:user" "P:password" "R:realm" "M:auth-method"
   

   where of course user should be substituted with the user, password with the real password, realm with the corresponding realm on the server side and auth-method with the preferred authorisation method(s). So an example could look like:

   AuthInfo:srelay.snake.de    "U:snake" "P:secret" "R:snake.de" "M:DIGEST-MD5 LOGIN"
   

   The your_smart_host entry must match the entry of your smart host or mailertable entry in your sendmail configuration. Then activate it:

   cd /etc/mail
   make
   

3. Required steps on server side:

   You need to edit the file /usr/local/lib/sasl2/Sendmail.conf and add the line

   pwcheck_method: auxprop
   

   This tells sendmail which authentication method it should use from the SASL library. In this case it takes the users from the local SASL db. There are many other methods like using passwd, PAM, LDAP, NTLM, Database connections (PostgreSQL, MySQL) etc.

   Then enter the users into this SASL db:

   saslpasswd2 -c -a Sendmail -u realm user
   

   Where user have to match the entries on the client side.
   NOTE: It's important that you create the users with the realm (-u) matching your server's hostname eg. my server's gethostname(3) returns srelay.snake.de so the realms must also be srelay.snake.de.

   Finally you have to adjust your sendmail configuration on the server side to provide the list of mechanisms, eg. add them to your senmail .mc file:

   TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 LOGIN')dnl
   define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 LOGIN')dnl
   

   Note: Don't use LOGIN if you don't have to as it provides no security. It's only good for testing or if you absolutely need to support such crap like Microsoft Outlook which can only do LOGIN method.

Links for this topic:

SMTP AUTH in sendmail 8.10-8.13 (from sendmail.org)
The corresponding chapter of the FreeBSD manual (contains description for using system passwords instead of sasl only users)

Last update for FreeBSD 12+ : Oct 2021