2018-07-19 Configuring sendmail authentication like imaps access to allow secondary passwords
I needed to configure sendmail authenticated access because I want a strict SPF record for idefix.net, which means outgoing mail always has to originate from the right server. For the sendmail authenticated smtp part I used How to setup and test SMTP AUTH within Sendmail, with some configuration details from Setting up SMTP AUTH with sendmail and Cyrus-SASL. To get this running, saslauthd is needed to get any authentication at all, and I decided to let it use the pam authentication mechanism. The relevant part of sendmail.mc:

    include(`/etc/mail/sasl/sasl.m4')dnl
    define(`confAUTH_OPTIONS', `A p')dnl
    define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
    TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

Now I can log in to sendmail only in an encrypted session. And because sendmail and other services now have valid certificates, I can set up all devices to fully check the certificate, which makes it difficult to intercept this password.

After I got that working I decided I wanted 'secondary passwords', just like the extra passwords I configured for IMAPS access, so I set up /etc/pam.d/smtp to allow other passwords than the unix password and to restrict access to the right class of users:

    # only members of group 'users' may authenticate for smtp
    auth required pam_succeed_if.so quiet user ingroup users
    # the normal unix password; success ends the stack here
    auth sufficient pam_unix.so nullok_secure
    # otherwise try the secondary passwords (crypt hashes keyed by user name)
    auth sufficient pam_userdb.so db=/etc/courier/extrausers crypt=crypt use_first_pass
    # here's the fallback if no module succeeds
    auth requisite pam_deny.so

Now I can set up my devices that insist on saving the password for outgoing smtp, and if that password ever gets compromised I just have to change it without it biting me too hard.

Update: This doesn't work with newer versions of pam, failing with libpam-modules 1.1.8-3.6 from Devuan ascii.
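The `p` flag in confAUTH_OPTIONS is what keeps LOGIN and PLAIN off the unencrypted connection: sendmail should not advertise them in the EHLO reply until STARTTLS has completed. The script below is an added example, not code from the post, that checks exactly that. It parses EHLO replies offline against two constructed replies (one before STARTTLS, one after) and, given a host name on the command line, runs the same check live over smtplib with full certificate verification. The host and port are assumptions; nothing here comes from idefix.net.

```python
"""Check that an SMTP server advertises the password-based AUTH mechanisms
(LOGIN, PLAIN) only after STARTTLS, which is what the `p` flag in
confAUTH_OPTIONS is meant to enforce.  Example code, not from the post."""
import smtplib
import ssl

# Mechanisms that reveal the password to a passive listener on a plaintext link
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}

# Constructed EHLO replies: before STARTTLS no AUTH line is offered,
# after STARTTLS the server lists LOGIN and PLAIN.
EHLO_BEFORE_TLS = (
    "250-mail.example.net Hello client.example.net, pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_AFTER_TLS = (
    "250-mail.example.net Hello client.example.net, pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply):
    """Map EHLO keywords to their parameters, skipping the greeting line."""
    features = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()               # drop "250-" or "250 "
        if body.upper().startswith("AUTH="):  # old-style "AUTH=LOGIN PLAIN" form
            body = "AUTH " + body[5:]
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params
    return features


def plaintext_mechs(auth_params):
    """Plaintext mechanisms named in an AUTH parameter string."""
    return {m.lstrip("=").upper() for m in auth_params.split()} & PLAINTEXT_MECHS


def exposed_plaintext_mechs(reply):
    """Plaintext mechanisms a raw EHLO reply offers."""
    return plaintext_mechs(parse_ehlo(reply).get("AUTH", ""))


def tls_gated(before, after):
    """True when password mechanisms appear only on the encrypted channel."""
    return not before and bool(after)


def check_server(host, port=587):
    """Live check: EHLO in the clear, STARTTLS with full certificate
    verification, EHLO again.  An invalid certificate raises ssl.SSLError
    instead of letting the check continue."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = plaintext_mechs(smtp.esmtp_features.get("auth", ""))
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()   # features must be re-read after STARTTLS
        after = plaintext_mechs(smtp.esmtp_features.get("auth", ""))
    return {"before_tls": before, "after_tls": after,
            "ok": tls_gated(before, after)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_server(sys.argv[1]))
    else:
        b = exposed_plaintext_mechs(EHLO_BEFORE_TLS)
        a = exposed_plaintext_mechs(EHLO_AFTER_TLS)
        print(f"before TLS: {sorted(b)}  after TLS: {sorted(a)}  ok={tls_gated(b, a)}")
```

Run it without arguments to see the parser on the constructed replies, or with a host name to test a real submission port; if the live check reports `ok: False` because LOGIN or PLAIN show up before STARTTLS, the `p` flag is not in effect on that listener.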
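The pam stack above mixes a required group gate, two password sources and a final deny, and the control flags decide which combinations are accepted. As an added example, not part of the post, the following model of Linux-PAM's auth-stack walk runs the smtp stack against constructed accounts: a member of group users with both a unix password and a secondary password, and a user outside the group. It also evaluates a variant that uses `[success=1 default=ignore]` on pam_unix, to show that a one-module jump lands on pam_deny and refuses a correct unix password. The group, shadow and userdb contents are plain dicts with SHA-256 stand-ins for crypt(3) hashes, not a real /etc/shadow or Berkeley DB file.

```python
"""Model of how Linux-PAM walks an auth stack, applied to the smtp stack
from the post.  Example code, not from the post; password stores are
constructed dicts with SHA-256 stand-ins for crypt(3) hashes."""
import hashlib


def h(password):
    # stand-in for crypt(3); real pam_unix/pam_userdb verify crypt hashes
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample data
GROUPS = {"users": {"alice"}, "nogroup": {"bob"}}
SHADOW = {"alice": h("alice-unix"), "bob": h("bob-unix")}
EXTRAUSERS = {"alice": h("phone-only-password")}   # the pam_userdb database


# Module behaviours: each takes (user, password) and returns True/False
def pam_succeed_if_ingroup(group):
    return lambda user, pw: user in GROUPS.get(group, set())


def pam_unix(user, pw):
    return SHADOW.get(user) == h(pw)


def pam_userdb(user, pw):        # crypt=crypt use_first_pass
    return EXTRAUSERS.get(user) == h(pw)


def pam_deny(user, pw):
    return False


def run_stack(stack, user, pw):
    """Return True if the stack grants access.

    stack: list of (control, module); control is 'required', 'requisite',
    'sufficient' or ('skip', n) for [success=n default=ignore]."""
    failed = False      # a required/requisite module has failed
    positive = False    # some non-ignored module succeeded
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok = module(user, pw)
        i += 1
        if control == "required":
            if ok:
                positive = True
            else:
                failed = True               # keep walking, but the result is fixed
        elif control == "requisite":
            if not ok:
                return False                # stop at once
            positive = True
        elif control == "sufficient":
            if ok and not failed:
                return True                 # short-circuit; a failure is ignored
        elif isinstance(control, tuple) and control[0] == "skip":
            if ok:
                positive = True
                i += control[1]             # jump over the next n modules
            # default=ignore: a failure contributes nothing
    return positive and not failed


# Stack from the post, with pam_unix as sufficient
STACK_SUFFICIENT = [
    ("required", pam_succeed_if_ingroup("users")),
    ("sufficient", pam_unix),
    ("sufficient", pam_userdb),
    ("requisite", pam_deny),
]

# Variant with a one-module jump after pam_unix: a correct unix password
# skips pam_userdb and lands on pam_deny
STACK_SKIP1 = [
    ("required", pam_succeed_if_ingroup("users")),
    (("skip", 1), pam_unix),
    ("sufficient", pam_userdb),
    ("requisite", pam_deny),
]

if __name__ == "__main__":
    for name, stack in (("sufficient", STACK_SUFFICIENT), ("success=1", STACK_SKIP1)):
        for user, pw in (("alice", "alice-unix"), ("alice", "phone-only-password"),
                         ("alice", "wrong"), ("bob", "bob-unix")):
            print(f"{name:10} {user:6} {pw:20} -> {run_stack(stack, user, pw)}")
```

The same walk explains the group gate: bob's correct unix password is refused because the required pam_succeed_if failure is remembered, so the later sufficient success cannot short-circuit the stack.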