Password archives - Open Source Software and Linux

Feb 19 2009   7:01PM GMT

Using SSL and a password to connect Sendmail to your ISP

Posted by: John Little
sendmail, ssl, isp, password, sasl, starttls, openssl, centos

Many ISPs are requiring SSL and a password to connect and send mail. This how-to shows how to set up your sendmail server to use SSL and a password when connecting to and sending mail through your ISP.

I set this up on a CentOS 5.2 virtual machine. You should have the following packages installed:
sendmail
sendmail-cf
cyrus-sasl
cyrus-sasl-lib
cyrus-sasl-plain
openssl

First, let’s generate our self-signed certificate. Be sure to use the FQDN of your server when prompted for the Common Name.

cd /etc/pki/tls/certs
make sendmail.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > test.pem ; \
echo "" >> test.pem ; \
cat $PEM2 >> test.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
........++++++
...........................++++++
writing new private key to '/tmp/openssl.wc3819'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:AZ
Locality Name (eg, city) [Newbury]:Tempe
Organization Name (eg, company) [My Company Ltd]:Self
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mail.home.local
Email Address []:myself@yahoo.com
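Before pointing sendmail at the file, it is worth confirming that it really contains a valid certificate and the matching private key, since a damaged sendmail.pem shows up later only as vague STARTTLS errors in maillog. The following POSIX shell script is an added example, not part of the original post: it assumes the openssl command-line tool is installed, uses the GNU coreutils form of stat -c, and takes the file path as an argument (defaulting to the path used in the post).

```shell
# Added example, not part of the original post: sanity checks for the
# combined key+certificate file produced by "make sendmail.pem" above.
# Assumes the openssl CLI is installed; stat -c is the GNU coreutils form.
# The file path is an argument and defaults to the path used in the post.

# 0 if FILE holds a certificate that is valid now and stays valid for at
# least DAYS more days (default 30); 1 if missing, expired or about to expire.
cert_not_expiring() {
    days=${2:-30}
    openssl x509 -in "$1" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# 0 if FILE also contains a consistent RSA private key (sendmail reads the
# key from confSERVER_KEY, which the post points at this same file).
key_present() {
    openssl rsa -in "$1" -noout -check >/dev/null 2>&1
}

# 0 if the private key and the certificate in FILE carry the same public key.
# Both commands emit the SubjectPublicKeyInfo as PEM, so the text can be compared.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the certificate's Common Name so it can be compared with the server's FQDN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Run every check; print one line per problem and return 1 if any failed.
check_sendmail_pem() {
    file=${1:-/etc/pki/tls/certs/sendmail.pem}
    rc=0
    cert_not_expiring "$file" || { echo "$file: certificate missing, expired or expiring within 30 days"; rc=1; }
    key_present "$file" || { echo "$file: no usable RSA private key found"; rc=1; }
    key_matches_cert "$file" || { echo "$file: private key does not belong to the certificate"; rc=1; }
    # The private key lives in this file, so it must not be group/world readable.
    [ "$(stat -c %a "$file" 2>/dev/null)" = "600" ] || { echo "$file: mode should be 0600"; rc=1; }
    return $rc
}
```

Run check_sendmail_pem with no argument on the server after the make step; a clean run prints nothing and exits 0. Because the Makefile target issues a one-year certificate, the expiry check is also the thing to schedule as a yearly reminder.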

Next we need to make some edits to the sendmail.mc file. cd to /etc/mail and open the file in your favourite editor. The following lines should be edited or added to match your configuration and your ISP’s connection information. Note that dnl at the front of a line marks it as a comment; remove it from the beginning of any line you want to take effect.

define(`SMART_HOST', `smtp.att.yahoo.com')dnl <==put your ISP's smtp server here

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl <==uncomment the next two lines and add the third line
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl <==uncomment these 4 lines
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl <==Remove the loopback address from this line

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl <==uncomment this line

Now we need to set up the login information for your ISP’s smtp server. In the /etc/mail directory perform the following:

mkdir auth
chmod 700 auth
cd auth
vi client-info

Add the following line to the client-info file:

AuthInfo:your.isp.net "U:root" "I:user" "P:password"

Replace user with your ISP username and password with your SMTP password. Save and close the file and perform the following:

makemap hash client-info < client-info
chmod 600 client-info*
cd ..

Now issue the following command so that everything is compiled the way sendmail expects:

make -C /etc/mail
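The ISP password now sits in clear text in both client-info and the client-info.db map built from it, so the chmod steps above are what actually protects it, and an edit to client-info only takes effect after makemap has been run again. The script below is an added example, not part of the original post, that audits both points; it uses the GNU coreutils form of stat -c and takes the directory as an argument (defaulting to the /etc/mail/auth path used in the post).

```shell
# Added example, not part of the original post: audit the /etc/mail/auth
# directory set up above. client-info and the client-info.db map built from
# it both hold the ISP password in clear text, so their mode is the only
# thing protecting it. stat -c is the GNU coreutils form; the directory is
# an argument and defaults to the path used in the post.

# 0 if PATH has exactly the octal mode MODE (e.g. 600), 1 otherwise.
has_mode() {
    [ "$(stat -c %a "$1" 2>/dev/null)" = "$2" ]
}

# 0 if the compiled map exists and is at least as new as its source; 1 if
# client-info was edited after the last "makemap hash client-info" run,
# in which case sendmail is still using the old credentials.
map_is_current() {
    [ -f "$1/client-info.db" ] && ! [ "$1/client-info" -nt "$1/client-info.db" ]
}

# List the hosts that have an AuthInfo entry, with the password masked, so
# the map can be reviewed without printing the secret.
list_authinfo_hosts() {
    sed -n 's/^AuthInfo:\([^ ]*\).*"P:[^"]*".*/\1 (password set)/p' "$1/client-info"
}

# Run every check; print one line per problem and return 1 if any failed.
audit_authinfo() {
    dir=${1:-/etc/mail/auth}
    problems=0
    has_mode "$dir" 700 || { echo "$dir: directory should be mode 700"; problems=$((problems + 1)); }
    for f in "$dir"/client-info*; do
        [ -e "$f" ] || continue
        has_mode "$f" 600 || { echo "$f: should be mode 600"; problems=$((problems + 1)); }
    done
    map_is_current "$dir" || { echo "$dir/client-info.db: missing or older than client-info, re-run makemap"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}
```

audit_authinfo with no argument checks the directory from the post and is quiet on success; list_authinfo_hosts shows which relay hosts have credentials without echoing the password itself.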

Lastly, edit the following file and make sure that it contains these two lines:

vi /usr/lib/sasl2/Sendmail.conf
pwcheck_method:saslauthd <==make sure that these two lines are in the file
mech_list: plain login

If you are using tcpwrappers, as I have suggested in the past, add the following line to hosts.allow. Change the IP configuration to match your setup:

vi /etc/hosts.allow
sendmail: 172.16.

Now it’s time to test. Make sure that the correct services are running:

/etc/init.d/sendmail start
/etc/init.d/saslauthd start

After starting, check the log at /var/log/maillog. If you find any errors that contain `starttls' then either something is wrong with the sendmail.pem file that you created or the saslauth daemon is not started. I had a situation once where something happened to the sendmail.pem file and recreating it solved the problem. Beyond that, check your firewall and the syntax of your sendmail.mc, hosts.allow and hosts.deny files.
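Reading maillog by eye works for one server; the following shell script is an added example, not part of the original post, that sorts the failures described above into buckets (TLS, client-side AUTH towards the ISP, server-side AUTH from your mail client, relaying denied) and prints the thing to check for each. The lines in sample_maillog are constructed to resemble sendmail and SASL messages and are not from a real log; on a real system feed the log in with summarize_maillog < /var/log/maillog.

```shell
# Added example, not part of the original post: a first pass over
# /var/log/maillog that sorts the failures the post tells you to look for
# into buckets and maps each bucket to the thing to check. The sample lines
# below are constructed to resemble sendmail/SASL messages and are not from
# a real log; run "summarize_maillog < /var/log/maillog" on a real system.

sample_maillog() {
    cat <<'EOF'
Feb 19 18:55:01 mail sendmail[2345]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
Feb 19 18:55:01 mail sendmail[2346]: STARTTLS=server: file /etc/pki/tls/certs/sendmail.pem unsafe: No such file or directory
Feb 19 18:55:10 mail sendmail[2350]: n1JItAbC002350: AUTH=client, relay=smtp.example.test, temporary failure, mech=PLAIN
Feb 19 18:56:00 mail sendmail[2360]: n1JIu0xy002360: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): user=user, relay=192.0.2.10
Feb 19 18:56:05 mail sendmail[2361]: n1JIu5yz002361: AUTH failure (PLAIN): cannot connect to saslauthd server: No such file or directory
Feb 19 18:57:00 mail sendmail[2370]: n1JIv0ab002370: ruleset=check_rcpt, arg1=<someone@example.test>, relay=192.0.2.20, reject=550 5.7.1 <someone@example.test>... Relaying denied
Feb 19 18:58:00 mail sendmail[2380]: n1JIw0cd002380: from=<user@mail.home.local>, size=512, class=0, nrcpts=1, relay=192.0.2.10
Feb 19 18:58:01 mail sendmail[2381]: n1JIw0cd002380: to=<someone@example.test>, delay=00:00:01, mailer=relay, stat=Sent
EOF
}

# Print the bucket a line falls into, or nothing for lines that are not failures.
classify_line() {
    case $1 in
        *"STARTTLS="*error*|*"STARTTLS="*unsafe*|*"STARTTLS="*failed*) echo tls ;;
        *"AUTH=client"*failure*) echo auth_client ;;
        *"AUTH failure"*) echo auth_server ;;
        *"Relaying denied"*) echo relay_denied ;;
    esac
}

# What the post says to look at for each bucket.
hint_for() {
    case $1 in
        tls) echo "check sendmail.pem (recreate it if in doubt) and the confSERVER_CERT/confSERVER_KEY lines" ;;
        auth_client) echo "check the ISP username and password in /etc/mail/auth/client-info and re-run makemap" ;;
        auth_server) echo "check that saslauthd is running and that /usr/lib/sasl2/Sendmail.conf has pwcheck_method:saslauthd" ;;
        relay_denied) echo "the client did not authenticate, so sendmail refused to relay; check the mail client's authentication setting" ;;
    esac
}

# Read a log on stdin and print one summary line with a count per bucket.
summarize_maillog() {
    tls=0; auth_client=0; auth_server=0; relay_denied=0
    while IFS= read -r line; do
        case $(classify_line "$line") in
            tls) tls=$((tls + 1)) ;;
            auth_client) auth_client=$((auth_client + 1)) ;;
            auth_server) auth_server=$((auth_server + 1)) ;;
            relay_denied) relay_denied=$((relay_denied + 1)) ;;
        esac
    done
    echo "tls=$tls auth_client=$auth_client auth_server=$auth_server relay_denied=$relay_denied"
}

# Print the hint for every bucket that occurs in the log read on stdin.
report_maillog() {
    for bucket in $(while IFS= read -r line; do classify_line "$line"; done | sort -u); do
        echo "$bucket: $(hint_for "$bucket")"
    done
}
```

The patterns are deliberately loose (a STARTTLS line mentioning error, unsafe or failed) because the exact wording differs between sendmail versions; what matters for this how-to is separating certificate trouble from saslauthd trouble, which the two AUTH buckets do.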

Once everything is started cleanly, open up your mail client. I used Evolution for testing. Edit the preferences and use the settings for your sendmail server. For mine I used the IP address of the sendmail server, checked “Server requires authentication”, set “Use secure connection” to SSL encryption and entered the user name that I use to log in to the sendmail server. Note that this is not your ISP username.

Now you should be able to send a test message out through the internet and receive it back through your ISP’s pop server.

Enjoy!

-j

Nov 8 2008   2:59PM GMT

Help! root can’t login

Posted by: John Little
Linux, password, /root, chage, passwd

I occasionally see the post “Help! root can’t login” on some of the discussion boards around the net. Generally this is for one of two reasons: either the account has expired or the password has been forgotten.

The forgotten password is straightforward to fix. When booting the machine, enter the GRUB menu. Your default kernel should already be highlighted. Press e, which brings you to a screen showing the three lines for that kernel from grub.conf. Highlight the one beginning with kernel and press e again.

This opens that line for editing. Move to the end of the line, type s and press Enter. Now press b to boot that kernel. This will put you into single-user mode.

Once the machine has booted into single-user mode you can change root’s password with the normal passwd command.

Having root’s account expired is a little more complicated, but still straightforward. Once again boot into single-user mode as described above. We will use the chage command to fix root’s account.

If you issue:

[root@centos5-lt ~]# chage --help
Usage: chage [options] user

Options:
-d, --lastday LAST_DAY set last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-h, --help display this help message and exit
-I, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-l, --list show account aging information
-m, --mindays MIN_DAYS set minimum number of days before password
change to MIN_DAYS
-M, --maxdays MAX_DAYS set maximim number of days before password
change to MAX_DAYS
-W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS

[root@centos5-lt ~]#

The two commands that we are interested in here are:

chage -l
chage -E

chage -l root lists the aging information for root’s account so that we can confirm that it has expired. We want to set the account so that it will never expire; use chage -E -1 root to accomplish this.

chage -l root
Account expires : Nov 07, 2008 # The "Account expires" line is what you want to check
chage -E -1 root
chage -l root
Account expires : never # Now we have solved our problem of the root account expiring
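What chage -l prints comes from field 8 of /etc/shadow, a day count since 1970-01-01 (empty or -1 meaning never), and chage -E -1 simply writes -1 there. The script below is an added example, not part of the original post, that does the same arithmetic for every account at once so an expiry can be spotted before anyone is locked out. It goes beyond the post's single root case; sample_shadow is constructed test data with placeholder password fields (reading the real /etc/shadow needs root), and day_to_date relies on GNU date's -d @SECONDS form.

```shell
# Added example, not part of the original post: the arithmetic behind the
# "Account expires" line of chage -l, applied to every account at once.
# /etc/shadow stores the expiry as a day count since 1970-01-01 in field 8
# (empty or -1 means never), which is the value chage -E sets. Reading the
# real file needs root; sample_shadow is constructed test data with
# placeholder password fields. day_to_date relies on GNU date (-d @SECONDS).

sample_shadow() {
    cat <<'EOF'
root:*:14180:0:99999:7::14190:
bob:*:14180:0:99999:7:::
carol:*:14180:0:99999:7::-1:
dave:*:14180:0:99999:7::14500:
EOF
}

# Today as a day count since the epoch, the unit chage and /etc/shadow use.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Print the expiry day from one shadow line, or nothing when the account never expires.
shadow_expire_day() {
    printf '%s\n' "$1" | awk -F: '{ if ($8 != "" && $8 != "-1") print $8 }'
}

# Render a day count the way chage -l does, e.g. 14190 -> "Nov 07, 2008".
day_to_date() {
    LC_ALL=C date -u -d "@$(( $1 * 86400 ))" '+%b %d, %Y'
}

# 0 if the account in LINE is expired as of TODAY (a day count). The shadow
# suite treats the expiry day itself as already expired, hence <=.
account_expired() {
    exp=$(shadow_expire_day "$1")
    [ -n "$exp" ] && [ "$exp" -le "$2" ]
}

# Read shadow-format lines on stdin and print "user expired DATE" for each
# expired account, using TODAY (default: the real date) as the reference.
list_expired_accounts() {
    today=${1:-$(today_days)}
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if account_expired "$line" "$today"; then
            echo "${line%%:*} expired $(day_to_date "$(shadow_expire_day "$line")")"
        fi
    done
}
```

On a live system, list_expired_accounts < /etc/shadow (as root) names every expired account; an account it reports is fixed exactly as in the post, with chage -E -1 user or a future date.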

There you go. Now you should be able to fix root’s account if you accidentally make a mistake with it.

-j