How To
Summary
Starting with AIX 7.3, SASL authentication support is added to sendmail. Use the following steps as a guide to setting this up.
Steps
On the relay server side
Assuming you are starting with a default /etc/mail/sendmail.cf file, make a backup of it, and make the following changes to it.
Search for this section:
# Hosts for which relaying is permitted ($=R)
# FR-o /etc/mail/relay-domains
Uncomment the FR-o line:
# Hosts for which relaying is permitted ($=R)
FR-o /etc/mail/relay-domains
Search for this section:
# SMTP daemon options
# Name used for error messages and logging
O DaemonPortOptions=Name=MTA
Modify it to append the M=Ea modifier:
# SMTP daemon options
# Name used for error messages and logging
O DaemonPortOptions=Name=MTA, M=Ea
Search for this section:
# list of authentication mechanisms
#O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
Leave the existing line commented, and add these lines:
# list of authentication mechanisms
#O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
C{TrustAuthMech}EXTERNAL GSSAPI OTP DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
After that is done, save the sendmail.cf file. Next, create the /etc/mail/relay-domains file, and populate it with the domains you want to allow relaying from:
austin.ibm.com
xyz.domain.com
Create a user in the SASL database:
# saslpasswd dummyuser
<enter a password; for this example I'll use 12345>
Run the following command to verify the user is added to the SASL database:
# sasldblistusers
That command should show the username with the hostname or fully qualified hostname (FQDN) appended to it:
dummyuser@hostname.domain.com: userPassword
dummyuser@hostname.domain.com: cmusaslsecretOTP
If that command fails due to being unable to load libsasldb.a, then you need a fix for IJ42911 / IJ40668. Contact AIX support for an ifix if this is not shipped in your current service pack.
Stop and restart the sendmail daemon:
# stopsrc -s sendmail
# startsrc -s sendmail -a "-bd -q30m"
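The relay-side edits above can be checked mechanically before restarting the daemon. The following is an added example, not part of the IBM document; the function names audit_relay_cf, edited_cf and default_cf are hypothetical, and the sample lines are constructed from the settings shown on this page. It also compares the offered mechanisms against the {TrustAuthMech} class, which is the list sendmail accepts for relaying.

```shell
#!/bin/sh
# Added example (not from the IBM document): audit the relay-side edits.
# audit_relay_cf reads a sendmail.cf on stdin, prints findings, and
# returns 0 only when all three edits from the steps above are present.
audit_relay_cf() {
    awk '
    function bad(msg) { print "FAIL: " msg; n++ }
    BEGIN { key = "C{TrustAuthMech}" }
    /^FR-o[ \t]/ { relayfile = 1 }
    /^O DaemonPortOptions=/ && /[ ,=]M=[A-Za-z]*a/ { reqauth = 1 }
    index($0, key) == 1 {
        nt = split(substr($0, length(key) + 1), t, " ")
        for (i = 1; i <= nt; i++) trusted[t[i]] = 1
    }
    /^O AuthMechanisms=/ {
        sub(/^O AuthMechanisms=/, "")
        no = split($0, offered, " ")
    }
    END {
        if (!relayfile) bad("FR-o /etc/mail/relay-domains is not active")
        if (!reqauth)   bad("DaemonPortOptions has no a (require AUTH) modifier")
        if (!no)        bad("O AuthMechanisms is not set")
        for (i = 1; i <= no; i++) {
            m = offered[i]
            if (!(m in trusted))
                print "NOTE: " m " is offered but not in TrustAuthMech"
            if (m == "LOGIN" || m == "PLAIN")
                print "NOTE: " m " carries the password base64-encoded, not encrypted"
        }
        exit (n > 0)
    }'
}

# Constructed samples: the edited lines from this page, then the defaults.
edited_cf() {
    echo 'FR-o /etc/mail/relay-domains'
    echo 'O DaemonPortOptions=Name=MTA, M=Ea'
    echo 'C{TrustAuthMech}EXTERNAL GSSAPI OTP DIGEST-MD5 CRAM-MD5 LOGIN PLAIN'
    echo 'O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 LOGIN PLAIN'
}
default_cf() {
    echo '# FR-o /etc/mail/relay-domains'
    echo 'O DaemonPortOptions=Name=MTA'
    echo '#O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5'
}

echo "edited:";  edited_cf  | audit_relay_cf && echo "all edits present"
echo "default:"; default_cf | audit_relay_cf || echo "edits missing"
```

Against the real file, run it as: audit_relay_cf < /etc/mail/sendmail.cf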
On the client side
Create an authinfo directory inside of /etc/mail:
# mkdir /etc/mail/authinfo
# cd /etc/mail/authinfo
Create a file in this directory called smtp-auth which contains the user that was created on the relay - with the hostname or FQDN of the relay appended, like sasldblistusers showed earlier - and the password:
AuthInfo: "U:root" "I:dummyuser@hostname.domain.com" "P:12345"
Important note: Some SMTP servers may reject the SMTP user if it contains the "@hostname.domain.com" portion. If authentication fails even though the password is correct, try removing the "@hostname.domain.com" part, rebuild the hash map, and try again.
Turn this file into a hash map:
# makemap hash smtp-auth < smtp-auth
# chmod go+r *
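After that step, the /etc/mail/authinfo directory contains both files. Each holds the relay password in clear text, and the chmod above leaves them readable by every local user: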
# ls -l /etc/mail/authinfo
-rw-r--r-- 1 root system 43 Mar 07 14:33 smtp-auth
-rw-r--r-- 1 root system 12288 Mar 07 14:33 smtp-auth.db
Assuming a default submit.cf file, make a backup of it, and make the following changes to /etc/mail/submit.cf.
Look for the DS relay entry:
# "Smart" relay host (may be null)
DS
If no relay is specified there, then modify it to specify your SASL relay server:
# "Smart" relay host (may be null)
DShostname.domain.com
Look for this section:
# arithmetic map
Karith arith
Add the following line below it:
# arithmetic map
Karith arith
Kauthinfo hash /etc/mail/authinfo/smtp-auth
Look for this section:
# list of authentication mechanisms
#O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
Add the following line below it:
# list of authentication mechanisms
#O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
O AuthMechanisms=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Look for this section:
######################################################################
### authinfo: lookup authinfo in the access map
###
### Parameters:
### $1: {server_name}
### $2: {server_addr}
######################################################################
Sauthinfo
Then add the following block directly below that:
######################################################################
### authinfo: lookup authinfo in the access map
###
### Parameters:
### $1: {server_name}
### $2: {server_addr}
######################################################################
Sauthinfo
R$*<TAB><TAB>$: <$(authinfo AuthInfo:$&{server_name} $: ? $)>
R<?><TAB>$: <$(authinfo AuthInfo:$&{server_addr} $: ? $)>
R<?><TAB>$: <$(authinfo AuthInfo: $: ? $)>
R<?><TAB>$@ no no authinfo available
R<$*><TAB>$# $1
Replace each instance of <TAB> with an actual tab character. The other whitespace seen in the block will be space characters.
At this point, you are done modifying the submit.cf file.
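Because the Sauthinfo rules only work when a real tab separates the left-hand side from the right-hand side, it is worth linting submit.cf before testing. The following is an added example, not part of the IBM document; the function names check_submit_cf and sample_cf are hypothetical, and the sample input is constructed from the lines this page adds.

```shell
#!/bin/sh
# Added example (not from the IBM document): lint the client-side edits.
# check_submit_cf reads a submit.cf on stdin, prints one line per problem,
# and returns 0 only when nothing is wrong.
check_submit_cf() {
    awk '
    function bad(msg) { print msg; n++ }
    /^DS./                { relay = 1 }
    /^Kauthinfo[ \t]/     { kmap = 1 }
    /^O AuthMechanisms=/  { mech = 1 }
    /^S/                  { in_rs = ($0 ~ /^Sauthinfo[ \t]*$/) }
    in_rs && /^R/ {
        rules++
        if (index($0, "<TAB>"))    bad("line " NR ": <TAB> marker not replaced")
        else if (!index($0, "\t")) bad("line " NR ": no tab between LHS and RHS")
    }
    END {
        if (!relay) bad("DS smart relay host is empty")
        if (!kmap)  bad("Kauthinfo map is not declared")
        if (!mech)  bad("O AuthMechanisms is not set")
        if (!rules) bad("Sauthinfo ruleset has no R lines")
        exit (n > 0)
    }'
}

# Constructed sample: the lines this page adds; $1 is the field separator.
sample_cf() {
    printf 'DShostname.domain.com\n'
    printf 'Kauthinfo hash /etc/mail/authinfo/smtp-auth\n'
    printf 'O AuthMechanisms=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN\n'
    printf 'Sauthinfo\n'
    printf 'R$*%s$: <$(authinfo AuthInfo:$&{server_name} $: ? $)>\n' "$1"
    printf 'R<?>%s$: <$(authinfo AuthInfo:$&{server_addr} $: ? $)>\n' "$1"
    printf 'R<?>%s$: <$(authinfo AuthInfo: $: ? $)>\n' "$1"
    printf 'R<?>%s$@ no no authinfo available\n' "$1"
    printf 'R<$*>%s$# $1\n' "$1"
}

# Run the lint with a real tab, a space, and an unreplaced marker.
for sep in "$(printf '\t')" ' ' '<TAB>'; do
    echo "separator [$sep]:"
    sample_cf "$sep" | check_submit_cf && echo "  ok" || echo "  fix the lines above"
done
```

Against the real file, run it as: check_submit_cf < /etc/mail/submit.cf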
Attempt sending mail from this client:
# echo test | mail -vvv -s "test mail" myaddr@domain.com
If things go as expected, you will see 'OK Authenticated' in the debug output, and the mail is sent to its recipient.
If you see an error such as 'Deferred: Connection refused by [127.0.0.1]', you can modify the MTAHost entry in /etc/mail/submit.cf to add your SASL sendmail relay server:
#D{MTAHost}[127.0.0.1]
D{MTAHost}[hostname.domain.com]
Document Location
Worldwide
Document Information
More support for:
AIX
Component:
Communication Applications->SENDMAIL/MAIL
Software version:
7.3.0
Document number:
6960607
Modified date:
11 March 2025
UID
ibm16960607