Rolling Resource

This is a sendmail error and causes the header X-Authentication-Warning: to be added to your email. It occurs when sendmail is accessed without logging in and you have PrivacyOptions=authwarnings in your sendmail.cf file.

If you have access to your sendmail configuration, then simply remove authwarnings from the line beginning “O PrivacyOptions=” in /etc/mail/sendmail.cf. (I did not start to get this error until I enabled the genericstable feature).

If you do not have access to your sendmail setup, then all email you receive will probably have it added as a header. However, you may be able to avoid adding this header to your outgoing email by configuring your email client so that it logs in to sendmail first. Here is how to configure some common email clients

Outlook

Click on menu item Tools
Click on submenu item Options…
Click on Mail Setup tab
Click on E-mail Accounts… button
Select the option View or change existing e-mail accounts
Click on Next
Select the account you wish to change
Click on the Change… button
Click on the More Settings… button
Click on the Outgoing Server tab
Select My outgoing server (SMTP) requires authentication
Select the option Use same settings as my incoming mail server

Outlook Express

Click on menu item Tools
Click on submenu item Accounts…
Click on the Mail tab
Select the account you wish to edit
Click on the Properties button
Click on the Servers tab
Select My server requires authentication under Outgoing Mail Server
Click on the Settings button
Select the option Use same settings as my incoming mail server

Thunderbird v1.5

Click on menu item Tools
Click on Account Settings…
Select Outgoing Server (SMTP) in the left hand pane
Select the server you wish to edit in the right hand pane
Click on the Edit… button
Select Use name and password under Security and Authentication
Enter your User Name
Select option No for Use secure connection unless you have SSL installed.

or How to setup recipient@domain1.com and recipient@domain2.com to be delivered to different mailboxes

Apache provides the ability to host multiple domains on a single VPS account using Virtual Hosts. However, we run into a problem if we want email to be treated uniquely for each domain.

There are several programs involved in processing email on the server, but we won't have to change most of them. These include

Program	Description
* If installed
sendmail	used to send and receive email by your server
procmail	used to process email after it is received by sendmail
spamassassin*	called from procmail to filter out spam messages
clamav*	called from procmail to filter out viruses
qpopper	used to deliver email to your computer using the pop3 protocol
uw-imap*	used to view email on your computer using the imap protocol

Sendmail uses a lookup table (virtusertable) to convert an email address into a Unix user account. Full details can be found at Sendmail's website

If you have a hosting plan which allows for multiple domains, then Westhost configures virtusertable so that email to recipient@anydomain.com is delivered to the Unix mailbox for recipient's account. We need to modify this so that the email for recipient@domain1.com is delivered to a separate mailbox from recipient@domain2.com

You will need SSH access to your server to complete this task. PuTTY is available for free for this purpose from here; configuration instructions are available from Westhost.

Here are the steps you will have to take:

Create separate user accounts

• Login in to your site manager
• Click on EMail/FTP Management (Second item on menu bar)
• Click on New E-mail/FTP button (in lower right)
• A window titled “E-mail/FTP Wizard (1 of 3)” will pop up.
• • Enter the user details for recipient@domain1.com. Use a unique user name - I suggest recipient.domain1.com
• Click on Next once you have entered user name, description and password
• A window titled “E-mail/FTP Wizard (2 of 3)” will pop up.
• • Modify the email quota if desired. We can change this later by editing the file /etc/features
  • Enable the Autoresponder - it can be setup later by logging in to the the user account at http://www.domain1.com/users/
• A window titled “E-mail/FTP Wizard (3 of 3)” will pop up.
• • Disable FTP access unless needed
• Repeat the above for recipient@domain2. I suggest using a user name of recipient.domain2.com

Edit virtusertable

• If you are comfortable with SSH then edit /etc/mail/virtusertable on the server or, alternatively, download a copy to your computer and edit it using a simple text editor such as Notepad (on a Windows PC). DO NOT USE A WORD PROCESSOR. Make sure you backup the file first.
• virtusertable will contain various lines, but you should find these at the end

  recipient.domain1.com@domain1.com      recipient.domain1.com
  recipient.domain1.com@domain2.com   recipient.domain1.com
  recipient.domain2.com@domain1.com      recipient.domain2.com
  recipient.domain2.com@domain2.com   recipient.domain2.com
  

• Change this to

  recipient@domain1.com      recipient.domain1.com
  recipient@domain2.com      recipient.domain2.com
  

  NOTE: the two columns of data MUST be separated by a TAB

• Upload the changed file to /etc/mail/virtusertable

Create genericstable (optional)

If you want any applications or scripts on your server to send email from recipient@domain2.com, then follow these optional steps.

• Create a new file /etc/mail/genericstable which contains

  recipient.domain1.com   recipient@domain1.com
  recipient.domain2.com   recipient@domain2.com
  

Create generics-domains (optional)

• Create a new file /etc/mail/generics-domains which contains

  domain1.com
  domain2.com
  

Modify sendmail.mc (optional)

• Add these two lines to /etc/mail/sendmail.mc

  FEATURE(`genericstable', `dbm /etc/mail/genericstable')dnl Added two lines
  GENERICS_DOMAIN_FILE(`/etc/mail/generics-domains')dnl
  

Activate changes

• Login to your server using SSH
• Generate a new copy of virtusertable.db by entering the command makemap hash /etc/mail/virtusertable </etc/mail/virtusertable
  (If you are not hosted by Westhost, then check your /etc/mail/sendmail.cf file for the type of database used by virtusertable. This will be either hash (as above) or dbm)
• If you completed the optional steps above, you will also need to
  • generate a copy of genericstable.db by entering the command makemap hash /etc/mail/genericstable </etc/mail/genericstable on one line.
  • regenerate your sendmail configuration file if you made the optional changes by typing m4 /etc/mail/sendmail.mc >/etc/mail/sendmail.cf (again on one line)
• Logout of your SSH session (logout)

Configure your email client

• You will need to set up two accounts
• For domain1.com
  • Your Name: Recipient One
  • EMail Address: recipient@domain1.com
  • Incoming Mail Server: pop.domain1.com
  • Outgoing Mail Server: smtp.domain1.com
  • User Name: recipient.domain1.com
  • Password: domain1
  • NOTE: User Name and Password are case sensitive. In other words, recipient.domain1.com is not the same as Recipient.Domain1.Com
  • Under More Settings:
    • Click on Outgoing Server
    • Select “My outgoing server requires authentication”
    • Select “Use same settings as my incoming mailserver”
• For domain2.com
  • Your Name: Recipient Two
  • EMail Address: recipient@domain2.com
  • Incoming Mail Server: pop.domain2.com
  • Outgoing Mail Server: smtp.domain2.com
  • User Name: recipient.domain2.com
  • Password: domain2
  • NOTE: User Name and Password are case sensitive. In other words, recipient.domain2.com is not the same as Recipient.Domain2.Com
  • Under More Settings:
    • Click on Outgoing Server
    • Select “My outgoing server requires authentication”
    • Select “Use same settings as my incoming mailserver”

Distribution lists

These can be created by editing /etc/mail/aliases

In order to configure Uebimiau for multiple domains, we need to edit the config.php file located in the inc folder of your Uebimiau installation. We can either have an installation for each domain or set it up so that the user is able to select the domain from a drop down list. If we are clever, we can configure Uebimiau so that it selects the domain automatically.

If we are hosting multiple domains on a signle server, then all we need for the login is the username in the configuration file inc/config.php. The POP usernames and passwords are found in /etc/passwd or /etc/shadow and are those you defined from the Westhost Site Manager Email/FTP Configuration section.

If you have $mail_server_type = "DETECT"; then set

The user will have to enter a username of joe@domainx.com

If you have $mail_server_type = "ONE-FOR-ALL"; then set

The user will have to enter a username of joe@domainx.com

If you have $mail_server_type = "ONE-FOR-EACH"; then set

The user will have to select the domain from a drop down menu and you will have to have one $mail_servers[] block for each domain.

However, if you use the php reserved variable $_SERVER['HTTP_HOST'] as shown below you will only need one $mail_servers[] block and uebimiau will automatically detect the domain so that the user will just have to enter their user ID. The code below will let you access your domain by either domain.com, www.domain.com or webmail.domain.com.

If you want email for joe@domain1.com and joe@domain2.com to be delivered to different users, then you will have to edit /etc/mail/virtusertable as described in this post or elsewhere in the Westhost forum. By default mail to joe@domain1.com and joe@domain2.com are delivered to user joe.

It has been a long time coming, but my sendmail has been upgraded to 8.12.11.20060308 (Released 2004/01/18, patched 2006/03/08) from 8.11.6 (Released 2001/08/20), which I guess is progress. However, while this version supports MILTERs, many milters require Sendmail 8.13 or later. The latest stable version is 8.13.8 (Released 2006/09/08); I do not understand why Westhost have upgraded to an obsolete version.

Some of the milters I have looked at must be started before Sendmail and shutdown after it. I am not sure how we would achieve this as Sendmail is controlled at the Server level, rather than the VPS level where we have control

Also, some other users wanted SSL support. Issuing the command sendmail -d0.1 -bv tells us that Sendmail has been built with MILTER and SASL support, but not STARTTLS. This means that the username and password will be passed in the clear using Base64 Encoding rather than being encrypted. A pity.

Quoted from http://www.joreybump.com/code/howto/smtpauth.html

Make sure that sendmail was compiled with the necessary options:

sendmail -d0.1 -bv

STARTTLS and SASL must be present in the resulting list.

Verify the location of sendmail.cf:

sendmail -d0.20 -bv | grep sendmail.cf

The output might look similar to this:

Conf file: /etc/mail/sendmail.cf (default for MTA)
Conf file: /etc/mail/sendmail.cf (selected)

Back up your configuration files:

cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf~
cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc~

Make your certificate (note that on Fedora Core 4 the location is now /etc/pki/tls/certs):

cd /usr/share/ssl/certs
make sendmail.pem

Carefully edit the corresponding lines in

/etc/mail/sendmail.mc to match the following:

define(`confAUTH_OPTIONS', `A p y')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confCACERT_PATH',`/usr/share/ssl/certs')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')

If you plan on using a DNSBL, you should add this line:

FEATURE(delay_checks)dnl

The sendmail provided by Red Hat/Fedora Linux listens only on the loopback interface (127.0.0.1) by default, so it will accept no outside connections. If you haven't already done so, comment out the related line. Change this:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

To this:

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Generate sendmail.cf using the location you verified earlier, and restart sendmail:

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

service sendmail restart

Configure the SASL authentication daemon to run when the server boots, then start it:

chkconfig saslauthd on
service saslauthd restart

That's it! You now have SMTP AUTH with encrypted logins!

Verbose mode

In order to provide encrypted logins, you must use a version of sendmail that was compiled to use SASL and STARTTLS. The binaries provided with Red Hat 9.0 and Fedora Core have been compiled with all of the necessary options. In fact, Red Hat has done an excellent job in finally providing a version of sendmail that is relatively easy to secure. Most of the of the options mentioned are already present in the provided sendmail.mc, and merely need to be uncommented.

Note: Users of Red Hat/Fedora Linux need to run the saslauthd daemon. The following commands will start the daemon and ensure that it gets launched at boot time:

chkconfig saslauthd on
service saslauthd restart

Now let's go through each step:

Step 1: Back up important files

Red Hat has finally placed sendmail.cf in /etc/mail, where it belongs. To verify the location of your configuration file, type this command:

sendmail -d0.20 -bv | grep sendmail.cf

The default installation outputs this:

Conf file: /etc/mail/sendmail.cf (default for MTA)
Conf file: /etc/mail/sendmail.cf (selected)

Be sure to use this path when generating your new sendmail.cf from sendmail.mc, or no changes will take place. Back up your current sendmail.cf and the m4 file that generated it (probably /etc/mail/sendmail.mc):

cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf~
cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc~

Step 2: Make your certificate

We are also setting up STARTTLS, which allows sendmail to communicate over an encrypted layer using TLS. This is very important, as it allows us to use the LOGIN or PLAIN authentication mechanisms without transferring the password in plain text. It also allows the entire message to remain encrypted from the user's machine to the mail server. If sendmail relays the message to another server that offers STARTTLS, the message will be encrypted again. But the most important advantage of this approach is that we get to authenticate using regular system logins and passwords, with no need to maintain a separate user database.

Red Hat's openssl package includes a Makefile that makes it extremely easy to generate a certificate (note that on Fedora Core 4 the location is now /etc/pki/tls/certs):

cd /usr/share/ssl/certs
make sendmail.pem

Just follow the prompts and be sure to use the fully qualified domain name of the mail server for the Common Name prompt. Users will still be warned that the certificate is self-signed or not trusted, but you will prevent a warning that the certificate doesn't match the host offering it. This certificate is suitable for testing, but you may want to investigate further about the use of certificates before deploying it in a production environment, a topic that is beyond the scope of this howto.

Step 3: Edit sendmail.mc

If you take a look at the sendmail.mc provided by Red Hat, you will notice that the necessary directives are already present but have been commented out (m4 doesn't use the # symbol for comments, it starts a line with dnl, which stands for "delete until new line"). Since we want the easiest method possible, without sacrificing security, we need to edit these lines. Don't cut & paste from this web page, or you may introduce unwanted characters into your configuration file that will prevent sendmail from starting.

The confAUTH_OPTIONS macro allows you to instruct sendmail not to offer plain text authentication until after a secure mechanism such as TLS is active (the p option). We are also prohibiting anonymous logins (the y option). The A option is a workaround for broken MTAs:

define(`confAUTH_OPTIONS', `A p y')dnl

Now we define which authentication mechanisms we will trust and use:

TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl

Next, we tell sendmail where to find the certificates:

define(`confCACERT_PATH',`/usr/share/ssl/certs')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')

And finally, it may be useful to increase the log level for debugging purposes (delete or comment out this line after everything is working properly):

define(`confLOG_LEVEL', `14')dnl

Use the m4 command to generate a new sendmail.cf:

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Be sure to use the right location for sendmail.cf, as determined earlier. Alternatively, you can use the following command in a stock Red Hat 9.0 or Fedora Core installation:

make -C /etc/mail sendmail.cf

This uses the commands in /etc/mail/Makefile to generate the new sendmail.cf configuration file.

Step 4: Test the configuration

This is where things get really interesting. sendmail must be restarted before it can use the new configuration file. Rather than simply restarting sendmail with our fingers crossed, we can test it to verify that every thing works properly. You can stop sendmail and then start it with command line options that cause it to log to a specified file. There are various ways to stop sendmail on a Red Hat/Fedora system:

service sendmail stop

or

cd /etc/mail
make stop

or

make -C /etc/mail stop

or

/etc/init.d/sendmail stop

We want to start sendmail with arguments to make it log the SMTP transaction to a special file while we are testing it:

sendmail -bD -X /tmp/test.log

Now, try to send a message from an e-mail client on another computer that does not have relay access, using your server as the outgoing mail server. You should be denied relaying. Edit your preferences so that the client uses authentication, with a login and password (not Secure Password Authentication, or SPA, which is something completely different). You should still be denied access. The last thing you need to do is to instruct the client to use SSL or TLS with the outgoing mail server (there is no need to specify a special port). After making this change, you should be able to send mail (you will be prompted to accept the certificate, however, which you might want to install to prevent further prompts). Now hit ctrl-c to stop sendmail. Restart it normally:

service sendmail restart

Now it's time to look at the log. After the first EHLO, sendmail offers something like this:

30245 >>> 250-ENHANCEDSTATUSCODES
30245 >>> 250-PIPELINING
30245 >>> 250-8BITMIME
30245 >>> 250-SIZE

30245 >>> 250-DSN
30245 >>> 250-ETRN
30245 >>> 250-STARTTLS
30245 >>> 250-DELIVERBY
30245 >>> 250 HELP

The important thing is that AUTH is not offered here, because the channel isn't encrypted. If you see AUTH in the first exchange, and it offers PLAIN or LOGIN, something is wrong. Look at your logs, go over the previous steps, and make sure that you generated a new sendmail.cf in the right location. The next entries in our log show that TLS is activated:

30245 <<< STARTTLS
30245 >>> 220 2.0.0 Ready to start TLS

Another EHLO takes place, followed by something like this:

30245 >>> 250-ENHANCEDSTATUSCODES
30245 >>> 250-PIPELINING
30245 >>> 250-8BITMIME
30245 >>> 250-SIZE
30245 >>> 250-DSN

30245 >>> 250-ETRN
30245 >>> 250-AUTH LOGIN PLAIN
30245 >>> 250-DELIVERBY
30245 >>> 250 HELP

Now AUTH is offered with the allowed mechanisms (but not STARTTLS, which isn't needed here, as the channel is already encrypted). Authentication takes place, and the message is relayed to its destination.

It's interesting to note that the username and password is Base64 encoded by the client, so it isn't really sent as clear text:

30245 <<< AUTH PLAIN AHJvYmVydABzbHVncw==
30245 >>> 235 2.0.0 OK Authenticated

Nevertheless, it would be trivial to decode the string into the correct username/login pair (robert/slugs, in this case). Therefore, it is best to secure the transaction with TLS. If you want to verify that the transaction is encrypted, open another terminal for root, and run tcpdump:

tcpdump -s 1500 -vvxX port 25

Send a mail with easy to identify strings. You shouldn't see your login or the message in tcpdump's output. Note that the certificate will be exchanged in plain text before TLS is enabled. If the mail is relayed to another server that doesn't offer STARTTLS, you will see the content of the outgoing message in plain text.

Source Documentation

SMTP AUTH in sendmail 8.10-8.13 - The official documentation at sendmail.org. Much of it concerns compiling cyrus-sasl and sendmail, steps that are not necessary when using Red Hat/Fedora RPMs.

Configuring Sendmail's STARTTLS (SSL) and Relaying - An excellent article by Jason Heiss about STARTTLS and sendmail. He also explains how to allow relaying based on certificates offered by clients.

My Experiences (So Far) with STARTTLS and Sendmail - Weldon Whipple shares his experiences sorting out the intricacies of STARTTLS. Read this for a good introduction to the way sendmail handles encryption and certificates.

RFC 2222: Simple Authentication and Security Layer (SASL)

RFC 2487: SMTP Service Extension for Secure SMTP over TLS

RFC 2554: SMTP Service Extension for Authentication

I've been playing with the connections theme by Patricia Müller. There have been several minor changes,

index.php

Moved Links into sidebar.php

header.php

Limited archives to current month so that menu does not wrap

Added drop down menu. Wrapping all list items within <form> </form> declarations prevents drop down menu appearing on a separate line.

Reorder from Home, Login, Archives, Links, About, Contact to Login, About, Contact, Links, Recent, Archives, DropDown

sidebar.php

Moved Links from index.php
Changed order of elements from Categories, Monthly, Pages, Search to Search, Categories, Links, Monthly, Pages
Changed Links from unordered list to table so that I could centre graphics

styles.css

Added definitions for table

Note that in order to define the <td> element, I needed to define the whole tree table tr td. These definitions are based on those for #sidebar ul.
Added definition for select so that drop down menu fits within the top menu

search.php

Removed bug for favicon. Path was was /favicon.ico/bullet.ico