Penn Computing

Kerberos Authenticated SMTP Service Installation Instructions

This document describes how to install Kerberos authenticated SMTP service on Penn UNIX servers. The sendmail™ package is covered here since it is the predominant SMTP software in use on UNIX platforms.

Note:

This document assumes the reader is already familiar with installing and configuring sendmail on a UNIX system. Most UNIX system administrators will need site-specific customizations to their sendmail configurations. This document therefore gives a very general description of how to configure sendmail with Kerberos support. Some sendmail configuration hints are available, but you might want to enlist the help of a more experienced UNIX system administrator.

Prerequisites

Before installing Kerberos authenticated SMTP service, the following must be installed:

Obtain and unpack the software

  1. Download the sendmail software from the following location:

    http://www.sendmail.org/current-release.html

    As of the writing of this document, the latest version is 8.12.6.

  2. Unpack the sendmail software:

    gzip -dc sendmail.8.12.6.tar.gz | tar xvf -
    cd sendmail-8.12.6

Write a configuration file and build sendmail

  1. Write a configuration file appropriate for the system in question. Exactly what goes into the configuration file will vary from site to site. Readers unfamiliar with the procedure are encouraged to consult the "README" file in the top level of the unpacked distribution.

  2. Place the configuration file in ./devtools/Site/site.config.m4. A generic configuration file follows (with directives to compile sendmail linked with the Cyrus SASL libraries). It should be adapted as necessary:

    APPENDDEF(`confENVDEF', `-DSASL')
    APPENDDEF(`conf_sendmail_LIBS', `-lsasl')
    APPENDDEF(`confLIBDIRS', `-L/usr/local/lib')
    APPENDDEF(`confINCDIRS', `-I/usr/local/include')

  3. Build sendmail:

    sh Build -c

    This creates a platform-specific subdirectory, called obj.platform, where platform is a text string that describes the hardware platform and operating system. For example, on Solaris 8, the subdirectory is called obj.SunOS.5.8.sun4. The sendmail and associated binaries are built inside this platform-specific directory.

  4. Create a sendmail configuration file called sendmail.cf modified for the target system. Again, the exact contents of the file vary. Readers unfamiliar with the procedure should consult the file ./cf/README for details. The configuration generation file should include the following M4 macros to activate Kerberos5/GSSAPI as the available authentication mechanism:

    TRUST_AUTH_MECH(`GSSAPI')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI')dnl

    Note:

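    If it is necessary to include support for non-Kerberized SMTP authentication, the following variation should be used instead. PLAIN and LOGIN send the password itself, only base64-encoded, so sessions that use them should be protected by TLS: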

    TRUST_AUTH_MECH(`GSSAPI PLAIN LOGIN')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI PLAIN LOGIN')dnl

  5. Assuming the configuration generation file is placed in ./cf/cf/sendmail.mc, issue the following commands from the top-level directory of the distribution to create the actual configuration file:

    cd cf/cf
    sh Build sendmail.cf

  6. Copy sendmail.cf into the appropriate system location. By default, the location is /etc/mail/sendmail.cf, but again your system may differ. Now execute:

    cp sendmail.cf /etc/mail

  7. Change to the top-level directory of the distribution and install the sendmail binary:

    cd ../..
    cd obj.platform/sendmail
    make install

  8. Start 'sendmail'. Details are omitted because they are platform-specific. While it is possible to start sendmail manually from the command line, you'll probably want a startup script to do this.

  9. Verify that sendmail is running and that it advertises GSSAPI as an available authentication mechanism. The simplest way is to connect to the SMTP port (25), issue 'EHLO servername', and see if sendmail reports the following in its response:

    250-AUTH GSSAPI

    Be sure to confirm that open relaying is disabled.
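
An added example, not part of the original instructions: a Python check for step 9 that parses the EHLO reply captured from the server and reports whether GSSAPI is advertised and whether the password-carrying mechanisms PLAIN or LOGIN are offered. The sample replies and host names are constructed, and the function names are this example's own.

```python
WEAK = {"PLAIN", "LOGIN"}  # these carry the password itself, only base64-encoded

# Constructed sample replies; host names are placeholders, not from the page.
GSSAPI_ONLY = (
    "250-mail.example.edu Hello client.example.edu, pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250-AUTH GSSAPI\r\n"
    "250 HELP\r\n"
)
WITH_PASSWORDS = GSSAPI_ONLY.replace("AUTH GSSAPI", "AUTH GSSAPI PLAIN LOGIN")
NO_AUTH = GSSAPI_ONLY.replace("250-AUTH GSSAPI\r\n", "")


def parse_ehlo(reply):
    """Map each ESMTP keyword in a multi-line 250 reply to its arguments."""
    lines = [l for l in reply.splitlines() if l.strip()]
    features = {}
    for i, line in enumerate(lines):
        expected_sep = " " if i == len(lines) - 1 else "-"
        if line[:3] != "250" or line[3:4] != expected_sep:
            raise ValueError("malformed EHLO reply line: %r" % line)
        if i == 0:
            continue  # first line is the server greeting, not a keyword
        rest = line[4:]
        if rest.upper().startswith("AUTH="):  # legacy form some servers also send
            rest = "AUTH " + rest[5:]
        words = rest.upper().split()
        if words:
            features.setdefault(words[0], []).extend(words[1:])
    return features


def audit(reply, required="GSSAPI"):
    """Return a list of findings; an empty list means the check passed."""
    mechs = set(parse_ehlo(reply).get("AUTH", []))
    findings = []
    if required not in mechs:
        shown = " ".join(sorted(mechs)) or "none"
        findings.append("%s not advertised (AUTH: %s)" % (required, shown))
    weak = sorted(mechs & WEAK)
    if weak:
        findings.append("password-bearing mechanisms offered: " + " ".join(weak))
    return findings


if __name__ == "__main__":
    for name, reply in [("gssapi-only", GSSAPI_ONLY),
                        ("with-passwords", WITH_PASSWORDS), ("no-auth", NO_AUTH)]:
        print(name, audit(reply) or "OK")
```

Paste the reply text from the port 25 session into `audit()`; a finding about PLAIN or LOGIN on a GSSAPI-only server means the running sendmail.cf is not the one built in step 5.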


Information Systems and Computing
University of Pennsylvania