
Update! auskie reports that the server name has changed:

Non-authoritative answer:
smtp.sbcglobal.yahoo.com canonical name = smtp-sbc.mail.yahoo.com.
smtp-sbc.mail.yahoo.com canonical name = smtp.sbc.mail.yahoo4.akadns.net.
Name: smtp.sbc.mail.yahoo4.akadns.net
Address: 68.142.198.11
----------
Update #2, MikeStammer reports that it's not all as easy as it should be:

I think SBC just broke SMTP AUTH again in things like sendmail and postfix. This morning I had errors at 2 sites. Seems they changed the IP that smtp-sbc-v1.mail.vip.sc5.yahoo.com was resolving to. I had to hard code the IP of what smtp-sbc-v1.mail.vip.sc5.yahoo used to resolve to to get it working again. The old IP (the one that works) is 63.230.177.41. If you resolve the IP based on the hostname now and try to SMTP auth (at least with sasl) it doesn't work. It complains that authentication is needed.

Further update and a possible fix at »Warning: SBC Yahoo SMTP Auth possibly broken
----------
Update #3 (07-28-06) from parkut:

I discovered my configuration for using SBC and Sendmail as my MTA was broken. I spent some time googling around, and found a hint on another website. Here is the result of how I fixed it.
 
Edit the file /etc/mail/authinfo
 
Below are the contents of my authinfo file:
 
AuthInfo:yahoo.com "U:siege.x@sbcglobal.net" "I:siege.x@sbcglobal.net" "P:pAsSWoRd" "M:PLAIN"
 
AuthInfo: "U:siege.x@sbcglobal.net" "I:siege.x@sbcglobal.net" "P:pAsSWoRd" "M:PLAIN"
 
In case it's not apparent, the text after U: and I: is the username, after P: is the password.
 
Note that the second line is almost exactly the same as the first line except it's missing yahoo.com and there is a space after the colon. I'm not exactly sure why this line is needed, but it did not work until I added it.
 
After editing the file, run the following command to secure the file:
 
chmod 660 /etc/mail/authinfo
 
Then convert to a .db file so sendmail will recognize our new settings:
 
makemap hash /etc/mail/authinfo < /etc/mail/authinfo
 

----------

SBCYahoo's mailserver requires user authentication in order to relay email through it. This causes a problem if you want to run a mailserver with your own domain name on your home network and relay your outbound email through SBCYahoo's mailserver. You may want to use SBCYahoo as a SMARTHOST for all of your outbound email because you have a dynamic IP address and other mailservers will not accept email from you because they run RBL filters that block your IP. Or you may want to use SBCYahoo's server only as a fallback MX host in the event that your mailserver cannot send directly for whatever reason. There are a number of configuration issues that can make this tricky to set up, and the available documentation is less than helpful in understanding how to resolve these problems.

Following is a little tutorial that will hopefully clear up these issues and save you hours of frustration wondering why you keep getting authentication errors etc. This configuration is based on Sendmail 8.12.10 running on Mandrake Linux 9.2 with Linux kernel 2.4.22. This FAQ assumes you already have Sendmail compiled and installed and configured as your mailserver, that you understand the basics of Sendmail configuration, and you are logged in as root. If you need assistance with building Sendmail for authentication see Jon Fullmer's great tutorial.

The first thing to do is enable the proper directives in your sendmail.mc file to allow for the Sendmail authentication mechanisms. Uncomment or add the following options in your sendmail.mc (usually found in /etc/mail/cf/cf/):

define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
 

If you want all of your outbound email to relay through SBC because you are using a dynamic source IP, also add the following SMARTHOST config into your sendmail.mc file:
define(`SMART_HOST', `esmtp:[smtp.sbcglobal.yahoo.com]')dnl
 

If you only want to use SBCYahoo's mailserver as a relay in the event that your mailserver can not forward email directly, add the following FALLBACK_MX config to your sendmail.mc file:
define(`confFALLBACK_MX', `esmtp:[smtp.sbcglobal.yahoo.com]')dnl
 

The format of these entries with brackets [ ] is key to making it work properly. The brackets keep Sendmail from looking up the MX record for the hostname which would return the bogus hostname nomail.yahoo.com. Without brackets Sendmail would bounce every message it attempted to relay through this host.

Once the above is completed, rebuild your sendmail.cf file using:
m4 /path/to/m4/cf.m4 /etc/mail/cf/cf/sendmail.mc > /etc/mail/sendmail.cf
 

Enter the paths for your specific site configuration as necessary in the above command.

Next we need to create the authinfo file, which will contain the user credentials for logging into the mailserver. Create a file called 'authinfo' in /etc/mail/. For security reasons, this file should be chmod 400 and owned by root if you are running Sendmail as root. If you are using an alternate UID/GID for Sendmail, make sure that the file's group owner matches and set the file to chmod 440. In the entry below, replace userID with your SBCGlobal username and password with your password.

Following is the syntax for the file (all on one line):
AuthInfo:smtp-sbc-v1.mail.vip.sc5.yahoo.com "U:userID@sbcglobal.net" "I:userID@sbcglobal.net" "R:sbcglobal.net" "P:password" "M:PLAIN"
 

The mailserver hostname is entered right after AuthInfo: in this file. Sendmail looks at the DNS A record for the host it is connecting to and searches the authinfo file for an entry with a matching hostname to find the credentials to use. If you do an nslookup for smtp.sbcglobal.yahoo.com you will notice that it is an alias (CNAME) for the hostname entered above. If this ever changes, you will have to change the hostname in your authinfo file to match, rebuild the map file, and restart Sendmail. If you used smtp.sbcglobal.yahoo.com as the server name in the authinfo file, the credentials would never match and SBC would bounce your email for lack of authentication.
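A way to catch the mismatch described above before mail starts bouncing, as an added example that is not part of the original FAQ: it reads nslookup output, takes the name at the end of the CNAME chain, and looks for an exact AuthInfo: key for that name in the authinfo source file. The function names, exit codes and the "-" marker for an empty-host key (as in Update #3) are this example's own; the sample resolver output is the one quoted in the first update.

```shell
#!/bin/sh
# Added example, not from the FAQ: function names and exit codes are this
# example's own. Compares authinfo keys with the smart host's canonical name.

# Print the last name in the CNAME chain from nslookup output on stdin.
canonical_name() {
    awk '/canonical name =/ { n = $NF }   # follow each CNAME hop
         /^Name:/           { n = $2 }    # owner of the A record wins
         END { sub(/\.$/, "", n); print tolower(n) }'
}

# Print the host part of every AuthInfo: key in FILE ("-" for an empty host).
authinfo_hosts() {
    awk 'tolower($1) ~ /^authinfo:/ {
             h = tolower($1); sub(/^authinfo:/, "", h)
             if (h == "") h = "-"
             print h
         }' "$1"
}

# check_authinfo FILE < nslookup-output
# returns 0 exact key, 1 no key, 2 no name parsed, 3 only an empty-host key
check_authinfo() {
    ca_canon=$(canonical_name)
    [ -n "$ca_canon" ] || return 2
    ca_hosts=$(authinfo_hosts "$1")
    if printf '%s\n' "$ca_hosts" | grep -qxF -- "$ca_canon"; then
        echo "OK $ca_canon"
    elif printf '%s\n' "$ca_hosts" | grep -qxF -- "-"; then
        echo "EMPTY-HOST-KEY-ONLY $ca_canon"; return 3
    else
        echo "MISMATCH $ca_canon"; return 1
    fi
}

# Resolver output as quoted in the first update on this page.
SAMPLE_DNS='smtp.sbcglobal.yahoo.com canonical name = smtp-sbc.mail.yahoo.com.
smtp-sbc.mail.yahoo.com canonical name = smtp.sbc.mail.yahoo4.akadns.net.
Name: smtp.sbc.mail.yahoo4.akadns.net
Address: 68.142.198.11'

# Usage: nslookup smtp.sbcglobal.yahoo.com | check_authinfo /etc/mail/authinfo
```

Run from cron, a non-zero exit is the cue to update the key, rebuild the map and restart Sendmail.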

Once you have saved this file you need to build the authinfo map file.
makemap hash /etc/mail/authinfo < /etc/mail/authinfo
 

Mandrake Linux includes start/stop scripts for standard services in /etc/init.d. The script for Sendmail includes functions to automatically rebuild the map files whenever you start or restart the service. I just added authinfo to the list of maps to build:

for i in virtusertable access domaintable mailertable genericstable authinfo; do
    if [ -f "/etc/mail/$i" ]; then
        makemap hash "/etc/mail/$i" < "/etc/mail/$i"
    fi
done
 

Now it is time to start or restart Sendmail. If you are going to be using the fallback MX option, I suggest initially configuring using the SMARTHOST for testing purposes and then switching back after you have verified that your config works.

service sendmail restart

or
service sendmail start
 


Troubleshooting

Once you have Sendmail up and running with the new configuration, it is time to test. Use the SMARTHOST option as recommended above during testing so that all mail goes outbound through SBCYahoo's mailserver. Send an email to an outside email address you can check and verify that you do not get a bounce back like this:

The server responded: 530 authentication required - for help go to 
http://help.yahoo.com/help/us/sbc/dsl/mail/pop/pop-11.html
 

If you get the email on your external mail account, check the SMTP headers if you can and verify that the email passed through SBCYahoo's mailserver. You may also see an Authenticated bits header.

If you get the dreaded bounce back, there are quite a few things you can do to troubleshoot this problem.

Verify proper configuration
  1. Check the output from 'sendmail -d0.1 -bt < /dev/null'. The string "SASL" or "SASLv2" should appear somewhere in the output. If not, Sendmail was not compiled with SASL support.
  2. Check the output from 'echo "/map authinfo authinfo:smtp-sbc-v1.mail.vip.sc5.yahoo.com" | sendmail -bt'. That will check whether the authinfo map is being properly recognized.
Verify mailserver output
  1. From the command line on your mailserver do the following:
    telnet smtp.sbcglobal.yahoo.com 25
     
    Trying 66.163.171.137...
    Connected to smtp.sbcglobal.yahoo.com (66.163.171.137).
    Escape character is '^]'.
    220 smtp812.mail.sc5.yahoo.com ESMTP
     
    EHLO domain.com
     
    250-smtp812.mail.sc5.yahoo.com
    250-AUTH LOGIN PLAIN
    250-PIPELINING
    250 8BITMIME
     
    quit
     
    221 smtp812.mail.sc5.yahoo.com
    Connection closed by foreign host.
     
    
    Make sure you are getting the 250-AUTH LOGIN PLAIN option back when you enter the 'EHLO domain.com' command. If not, you have a firewall that is inspecting or filtering SMTP at the application layer. Do not use the Cisco PIX fixup protocol for SMTP or the Cisco IOS 'ip inspect' commands for SMTP on outbound SMTP sessions. This breaks the ability to authenticate SMTP sessions because it blocks the EHLO responses and spoofs a 502 response to your server. Your mailserver will never see the AUTH LOGIN option and will never even try to send its user credentials.
    
    
  2. You can observe a session by creating a dummy email message in a file, then running 'sendmail -Am -v -t < /path/to/file'. The file should have To:email@externaldomain.com on the first line at a minimum.
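
The EHLO check from step 1 under "Verify mailserver output", as an added example that is not part of the original FAQ: it reads a saved transcript, reports whether AUTH and the mechanism named in your authinfo entry are advertised, flags a 502 reply, and notes when PLAIN or LOGIN is offered without STARTTLS, in which case the password crosses the network only base64-encoded. The function name and finding labels are this example's own, and the filtered sample is constructed.

```shell
#!/bin/sh
# Added example, not from the FAQ: ehlo_report and its finding labels are
# this example's own names.

# ehlo_report MECH < transcript
# Prints findings; returns 0 only if AUTH is advertised and includes MECH.
ehlo_report() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        { sub(/\r$/, "") }                      # SMTP lines end in CRLF
        /^502/ { print "EHLO-REJECTED"; rejected = 1 }
        /^250[- ]AUTH[ =]/ {
            line = $0; sub(/^250[- ]AUTH[ =]/, "", line)
            n = split(toupper(line), m, " ")
            for (i = 1; i <= n; i++) mech[m[i]] = 1
            auth = 1
        }
        /^250[- ]STARTTLS/ { tls = 1 }
        END {
            ok = auth && (want in mech) && !rejected
            if (!auth) print "NO-AUTH-ADVERTISED"
            else if (want in mech) print "MECH-OK " want
            else print "MECH-MISSING " want
            # PLAIN and LOGIN only base64-encode the password
            if (auth && !tls && (("PLAIN" in mech) || ("LOGIN" in mech)))
                print "CLEARTEXT-AUTH-NO-STARTTLS"
            exit (ok ? 0 : 1)
        }'
}

# Server replies from the telnet session shown on this page.
SAMPLE_GOOD='220 smtp812.mail.sc5.yahoo.com ESMTP
250-smtp812.mail.sc5.yahoo.com
250-AUTH LOGIN PLAIN
250-PIPELINING
250 8BITMIME'

# Constructed replies for the filtered case; the 502 text is made up.
SAMPLE_FILTERED='220 smtp812.mail.sc5.yahoo.com ESMTP
502 constructed reply to EHLO'

# Usage: ehlo_report PLAIN < saved-telnet-session.txt
```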

Other links about Sendmail SMTP Auth:
www.sendmail.org/~ca/ema ··· ientauth
www.jonfullmer.com/smtpauth/
www.urbanophile.com/aren ··· dsl.html
efflandt.freeshell.org/s ··· uth.html




by rolande, edited by lev
last modified: 2006-07-28 15:36:41