SMTP authentication in sendmail

Created: — modified: — tags: e-mail

By default sendmail is configured in such a way that any program running on localhost can send an email without password, and none from another computer can do that. But what if you want to change that?

Update: Note that long after writing this guide, I've switched to Postfix as my mail server, so this guide was correct at the time of writing, it might be obsolete and/or incorrect at the time of reading.

This guide is inspired by Chapter 12 of Linux Home Server HOWTO and official sendmail documentation. Please read them if something's unclear.


On Ubuntu server 12.04 most required packages are already installed, and only authentication modules for SASL are missing (SASL is a library used to check username and password). To install them, just type:

apt-get install libsasl2-modules


First, to make sendmail use SASL, add this line somewhere in the middle of the /etc/mail/ file:


Next, to allow incoming connections, remove "Addr=" from DAEMON_OPTIONS lines in the same file, to make them look like this:

DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea')dnl

After editing /etc/mail/ file, rebuild sendmail config by issuing the following command:


Passwordless access from localhost

Now sendmail would relay (send email to foreign hosts) only when provided a password. If you want to return the ability to send email from localhost without a password, first edit /etc/mail/access file: comment out everything but localhost and issue the following command to rebuild access database:

makemap hash access < access

After that, add this line somewhere to /etc/mail/ file:


And run sendmailconfig again.

Files and settings

Settings are scattered in these files:

/etc/mail/sasl/sasl.m4 defines how sendmail uses SASL library: settings confAUTH_MECHANISMS and TRUST_AUTH_MECH show what authentication methods are supported and authorize user, respectively (that's about methods to transfer password from e-mail client to sendmail).

/usr/lib/sasl2/Sendmail.conf shows how SASL checks if the password is correct. By default it says pwcheck_method: saslauthd what means that it uses SASL auth demon.

Configuration for this demon is stored in /etc/default/saslauthd file, which by default has a line MECHANISMS="pam" which means "use system method" (by default, username+password for local account).

These settings can be changed, but that's out of scope of this article, sorry.


To better secure your email (and its password!), you probably want to setup SSL connections, too. To do that, you need an SSL certificate (you can get one from Start SSL for free) and just perform first three steps from official guide.