Secure Sendmail SMTP authentication

I am installing SMTP authentication for Sendmail. I followed the guide in the FreeBSD Handbook. To complete the installation, I want to test whether the authentication works and confirm that the username and password are kept secure. Of course, I could dump the packets and inspect them for a plain-text username and password, but I thought I might also be able to look in the log. I set the log level of Sendmail to 13, configured a test client to use SMTPS/465 with authentication, and sent a test mail from an untrusted network to a non-hosted relay recipient. The following is written in the log:

Code:
xxx sm-mta[52988]: r8EKkC6M052988: from=<xxx>, size=790, class=0, nrcpts=1, msgid=<xxx>, proto=ESMTP, daemon=TLSMTA, relay=xxx [xxx]
xxx sm-mta[53010]: r8EKkC6M052988: to=<xxx>, ctladdr=<xxx> (1003/1003), delay=00:00:05, xdelay=00:00:03, mailer=esmtp, pri=30790, relay=xxx. [xxx], dsn=2.0.0, stat=Sent (Queued!)

# pkg_info | grep cyrus-sasl
Code:
cyrus-sasl-2.1.26_2 RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-saslauthd-2.1.26 SASL authentication server for cyrus-sasl2

# ps acx | grep sasl
Code:
66773  ??  Is       0:00.00 saslauthd

# nano -w `hostname`.mc
Code:
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')

The mail does get sent. However, I am not sure whether the log confirms the use of secure authentication.
 
I decided to resend the mail test while dumping the TCP packets from the test client. I loaded the captured dump into a packet inspection tool and tested it for an SMTP authentication password.

# tcpdump -i em0 -s 65535 -w smtp-auth-test.txt host xxx
% wireshark smtp-auth-test.txt &

I used the filter smtp.auth.password in Wireshark. Would I be able to catch a misconfigured plain-text password this way?
 
For what it is worth, for future readers: another capture test, with plain-text SMTP, did show up in Wireshark with the smtp display filter, so I would assume that a plain-text password would have shown up in the capture above. I therefore believe that the communication happens within an encrypted connection, which is why there is nothing readable in the mail log or in the captured TCP data.

# tcpdump -i em0 -s 65535 -w smtp-auth-test-plain.cap host xxx
% wireshark -Y smtp smtp-auth-test-plain.cap &

On another note, I used the suffix txt above in error. It should have been cap. However, the contents of the file remain valid.

Any comments are welcome.
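A caveat on the Wireshark test in the post above: the `smtp.auth.password` filter only matches when the SMTP dissector can see the AUTH exchange, which it can only do on a cleartext session. On port 465 the stream is TLS from the first byte, so an empty filter result says nothing about whether the server would also accept AUTH PLAIN or LOGIN on an unencrypted port. The script below is an added example, not code from the thread or from Sendmail; it does the same decoding the filter does on a constructed "Follow TCP Stream" transcript (the `C: `/`S: ` prefixes, hostnames and credentials are made up), recovers credentials from AUTH PLAIN and AUTH LOGIN (base64 is encoding, not encryption), and additionally reports which plaintext mechanisms the server advertised before any STARTTLS, which is the actual misconfiguration to look for. On a TLS stream it recovers nothing, matching what the poster saw.

```python
"""Detect SMTP AUTH credentials that crossed the wire in the clear.

Added example, not part of the original thread. Works on a reassembled TCP
stream written as a line-per-message transcript with 'C: ' (client) and
'S: ' (server) prefixes, a constructed convention for this example.
"""
import base64
import re
from typing import List, Tuple

Credential = Tuple[str, str, str]  # (mechanism, username, password)


def looks_like_tls(payload: bytes) -> bool:
    """True if the stream opens with a TLS record header (content type 0x16 =
    handshake, protocol major version 3). A port-465 capture looks like this."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def _b64(s: str) -> str:
    """Decode one base64 token; return '' on garbage so a bad line is skipped."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def plaintext_mechs_offered(payload: bytes) -> List[str]:
    """PLAIN/LOGIN mechanisms advertised in the cleartext EHLO reply before
    any STARTTLS. If this list is non-empty, a client may send the password
    unencrypted, which is what the thread is worried about."""
    if looks_like_tls(payload):
        return []
    offered: List[str] = []
    for line in payload.decode("latin-1").splitlines():
        if line.startswith("C: ") and line[3:].strip().upper() == "STARTTLS":
            break  # anything after this point is encrypted
        m = re.match(r"S: 250[- ]AUTH\s+(.*)", line)
        if m:
            offered += [x.upper() for x in m.group(1).split()]
    return [x for x in offered if x in ("PLAIN", "LOGIN")]


def extract_credentials(payload: bytes) -> List[Credential]:
    """Recover AUTH PLAIN / AUTH LOGIN credentials from a cleartext dialogue,
    the same thing Wireshark's smtp.auth.password filter shows."""
    if looks_like_tls(payload):
        return []  # encrypted from the first byte: nothing readable
    lines = payload.decode("latin-1").splitlines()
    client = [l[3:].strip() for l in lines if l.startswith("C: ")]
    found: List[Credential] = []
    i = 0
    while i < len(client):
        cmd = client[i].split()
        if len(cmd) >= 2 and cmd[0].upper() == "AUTH":
            mech = cmd[1].upper()
            if mech == "PLAIN":
                # Initial response is either inline or on the next client
                # line (after the server's "334 " prompt).
                if len(cmd) > 2:
                    blob = cmd[2]
                else:
                    i += 1
                    blob = client[i] if i < len(client) else ""
                parts = _b64(blob).split("\0")
                if len(parts) == 3:  # authzid NUL authcid NUL password
                    found.append(("PLAIN", parts[1], parts[2]))
            elif mech == "LOGIN":
                # Server prompts "Username:" then "Password:" (both base64);
                # the username may also be sent inline with the command.
                if len(cmd) > 2:
                    rest = [cmd[2]] + client[i + 1:i + 2]
                    consumed = 1
                else:
                    rest = client[i + 1:i + 3]
                    consumed = 2
                if len(rest) == 2:
                    found.append(("LOGIN", _b64(rest[0]), _b64(rest[1])))
                    i += consumed
        i += 1
    return found


# Constructed cleartext session on port 25 with AUTH PLAIN (credentials made up).
CLEARTEXT_CAPTURE = b"""\
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-mail.example.test Hello client.example.test
S: 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
S: 250 HELP
C: AUTH PLAIN AGFsaWNlAHMzY3IzdA==
S: 235 2.0.0 OK Authenticated
C: MAIL FROM:<alice@example.test>
"""

# Constructed cleartext session using AUTH LOGIN (credentials made up).
CLEARTEXT_LOGIN_CAPTURE = b"""\
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-AUTH LOGIN PLAIN
S: 250 HELP
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: Ym9i
S: 334 UGFzc3dvcmQ6
C: aHVudGVyMg==
S: 235 2.0.0 OK Authenticated
"""

# Constructed stand-in for the port-465 stream: a TLS handshake record header
# followed by opaque bytes. Only the header matters to looks_like_tls().
SMTPS_CAPTURE = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(range(32))

if __name__ == "__main__":
    for name, cap in (("port 25 PLAIN", CLEARTEXT_CAPTURE),
                      ("port 25 LOGIN", CLEARTEXT_LOGIN_CAPTURE),
                      ("port 465", SMTPS_CAPTURE)):
        print(name, "| offered in clear:", plaintext_mechs_offered(cap),
              "| leaked:", extract_credentials(cap))
```

The two cleartext transcripts are what a capture on port 25 would decode to and are where `smtp.auth.password` would fire; the TLS stand-in yields nothing, exactly as the poster's 465 capture did. The server-side complement to this check is Sendmail's `confAUTH_OPTIONS`: its `p` flag refuses mechanisms susceptible to passive sniffing (PLAIN, LOGIN) unless a security layer such as TLS is active, so a server built with `define(`confAUTH_OPTIONS', `A p')` will not advertise those mechanisms on a cleartext session in the first place.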
 
I think the
Code:
daemon=TLSMTA
string in the log reveals that TLS was in fact used for the connection.
 