How to Configure Messaging Server to Authenticate on Outbound SMTP Connections

Limited SASL capabilities have been added to the SMTP client starting with Messaging Server 7.0 Update 1 (Communication Suite 6 Update 1).

SASL authentication with the destination MTA will be attempted if either the maysaslclient or the mustsaslclient channel option is set; with mustsaslclient, authentication must succeed.

The PLAIN and EXTERNAL SASL mechanisms are currently supported. The AUTH_USERNAME and AUTH_PASSWORD TCP channel options provide the credentials for the PLAIN mechanism, and the EXTERNAL_IDENTITY TCP channel option provides the identity string for SASL EXTERNAL. (EXTERNAL_IDENTITY can be set to the empty string to enable SASL EXTERNAL without an identity string.)

The following steps provide an example of using the mustsaslclient keyword to enforce SASL authentication to the destination MTA.

  1. Create a new channel that uses the mustsaslclient keyword in the Messaging Server imta.cnf configuration file, for example:
    ! tcp_secure
    tcp_secure nomx multiple subdirs 20 dequeue_removeroute maxjobs 7 musttlsclient mustsaslclient pool SMTP_POOL daemon [192.168.1.10]
    tcp_secure-daemon
    
    Note
    The musttlsclient keyword ensures that the connection is encrypted before the plain-text username and password are sent across it. The example tcp_secure channel is also configured to send all emails to the MTA with an IP address of 192.168.1.10.
  2. Create a rewrite rule in the Messaging Server imta.cnf configuration file that directs emails for some.address@domain.com to the new channel.
    domain.com $U%$D@tcp_secure-daemon
    
  3. Create a tcp_secure_option TCP channel option file in the Messaging Server configuration directory. It contains the SASL authentication username and password known to the MTA at 192.168.1.10.
    bash-3.00# cat /opt/sun/comms/messaging/config/tcp_secure_option
    AUTH_USERNAME=authuser
    AUTH_PASSWORD=secretpassword
    
  4. Rebuild the Messaging Server MTA configuration database and restart the MTA.
    ./imsimta cnbuild
    ./imsimta restart
    
  5. Send an email to some.address@domain.com. You should see a log entry in mail.log_current resembling the following entry:
    27-Jan-2009 12:25:51.82 tcp_secure                DEQS 1 my.address@internal.com rfc822;some.address@domain.com
    some.address@domain.com [192.168.1.10] dns;[192.168.1.10] (TCP|1.2.3.4|34682|192.168.1.10|25) (domain.com -- 
    Server ESMTP [Sun Java System Messaging Server 6.2-9.14 [built Aug 19 2008]]) smtp;250 2.1.5 address accepted for 
    deferred processing: some.address@domain.com
    
    Note
    DEQS stands for "(D)equeue, (E)SMTP, TL(S)/SSL used". (Q) indicates that SMTP PIPELINING was used (RFC 1854).
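
A check for both ends of the procedure above, added here as an example (not Sun's code): the first function flags channel definitions that enable SASL client authentication without musttlsclient, and the second confirms from log entries that dequeues on the channel carried the S modifier. The tcp_relay channel, the sample lines, and the one-line-per-channel and field-position layout are assumptions made for illustration.

```shell
# Added example, not Sun's code. Assumes one line per channel definition in
# imta.cnf and single-line log entries laid out like the sample entry above:
# $1 date, $2 time, $3 channel, $4 action code. tcp_relay is hypothetical.

# Print channels enabling SASL client auth without musttlsclient; exit 1 if any.
lint_sasl_channels() {
    awk '
        /^[ \t]*!/ { next }    # comment line
        {
            sasl = tls = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "maysaslclient" || $i == "mustsaslclient") sasl = 1
                if ($i == "musttlsclient") tls = 1
            }
            if (sasl && !tls) { print $1; bad++ }
        }
        END { exit (bad > 0) }
    ' "${1:--}"
}

# Mark each dequeue (D...) entry on channel $1 OK if its modifiers include S
# (TLS/SSL used), else FAIL. Exit 0 only if dequeues were seen and all had S.
audit_channel_log() {
    awk -v chan="$1" '
        $3 == chan && $4 ~ /^D[A-Z]*$/ {
            seen++; status = "OK"
            if (!index(substr($4, 2), "S")) { status = "FAIL"; bad++ }
            print status, $1, $2, $4
        }
        END { exit !(seen > 0 && bad == 0) }
    ' "${2:--}"
}

# Constructed sample input (not real configuration or log data).
sample_cnf() { cat <<'EOF'
tcp_secure nomx musttlsclient mustsaslclient daemon [192.168.1.10]
tcp_secure-daemon

tcp_relay nomx maysaslclient daemon [192.168.1.11]
tcp_relay-daemon
EOF
}
sample_log() { cat <<'EOF'
27-Jan-2009 12:25:51.82 tcp_secure DEQS 1 my.address@internal.com rfc822;some.address@domain.com
27-Jan-2009 12:31:07.10 tcp_secure DEQ 1 my.address@internal.com rfc822;some.address@domain.com
27-Jan-2009 12:32:40.55 tcp_local DEQ 1 my.address@internal.com rfc822;other@example.org
EOF
}
sample_cnf | lint_sasl_channels || echo "channel(s) listed above lack musttlsclient"
sample_log | audit_channel_log tcp_secure || echo "tcp_secure: non-TLS dequeue or no traffic"
```

Both functions also accept a file path in place of standard input, so they can be pointed at imta.cnf and mail.log_current directly.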

Copyright 1994-2009 Sun Microsystems, Inc.