SBC-Yahoo ® Authenticated SMTP
Last Updated Dec 10, 2003
This dated info needs to be updated for AT&T/Yahoo using smtp.att.yahoo.com
relay for SMTP SSL on port 465
This is not a complete smtp
tutorial. It assumes that your smtp server is already able to send and
receive from other hosts.
SBC requires that mail from SBC dynamic IPs to SBC e-mail addresses
uses their outgoing SMTP servers (probably to minimize spread of local
spam, and worms that contain their own SMTP). Before SBC-Yahoo, it was
just a matter of relaying mail through their outgoing servers, as long
as you were connected with an SBC IP. In my case I used mailertable
entries to just relay the necessary domains, and anything else went
direct. Otherwise a Smarthost could relay everything.
But for new customers and migration of old customers to SBC-Yahoo, it
is unknown how long the old outgoing relays will remain. For the new
outgoing relays they have additional tricks up their sleeve for foiling
worms and other local SMTP. They require authentication (standard SMTP
AUTH) and the relays have an MX record pointing to nomail.yahoo.com,
which I think is a dummy that refuses all mail. One advantage of the
authentication is that it should allow using SBC SMTP from anywhere
(except ISPs that block port 25).
Following are some details for sendmail
and postfix.
Sendmail
The first step is to make sure that your sendmail can be configured to
act as SMTP AUTH client. You should probably have at least sendmail
v8.11. I found details for SuSE 7.3 Linux at
http://sdb.suse.de/en/sdb/html/sendmail_smtp_auth.html about
installation and configuration of sendmail-tls (v8.11.6) package. You
may have to do a web search to find details about other distributions or
OS. If you currently have an older sendmail version, you could set up
the relay to the old mailhost and skip authentication for now.
Relay Set Up (sendmail 8.11 or 8.12)
In the following examples * should be substituted
with your second level domain (sbcglobal, ameritech, pacbell, swbell,
etc.)
Next you need to set up your designated smtp.*.yahoo.com server
either as Smarthost (to relay all mail) or in /etc/mail/mailertable to
only relay for specific destination domains. For either smarthost or mailertable you may
have to enclose the relay in square brackets like esmtp:[smtp.*.yahoo.com]
so the bogus MX record will be ignored.
mailertable example:
ameritech.net esmtp:[smtp.*.yahoo.com]
.ameritech.net esmtp:[smtp.*.yahoo.com]
Do likewise for other SBC related domains on the left like pacbell.net,
prodigy.net, prodigy.com, sbcglobal.net, snet.net, swbell.net,
yahoo.com. If you just want to send mail through the old servers for
now, just put your old mailhost within the brackets. In either case do:
makemap hash /etc/mail/mailertable < /etc/mail/mailertable
then restart sendmail (/etc/rc.d/init.d/sendmail restart or
/etc/init.d/sendmail restart).
Otherwise for setting Smart host (to relay all mail), you either
need to consult your system sendmail configuration tool or modify the m4
file used to generate sendmail.cf. Note: I heard that using brackets in
a smart host does not help avoid the bogus MX, but according to
http://www.cm.nu/~shane/lists/comp.mail.sendmail/2001-12/0074.html
it should work, at least with the actual IP if not a hostname. Example
for m4 (the left quotes really are grave accents, i.e. backticks):
define(`SMART_HOST', `[smtp.*.yahoo.com]')dnl
If at this point you tried to send to an address on your same SBC
domain, and the bounce error is:
- From mx server about e-mail program config - your mailertable or
Smart host is incorrect, you did not do makemap (mailertable), or
forgot to restart sendmail.
- From nomail.yahoo.com - you forgot brackets around
[smtp.*.yahoo.com].
- From a long yahoo.com name about 530 authentication required -
you reached the right server and just need to configure authentication.
Sendmail 8.11 as AUTH SMTP Client
Depending upon your sendmail version you either need to set up
/etc/mail/default-auth-info (v8.11) or /etc/mail/authinfo (v8.12).
Either file should have root owner/group and 600 permission (so no
other users can see password).
/etc/mail/default-auth-info (sendmail 8.11):
root (seems to work for normal user since sendmail runs as root)
sbc_user@your.sbc.domain (ie, username@ameritech.net)
sbc_password
yahoo.com
Sendmail 8.12 as SMTP AUTH Client
I have sendmail 8.12.3 on my laptop and this is what I did to get it
working in SuSE 8.0 Linux (besides mailertable per Relay Set Up above):
In /etc/sysconfig/sendmail I set SMTP_AUTH_MECHANISMS="plain" (since
that is what SBC auth uses). SuSEconfig uses that to define
`confAUTH_MECHANISMS' and FEATURE `authinfo' when generating a new
sendmail.cf.
In auth-info I was not really sure what to use for AuthInfo: and U:
(me, root or the user sendmail runs as?). Apparently "U:root" works (not
sure if "U:username" would limit it to that local user). The servers
changed at some point in time; smtp.*.yahoo.com names are now CNAMEs for
smtp-sbc.mail.yahoo.com, which seems to work for AuthInfo:
AuthInfo:smtp-sbc.mail.yahoo.com "U:root" "I:me@ameritech.net" "P:passwd"
Note Dec 10, 2003: due to recent DNS changes again, you may need also or
instead:
AuthInfo:smtp-sbc-v1.mail.vip.sc5.yahoo.com "U:root" "I:me@ameritech.net" "P:passwd"
I ran SuSEconfig (which rebuilt sendmail.cf and db files), sendmail
apparently recognized the auth-info update, and the mail was
successfully relayed and received on the other end. For more info about
sendmail 8.12.x see
http://www.sendmail.org/m4/smtp_auth.html and scroll down to "If
SENDMAIL acts as client...".
NOTE:
DNS for smtp.*.yahoo.com may change occasionally. So you may
occasionally want to check what the relay resolves to, and update
AuthInfo, especially if it suddenly stops working.
Testing (sendmail)
You can test it by running sendmail in verbose mode on the command line
(at least sendmail 8.11). However, sendmail 8.12 has a 2 part daemon, so
you might end up only seeing sendmail communicating with itself. Not
sure how to see verbose output of the second daemon to the outside
world. But your mail logs will tell you if it was sent successfully, or
the bounce error will tell you why not, if you used a valid return
address.
Create a small mail.txt file with To: and Subject: (and valid
From: if necessary) lines, followed by a blank line and short test
message (maybe relevant to configuration changes you are testing). Then
try:
cat mail.txt | /usr/lib/sendmail -v -t > maildump.txt 2>&1
View maildump.txt to check results. Example of success (username in all
cases should be an actual user):
username@ameritech.net... Connecting to smtp-sbc-v1.mail.vip.sc5.yahoo.com. via esmtp...
220 smtp800.mail.sc5.yahoo.com ESMTP
>>> EHLO realhost.no-ip.com
250-smtp800.mail.sc5.yahoo.com
250-AUTH LOGIN PLAIN
250-PIPELINING
250 8BITMIME
>>> AUTH PLAIN em8vdADlZmZsYW5kcEBhbWVyaXRlY3gubmVOAFJ6Nn36PXMO
235 ok, go ahead (#2.0.0)
>>> MAIL From:<username@realhost.no-ip.com> AUTH=username@realhost.no-ip.com
250 ok
>>> RCPT To:<username@ameritech.net>
250 ok
>>> DATA
354 go ahead
>>> .
250 ok 1043627560 qp 36203
username@ameritech.net... Sent (ok 1043627560 qp 36203)
Closing connection to smtp-sbc-v1.mail.vip.sc5.yahoo.com.
>>> QUIT
221 smtp800.mail.sc5.yahoo.com
If you get something similar it is working. Congratulations!
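The AUTH PLAIN line in a dump like the one above carries the login and password base64-encoded, not encrypted, so maildump.txt should be scrubbed before it is posted or mailed to anyone. The following is an added example, not from the original page; the credentials are constructed and the function names are illustrative.

```shell
#!/bin/sh
# Added example: why a "sendmail -v" dump must be treated as a secret.
# All credentials here are constructed; function names are illustrative.

# AUTH PLAIN sends base64("authzid NUL authcid NUL password") (RFC 4616).
auth_plain_encode() {   # $1=authzid  $2=authcid  $3=password
    printf '%s\000%s\000%s' "$1" "$2" "$3" | base64 | tr -d '\n'
}

# Reverse it with no key at all; NUL separators are shown as '|'.
auth_plain_decode() {   # $1=token
    printf '%s' "$1" | base64 -d | tr '\000' '|'
}

# Filter for maildump.txt: keep the protocol exchange, drop the token.
redact_dump() {
    sed 's/^\(>>> AUTH PLAIN\) .*/\1 [REDACTED]/'
}

# Exit status 0 if the named dump still contains a live AUTH PLAIN token.
dump_has_token() {      # $1=file
    grep '^>>> AUTH PLAIN ' "$1" | grep -qv 'REDACTED'
}
```

Typical use is redact_dump < maildump.txt > maildump.safe.txt, then share only the redacted copy and delete the original.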
Postfix
I am not that familiar with postfix versions or at what point it could
be configured as SMTP AUTH client, but the default postfix version
installed by SuSE 8.2 Pro had everything required and just needed to be
configured.
Relay Set Up (postfix)
In the following examples * should be substituted
with your second level domain (sbcglobal, ameritech, pacbell, swbell,
etc.)
You need to set up your designated smtp.*.yahoo.com server
either as relayhost (to relay all mail), or in /etc/postfix/transport (man 5
transport) to only relay for specific destination domains. For either relayhost or transport you may
have to enclose the relay in square brackets like relayhost
= [smtp.*.yahoo.com] so the bogus MX record will be ignored.
transport file example:
ameritech.net smtp:[smtp.*.yahoo.com]
.ameritech.net smtp:[smtp.*.yahoo.com]
Do likewise for other SBC related domains on the left like pacbell.net,
prodigy.net, prodigy.com, sbcglobal.net, snet.net, swbell.net,
yahoo.com. Then do postmap
/etc/postfix/transport to update transport.db.
Postfix as SMTP AUTH Client
Things you need to enable or add to /etc/postfix/main.cf:
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
# above blank to clear default noplaintext since SBC auth is plain text
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
With smtp.*.yahoo.com now as CNAME for smtp-sbc.mail.yahoo.com, this
works in sasl_passwd file:
# this worked before
smtp-sbc.mail.yahoo.com user@yourSBC.domain:passwd
# this may be needed now (Dec 10, 2003):
smtp-sbc-v1.mail.vip.sc5.yahoo.com user@yourSBC.domain:passwd
Then you need to postmap /etc/postfix/sasl_passwd to update
sasl_passwd.db (or just run SuSEconfig in SuSE). Since I am new to
postfix I do not know how to get verbose output of what it is doing, but
either your mail logs should tell you if it sent successfully, or the
bounce error will tell you why not, if your return address is valid.
NOTE:
DNS for smtp.*.yahoo.com may change occasionally. If it was
working and stops working, check DNS to see what your smtp.*.yahoo.com
points to.
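One way to act on the DNS notes in both the sendmail and postfix sections, as an added example that is not from the original page: list the names the relay currently resolves through, report any that have no entry in the credentials file, and confirm the file is still root-owned with mode 600. It assumes dig is installed; the function names are illustrative.

```shell
#!/bin/sh
# Added example: keep the credentials file in step with the relay's DNS.
# Function names are illustrative; relay_names needs network access and dig.

# Names in the relay's CNAME chain (IP address lines are dropped).
relay_names() {         # $1=relay, e.g. smtp.ameritech.yahoo.com
    dig +short "$1" | grep -v '^[0-9.]*$' | sed 's/\.$//'
}

# Print each name ($2...) that has no credential entry in file $1.
# Accepts both formats shown on this page:
#   sendmail 8.12 authinfo:  AuthInfo:<host> "U:..." "I:..." "P:..."
#   postfix sasl_passwd:     <host> user@domain:passwd
missing_entries() {
    file=$1; shift
    for name in "$@"; do
        pat=$(printf '%s' "$name" | sed 's/\./\\./g')   # escape dots
        grep -Eq "^(AuthInfo:)?${pat}[[:space:]]" "$file" \
            || printf '%s\n' "$name"
    done
}

# True if the file mode is exactly 600 (owner read/write only).
mode_is_600() {         # $1=file
    [ -n "$(find "$1" -prune -perm 600)" ]
}

# True if the file is owned by root.
root_owned() {          # $1=file
    [ -n "$(find "$1" -prune -user root)" ]
}
```

For example, missing_entries /etc/postfix/sasl_passwd $(relay_names smtp.ameritech.yahoo.com) prints the names that still need a line; after adding them, rerun postmap or SuSEconfig as described above.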
efflandt@ameritech.net