When sendmail is compiled with SASL defined, authenticated connections can be supported. Negotiating an authenticated connection requires the following information, in this order:

  • The user id is the identifier sendmail uses to check allowable permissions. In general this should never be root.

  • The authorization id is the identifier of the user allowed to set up the connection. In general this should never be root.

  • The password is the clear text password used to authorize the mail connection. This should be a password dedicated to this use, not the plain text copy of the user's password.

  • The realm is the administrative zone for authentication. In general this should be your DNS domain. If no realm is specified (this item is blank), sendmail will substitute the value of the $j macro.

  • The mechanism is the preferred mechanism for connection authentication. This should match one of the mechanisms listed in the AuthMechanisms option.

This information can be stored either in a file where the items are listed one per line in the order shown, or in a program that is run and that prints these items to its standard output, one per line in the order shown. A program is a path specification prefixed with a vertical bar character. A file is a path specification not prefixed. The DefaultAuthInfo option is declared like this:

O DefaultAuthInfo=path                  configuration file (V8.10 and later) 
-ODefaultAuthInfo=path                  command line (V8.10 and later) 
define(`confDEF_AUTH_INFO',`path')      mc configuration (V8.10 and later) 

The file or program specified by path must live in a secure directory (that is, one in which every component is writable only by root or the trusted user specified in the TrustedUser option), and must be readable or executable only by root or the user listed in the TrustedUser option. This option is not declared in the default configuration file generated by the mc configuration technique. The recommended path for the file form is /etc/mail/default-auth-info. No programs currently exist which can provide the information that is currently provided by the file.
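The following Python audit of a file-form DefaultAuthInfo is an added example, not code from the original text or from sendmail. It checks the five items and the ownership and permission rules described above. The function names, the finding strings, and the requirement that all five lines be present are assumptions of this example; the caller supplies the TrustedUser uid and the AuthMechanisms list.

```python
import os

FIELDS = ("user_id", "authorization_id", "password", "realm", "mechanism")

def check_contents(text, auth_mechanisms):
    """Check the five one-per-line items; the password is never echoed."""
    lines = text.splitlines()
    if len(lines) != len(FIELDS):  # assumption: all five lines must be present
        return [f"expected {len(FIELDS)} lines, found {len(lines)}"]
    info = dict(zip(FIELDS, (line.strip() for line in lines)))
    findings = [f"{name} is root" for name in FIELDS[:2] if info[name] == "root"]
    if not info["password"]:
        findings.append("password is empty")
    if not info["realm"]:
        findings.append("realm is blank: sendmail will substitute $j")
    if info["mechanism"].upper() not in {m.upper() for m in auth_mechanisms}:
        findings.append("mechanism is not listed in AuthMechanisms")
    return findings

def check_file(path, allowed_uids):
    """The file must be owned by, and accessible only to, root or TrustedUser."""
    st = os.stat(path)
    findings = []
    if st.st_uid not in allowed_uids:
        findings.append(f"{path}: owner uid {st.st_uid} is not root or TrustedUser")
    if st.st_mode & 0o077:  # any group or other permission bit
        findings.append(f"{path}: group or other has access")
    return findings

def check_directories(path, allowed_uids):
    """Every path component must be writable only by root or TrustedUser."""
    findings = []
    directory = os.path.dirname(os.path.realpath(path))
    while True:
        st = os.stat(directory)
        if st.st_uid not in allowed_uids or st.st_mode & 0o022:
            findings.append(f"{directory}: writable by someone other than root or TrustedUser")
        parent = os.path.dirname(directory)
        if parent == directory:  # reached the root directory
            return findings
        directory = parent

def audit(path, trusted_uid, auth_mechanisms):
    """Run all checks; an empty list means no finding under these rules."""
    allowed_uids = {0, trusted_uid}
    with open(path) as handle:
        text = handle.read()
    return (check_directories(path, allowed_uids) + check_file(path, allowed_uids)
            + check_contents(text, auth_mechanisms))
```
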

Note that this DefaultAuthInfo option was introduced in V8.10 and declared deprecated in V8.12. Its functionality has been replaced by the access database (Section 10.9.3) and the authinfo feature (FEATURE(authinfo)).

The DefaultAuthInfo option is not safe. If specified from the command line, it can cause sendmail to relinquish its special privileges.

