Linux, Unix, and *nix like Operating Systems Forum

    
Sendmail, saslauthd and SMTP AUTH
Semi-long post with details ... sorry ... What's wrong with my setup?
StupidScript

msg:3506197
10:40 pm on Nov 15, 2007 (gmt 0)

This long-ish post includes config settings, log entries and whatnot as I attempt to set up SMTP AUTH on my Fedora Core 4 server.
I just can't seem to get the AUTH services running ... any and all help is greatly appreciated.

1) MY SENDMAIL IS COMPILED WITH (note STARTTLS and SASLv2):

sendmail -d0.1 -bv
Version 8.13.7
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = mail
(canonical domain name) $j = mail.example.com
(subdomain name) $m = example.com
(node name) $k = mail.example.com
========================================================

2) MY sendmail.cf FILE IS LOCATED:

sendmail -d0.20 -bv | grep sendmail.cf
Conf file: /etc/mail/sendmail.cf (default for MTA)
Conf file: /etc/mail/sendmail.cf (selected)

3) RELEVANT sendmail.mc ENTRIES (yes, I m4'd it to sendmail.cf, and the cert is in there):

define(`confAUTH_OPTIONS',`A p y')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confCACERT_PATH',`/etc/pki/tls/certs')dnl
define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl

I LEFT THIS COMMENTED OUT:

dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

4) CONTENTS OF /usr/lib/sasl2:

libanonymous.la
libanonymous.so -> libanonymous.so.2.0.20
libanonymous.so.2 -> libanonymous.so.2.0.20
libanonymous.so.2.0.20
libcrammd5.la
libcrammd5.so -> libcrammd5.so.2.0.20
libcrammd5.so.2 -> libcrammd5.so.2.0.20
libcrammd5.so.2.0.20
libdigestmd5.la
libdigestmd5.so -> libdigestmd5.so.2.0.20
libdigestmd5.so.2 -> libdigestmd5.so.2.0.20
libdigestmd5.so.2.0.20
liblogin.la
liblogin.so -> liblogin.so.2.0.20
liblogin.so.2 -> liblogin.so.2.0.20
liblogin.so.2.0.20
libplain.la
libplain.so -> libplain.so.2.0.20
libplain.so.2 -> libplain.so.2.0.20
libplain.so.2.0.20
libsasldb.la
libsasldb.so -> libsasldb.so.2.0.20
libsasldb.so.2 -> libsasldb.so.2.0.20
libsasldb.so.2.0.20
Sendmail.conf

CONTENTS OF Sendmail.conf:

pwcheck_method: saslauthd
mech_list: plain login
saslauthd_path: /var/run/saslauthd

(I added the last 2 lines per various instructions.)

5) I THEN DID:

service sendmail restart
service saslauthd start

6) ps wax SHOWS 5 saslauthd PROCESSES, EACH READS:

/usr/sbin/saslauthd -m /var/run/saslauthd -a pam

7) SENDMAIL SERVICE TEST OUTPUT:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.example.com ESMTP Sendmail 8.13.7/8.13.7; Thu, 15 Nov 2007 17:01:26 -0500
ehlo localhost
250-mail.example.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP

8) /var/log/maillog SHOWS:

sendmail[20684]: NOQUEUE: connect from localhost.localdomain [127.0.0.1]
sendmail[20684]: AUTH warning: no mechanisms
sendmail[20684]: lAFM3saq020684: Milter: no active filter

("AUTH warning: no mechanisms" seemed odd, so I removed "mech_list" from saslauthd's Sendmail.conf)

9) NOW I GET THE SAME TEST OUTPUT AS ABOVE, BUT maillog INCLUDES:

sendmail[20792]: NOQUEUE: connect from localhost.localdomain [127.0.0.1]
sendmail[20792]: AUTH: available mech=DIGEST-MD5 CRAM-MD5, allowed mech=LOGIN PLAIN
sendmail[20792]: lAFMAZA1020792: Milter: no active filter

Note the second line ... "available mech" does not include LOGIN or PLAIN. Hmmm. Those are the ONLY 2 mechs included in sendmail.cf, and both are included in the sasl2 libraries.

10) AS A TEST, I RESTARTED sendmail WITH A TEMP LOG:

sendmail -bD -X /tmp/test.log

HERE IS THE OUTPUT FROM A TEST SMTP SEND FROM MY CLIENT, NO LOGIN (I'm not in relay-domains for this test):

20956 >>> 220 mail.example.com ESMTP Sendmail 8.13.7/8.13.7; Thu, 15 Nov 2007 17:23:00 -0500
20956 <<< EHLO mycomputer^M
20956 >>> 250-mail.example.com Hello [MY.IPA.DDR.ESS], pleased to meet you
20956 >>> 250-ENHANCEDSTATUSCODES
20956 >>> 250-PIPELINING
20956 >>> 250-8BITMIME
20956 >>> 250-SIZE
20956 >>> 250-DSN
20956 >>> 250-ETRN
20956 >>> 250-STARTTLS
20956 >>> 250-DELIVERBY
20956 >>> 250 HELP
20956 <<< RSET^M
20956 >>> 250 2.0.0 Reset state
20956 <<< MAIL FROM:<me@example.com>^M
20956 >>> 250 2.1.0 <me@example.com>... Sender ok
20956 <<< RCPT TO:<test@anotherdom.com>^M
20956 >>> 550 5.7.1 <test@anotherdom.com>... Relaying denied. IP name lookup failed [MY.IPA.DDR.ESS]
20956 <<< [EOF]
20956 >>> 421 4.4.1 mail.example.com Lost input channel from [MY.IPA.DDR.ESS]

AND FROM maillog:

sendmail[20956]: NOQUEUE: connect from [MY.IPA.DDR.ESS]
sendmail[20956]: AUTH: available mech=DIGEST-MD5 CRAM-MD5, allowed mech=LOGIN PLAIN
sendmail[20956]: lAFMN0Q1020956: Milter: no active filter
sendmail[20956]: lAFMN0Q2020956: ruleset=check_rcpt, arg1=<test@anotherdom.com>, relay=[MY.IPA.DDR.ESS], reject=550 5.7.1 <test@anotherdom.com>... Relaying denied. IP name lookup failed [MY.IPA.DDR.ESS]
sendmail[20956]: lAFMN0Q2020956: lost input channel from [MY.IPA.DDR.ESS] to MTA after rcpt
sendmail[20956]: lAFMN0Q2020956: from=<me@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[MY.IPA.DDR.ESS]

"available mech" HAS GOT TO BE COMING FROM SOMEWHERE ... IF NOT /usr/lib/saslauthd AND sendmail.cf, THEN FROM WHERE?

HERE IS THE OUTPUT FROM A TEST SMTP SEND FROM MY CLIENT, WITH LOGIN (User supplied, plain text):

21097 >>> 220 mail.example.com ESMTP Sendmail 8.13.7/8.13.7; Thu, 15 Nov 2007 17:28:31 -0500
21097 <<< EHLO mycomputer^M
21097 >>> 250-mail.example.com Hello [MY.IPA.DDR.ESS], pleased to meet you
21097 >>> 250-ENHANCEDSTATUSCODES
21097 >>> 250-PIPELINING
21097 >>> 250-8BITMIME
21097 >>> 250-SIZE
21097 >>> 250-DSN
21097 >>> 250-ETRN
21097 >>> 250-STARTTLS
21097 >>> 250-DELIVERBY
21097 >>> 250 HELP
21097 <<< [EOF]
21097 >>> 421 4.4.1 mail.example.com Lost input channel from [MY.IPA.DDR.ESS]

AND FROM maillog:

sendmail[21097]: NOQUEUE: connect from [MY.IPA.DDR.ESS]
sendmail[21097]: AUTH: available mech=DIGEST-MD5 CRAM-MD5, allowed mech=LOGIN PLAIN
sendmail[21097]: lAFMSV66021097: Milter: no active filter
sendmail[21097]: lAFMSV66021097: [MY.IPA.DDR.ESS] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

11) It seems clear that sendmail is not using saslauthd. My client (Calypso) reports "The server does not support any secure password authentication providers", and we can see that there is no "AUTH" in any of the exchanges.

Thanks in advance for shedding any light on this.
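An added example, not part of the post above or of sendmail itself, to turn the check the poster did by hand in steps 7 and 10 into something repeatable. The pattern in the logs (SASL reports DIGEST-MD5 and CRAM-MD5 as available, sendmail lists LOGIN and PLAIN as allowed, and no AUTH line is ever advertised on a cleartext session) is what sendmail's `p` flag in `confAUTH_OPTIONS` produces: PLAIN and LOGIN are withheld until a security layer such as STARTTLS is active, so a telnet to port 25 without STARTTLS cannot show them. The script parses EHLO replies (the three replies below are constructed samples, modelled on the one in the post), compares the capability set before and inside TLS, and flags the two things a defender cares about: password mechanisms offered in the clear, and a server that offers no AUTH even once encrypted. `probe_live` does the same against a real host with `smtplib` and is the only part that touches the network.

```python
import re
import smtplib
import ssl
from typing import Dict, List, Optional

Caps = Dict[str, List[str]]

# Constructed sample, modelled on the EHLO reply in the post: STARTTLS offered, no AUTH line.
EHLO_CLEARTEXT = """250-mail.example.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP"""

# Constructed sample: what a server with confAUTH_OPTIONS `A p y` answers to a second
# EHLO sent inside the TLS session, where the `p` option now lets PLAIN/LOGIN be offered.
EHLO_INSIDE_TLS = """250-mail.example.com Hello [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP"""

# Constructed sample of a weak configuration: password mechanisms offered in the clear.
EHLO_LEAKY = """250-mail.example.com Hello [192.0.2.10], pleased to meet you
250-AUTH LOGIN PLAIN
250-STARTTLS
250 HELP"""

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply: str) -> Caps:
    """Turn a raw multi-line EHLO reply into {KEYWORD: [params]}.

    The first 250- line is the greeting (hostname plus "Hello ..."), not a capability.
    """
    caps: Caps = {}
    for line in reply.splitlines()[1:]:
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line.rstrip("\r"))
        if not m:
            raise ValueError(f"malformed EHLO line: {line!r}")
        keyword, params = m.group(1).upper(), m.group(2) or ""
        caps[keyword] = [p.upper() for p in params.split()]
    return caps


def assess(before: Caps, after: Optional[Caps] = None) -> dict:
    """Compare capabilities seen on the cleartext session with those seen inside TLS."""
    auth_before = before.get("AUTH", [])
    auth_after = (after or {}).get("AUTH", [])
    exposed = sorted(PLAINTEXT_MECHS & set(auth_before))
    findings: List[str] = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered: any AUTH would send credentials in the clear")
    if exposed:
        findings.append(f"plaintext mechanisms {exposed} advertised before STARTTLS")
    if not auth_before and after is None:
        findings.append("no AUTH on the cleartext session; sendmail's 'p' option hides "
                        "PLAIN/LOGIN until a security layer is up, so re-check inside TLS")
    if after is not None and not auth_after:
        findings.append("no AUTH even inside TLS: the MTA is not obtaining mechanisms from SASL")
    return {
        "auth_before_tls": auth_before,
        "auth_after_tls": auth_after,
        "plaintext_exposed": exposed,
        "findings": findings,
    }


def caps_from_smtplib(features: Dict[str, str]) -> Caps:
    """smtplib stores EHLO keywords lowercase with one param string; normalise to Caps."""
    return {k.upper(): v.upper().split() for k, v in features.items()}


def probe_live(host: str, port: int = 587, context: Optional[ssl.SSLContext] = None) -> dict:
    """Run the same assessment against a real server (network; not exercised by the test)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = caps_from_smtplib(smtp.esmtp_features)
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=context or ssl.create_default_context())
            smtp.ehlo()  # capabilities must be re-read inside the TLS session
            after = caps_from_smtplib(smtp.esmtp_features)
    return assess(before, after)


if __name__ == "__main__":
    for label, pre, post in [("cleartext only", EHLO_CLEARTEXT, None),
                             ("with STARTTLS", EHLO_CLEARTEXT, EHLO_INSIDE_TLS),
                             ("leaky", EHLO_LEAKY, None)]:
        result = assess(parse_ehlo(pre), parse_ehlo(post) if post else None)
        print(label, "->", result["findings"] or ["OK"])
```

Run as-is it reports on the three constructed samples; `probe_live("mail.example.com")` repeats the comparison against a real server. `ssl.create_default_context()` verifies the certificate and hostname, so for a self-signed `sendmail.pem` like the one in the post you would pass a context that has that certificate loaded via `load_verify_locations`, rather than disabling verification.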
