Very Computer

http://www.sendmail.org/~ca/email/auth.html

and here follows the tests

running 'sendmail -d0.1 -bv root | grep SASL' produces:

NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL

which presumably is correct. I then ran the test through telnet:

-bash-2.05b$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.foobar.net.
Escape character is '^]'.
220 mail.foobar.net ESMTP Sendmail 8.12.6/8.12.6; Thu, 17 Oct 2002
09:32:11 +0100 (BST)
ehlo localhost
250-mail.foobar.net Hello localhost.foobar.net [127.0.0.1], pleased to
meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.foobar.net closing connection
Connection closed by foreign host.
-bash-2.05b$

This already shows an error, because the AUTH line ought to be

250 AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5

because my sendmail.cf file has been created with a freebsd.mc file
which contains the following lines:

TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')
define(`confAUTH_MECHANISMS', `PLAIN LOGIN DIGEST-MD5 CRAM-MD5')

My '/usr/local/lib/sasl/Sendmail.conf' file contains just the line:

pwcheck_method: sasldb

and I have added one user (machine) to the sasldb. The sasldblistusers
command produces:

user: machine realm: mail.foobar.net mech: PLAIN-APOP
user: machine realm: mail.foobar.net mech: DIGEST-MD5
user: machine realm: mail.foobar.net mech: PLAIN
user: machine realm: mail.foobar.net mech: CRAM-MD5

I would have thought I should have also got a line like:

user: machine realm: mail.foobar.net mech: LOGIN

Now, when I try and authenticate user 'machine' with the password
'system0', I get the following:

AUTH LOGIN
334 VXNlcm5hbWU6
bWFjaGluZQ==
334 UGFzc3dvcmQ6
c3lzdGVtMA==
535 5.7.0 authentication failed

In the /var/log/messages file, I do get the following suspicious
lines:

Oct 15 22:57:53 mail sm-mta[789]: KERBEROS_V4: can't access srvtab
file /etc/srvtab: No such file or directory
Oct 15 22:57:53 mail sm-mta[789]:
add_plugin(/usr/local/lib/sasl/libkerberos4.so) failed: generic
failure

The auth.hrml file suggests the following test:

sendmail -O LogLevel=14 -bs -Am
EHLO localhost
QUIT

After doing it, the following lines appear in the maillog file:

Oct 17 10:32:48 mail sendmail[3026]: gethostbyaddr(IPv6:::1) failed: 1
Oct 17 10:32:48 mail sendmail[3026]: error:
safesasl(/usr/local/etc/sasldb.db) failed: Group readable file
Oct 17 10:32:48 mail sendmail[3026]: NOQUEUE: connect from

Oct 17 10:32:48 mail sendmail[3026]: STARTTLS: ServerCertFile missing
Oct 17 10:32:48 mail sendmail[3026]: AUTH: available mech=LOGIN PLAIN
ANONYMOUS, allowed mech=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
Oct 17 10:32:48 mail sendmail[3026]: g9H9WmD9003026: Milter: no active
filter

did not issue MAIL/EXPN/VRFY/ETRN during connection to stdin

The /usr/local/etc/ directory looks like this:

drwxr-xr-x   3 root   wheel     512 Oct 14 13:10 .
drwxr-xr-x  13 root   wheel     512 Oct 14 13:12 ..
-rw-r--r--   1 root   wheel  135435 Oct  5 12:59 lynx.cfg
-rw-r--r--   1 root   wheel  135435 Oct  5 12:59 lynx.cfg.default
drwxr-xr-x   2 root   wheel     512 Oct 14 13:14 rc.d
-rw-r-----   1 cyrus  mail    16384 Oct 15 12:57 sasldb.db

and indeed sasldb.db is a group readable file. Because of the above
error, I thought there might be a problem with the permissions of the
sasldb.db file. However, when I remove the group permissions, it says
permission denied, if I add world readable instead of group readable
it fails with the error 'world readable file' - I can't win!

Sorry if this is something easy, but I'm afraid that although I can
see there are problems, I don't know what to do next.

Any help will be much appreciated.

Quote:> 220 mail.foobar.net ESMTP Sendmail 8.12.6/8.12.6; Thu, 17 Oct 2002

Nick
(owner of foobar.org, and recipient of lots of silly emails from people testing
their systems)

Quote:>(owner of foobar.org, and recipient of lots of silly emails from people
>testing their systems)

-- Richard
--
Spam filter: to mail me from a .com/.net site, put my surname in the headers.

FreeBSD rules!

Quote:> drwxr-xr-x   3 root   wheel     512 Oct 14 13:10 .
> drwxr-xr-x  13 root   wheel     512 Oct 14 13:12 ..
> -rw-r--r--   1 root   wheel  135435 Oct  5 12:59 lynx.cfg
> -rw-r--r--   1 root   wheel  135435 Oct  5 12:59 lynx.cfg.default
> drwxr-xr-x   2 root   wheel     512 Oct 14 13:14 rc.d
> -rw-r-----   1 cyrus  mail    16384 Oct 15 12:57 sasldb.db

> and indeed sasldb.db is a group readable file. Because of the above
> error, I thought there might be a problem with the permissions of the
> sasldb.db file. However, when I remove the group permissions, it says
> permission denied, if I add world readable instead of group readable
> it fails with the error 'world readable file' - I can't win!

chown root:wheel /usr/local/etc/sasldb
chmod 600 /usr/local/etc/sasldb

from http://www.sendmail.org/~ca/email/auth.html
 ...

Create a sasldb password file using saslpasswd if you use any mechanism
(CRAM-MD5, DIGEST-MD5, PLAIN if pwcheck_method: sasldb is used in the
.conf file) that requires it. BTW: sendmail requires sasldb to be
_owned_ _by_ _root_ or the trusted user and _not_ _be_ _readable_ by
anyone else since the file contains sensitive data (shared secrets). If
there is a conflict with other applications that need to read it too,
you can try a trick.

Henri

Quote:

> Sorry if this is something easy, but I'm afraid that although I can
> see there are problems, I don't know what to do next.

> Any help will be much appreciated.

Chris