Problems getting SMTP AUTH with sendmail to work

Post by Chris Sheppa » Fri, 18 Oct 2002 18:54:28



I've tried reading all the docs for implementing SMTP AUTH and it
almost works but I'm not quite there. I've installed the latest port
'sendmail-sasl' on a fresh freebsd install of 4.7. I followed the
instructions at the end so that I'm now running the new sasl sendmail
rather than the one installed by default. I've stepped through the
configuration instructions in:

http://www.sendmail.org/~ca/email/auth.html

and here follow the tests

running 'sendmail -d0.1 -bv root | grep SASL' produces:

NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL

which presumably is correct. I then ran the test through telnet:

-bash-2.05b$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.foobar.net.
Escape character is '^]'.
220 mail.foobar.net ESMTP Sendmail 8.12.6/8.12.6; Thu, 17 Oct 2002 09:32:11 +0100 (BST)
ehlo localhost
250-mail.foobar.net Hello localhost.foobar.net [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.foobar.net closing connection
Connection closed by foreign host.
-bash-2.05b$

This already shows an error, because the AUTH line ought to be

250 AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5

because my sendmail.cf file has been created with a freebsd.mc file
which contains the following lines:

TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')
define(`confAUTH_MECHANISMS', `PLAIN LOGIN DIGEST-MD5 CRAM-MD5')

My '/usr/local/lib/sasl/Sendmail.conf' file contains just the line:

pwcheck_method: sasldb

and I have added one user (machine) to the sasldb. The sasldblistusers
command produces:

user: machine realm: mail.foobar.net mech: PLAIN-APOP
user: machine realm: mail.foobar.net mech: DIGEST-MD5
user: machine realm: mail.foobar.net mech: PLAIN
user: machine realm: mail.foobar.net mech: CRAM-MD5

I would have thought I should have also got a line like:

user: machine realm: mail.foobar.net mech: LOGIN

Now, when I try and authenticate user 'machine' with the password
'system0', I get the following:

AUTH LOGIN
334 VXNlcm5hbWU6
bWFjaGluZQ==
334 UGFzc3dvcmQ6
c3lzdGVtMA==
535 5.7.0 authentication failed

In the /var/log/messages file, I do get the following suspicious
lines:

Oct 15 22:57:53 mail sm-mta[789]: KERBEROS_V4: can't access srvtab file /etc/srvtab: No such file or directory
Oct 15 22:57:53 mail sm-mta[789]: add_plugin(/usr/local/lib/sasl/libkerberos4.so) failed: generic failure

The auth.html file suggests the following test:

sendmail -O LogLevel=14 -bs -Am
EHLO localhost
QUIT

After doing it, the following lines appear in the maillog file:

Oct 17 10:32:48 mail sendmail[3026]: gethostbyaddr(IPv6:::1) failed: 1
Oct 17 10:32:48 mail sendmail[3026]: error: safesasl(/usr/local/etc/sasldb.db) failed: Group readable file
Oct 17 10:32:48 mail sendmail[3026]: NOQUEUE: connect from

Oct 17 10:32:48 mail sendmail[3026]: STARTTLS: ServerCertFile missing
Oct 17 10:32:48 mail sendmail[3026]: AUTH: available mech=LOGIN PLAIN ANONYMOUS, allowed mech=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
Oct 17 10:32:48 mail sendmail[3026]: g9H9WmD9003026: Milter: no active filter

did not issue MAIL/EXPN/VRFY/ETRN during connection to stdin

The /usr/local/etc/ directory looks like this:

drwxr-xr-x   3 root   wheel     512 Oct 14 13:10 .
drwxr-xr-x  13 root   wheel     512 Oct 14 13:12 ..
-rw-r--r--   1 root   wheel  135435 Oct  5 12:59 lynx.cfg
-rw-r--r--   1 root   wheel  135435 Oct  5 12:59 lynx.cfg.default
drwxr-xr-x   2 root   wheel     512 Oct 14 13:14 rc.d
-rw-r-----   1 cyrus  mail    16384 Oct 15 12:57 sasldb.db

and indeed sasldb.db is a group readable file. Because of the above
error, I thought there might be a problem with the permissions of the
sasldb.db file. However, when I remove the group permissions, it says
permission denied, if I add world readable instead of group readable
it fails with the error 'world readable file' - I can't win!

Sorry if this is something easy, but I'm afraid that although I can
see there are problems, I don't know what to do next.

Any help will be much appreciated.

 
 
 

Post by Nick Hilliar » Fri, 18 Oct 2002 19:13:26


> 220 mail.foobar.net ESMTP Sendmail 8.12.6/8.12.6; Thu, 17 Oct 2002

Sorry in advance for not being of any help, but if you're using dummy domains,
please don't use foobar.{com,net,org}.  They are real domains and belong to real
people.  The domains "example.{com,net,org}" should be used for this purpose.

Nick
(owner of foobar.org, and recipient of lots of silly emails from people testing
their systems)

 
 
 

Post by Richard Tob » Fri, 18 Oct 2002 22:29:57




> (owner of foobar.org, and recipient of lots of silly emails from people
> testing their systems)

And you somehow failed to think of this when choosing your domain?

-- Richard
--
Spam filter: to mail me from a .com/.net site, put my surname in the headers.

FreeBSD rules!

 
 
 

Post by Henri Henneber » Mon, 21 Oct 2002 00:27:19



> I've tried reading all the docs for implementing SMTP AUTH and it
> almost works but I'm not quite there. I've installed the latest port
> 'sendmail-sasl' on a fresh freebsd install of 4.7. I followed the
> instructions at the end so that I'm now running the new sasl sendmail
> rather than the one installed by default. I've stepped through the
> configuration instructions in:

--- clip ---

> drwxr-xr-x   3 root   wheel     512 Oct 14 13:10 .
> drwxr-xr-x  13 root   wheel     512 Oct 14 13:12 ..
> -rw-r--r--   1 root   wheel  135435 Oct  5 12:59 lynx.cfg
> -rw-r--r--   1 root   wheel  135435 Oct  5 12:59 lynx.cfg.default
> drwxr-xr-x   2 root   wheel     512 Oct 14 13:14 rc.d
> -rw-r-----   1 cyrus  mail    16384 Oct 15 12:57 sasldb.db

> and indeed sasldb.db is a group readable file. Because of the above
> error, I thought there might be a problem with the permissions of the
> sasldb.db file. However, when I remove the group permissions, it says
> permission denied, if I add world readable instead of group readable
> it fails with the error 'world readable file' - I can't win!

You should do:

chown root:wheel /usr/local/etc/sasldb.db
chmod 600 /usr/local/etc/sasldb.db

from http://www.sendmail.org/~ca/email/auth.html
 ...

Create a sasldb password file using saslpasswd if you use any mechanism
(CRAM-MD5, DIGEST-MD5, PLAIN if pwcheck_method: sasldb is used in the
.conf file) that requires it. BTW: sendmail requires sasldb to be
_owned_ _by_ _root_ or the trusted user and _not_ _be_ _readable_ by
anyone else since the file contains sensitive data (shared secrets). If
there is a conflict with other applications that need to read it too,
you can try a trick.

Henri

> Sorry if this is something easy, but I'm afraid that although I can
> see there are problems, I don't know what to do next.

> Any help will be much appreciated.
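
The ownership and mode rule quoted from auth.html in the reply above, written as a check that can be run before restarting sendmail. This is an added example, not part of the original thread; `check_sasldb` and its optional second argument (the trusted user, for sites that configure one) are names assumed here.

```shell
#!/bin/sh
# Added example: audit a sasldb file against the rule quoted from auth.html
# (owned by root or the trusted user, no access for group or others).
# check_sasldb and its arguments are names made up for this example.

check_sasldb() {
    file=$1
    trusted=${2:-root}      # assumption: pass your trusted user here if set

    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 2
    fi

    # ls -ld is used instead of stat(1) because stat's flags differ between
    # FreeBSD and GNU; the fields are: mode, links, owner, group, ...
    set -- $(ls -ld "$file")
    mode=$1
    owner=$3

    rc=0
    case $owner in
        root|"$trusted") ;;
        *) echo "bad owner: $owner (want root or $trusted)"; rc=1 ;;
    esac

    # Characters 5-10 of the mode string are the group and other bits;
    # any of them set reproduces the "Group/world readable file" refusal.
    rest=${mode#????}
    group_other=$(printf '%.6s' "$rest")
    if [ "$group_other" != "------" ]; then
        echo "too permissive: $mode (want -rw-------)"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "ok: $file $mode $owner"
    return "$rc"
}
```

Run as `check_sasldb /usr/local/etc/sasldb.db`; the listing in the question (`-rw-r----- cyrus mail`) fails both the owner and the mode test.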

 
 
 

Post by Chris Sheppa » Tue, 22 Oct 2002 08:16:52



> You should do:

> chown root:wheel /usr/local/etc/sasldb.db
> chmod 600 /usr/local/etc/sasldb.db

Thank you very much Henri, this worked like a dream.

Chris

 
 
 

1. problem in understanding sendmail/cf SMTP auth (Solaris 8 Sendmail 8.10) Please Explain

I want to set up a mail server like a provider wants to have.
The machine is an INTEL SOLARIS 8, sendmail is 8.10 like on the
companion CD.
It shall accept mails for local domains but "external" users who want
to SMTP shall be allowed to do this if they are "customers" which they
can prove with user password.
I have problems with the following part of the documentation.

sendmail/cf says:
Document:
[
Requiring SMTP AUTH for all mails is in general a bad idea, because
then you cannot receive mails from other users (since they cannot
authenticate). So you must do this only on a server that is solely
intended for your own users to send mail, not for a publically
advertised (via MX records) server.
]

How to do this?
My mailserver is public via MX-records. Outgoing mails (mails to all
domains different from the local ones) shall require SMTP-auth,
mails to the local domains must be received.
Mails from outside must come in without SMTP-auth, because other
mailservers can't authorize themselves which should be clear- so the
local domains are allowed to relay to. So far i understood all this i
CANNOT remove them from the list of local domains (class R).
Or is there another possible solution?

Summary to clarify the problem:
The collected facts and functionality is:

1.)Domain "mydomain1" and "mydomain2" shall receive mail from all the
world, (works now)
2.)customers shall be able to receive it with POP3 (Qpopper is
running) ,(works now)
3.)all the world shall be able to send mails to this server for the
"mydomains" (works now)
4.)local users shall be able to send mail to all the world (works now
with ip-restriction)(optional with no auth ..)

new item:
5.)(Our) users being outside the local network shall be able to send
mail to all the world after authorisation (does not work until now)

For "3.)" to work, as i understood, relaying to local domains must be
allowed absolutely unrestricted, because other mailserver log in on
port 25 and SMTP to the local domain.

Has someone an idea how to configure that all together?

Is it possible what i want to configure or do i have to decide between
auth7 and access-file?

Is the standard-Sendmail from the companion CD ready for SMTP auth or
do i have to rebuild????

Thank you , desperately waiting for hints
Ric
