
Trying to setup SMTP AUTH


w0lver

May 20, 2004, 11:12:12 AM
I am running RedHat 9, and trying to get sendmail to do authorization.
I found a couple of really good HowTos but when I follow the
instructions, and the final verification comes down, bang, I never see
AUTH in the EHLO... Here's what I got:
sendmail 8.12.8

In my sendmail.mc I have:

define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

I do a m4 sendmail.mc > sendmail.cf

telnet to the localhost 25 and do an EHLO:
250-www1.mydomain.com Hello [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP

Then I try the following:
AUTH LOGIN
504 5.3.3 AUTH mechanism LOGIN not available

This might help too:
[root@www1 mail]# sendmail -d0.1 -bv
Version 8.12.8
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET
NETINET6
NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS
TCPWRAPPERS
USERDB USE_LDAP_INIT

Any ideas on what I am missing??
Thanks,
Ross

Alexander Dalloz

May 20, 2004, 11:58:53 AM

> Ross

Did you install the cyrus-sasl RPMs? Do you have the sendmail-cf RPM
installed so that the sendmail.cf file is really freshly created? Did you
service sendmail restart? Increase the log level with
define(`confLOG_LEVEL', `15')dnl in sendmail.mc and check the
/var/log/maillog when starting Sendmail and when connecting the daemon.

Alexander


--
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653

Claus Aßmann

May 20, 2004, 12:04:10 PM
w0lver wrote:

> sendmail 8.12.8

Upgrade to 8.12.11, versions older than 8.12.10 have security
problems: http://www.sendmail.org/

> define(`confAUTH_OPTIONS', `A')dnl
> TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

> AUTH LOGIN


> 504 5.3.3 AUTH mechanism LOGIN not available

Increase logging and try again, see:

http://www.sendmail.org/~ca/email/auth.html

Then check the logfile, it should tell you what's missing.
--
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Alexander Dalloz

May 20, 2004, 12:33:35 PM
On Thu, 20 May 2004 16:04:10 +0000 Claus Aßmann wrote:

>> sendmail 8.12.8
>
> Upgrade to 8.12.11, versions older than 8.12.10 have security
> problems: http://www.sendmail.org/

As long as he installed the bug fixing packages for Sendmail for Redhat 9
his Sendmail is patched against the vulnerabilities discovered last year.

Rob MacGregor

May 20, 2004, 1:49:08 PM
w0lver wrote:
> Then I try the following:
> AUTH LOGIN
> 504 5.3.3 AUTH mechanism LOGIN not available

AFAIK the default for the cyrus SASL libraries is to not support LOGIN.
You may have to install a different RPM or build from source.

--
Rob MacGregor (BOFH) Oh my God! They killed init! You bastards!

What are they? Zombies.
Are they dead? No, they're undead.
So they're like you? No, zombies are slow, dim-witted,
evil undead beings.
So, they're like you?

w0lver

May 20, 2004, 6:54:42 PM
Rob MacGregor <m...@privacy.net> wrote in message news:<c8ir09$ukg$2...@carbon.macgregor>...

> w0lver wrote:
> > Then I try the following:
> > AUTH LOGIN
> > 504 5.3.3 AUTH mechanism LOGIN not available
>
> AFAIK the default for the cyrus SASL libraries is to not support LOGIN.
> You may have to install a different RPM or build from source.

OK, I was trying a total rebuild so I could make sure SASL was
configured correctly but now I cannot compile sendmail.
I did the SASL configure like this:

./configure --prefix=/usr --enable-login


my site.config.m4:

APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL -DSTARTTLS')dnl
APPENDDEF(`conf_sendmail_LIBS', `-lsasl -lssl')dnl
APPENDDEF(`confLIBDIRS', `-L/usr/lib/sasl2')
APPENDDEF(`confINCDIRS', `-I/usr/include/sasl')
APPENDDEF(`confINCDIRS', `-I/usr/include')
APPENDDEF(`confINCDIRS', `-I/usr/kerberos/include')
APPENDDEF(`confLIBDIRS', `-L/usr/kerberos/lib')


and when I do a sh Build -c I get:

cc -o sendmail -L/usr/lib/sasl2 -L/usr/kerberos/lib main.o alias.o
arpadate.o bf.o collect.o conf.o control.o convtime.o daemon.o
deliver.o domain.o envelope.o err.o headers.o macro.o map.o mci.o
milter.o mime.o parseaddr.o queue.o readcf.o recipient.o sasl.o
savemail.o sfsasl.o shmticklib.o sm_resolve.o srvrsmtp.o stab.o
stats.o sysexits.o timers.o tls.o trace.o udb.o usersmtp.o util.o
version.o -lsasl -lssl
/home/ross/sendmail-8.12.10/obj.Linux.2.4.20-8smp.i686/libsmutil/libsmutil.a
/home/ross/sendmail-8.12.10/obj.Linux.2.4.20-8smp.i686/libsm/libsm.a
-ldb -lresolv -lcrypt -lnsl -ldl
srvrsmtp.o(.text+0xe77): In function `smtp':
: undefined reference to `sasl_errdetail'
srvrsmtp.o(.text+0x4995): In function `smtp':
: undefined reference to `sasl_errdetail'
collect2: ld returned 1 exit status
make: *** [sendmail] Error 1

Does this have to be this hard??

Ross

Alexander Dalloz

May 20, 2004, 7:21:37 PM
On Thu, 20 May 2004 15:54:42 -0700 w0lver wrote:

> OK, I was trying a total rebuild so I could make sure SASL was
> configured correctly but now I cannot compile sendmail.
> I did the SASL configure like this:
>
> ./configure --prefix=/usr --enable-login

> /home/ross/sendmail-8.12.10/obj.Linux.2.4.20-8smp.i686/libsmutil/libsmutil.a
> /home/ross/sendmail-8.12.10/obj.Linux.2.4.20-8smp.i686/libsm/libsm.a

> Does this have to be this hard??
>
> Ross

You don't have to recompile either Sendmail or SASL. Install the packages
that Redhat offers for your release 9! And be sure you installed ALL
update packages! At least your kernel source is very old and if you run
the same kernel release as your source it is highly vulnerable.

Do as I told you and install the cyrus-sasl RPMs.

Rob MacGregor

May 21, 2004, 4:52:02 AM
w0lver wrote:
> APPENDDEF(`conf_sendmail_LIBS', `-lsasl -lssl')dnl

Try `-lsasl2' instead (assuming you're using v2 of the SASL libraries).

w0lver

May 21, 2004, 9:45:28 AM
Rob MacGregor <m...@privacy.net> wrote in message news:<c8kfv5$la$1...@carbon.macgregor>...

> w0lver wrote:
> > APPENDDEF(`conf_sendmail_LIBS', `-lsasl -lssl')dnl
>
> Try `-lsasl2' instead (assuming you're using v2 of the SASL libraries).

same error <sigh>:

srvrsmtp.o(.text+0xe77): In function `smtp':
: undefined reference to `sasl_errdetail'
srvrsmtp.o(.text+0x4995): In function `smtp':
: undefined reference to `sasl_errdetail'
collect2: ld returned 1 exit status
make: *** [sendmail] Error 1

Ross

Claus Aßmann

May 21, 2004, 10:42:06 AM
w0lver wrote:
> Rob MacGregor <m...@privacy.net> wrote in message news:<c8kfv5$la$1...@carbon.macgregor>...
> > w0lver wrote:
> > > APPENDDEF(`conf_sendmail_LIBS', `-lsasl -lssl')dnl

> > Try `-lsasl2' instead (assuming you're using v2 of the SASL libraries).

> same error <sigh>:

> srvrsmtp.o(.text+0xe77): In function `smtp':
> : undefined reference to `sasl_errdetail'


You did use

sh ./Build -c

or removed your obj.* directory before you recompiled, right?

w0lver

May 21, 2004, 11:14:00 AM
Rob MacGregor <m...@privacy.net> wrote in message news:<c8kfv5$la$1...@carbon.macgregor>...

> w0lver wrote:
> > APPENDDEF(`conf_sendmail_LIBS', `-lsasl -lssl')dnl
>
> Try `-lsasl2' instead (assuming you're using v2 of the SASL libraries).

I got sendmail to compile! Yeah!

Now when I EHLO I get:

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN

250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP

However my sendmail.mc has:
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl


Correct me if I am wrong but for clients using Outlook or Outlook
Express I need LOGIN running?

Ross

Rob MacGregor

May 21, 2004, 1:19:04 PM
w0lver wrote:
> However my sendmail.mc has:
> define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
> TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
>
> Correct me if I am wrong but for clients using Outlook or Outlook
> Express I need LOGIN running?

Correct, in this case it nearly certainly means you either:

a) Don't have a version of SASLv2 that has LOGIN or PLAIN enabled.
b) You're not using an authentication method that supports LOGIN or PLAIN
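
The mismatch discussed in this exchange (four mechanisms in sendmail.mc, two in the EHLO reply) can be checked mechanically. The Python below is an added example, not part of the original thread; its sample inputs are constructed from lines quoted in the posts and its function names are hypothetical. It also reports whether LOGIN or PLAIN are offered, since both send the password itself, only base64-encoded.

```python
import re

# Constructed sample inputs, modelled on the sendmail.mc lines and EHLO reply quoted in this thread.
SENDMAIL_MC = """\
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
"""
EHLO_REPLY = """\
250-www1.mydomain.com Hello [127.0.0.1], pleased to meet you
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP
"""

# Mechanisms that transmit the password itself (base64 is an encoding, not encryption).
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}


def configured_mechs(mc_text):
    """Mechanisms listed in confAUTH_MECHANISMS, skipping lines commented out with dnl."""
    for line in mc_text.splitlines():
        if line.lstrip().startswith("dnl"):
            continue
        m = re.search(r"define\(`confAUTH_MECHANISMS',\s*`([^']*)'\)", line)
        if m:
            return m.group(1).upper().split()
    return []


def advertised_mechs(ehlo_text):
    """Mechanisms from the AUTH line(s) of an EHLO reply ("250-AUTH ..." or "250-AUTH=...")."""
    mechs = []
    for line in ehlo_text.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs += [x for x in m.group(1).upper().split() if x not in mechs]
    return mechs


def audit(mc_text, ehlo_text):
    """Compare what sendmail.mc asks for with what the running daemon offers."""
    conf, adv = configured_mechs(mc_text), advertised_mechs(ehlo_text)
    return {
        "missing": [m for m in conf if m not in adv],     # in sendmail.mc, not offered
        "unexpected": [m for m in adv if m not in conf],  # offered, not in sendmail.mc
        "plaintext_offered": sorted(PLAINTEXT_MECHS & set(adv)),
    }

if __name__ == "__main__":
    print(audit(SENDMAIL_MC, EHLO_REPLY))
```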

w0lver

May 22, 2004, 1:59:30 PM
Rob MacGregor <m...@privacy.net> wrote in message news:<c8ldg1$lem$1...@carbon.macgregor>...

> w0lver wrote:
> > However my sendmail.mc has:
> > define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
> > TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
> >
> > Correct me if I am wrong but for clients using Outlook or Outlook
> > Express I need LOGIN running?
>
> Correct, in this case it nearly certainly means you either:
>
> a) Don't have a version of SASLv2 that has LOGIN or PLAIN enabled.
> b) You're not using an authentication method that supports LOGIN or PLAIN

I got my SASL from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
Which I believe is the full version...

For b) I'm not sure what that means... what do I look for to see if my
box supports LOGIN or PLAIN? I thought that was part of SASL and if I
compiled with the --enable-login I would be fine...

Almost there... thanks for the help thus far...

Ross

Rob MacGregor

May 22, 2004, 2:37:06 PM
w0lver wrote:
> I got my SASL from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
> Which I believe is the full version...

But the default ./configure doesn't enable LOGIN, and may not even
enable PLAIN - check the output of "./configure --help".

> For b) I'm not sure what that means... what do I look for to see if my
> box supports LOGIN or PLAIN? I thought that was part of SASL and if I
> compiled with the --enable-login I would be fine...

A skim through the Cyrus list suggests that some authentication backends
may not support LOGIN or PLAIN. I've personally used the shadow method
(ie the password file) with LOGIN before without problems. However with
v2 I think that requires that you use saslauthd as the entry in
/usr/lib/sasl2/Sendmail.conf and configure saslauthd accordingly. I am
currently using the following /usr/lib/sasl2/Sendmail.conf:

pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2

The sasldb file was created with saslpasswd2. It does support LOGIN and
PLAIN (at least so it claims).

I will say that I've had problems with V2 of sasl with Sendmail. It
requires me to explicitly specify the domain (defaults to the hostname
of the server - seen via sasldblistusers2). It's only Sendmail this
happens with, and I don't know why. Attempts to debug this have run out
of time (and inclination) before I've identified what's going on. It
nearly certainly isn't actually a problem with Sendmail or the client,
so it may be some weird problem with v2 of SASL itself.

w0lver

May 24, 2004, 10:13:21 AM
Rob MacGregor <m...@privacy.net> wrote in message news:<c8o6ft$8c5$2...@carbon.macgregor>...

Man, it took forever but I finally got it working. This HowTo was the key:
http://www.falkotimme.com/howtos/sendmail_smtp_auth_tls/index.php

It was using the versions I was and, I think, included some missing steps.

Thanks Rob, you helped me look for the right things to fix.

Ross
