SMTP AUTH, Need help

Chris D

Sep 30, 2011, 6:37:24 PM
Hello,

I have been wracking my brain on this for days now. I thought I had
this working.... but I see now that it isn't. Encryption is
working... but auth is not.

I'm trying to configure my sendmail server for SMTP authentication. I
have scoured the Internet, and it seems I have done everything asked
of me, but it still doesn't work.

When sending an email from a client configured to use smtp
authentication, the mail fails, and I get this in my log:
[som.eip.ad.dr] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4

# /usr/sbin/sendmail -d0.1 -bv root
Version 8.14.3
Compiled with: DNSMAP LDAPMAP LDAP_REFERRALS LOG MAP_REGEX MATCHGECOS
MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX
NEWDB NIS NISPLUS PIPELINING SASLv2 SCANF SOCKETMAP
STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = smtp
(canonical domain name) $j = smtp.myserver.com
(subdomain name) $m = myserver.com
(node name) $k = smtp.myserver.com
=================================================

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 smtp.myserver.com ESMTP Sendmail 8.14.3/8.14.3/Debian-9.4; Fri, 30
Sep 2011 18:28:49 -0400; (No UCE/UBE) logging access from:
localhost(OK)-localhost [127.0.0.1]
EHLO localhost
250-smtp.myserver.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
quit



# cat sendmail.mc

divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.14.3-5 2008-07-15 22:30:00 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
FEATURE(`no_default_msa')dnl
LOCAL_DOMAIN(`smtp.myserver.com')
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=0.0.0.0')dnl
DAEMON_OPTIONS(`Family=inet, Name=MSA-v4, Port=587, Addr=0.0.0.0, M=E')dnl dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl dnl
define(`confAUTH_OPTIONS', `A p y')dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl dnl
define(`confCACERT_PATH', `/etc/smail/certs')dnl dnl
define(`confCACERT', `/etc/smail/certs/cacert.pem')dnl dnl
define(`confSERVER_CERT', `/etc/smail/certs/sendmail.pem')dnl dnl
define(`confSERVER_KEY', `/etc/smail/certs/sendmail.pem')dnl dnl
define(`confCLIENT_CERT', `/etc/smail/certs/sendmail.pem')dnl dnl
define(`confCLIENT_KEY', `/etc/smail/certs/sendmail.pem')dnl dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
define(`confPRIVACY_FLAGS', `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
FEATURE(nouucp, `reject')dnl dnl
FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')dnl dnl
FEATURE(`blacklist_recipients')dnl dnl
define(`confCONNECTION_RATE_THROTTLE', `250')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`5m')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl dnl
FEATURE(`use_ct_file')dnl dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl dnl
FEATURE(genericstable, `hash -o /etc/mail/genericstable')dnl dnl
FEATURE(always_add_domain)dnl dnl
FEATURE(redirect)dnl dnl
FEATURE(limited_masquerade)dnl dnl
EXPOSED_USER_FILE(`/etc/mail/exposed-users')dnl dnl
FEATURE(local_procmail)dnl dnl
FEATURE(`access_db', , `skip')dnl
FEATURE(`greet_pause', `1000')dnl 1 seconds
FEATURE(`delay_checks', `friend', `n')dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
RELAY_DOMAIN_FILE(`/etc/mail/relay-domains')dnl dnl
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl dnl
define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')dnl for clam dnl
define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav')dnl dnl
include(`/etc/mail/m4/dialup.m4')dnl
include(`/etc/mail/m4/provider.m4')dnl
FEATURE(`dnsbl',`zen.spamhaus.org')dnl
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl
MAILER(procmail)dnl dnl

I appreciate any help here.

Thank you.

Andrzej Adam Filip

Oct 1, 2011, 6:19:02 PM
> [...]

http://www.sendmail.org/~ca/email/auth.html
[...]
*Initial test*
[...] If this doesn't reveal any problems, increase the LogLevel to 13
and try again. [...]

--
[pl>en Andrew] Andrzej A. Filip : an...@onet.eu : Andrze...@gmail.com
The longest part of the journey is said to be the passing of the gate.
-- Marcus Terentius Varro

Chris

Oct 2, 2011, 12:44:13 PM
Hi Marcus,

As you can see from the above post, I already included the information
from the tests listed on that page.

The interesting thing is, that I rebuilt my certs using RSA keys
instead of DSA, and now things seem to be working. Another problem
has cropped up, however, but I will post that separately. Thank you.

Chris

Oct 2, 2011, 1:33:38 PM
Ok... scratch that. I was wrong. The settings on my test mail client
were mis-configured to not use auth and it gave me a false positive.

So, as stated, the tests on that page you referenced are on the
original post. I changed the log level to 13, but I don't get any
different output. The message still fails, and the log says:

Oct 2 13:28:08 myserver sm-mta[6856]: STARTTLS=server, relay=141.sub-174-xxx-xxx.yourserver.com [174.xx.xx.141], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Oct 2 13:28:12 myserver sm-mta[6856]: p92HS0Ao006856: 141.sub-174-xxx-xxx.yourserver.com [174.xx.xx.141] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA

This client here was an android phone using MD5 for the auth setting
(the only one available, it is either MD5 or none). As you can see
above, both digest-md5 and cram-md5 are supported on my server. I
have tested it with other clients, and get the same response when
trying to use auth.

I have used testsaslauthd, and it always states that it is working:
testsaslauthd -u uname -p mypass
0: OK "Success."

I absolutely need to have this working.... I have done what all the
docs say... What am I missing here?

Andrzej Adam Filip

Oct 2, 2011, 3:21:40 PM
Based on short web search:
1) try log level 14
2) try LOGIN authentication mechanism

http://www.geekyramblings.net/2011/08/07/android-and-sendmail/

--
[pl>en Andrew] Andrzej A. Filip : an...@onet.eu : Andrze...@gmail.com
Traveling through hyperspace isn't like dusting crops, boy.
-- Han Solo

Chris

Oct 3, 2011, 3:54:07 PM
That was very helpful Han. I think I finally got this licked.

My problem wasn't a clone of that one, but it was definitely related.
The problem was Sendmail telling me the whole "did not issue
MAIL/EXPN/VRFY/ETRN" (and leaving it at that), that sent me in the wrong
direction entirely. Setting the log level to 14 told me what was
wrong, and that it had to do with Sasl2, not with Sendmail.

My problem was that the pw in my sasldb2 password file had somehow
gotten out of sync in all my testing and meddling. I would wager that
his problem is that he doesn't even have a sasldb2 file, the file is
empty, or there is no record for the user in question (because my
error was slightly different: "AUTH failure (CRAM-MD5): authentication
failure (-13) SASL(-13): authentication failure: incorrect digest
response"). Setting the auth to "Login" would just let it go to the
system's default (PAM, in the case of Debian). Using one of the MD5
algorithms requires the use of the sasldb2 file.

My Android phone requires the use of MD5 for authentication; switching
to LOGIN, as he did, would have solved nothing for me -- so I was glad
to get this working!

Thank you!

-Chris