From owner-freebsd-questions@FreeBSD.ORG Mon Nov 27 11:03:42 2006
From: Vince
To: freebsd-questions@freebsd.org
Date: Mon, 27 Nov 2006 11:03:27 +0000
Subject: Re: Sendmail and smtp-auth against passwd
Message-ID: <456AC5FF.60402@unsane.co.uk>
In-Reply-To: <20061127032030.GH8339@server.idefix.loc>
References: <20061127032030.GH8339@server.idefix.loc>
List-Id: User questions

Matthias Fechner wrote:
> Hi,
>
> I tried to get smtp-auth against passwd working but it does not
> work. I must add users with saslpasswd2 to the sasldb, but I want to
> auth my smtp users with their "normal" password without the need to
> add them to an additional db.
>
> What I did is:
> Installed sasl2authd from the ports.
>
> /etc/make.conf:
> # Add SMTP AUTH support to Sendmail
> SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
> SENDMAIL_LDFLAGS+= -L/usr/local/lib
> SENDMAIL_LDADD+= -lsasl2
> # Enable smtps for sendmail
> SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
> SENDMAIL_MILTER_IN_BASE=yes
> And recompiled sendmail in base.
>
> Edit /usr/local/lib/sasl2/Sendmail.conf:
> pwcheck_method: saslauthd
>
> Enabled saslauthd in rc.conf and started it:
> saslauthd_enable="yes"
> saslauthd_flags="-a getpwent"
>
> Edited my .mc file:
> dnl Enable smtp-auth
> FEATURE(`authinfo')
> define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
> define(`confAUTH_MECHANISMS',`LOGIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl
> define(`confRUN_AS_USER',`root:mail')dnl
>
> But it seems to me that sendmail isn't using saslauthd; instead it uses
> the sasldb directly, so all the things I configured in sasl2authd are useless.
>
> Has someone smtp-auth with sendmail against passwd running?
>

Hmm, I used the sendmail from ports, due to laziness and (at the time I
wasn't too familiar with FreeBSD's /etc/make.conf), but your config looks
ok. Also I use 6.x and at one point was using nss_ldap, so I use PAM,
which has the same effect as you are intending; it might be worth your
while trying that too.

.mc file:

define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')

Because of this (the PLAIN bit) I also enabled SSL (self-signed, but who
cares here; it's just so the passwords don't go in cleartext):

dnl ### do STARTTLS
define(`confCACERT_PATH', `/usr/local/certs')dnl
define(`confCACERT', `/usr/local/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/usr/local/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/usr/local/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/usr/local/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/usr/local/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl

The sasl side:

root@lobster (10:50:35 <~>) 0 # cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd

/etc/rc.conf:

#sasl auth for sendmail etc
saslauthd_enable="YES"

This allows sasl2authd to use the default flags of -a pam.

I also have the following file in /etc/pam.d/:

root@lobster (10:54:55 <~>) 0 # more /etc/pam.d/sendmail
# auth
#auth required pam_nologin.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
account required pam_unix.so
session required pam_unix.so

(excuse linewrap)

This works fine for me.

Good luck,
Vince

> Best regards,
> Matthias
>
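A few shell helpers for checking a sendmail + saslauthd setup like the one in Vince's reply, added here as an example; this is not code from the thread or from sendmail/cyrus-sasl. The host names, account names and the two EHLO banners are constructed for illustration. It assumes `openssl`, `nc` and (for the saslauthd check) the `testsaslauthd` tool shipped with cyrus-sasl's saslauthd are installed.

```sh
#!/bin/sh
# Added example, not from the original thread. Host names, accounts and the
# sample EHLO banners below are made up for illustration.

# Build the SASL PLAIN initial response (RFC 4616): NUL authcid NUL passwd, base64.
# This is exactly what a client sends after "AUTH PLAIN"; anyone sniffing the
# wire can decode it, so it must only travel inside TLS (the SMTPS port 465
# from the reply, or after STARTTLS).
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | openssl base64 | tr -d '\n'
}

# From an EHLO response captured on the unencrypted port 25, print the offered
# mechanisms that expose the password to a passive sniffer (PLAIN and LOGIN).
# Empty output is what you want to see before STARTTLS.
cleartext_mechs() {
    printf '%s\n' "$1" \
        | tr -d '\r' \
        | sed -n 's/^250[- ]AUTH //p' \
        | tr ' ' '\n' \
        | grep -Ex 'PLAIN|LOGIN' \
        | sort -u \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Network helpers (not run here).
probe_ehlo() {        # usage: probe_ehlo mail.example.test 25
    printf 'EHLO probe.example.test\r\nQUIT\r\n' | nc -w 5 "$1" "$2"
}
auth_over_tls() {     # usage: auth_over_tls mail.example.test user 'pass'
    tok=$(auth_plain_token "$2" "$3")
    # With the self-signed cert from the reply s_client cannot verify the chain;
    # add -CAfile /usr/local/certs/cacert.pem to check it.
    { sleep 1; printf 'EHLO probe.example.test\n'; sleep 1
      printf 'AUTH PLAIN %s\n' "$tok"; sleep 1; printf 'QUIT\n'; } \
        | openssl s_client -connect "$1:465" -crlf -quiet 2>/dev/null
}
check_saslauthd() {   # usage: check_saslauthd user 'pass'
    # Exercises saslauthd -> PAM (/etc/pam.d/sendmail) without involving sendmail.
    testsaslauthd -u "$1" -p "$2" -s sendmail
}

# Constructed banners: the first is a server advertising LOGIN/PLAIN on the
# plaintext port, the second is the same server with those mechanisms withheld
# until a security layer is up.
SAMPLE_EHLO_WEAK='250-mail.example.test Hello client.example.test [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP'
SAMPLE_EHLO_OK='250-mail.example.test Hello client.example.test [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP'

if [ "$1" = "--demo" ]; then
    echo "PLAIN token for user/pass: $(auth_plain_token user pass)"
    echo "cleartext mechs (weak):    [$(cleartext_mechs "$SAMPLE_EHLO_WEAK")]"
    echo "cleartext mechs (ok):      [$(cleartext_mechs "$SAMPLE_EHLO_OK")]"
fi
```

Run `check_saslauthd` first: if it fails, the problem is in saslauthd or PAM and no sendmail option will fix it. Then `probe_ehlo host 25 | cleartext_mechs` tells you whether the server still offers PLAIN/LOGIN without encryption. The reply's configuration only moves the encrypted path to port 465; a client that talks to port 25 and skips STARTTLS can still send the password in the clear, since `confAUTH_MECHANISMS` lists PLAIN and LOGIN for every listener. Sendmail's `confAUTH_OPTIONS` flag `p` (e.g. `define(`confAUTH_OPTIONS', `p')dnl`) makes it withhold those mechanisms until a security layer is active, which is what the second sample banner shows.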