Date:      Thu, 30 Jul 2009 11:55:27 -0700
From:      Ihor Prystay <ihor@cia.com>
To:        FreeBSD Question <freebsd-questions@freebsd.org>
Subject:   Re: SMTP Authentication
Message-ID:  <4A71EC9F.2090001@cia.com>
In-Reply-To: <SNT121-DS537E6B71177F7725ABF78BD130@phx.gbl>
References:  <SNT121-DS22FFA13B8EF7D0C809E5EEBD120@phx.gbl><SNT121-DS3913F7028CC66BC1DB91DBD120@phx.gbl><4A710A2F.1030407@cia.com>	<SNT121-DS3A839A2860EC867519737BD130@phx.gbl><SNT121-DS20B22A0DCF9EF49120C4C9BD130@phx.gbl>	<4A713F34.5050404@cia.com><SNT121-DS18FFEA0FFD32E09E6E3A6CBD130@phx.gbl>	<4A7160C8.9050705@cia.com> <SNT121-DS537E6B71177F7725ABF78BD130@phx.gbl>

You may check the location of sasl2 lib which sendmail is compiled with
- do ldd on sendmail executable. And verify if Sendmail.conf in the
sasl2 lib folder doesn't have any restrictions on available mechs.

Ihor



Reed Lai wrote:
> The liblogin.so is in directory
> 
> banyan# ll /usr/local/lib/sasl2/liblogin.so
> lrwxr-xr-x  1 root  wheel  13  7 29 14:54
> /usr/local/lib/sasl2/liblogin.so -> liblogin.so.2
> banyan# ll /usr/local/lib/sasl2/liblogin.so.2
> -rwxr-xr-x  1 root  wheel  17172  7 29 14:54
> /usr/local/lib/sasl2/liblogin.so.2
> 
> There is only confAUTH_MECHANISMS in .mc file, not confAUTH_OPTIONS
> 
> dnl set SASL options
> dnl --------------------------------
> TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> 
> Reed
> 
> From: Ihor Prystay
> Sent: Thursday, July 30, 2009 4:58 PM
> To: FreeBSD Question
> Subject: Re: SMTP Authentication
> 
> 
> Check if /usr/local/lib/sasl2/liblogin.so exists - if not you have to
> recompile sasl with LOGIN mech support.
> Check in your .mc file if you define confAUTH_OPTIONS macro. If you do
> make sure 'p' parameter is not on the list or LOGIN would be available
> only after TLS encryption which is not a case for you as your working
> configuration offers LOGIN during telnet session (it's actually a bad
> idea to do authentication clear text).
> 
> Ihor
> 
> 
> Reed Lai wrote:
>> Yes, the new server lacks LOGIN in the 250-AUTH list!
>>
>> New server
>> =========
>> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
>>
>> Functional server
>> ==============
>> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
>>
>> I have checked the generated .cf file in the new server and there are
>> class and option listed
>>
>> C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
>> O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
>>
>> The new server has the same configuration as the old server, but does not
>> have LOGIN in the 250-AUTH list.
>> BTW, the new server has hostname changed once... I don't know if it does
>> matter or not..
>>
>> Reed
>>
>> From: Ihor Prystay
>> Sent: Thursday, July 30, 2009 2:35 PM
>> To: freebsd-questions@freebsd.org
>> Subject: Re: SMTP Authentication
>>
>>
>> Try telnet to port 25 of your working SMTP server and compare the
>> output.
>> Check
>> 250-AUTH <list of supported auth mech>
>> According to the provided log from the working server it should be LOGIN
>> mech available in the list, which is not present on the new server.
>>
>> Ihor
>>
>>
>> Reed Lai wrote:
>>> The maillog does not log the sm-mta: AUTH=server action. The functional
>>> server has the AUTH=server action logged. How do I debug from this
>>> difference?
>>>
>>> Reed
>>>
>>> From: Reed Lai
>>> Sent: Thursday, July 30, 2009 11:51 AM
>>> To: FreeBSD Questions
>>> Subject: Re: SMTP Authentication
>>>
>>>
>>> The mail client is Windows Live Mail and it works well with the
>>> functional
>>> server. Its SMTP authentication should be ok.
>>>
>>> Reed
>>>
>>>
>>> From: Ihor Prystay
>>> Sent: Thursday, July 30, 2009 10:49 AM
>>> To: freebsd-questions@freebsd.org
>>> Subject: Re: SMTP Authentication
>>>
>>>
>>> Your working server does support LOGIN mech while the other one doesn't.
>>> I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
>>> auth, usually it's PLAIN or/and LOGIN.
>>>
>>> Ihor
>>>
>>>
>>>
>>> Reed Lai wrote:
>>>> Instruction of the "SMTP AUTH in sendmail 8.10-8.13" to test the
>>>> Sendmail
>>>>
>>>> banyan# sendmail -d0.1 -bv root
>>>> Version 8.14.2
>>>> Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
>>>>                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
>>>> SASLv2
>>>>                SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
>>>>
>>>> ============ SYSTEM IDENTITY (after readcf) ============
>>>>      (short domain name) $w = banyan
>>>>  (canonical domain name) $j = banyan...com
>>>>         (subdomain name) $m = ..com
>>>>              (node name) $k = banyan...com
>>>> ========================================================
>>>>
>>>> root... deliverable: mailer local, user root
>>>>
>>>> banyan# telnet localhost 25
>>>> Trying 127.0.0.1...
>>>> Connected to localhost.
>>>> Escape character is '^]'.
>>>> 220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009
>>>> 21:19:40
>>>> +0800 (CST)
>>>> ehlo localhost
>>>> 250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
>>>> 250-ENHANCEDSTATUSCODES
>>>> 250-PIPELINING
>>>> 250-8BITMIME
>>>> 250-SIZE
>>>> 250-DSN
>>>> 250-ETRN
>>>> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
>>>> 250-DELIVERBY
>>>> 250 HELP
>>>>
>>>> The Sendmail test seems OK
>>>> But the SMTP authentication does not work from my mail client.
>>>>
>>>> Reed
>>>>
>>>>
>>>> From: Reed Lai
>>>> Sent: Wednesday, July 29, 2009 5:37 PM
>>>> To: freebsd-questions@freebsd.org
>>>> Subject: SMTP Authentication
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I have two freebsd mail servers both configured SMTP authentication:
>>>>
>>>>    FreeBSD Handbook 28.10 SMTP Authentication
>>>>    http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html
>>>>
>>>>    SMTP AUTH in sendmail 8.10-8.13
>>>>    http://www.sendmail.org/~ca/email/auth.html
>>>>
>>>> One is functional, and the other one doesn't seem to work. Comparing the
>>>> maillogs of the two servers, an AUTH=server message appears on the
>>>> functional server, but not on the other one.
>>>>
>>>> The maillog of functional server
>>>> ======================
>>>> Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-....net
>>>> [59...147], authid=a660407, mech=LOGIN, bits=0
>>>> Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825:
>>>> from=<reedlai@...>,
>>>> size=1430, class=0, nrcpts=1,
>>>> msgid=<40F9CC65E8874D128639A39C1EEBD410@ReedXP>, proto=ESMTP,
>>>> daemon=IPv4,
>>>> relay=59-...net [59...147]
>>>>
>>>> The other one
>>>> =========
>>>> Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539:
>>>> ruleset=check_rcpt,
>>>> arg1=<reedlai@...>, relay=59-...-147.HINET-IP.hinet.net [59...147],
>>>> reject=550 5.7.1 <reedlai@...>... Relaying denied
>>>> Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539:
>>>> from=<reedlai@...>,
>>>> size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4,
>>>> relay=59-...-147.HINET-IP.hinet.net [59...147]
>>>>
>>>> It seems the other one's smtp authentication is not triggered.
>>>>
>>>> Please help or tip me for something I forget.
>>>>
>>>> Thank you!
>>>>
>>>> Reed
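
The comparison this thread carries out by hand, as an added example (not part of the original messages): it diffs the mechanisms configured in the generated .cf file against the 250-AUTH line, and checks whether a mech_list in Sendmail.conf accounts for the difference. The SASL_CONF content is constructed for illustration; the thread does not show the new server's actual Sendmail.conf.

```python
import re

PLAINTEXT = {"LOGIN", "PLAIN"}  # password crosses the wire unprotected unless TLS is up

def advertised(ehlo):
    """Mechanisms on the 250-AUTH line of an EHLO reply."""
    for line in ehlo.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.I)
        if m:
            return set(m.group(1).upper().split())
    return set()

def configured(cf):
    """Mechanisms from 'O AuthMechanisms=' in the generated .cf file."""
    m = re.search(r"^O\s+AuthMechanisms=(.*)$", cf, re.M)
    return set(m.group(1).upper().split()) if m else set()

def sasl_mech_list(conf):
    """mech_list from Sendmail.conf; None when the file sets no restriction."""
    m = re.search(r"^\s*mech_list\s*:\s*(.*)$", conf, re.M | re.I)
    return set(m.group(1).upper().split()) if m else None

def diagnose(ehlo, cf, sasl_conf=""):
    adv, want = advertised(ehlo), configured(cf)
    missing = want - adv
    limit = sasl_mech_list(sasl_conf)
    return {
        "missing": sorted(missing),
        # configured in sendmail but filtered out by the SASL library's own config
        "blocked_by_mech_list": sorted(missing - limit) if limit is not None else [],
        # offered on a session that was captured without STARTTLS (telnet)
        "plaintext_in_clear": sorted(adv & PLAINTEXT),
    }

# From the thread: generated .cf option and the two 250-AUTH lines.
CF = ("C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN\n"
      "O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN\n")
NEW_EHLO = "250-PIPELINING\n250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5\n250 HELP\n"
OLD_EHLO = "250-PIPELINING\n250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN\n250 HELP\n"
# Constructed: a Sendmail.conf that would produce the new server's symptom.
SASL_CONF = "pwcheck_method: saslauthd\nmech_list: GSSAPI DIGEST-MD5 CRAM-MD5\n"

if __name__ == "__main__":
    print(diagnose(NEW_EHLO, CF, SASL_CONF))
    print(diagnose(OLD_EHLO, CF))
```

An empty "blocked_by_mech_list" with a non-empty "missing" means Sendmail.conf is not the cause, which points back to the plugin library that the sendmail binary actually loads.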


