Date:      Thu, 29 Aug 2002 20:40:08 -0700 (PDT)
From:      "Scot W. Hetzel" <hetzels@westbend.net>
To:        freebsd-ports@FreeBSD.org
Subject:   Re: ports/38801: sasl_apop_patch.gz breaks LOGIN mech (SMTP AUTH)
Message-ID:  <200208300340.g7U3e8bg038725@freefall.freebsd.org>

The following reply was made to PR ports/38801; it has been noted by GNATS.

From: "Scot W. Hetzel" <hetzels@westbend.net>
To: "Seva Gluschenko" <gvs@rinet.ru>,
	<FreeBSD-gnats-submit@FreeBSD.ORG>
Cc: <noc@rinet.ru>
Subject: Re: ports/38801: sasl_apop_patch.gz breaks LOGIN mech (SMTP AUTH)
Date: Thu, 29 Aug 2002 22:38:23 -0500

 From: "Seva Gluschenko" <gvs@rinet.ru>
 > making Cyrus SASL library (used for SMTP AUTH) from ports results
 > in a non-working LOGIN authentication mechanism. Experiments show this
 > situation to be the result of sasl_apop_patch application.
 
 > N.B.: It wasn't tested against pwcheck method, only with SaslDB.
 > Try every MUA which is capable of LOGIN authentication (e.g. MSOE 5.5
 > and higher). Sendmail will continuously re-request password, strings
 > in maillog will look like
 >
 > Jun  1 20:37:39 kolokol sm-mta[26436]: g51GbdVS026436: demo.rinet.ru
 > [195.54.192.69] did not issue MAIL/EXPN/VRFY/ETRN during connection
 > to MTA
 >
 
 I looked into this problem further, and still can't get the original problem
 to occur with the apop patch (No pwcheck or saslauthd1 daemons running and
 Sendmail.conf's pwcheck_method set to sasldb).
 
 The only problem I had was a mismatch between the server's 'hostname' and
 DNS.  The problem is that saslpasswd uses `hostname` found on the system for
 the default realm, while sendmail does a DNS lookup to determine the
 hostname of the mail server, and then uses it for the SASL realm name.  On
 my test system I had 'hostname' and DNS names in different cases:
 
     hostname   - Test.domain.org
     DNS Lookup - TEST.domain.org
 
 # sasldblistusers
 user: testuser realm: Test.domain.org mech: PLAIN
 user: testuser realm: Test.domain.org mech: CRAM-MD5
 user: testuser realm: Test.domain.org mech: PLAIN-APOP
 user: testuser realm: Test.domain.org mech: DIGEST-MD5
 
 With the realm set to "Test.domain.org", sendmail would fail to authenticate
 the user (OE would ask for username and password repeatedly), and sendmail
 would report:
 
 Aug 29 21:41:36 Test sm-mta[8111]: g7U2faWr008111: wrkstation.domain.org
 [10.0.0.2] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
 
 Using saslpasswd's domain option (-u), to first remove and then reenter the
 "testuser":
 
     saslpasswd -d -u Test.domain.org testuser
     saslpasswd -c -u TEST.domain.org testuser
 
 allowed OE to log in (changing DNS would also have worked).
 
 I also tested the SASL library without the APOP patch and had the same
 problem due to mismatched realms between sendmail and the sasldb database.
 
 I don't know why you had success with the removal of the APOP patch, unless
 someone had changed the case of the DNS entry for the server, while you were
 testing.
 
 If you could set up a test server, give it another try with the APOP patch
 and let us know the results.
 
 Scot W. Hetzel
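
The realm comparison described in the message above, as an added example that is not part of the original e-mail or of Cyrus SASL. The function names `check_realms` and `sample_listing` are hypothetical, the `alice` and `bob` entries are constructed, and the exact, case-sensitive match is an assumption based on the behaviour the message reports; the OTHER category goes beyond the case-only mismatch the message covers.

```shell
#!/bin/sh
# Added example: compare sasldb realms with the realm the MTA will use.
# stdin: sasldblistusers output in the format shown in the message.
# $1:    realm the MTA uses (in the message, the name sendmail gets from DNS).
# Output, one line per distinct user/realm pair that will not match:
#   CASE  user realm   differs from the MTA realm only in letter case
#   OTHER user realm   a different name altogether
# Assumption: realms must match exactly, including case.
check_realms() {
    awk -v want="$1" '
        $1 == "user:" && $3 == "realm:" {
            user = $2; realm = $4
            if (seen[user "@" realm]++) next   # report once, not once per mech
            if (realm == want) next             # exact match: entry is usable
            if (tolower(realm) == tolower(want))
                print "CASE", user, realm
            else
                print "OTHER", user, realm
        }'
}

# Constructed sample: the listing from the message plus two made-up entries.
sample_listing() {
    cat <<'EOF'
user: testuser realm: Test.domain.org mech: PLAIN
user: testuser realm: Test.domain.org mech: CRAM-MD5
user: testuser realm: Test.domain.org mech: PLAIN-APOP
user: testuser realm: Test.domain.org mech: DIGEST-MD5
user: alice realm: TEST.domain.org mech: PLAIN
user: bob realm: old.domain.org mech: PLAIN
EOF
}

# Stand-alone run: check the sample against the DNS name from the message.
sample_listing | check_realms "TEST.domain.org"
```

On a live system the input would come from `sasldblistusers` instead of `sample_listing`; a CASE line marks an entry to re-create with `saslpasswd -u` as shown in the message.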
 
