Date:      Wed, 4 Jun 2003 20:22:10 -0800
From:      "admin" <admin2@enabled.com>
To:        dirk.meyer@dinoex.sub.org (Dirk Meyer), freebsd-questions@freebsd.org
Subject:   Re: cyrus-sasl2 setup failing
Message-ID:  <20030605041523.M49617@enabled.com>
In-Reply-To: <lz5C3NcNtL@dmeyer.dinoex.sub.org>
References:  <20030605022228.M16985@enabled.com> <lz5C3NcNtL@dmeyer.dinoex.sub.org>

On Thu, 05 Jun 2003 05:54:45 +0200, Dirk Meyer wrote
> > Sendmail 8.12.9-sasl2 (compiled from /usr/ports/mail/sendmail-sasl)
> > cyrus-sasl-2.1.13 (compiled from /usr/ports/security/cyrus-sasl2-saslauthd)
> > 
> > A client is still not able to authenticate via SASL - looks like it is not
> > happy but I am not sure how to fix it.  Anybody got a clue what I am doing
> > wrong here?
> 
> > --- from the logs when some attempts to authenticate ----
> > Jun  4 20:09:46 typhoon sm-mta[78399]: AUTH: available mech=NTLM LOGIN PLAIN
> > OTP DIGEST-MD5 CRAM-MD5, allowed mech=LOGIN PLAIN
> 
> > Jun  4 20:09:46 typhoon sm-mta[78399]: h5539jJQ078399: AUTH failure (LOGIN):
> > no mechanism available (-4) SASL(-4): no mechanism available: checkpass failed
> 
> > define(`confAUTH_OPTIONS', `A p y')dnl
> > define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
> > TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
> 
> checkpass failed, is the saslauthd started?


Thanks for the quick response.

No, what should my saslauthd flags be, since in the sendmail configuration I am
asking for LOGIN PLAIN in my sendmail .mc - is this correct?

if [ -z "${sasl_saslauthd_flags}" ]; then
        sasl_saslauthd_flags="-a pam"
fi




> do you need the "A" Option?
> 
> from: /usr/local/share/sendmail/cf/README
> confAUTH_OPTIONS        AuthOptions     [undefined] If this option is 'A'
>                                         then the AUTH= parameter for the
>                                         MAIL FROM command is only issued
>                                         when authentication succeeded.
>                                         [...] See doc/op/op.me for details.
> 
> from: /usr/local/share/doc/sendmail/op.txt
>                 [no short name] List  of  options  for  SMTP
>                 AUTH  consisting  of  single characters with
>                 intervening white space or commas.
> 
>                     A   Use the AUTH= parameter for the MAIL FROM
>                         command only when authentication succeeded.
>                         This can be used as a workaround for broken
>                         MTAs that do not implement RFC 2554 correctly.
>                     a   protection from active (non-dictionary) attacks
>                         during authentication exchange.
>                     c   require mechanisms which pass client credentials,
>                         and allow mechanisms which can pass credentials
>                         to do so.
>                     d   don't permit mechanisms susceptible to passive
>                         dictionary attack.
>                     f   require forward secrecy between sessions
>                         (breaking one won't help break next).
>                     p   don't permit mechanisms susceptible to simple
>                         passive attack (e.g., PLAIN, LOGIN), unless a
>                         security layer is active.
>                     y   don't permit mechanisms that allow anonymous login.
> 
>                 The first option applies to  sendmail  as  a
>                 client, the others to a server.  Example:
> 
>                     O AuthOptions=p,y
> 
> more links:
> http://www.sendmail.org/~gshapiro/
> http://www.sendmail.org/~ca/email/auth.html
> http://www.asp.ogi.edu/people/paja/linux/sendmail/
> http://blue-labs.org/clue/sendmail.php
> http://www.digitalanswers.org/sendmail/
> 
>  
> kind regards Dirk
> 
> - Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
> - [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
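
Added example, not part of the original thread and not sendmail's own code: a small Python check that reads the AUTH settings quoted above and reports how option p interacts with the allowed mechanisms, following the wording of the op.txt excerpt. The function names and the re-joined sample log line are constructed for illustration.

```python
import re

# Mechanisms the op.txt text quoted above names as open to simple passive attack.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed samples: the .mc lines and the (re-joined) log line quoted in this thread.
SAMPLE_MC = """\
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
"""
SAMPLE_LOG = ("Jun  4 20:09:46 typhoon sm-mta[78399]: AUTH: available mech=NTLM LOGIN "
              "PLAIN OTP DIGEST-MD5 CRAM-MD5, allowed mech=LOGIN PLAIN")

def mc_value(mc_text, name):
    """Return the m4-quoted value of define(`name', `value'), or None if absent."""
    m = re.search(r"define\(`%s',\s*`([^']*)'\)" % re.escape(name), mc_text)
    return m.group(1) if m else None

def parse_auth_settings(mc_text):
    """Return (AuthOptions characters, allowed mechanisms) from .mc text."""
    raw = mc_value(mc_text, "confAUTH_OPTIONS") or ""
    # op.txt: single characters with intervening white space or commas.
    options = [o for o in re.split(r"[\s,]+", raw) if o]
    mechs = (mc_value(mc_text, "confAUTH_MECHANISMS") or "").split()
    return options, mechs

def review(mc_text):
    """Return findings on how option p interacts with the allowed mechanisms."""
    options, mechs = parse_auth_settings(mc_text)
    plain = [m for m in mechs if m.upper() in PLAINTEXT_MECHS]
    if not plain:
        return []
    if "p" not in options:  # option letters are case-sensitive (A differs from a)
        return ["%s permitted without a security layer" % "/".join(plain)]
    if len(plain) == len(mechs):
        return ["p set and only %s allowed: no mechanism is permitted until a "
                "security layer is active" % "/".join(plain)]
    return ["p set: %s permitted only when a security layer is active" % "/".join(plain)]

def log_mechs(line):
    """Split sendmail's 'AUTH: available mech=..., allowed mech=...' log line."""
    m = re.search(r"available mech=(.*?), allowed mech=(.*)$", line)
    return (m.group(1).split(), m.group(2).split()) if m else None

if __name__ == "__main__":
    print(parse_auth_settings(SAMPLE_MC), review(SAMPLE_MC), log_mechs(SAMPLE_LOG))
```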



