-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 21 February 2004 11:41 am, Alexander Dalloz wrote:
> On Sat, 21.02.2004 at 20:06, Jonathan M. Gardner wrote:
> > On Saturday 21 February 2004 6:01 am, Alexander Dalloz wrote:
> > > On Sat, 21.02.2004 at 13:13, Jonathan M. Gardner wrote:
> > > > I'm playing around with authentication schemes with sendmail.
> > > >
> > > > I've noticed that the file /usr/lib/sasl2/Sendmail.conf is being
> > > > completely ignored. No matter what I seem to put in that,
> > > > sendmail checks /etc/sasldb2 for the password verification.
> > > >
> > > > If I use the saslpasswd2 utility, I can of course create an entry
> > > > for the users. However, I would much rather use PAM than this
> > > > method.
> > > >
> > > > Any hints? It seems Google is turning up blanks...
> > >
> > > Sendmail does not ignore /usr/lib/sasl2/Sendmail.conf! It is just
> > > that you are confused about the authentication mechanisms. You
> > > cannot authenticate with an MD5 mechanism when authenticating
> > > against PAM. Only PLAIN / LOGIN will work that way.
> >
> > Okay, I have the sendmail.mc file set up as so on my mail server:
> >
> > define(`confAUTH_OPTIONS', `A p')dnl
> > TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
> > define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
> > define(`confCACERT_PATH',`/usr/share/ssl/certs')
> > define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
> > define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
> > define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
> > DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
> > DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
> > DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>
> I guess this is only the relevant part of sendmail.mc and not the whole
> file.
>

You are correct. If there are any other lines you want to see, let me know.

> > On my mail server, /usr/lib/sasl2/Sendmail.conf reads:
> > pwcheck_method:pam
>
> Why not use saslauthd, which then calls PAM? Though this should work
> too.
>

How would I configure sendmail to use saslauthd?

> > I am using KMail for the MUA on my workstation. I've set it up as so:
> > Auth: LOGIN
> > Encryption: TLS
> >
> > When it goes to authenticate, KMail displays the following messages:
> > Sending failed:
> > Authentication failed.
> > Most likely the password is wrong.
> > The server responded: "5.7.0 authentication failed"
>
> Do it more simply first and AUTH without STARTTLS. Set confAUTH_OPTIONS to
> A only and configure KMail to not use TLS.
>

Done.

> > There is no message in /var/log/messages from sendmail.
>
> Check /var/log/maillog. Maybe increase LogLevel to 15 to have a more
> verbose output in maillog.
>

I put a line in sendmail.mc that reads as follows:

define(`confLOG_LEVEL', `15')dnl

This is the output of the maillog (dervish is the mail server, atlas is my workstation).

(1) When I used no encryption, with PLAIN login.

Feb 21 12:31:52 dervish sendmail[15768]: NOQUEUE: connect from atlas.jonathangardner.net [66.92.192.166]
Feb 21 12:31:52 dervish sendmail[15768]: AUTH: available mech=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 ANONYMOUS, allowed mech=DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: Milter: no active filter
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 220 dervish.jonathangardner.net ESMTP Sendmail 8.12.10/8.12.10; Sat, 21 Feb 2004 12:31:52 -0800
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: <-- EHLO atlas.jonathangardner.net
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 250-dervish.jonathangardner.net Hello atlas.jonathangardner.net [66.92.192.166], pleased to meet you
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 250-ENHANCEDSTATUSCODES
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 250-PIPELINING
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 250-8BITMIME
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 250-SIZE
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 250-DSN
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 250-ETRN
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 250-STARTTLS
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 250-DELIVERBY
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 250 HELP
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: <-- AUTH PLAIN
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 334
Feb 21 12:31:53 dervish sendmail[15768]: i1LKVqCx015768: --- 535 5.7.0 authentication failed
Feb 21 12:31:53 dervish sendmail[15768]: i1LKVqCx015768: AUTH failure (PLAIN): no mechanism available (-4) SASL(-4): no mechanism available: Password verification failed
Feb 21 12:31:53 dervish sendmail[15768]: i1LKVqCx015768: --- 421 4.4.1 dervish.jonathangardner.net Lost input channel from atlas.jonathangardner.net [66.92.192.166]
Feb 21 12:31:53 dervish sendmail[15768]: i1LKVqCx015768: atlas.jonathangardner.net [66.92.192.166] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

I think the relevant line is this one:

Feb 21 12:31:53 dervish sendmail[15768]: i1LKVqCx015768: AUTH failure (PLAIN): no mechanism available (-4) SASL(-4): no mechanism available: Password verification failed

saslauthd is running in the background, started with:

# service saslauthd start

> Do you contact Sendmail on port 25 or a different one?
>

Right now I am doing port 25, and the other ports above. I want it set up so that I can securely send mail through my server from almost anywhere.

- -- 
Jonathan Gardner
jgardner@xxxxxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAN8Jiqp6r/MVGlwwRAg4YAJ9peOOm13ZbQtCSiVkzjEOx9EFFhACfR13C
sFjXOBt2Q6W8ItC4ROdhW8s=
=WrBC
-----END PGP SIGNATURE-----
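
Added example, not part of the original message: a small Python audit of LogLevel 15 maillog output that compares the SASL mechanisms the daemon logs against the `LOGIN PLAIN` list from the quoted sendmail.mc, and records cleartext AUTH attempts and AUTH failures. The function and field names are hypothetical, and it assumes a client STARTTLS command is logged as `<-- STARTTLS` like the other client commands shown.

```python
import re
from collections import defaultdict

PLAINTEXT = {"PLAIN", "LOGIN"}  # mechanisms that put the password itself on the wire
PID = re.compile(r"sendmail\[(\d+)\]: (.*)$")
ALLOWED = re.compile(r"allowed mech=(.*)$")
ADVERTISED = re.compile(r"--- 250[- ]AUTH (.*)$")
CLIENT_AUTH = re.compile(r"<-- AUTH (\S+)")
FAILURE = re.compile(r"AUTH failure \(([^)]+)\): .*? \((-?\d+)\) SASL\(-?\d+\): (.*)$")

# Four lines excerpted from the session in the message above.
SAMPLE = """\
Feb 21 12:31:52 dervish sendmail[15768]: AUTH: available mech=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 ANONYMOUS, allowed mech=DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: --- 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Feb 21 12:31:52 dervish sendmail[15768]: i1LKVqCx015768: <-- AUTH PLAIN
Feb 21 12:31:53 dervish sendmail[15768]: i1LKVqCx015768: AUTH failure (PLAIN): no mechanism available (-4) SASL(-4): no mechanism available: Password verification failed
"""

def analyze(log_text, configured):
    """Per sendmail PID: mechanisms offered vs. configured, cleartext AUTH, failures."""
    sessions = defaultdict(lambda: {"allowed": set(), "advertised": set(), "tls": False,
                                    "plaintext_without_tls": [], "failures": []})
    for raw in log_text.splitlines():
        m = PID.search(raw)
        if not m:
            continue
        s, msg = sessions[m.group(1)], m.group(2)
        if (a := ALLOWED.search(msg)):
            s["allowed"] = set(a.group(1).split())
        elif (a := ADVERTISED.search(msg)):
            s["advertised"] = set(a.group(1).split())
        elif "<-- STARTTLS" in msg:  # assumption: logged like other client commands
            s["tls"] = True
        elif (a := CLIENT_AUTH.search(msg)):
            if a.group(1).upper() in PLAINTEXT and not s["tls"]:
                s["plaintext_without_tls"].append(a.group(1).upper())
        elif (a := FAILURE.search(msg)):
            s["failures"].append((a.group(1), int(a.group(2)), a.group(3)))
    for s in sessions.values():
        # Mechanisms offered beyond the intended list: running config differs from the .mc.
        s["unexpected"] = sorted((s["advertised"] | s["allowed"]) - set(configured))
    return dict(sessions)

if __name__ == "__main__":
    for pid, s in analyze(SAMPLE, {"LOGIN", "PLAIN"}).items():
        print(pid, s["unexpected"], s["plaintext_without_tls"], s["failures"])
```

On the excerpt it reports DIGEST-MD5 and CRAM-MD5 as offered although the quoted `confAUTH_MECHANISMS` lists only `LOGIN PLAIN`, one AUTH PLAIN sent without TLS, and the SASL -4 failure.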