Re: Sendmail SMTP Problem


 



On Sat, 10.04.2004 at 13:02, Frederic Herman wrote:


After upgrading from RedHat 9 to Fedora core, I have a problem with smtp, due to sendmail now using sasl for authentication. I have saslauthd running as:



SASL(2) was used for authentication before too.


/usr/sbin/saslauthd -m /var/run/saslauthd -a shadow



That is hopefully just the line you get by "ps axuw". Run the saslauthd service through its init script. Therein the MECH is specified and by default it's using shadow. You can overwrite that by setting the MECH in /etc/sysconfig/saslauthd (create that file if not there). To start the saslauthd run "service saslauthd start". To be sure it is automagically running in the desired runlevels use "chkconfig --list saslauthd".

Yes-- that's what I was doing.

which should use the /etc/shadow file for authentication. However, what actually happens is that each user must have their username & password in the /etc/sasldb2 file. As far as I can tell, the shadow password file isn't being used for authentication. The only configuration file that I'm aware of that sasl should be using is /usr/lib/sasl2/Sendmail.conf which contains:

pwcheck_method: saslauthd



saslauthd as pwcheck_method is correct. But it matters which client you use to talk with the Sendmail daemon and which auth mech that one uses. If your mail client is using i.e. CRAM-MD5 then this will not work with saslauthd against shadow. That will always require authentication against a sasldb2. Only PLAIN and LOGIN run with shadow.

You should check in your sendmail.mc configuration which authentication mechanisms your Sendmail offers to clients. You can see that too if you "telnet sendmail_IP 25" and, after the greeting, send an "EHLO foo". Sendmail then shows you, along with other information, a line "250 AUTH ...".



I'd actually like to not use passwords for this since I already restrict smtp to a very limited number of IPs, because every time a user starts their browser, they have to reenter their password.



If you do not require Sendmail authentication at all, because your SMTP restriction is already to a few very specific IPs (i.e. from private address area, static IPs) - you can switch off SMTP AUTH in your sendmail.mc and use "IP RELAY" in the access_db map. On the other hand, you could also switch off SMTP AUTH on a per-IP basis.


Any help would be appreciated.

Fred



Alexander

I tested sendmail via your suggestion and confirmed that it was only offering the auth methods that you said would not work with shadow passwords. I changed sendmail.mc to use PLAIN and LOGIN, and now the server is using the shadow passwords.

Rather than shutting off auth, I decided that using it would be a better idea even though I currently only service fixed and limited IPs. The reason is that I will be going through this drill for another mail server that in the past restricted what a roaming client could do. We will just instruct our mail clients to be prepared to enter a password, and have their browser remember it.

Thank you for your help.

Fred
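
The check described in this thread (read the "250 AUTH" line of the EHLO reply and compare it with what saslauthd can verify against shadow), written out as an added example that is not part of the original messages. The EHLO replies and host name are constructed samples; placing DIGEST-MD5 alongside CRAM-MD5 and the STARTTLS flag are assumptions added here, since the thread names only CRAM-MD5, PLAIN and LOGIN.

```python
import re

# saslauthd needs the cleartext password to check it against /etc/shadow,
# so only mechanisms that deliver it work (PLAIN and LOGIN, per the thread).
SHADOW_MECHS = {"PLAIN", "LOGIN"}
# Challenge-response mechanisms need a shared secret stored in sasldb2.
# DIGEST-MD5 is an assumption of this example; the thread names CRAM-MD5.
SASLDB_MECHS = {"CRAM-MD5", "DIGEST-MD5"}


def parse_ehlo(response):
    """Return (AUTH mechanisms, STARTTLS offered) from raw EHLO reply text."""
    mechs, starttls = set(), False
    for line in response.splitlines():
        m = re.match(r"250[ -](.*)", line.strip())
        if not m:
            continue
        body = m.group(1).strip()
        auth = re.match(r"(?i)AUTH[ =](.*)", body)  # also old "AUTH=" form
        if auth:
            mechs.update(auth.group(1).upper().split())
        elif body.upper() == "STARTTLS":
            starttls = True
    return mechs, starttls


def assess(response):
    """Classify the offered mechanisms by the backend that can verify them."""
    mechs, starttls = parse_ehlo(response)
    return {
        "shadow_ok": sorted(mechs & SHADOW_MECHS),
        "needs_sasldb2": sorted(mechs & SASLDB_MECHS),
        "other": sorted(mechs - SHADOW_MECHS - SASLDB_MECHS),
        # PLAIN/LOGIN carry the password base64-encoded only; flag servers
        # that offer them without also offering STARTTLS.
        "plaintext_without_starttls": bool(mechs & SHADOW_MECHS) and not starttls,
    }


# Constructed EHLO replies: before and after the sendmail.mc change.
BEFORE = ("250-mail.example.com Hello client, pleased to meet you\n"
          "250-8BITMIME\n250-AUTH DIGEST-MD5 CRAM-MD5\n250 HELP\n")
AFTER = ("250-mail.example.com Hello client, pleased to meet you\n"
         "250-8BITMIME\n250-AUTH LOGIN PLAIN\n250 HELP\n")

if __name__ == "__main__":
    for name, reply in (("before", BEFORE), ("after", AFTER)):
        print(name, assess(reply))
```
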



