SMTP Authentication

Reed Lai reedlai at hotmail.com
Fri Jul 31 05:05:11 UTC 2009


I am very sorry. I forgot to "make install" to install the
/etc/mail/sendmail.cf, so only the banyan..mc/cf files were updated.
I always forget the final target is sendmail.cf XD

The new server is available for AUTH LOGIN now.
The trouble is resolved.

Ihor, thank you very much for all the help!

Reed Lai

From: Reed Lai
Sent: Friday, July 31, 2009 12:51 PM
To: FreeBSD Question
Subject: Re: SMTP Authentication


The test of saslauthd seems OK too:

--------
banyan# testsaslauthd -s smtp -u aNNNNNN -p xxxxxxxx
0: OK "Success."
--------

The auth login in smtp connection is still not available:

--------
ehlo local
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
...
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
auth login
504 5.3.3 AUTH mechanism login not available
--------

Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:26 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


And the LOGIN option is selected (as a ports default option) when
installing cyrus-sasl2.

Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:14 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


Both servers have the same ldd output, and Sendmail.conf contains only
"pwcheck_method: saslauthd"

--------
banyan# ldd -a /usr/sbin/sendmail
/usr/sbin/sendmail:
        libutil.so.7 => /lib/libutil.so.7 (0x2807d000)
        libc.so.7 => /lib/libc.so.7 (0x2808a000)
/lib/libutil.so.7:
        libc.so.7 => /lib/libc.so.7 (0x2808a000)
banyan#
banyan# ll /usr/local/lib/sasl2/Sendmail.conf
-rw-r--r--  1 root  wheel  26  7 29 14:56 /usr/local/lib/sasl2/Sendmail.conf
banyan# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd
--------

Reed

From: Ihor Prystay
Sent: Friday, July 31, 2009 2:55 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


You may check the location of sasl2 lib which sendmail is compiled with
- do ldd on sendmail executable. And verify if Sendmail.conf in the
sasl2 lib folder doesn't have any restrictions on available mechs.

Ihor



Reed Lai wrote:
> The liblogin.so is in directory
>
> banyan# ll /usr/local/lib/sasl2/liblogin.so
> lrwxr-xr-x  1 root  wheel  13  7 29 14:54 /usr/local/lib/sasl2/liblogin.so -> liblogin.so.2
> banyan# ll /usr/local/lib/sasl2/liblogin.so.2
> -rwxr-xr-x  1 root  wheel  17172  7 29 14:54 /usr/local/lib/sasl2/liblogin.so.2
>
> There is only confAUTH_MECHANISMS in .mc file, not confAUTH_OPTIONS
>
> dnl set SASL options
> dnl --------------------------------
> TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
>
> Reed
>
> From: Ihor Prystay
> Sent: Thursday, July 30, 2009 4:58 PM
> To: FreeBSD Question
> Subject: Re: SMTP Authentication
>
>
> Check if /usr/local/lib/sasl2/liblogin.so exists - if not you have to
> recompile sasl with LOGIN mech support.
> Check in your .mc file if you define confAUTH_OPTIONS macro. If you do
> make sure 'p' parameter is not on the list or LOGIN would be available
> only after TLS encryption which is not the case for you as your working
> configuration offers LOGIN during telnet session (it's actually a bad
> idea to do authentication in clear text).
>
> Ihor
>
>
> Reed Lai wrote:
>> Yes, the new server lacks LOGIN in the 250-AUTH list!
>>
>> New server
>> =========
>> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
>>
>> Functional server
>> ==============
>> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
>>
>> I have checked the generated .cf file on the new server and the
>> class and option are listed
>>
>> C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
>> O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
>>
>> The new server has the same configuration as the old server, but does
>> not have LOGIN in the 250-AUTH list.
>> BTW, the new server has had its hostname changed once... I don't know
>> if it matters or not.
>>
>> Reed
>>
>> From: Ihor Prystay
>> Sent: Thursday, July 30, 2009 2:35 PM
>> To: freebsd-questions at freebsd.org
>> Subject: Re: SMTP Authentication
>>
>>
>> Try telnet to port 25 of your working SMTP server and compare the
>> output.
>> Check
>> 250-AUTH <list of supported auth mech>
>> According to the provided log from the working server there should be a
>> LOGIN mech available in the list, which is not present on the new server.
>>
>> Ihor
>>
>>
>> Reed Lai wrote:
>>> The maillog does not log the sm-mta: AUTH=server action. The functional
>>> server has the AUTH=server action logged. How do I debug from this
>>> difference?
>>>
>>> Reed
>>>
>>> From: Reed Lai
>>> Sent: Thursday, July 30, 2009 11:51 AM
>>> To: FreeBSD Questions
>>> Subject: Re: SMTP Authentication
>>>
>>>
>>> The mail client is Windows Live Mail and it works well with the functional
>>> server. Its SMTP authentication should be ok.
>>>
>>> Reed
>>>
>>>
>>> From: Ihor Prystay
>>> Sent: Thursday, July 30, 2009 10:49 AM
>>> To: freebsd-questions at freebsd.org
>>> Subject: Re: SMTP Authentication
>>>
>>>
>>> Your working server does support LOGIN mech while the other one doesn't.
>>> I doubt if your mail client has support for GSSAPI DIGEST-MD5 CRAM-MD5
>>> auth, usually it's PLAIN or/and LOGIN.
>>>
>>> Ihor
>>>
>>>
>>>
>>> Reed Lai wrote:
>>>> Instructions from "SMTP AUTH in sendmail 8.10-8.13" to test Sendmail:
>>>>
>>>> banyan# sendmail -d0.1 -bv root
>>>> Version 8.14.2
>>>> Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
>>>>                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2
>>>>                SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
>>>>
>>>> ============ SYSTEM IDENTITY (after readcf) ============
>>>>      (short domain name) $w = banyan
>>>>  (canonical domain name) $j = banyan...com
>>>>         (subdomain name) $m = ..com
>>>>              (node name) $k = banyan...com
>>>> ========================================================
>>>>
>>>> root... deliverable: mailer local, user root
>>>>
>>>> banyan# telnet localhost 25
>>>> Trying 127.0.0.1...
>>>> Connected to localhost.
>>>> Escape character is '^]'.
>>>> 220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40 +0800 (CST)
>>>> ehlo localhost
>>>> 250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
>>>> 250-ENHANCEDSTATUSCODES
>>>> 250-PIPELINING
>>>> 250-8BITMIME
>>>> 250-SIZE
>>>> 250-DSN
>>>> 250-ETRN
>>>> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
>>>> 250-DELIVERBY
>>>> 250 HELP
>>>>
>>>> The Sendmail test seems OK
>>>> But the SMTP authentication does not work from my mail client.
>>>>
>>>> Reed
>>>>
>>>>
>>>> From: Reed Lai
>>>> Sent: Wednesday, July 29, 2009 5:37 PM
>>>> To: freebsd-questions at freebsd.org
>>>> Subject: SMTP Authentication
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I have two FreeBSD mail servers, both configured with SMTP authentication:
>>>>
>>>>    FreeBSD Handbook 28.10 SMTP Authentication
>>>>    http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html
>>>>
>>>>    SMTP AUTH in sendmail 8.10-8.13
>>>>    http://www.sendmail.org/~ca/email/auth.html
>>>>
>>>> One is functional, and the other one doesn't seem to work. Comparing the
>>>> maillogs of the two servers, an AUTH=server message appears on the
>>>> functional server, but not on the other one.
>>>>
>>>> The maillog of functional server
>>>> ======================
>>>> Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-....net [59...147], authid=a660407, mech=LOGIN, bits=0
>>>> Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=<reedlai at ...>, size=1430, class=0, nrcpts=1, msgid=<40F9CC65E8874D128639A39C1EEBD410 at ReedXP>, proto=ESMTP, daemon=IPv4, relay=59-...net [59...147]
>>>>
>>>> The other one
>>>> =========
>>>> Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt, arg1=<reedlai at ...>, relay=59-...-147.HINET-IP.hinet.net [59...147], reject=550 5.7.1 <reedlai at ...>... Relaying denied
>>>> Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=<reedlai at ...>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, relay=59-...-147.HINET-IP.hinet.net [59...147]
>>>>
>>>> It seems the other one's SMTP authentication is not triggered.
>>>>
>>>> Please help or tip me for something I forget.
>>>>
>>>> Thank you!
>>>>
>>>> Reed
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
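
Added example, not part of the original thread: the check that would have caught this problem early is to compare the `O AuthMechanisms=` line of the sendmail.cf the daemon actually loads (the installed /etc/mail/sendmail.cf, not the freshly generated one) with the `250-AUTH` line from EHLO, and to note whether LOGIN or PLAIN is being offered without TLS. The function names are hypothetical, the sample strings are constructed from lines quoted in the thread, and `AuthOptions` is assumed to be the .cf option that `confAUTH_OPTIONS` generates.

```python
import re

# Mechanisms that send the password merely base64-encoded, so they are
# only safe inside a TLS session.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}


def parse_ehlo_auth(ehlo_text):
    """Return the mechanisms advertised on the '250-AUTH' / '250 AUTH' line."""
    for line in ehlo_text.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            return m.group(1).upper().split()
    return []


def parse_cf_option(cf_text, name):
    """Return the value of an active 'O Name=value' line in a sendmail.cf."""
    for line in cf_text.splitlines():
        m = re.match(r"O\s+%s\s*=\s*(.*)" % re.escape(name), line)
        if m:
            return m.group(1).strip()
    return ""


def diagnose(cf_text, ehlo_text, tls_active=False):
    configured = parse_cf_option(cf_text, "AuthMechanisms").upper().split()
    advertised = parse_ehlo_auth(ehlo_text)
    offered_clear = [m for m in advertised if m in CLEARTEXT_MECHS]
    return {
        # Configured but not offered: the daemon is running a different .cf,
        # the SASL plugin is missing, or AuthOptions 'p' is hiding it.
        "missing": [m for m in configured if m not in advertised],
        # Password-equivalent mechanisms offered on an unencrypted session.
        "cleartext_offered": [] if tls_active else offered_clear,
        "p_option_set": "p" in parse_cf_option(cf_text, "AuthOptions"),
    }


# Constructed samples based on the lines quoted in the thread.
CF = ("C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN\n"
      "O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN\n")
EHLO_NEW = "250-PIPELINING\n250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5\n250 HELP\n"
EHLO_OLD = "250-PIPELINING\n250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN\n250 HELP\n"

if __name__ == "__main__":
    print("new server:", diagnose(CF, EHLO_NEW))
    print("old server:", diagnose(CF, EHLO_OLD))
```

A non-empty `missing` list with the generated .cf means the running daemon is not using that file; a non-empty `cleartext_offered` list is the clear-text authentication Ihor warns about.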