cyrus-sasl2 setup failing
admin
admin2 at enabled.com
Wed Jun 4 21:35:53 PDT 2003
On Thu, 05 Jun 2003 05:54:45 +0200, Dirk Meyer wrote
> > Sendmail 8.12.9-sasl2 (compiled from /usr/ports/mail/sendmail-sasl)
> > cyrus-sasl-2.1.13 (compiled from /usr/ports/security/cyrus-sasl2-saslauthd)
> >
> > A client is still not able to authenticate via SASL - looks like it is not
> > happy but I am not sure how to fix it. Anybody got a clue what I am doing
> > wrong here?
>
> > --- from the logs when some attempts to authenticate ----
> > Jun 4 20:09:46 typhoon sm-mta[78399]: AUTH: available mech=NTLM LOGIN PLAIN
> > OTP DIGEST-MD5 CRAM-MD5, allowed mech=LOGIN PLAIN
>
> > Jun 4 20:09:46 typhoon sm-mta[78399]: h5539jJQ078399: AUTH failure (LOGIN):
> > no mechanism available (-4) SASL(-4): no mechanism available: checkpass failed
>
> > define(`confAUTH_OPTIONS', `A p y')dnl
> > define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
> > TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
>
> checkpass failed, is the saslauthd started?
> do you need the "A" Option?
wait I figured this out. I changed the saslauthd flags to

    if [ -z "${sasl_saslauthd_flags}" ]; then
        sasl_saslauthd_flags="-a getpwent"
    fi

got the daemon running and things are fine now.
are there any security issues here? looks like I cannot send mail unless I
have SSL enabled on the client side. So I think I have things running properly.
- Noah
>
> from: /usr/local/share/sendmail/cf/README
> confAUTH_OPTIONS    AuthOptions    [undefined] If this option is 'A'
>                     then the AUTH= parameter for the MAIL FROM
>                     command is only issued when authentication
>                     succeeded. [...] See doc/op/op.me for details.
>
> from: /usr/local/share/doc/sendmail/op.txt
> [no short name] List of options for SMTP
> AUTH consisting of single characters with
> intervening white space or commas.
>
>     A   Use the AUTH= parameter for the MAIL FROM
>         command only when authentication succeeded.
>         This can be used as a workaround for broken
>         MTAs that do not implement RFC 2554
>         correctly.
>     a   protection from active (non-dictionary)
>         attacks during authentication exchange.
>     c   require mechanisms which pass client
>         credentials, and allow mechanisms which can
>         pass credentials to do so.
>     d   don't permit mechanisms susceptible to passive
>         dictionary attack.
>     f   require forward secrecy between sessions
>         (breaking one won't help break next).
>     p   don't permit mechanisms susceptible to simple
>         passive attack (e.g., PLAIN, LOGIN), unless a
>         security layer is active.
>     y   don't permit mechanisms that allow anonymous login.
>
> The first option applies to sendmail as a
> client, the others to a server. Example:
>
> O AuthOptions=p,y
>
> more links:
> http://www.sendmail.org/~gshapiro/
> http://www.sendmail.org/~ca/email/auth.html
> http://www.asp.ogi.edu/people/paja/linux/sendmail/
> http://blue-labs.org/clue/sendmail.php
> http://www.digitalanswers.org/sendmail/
>
>
> kind regards Dirk
>
> - Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
> - [dirk.meyer at dinoex.sub.org],[dirk.meyer at guug.de],[dinoex at FreeBSD.org]
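
Added example, not part of the original thread and not sendmail code: a Python check for the behaviour described above, where the `p` AuthOption keeps PLAIN and LOGIN unavailable until a security layer (STARTTLS) is active. It compares the EHLO reply captured before STARTTLS with the one captured after it. The EHLO captures and the host names `mail.example.org` and `client.example.org` are constructed sample data, and the function names are hypothetical.

```python
import re

# Mechanisms that expose the password to a passive listener; these are the
# ones the 'p' AuthOption refuses unless a security layer is active.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Parse a multi-line EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:   # first line is the greeting
        # Accept both "AUTH LOGIN PLAIN" and the older "AUTH=LOGIN PLAIN" form.
        m = re.match(r"250[- ](\S+?)(?:[ =](.*))?$", line.strip())
        if m:
            params = (m.group(2) or "").upper().split()
            caps.setdefault(m.group(1).upper(), []).extend(params)
    return caps

def audit_auth_exposure(ehlo_clear, ehlo_tls):
    """Return findings about AUTH offers before and after STARTTLS."""
    clear, tls = parse_ehlo(ehlo_clear), parse_ehlo(ehlo_tls)
    findings = []
    exposed = PLAINTEXT_MECHS & set(clear.get("AUTH", []))
    if exposed:
        findings.append("cleartext AUTH offered without TLS: "
                        + " ".join(sorted(exposed)))
    if "STARTTLS" not in clear:
        findings.append("STARTTLS not offered before authentication")
    if not tls.get("AUTH"):
        findings.append("no AUTH mechanism offered after STARTTLS")
    return findings

# Constructed sample captures (not taken from the thread's server).
CLEAR_WITH_P = """250-mail.example.org Hello client.example.org
250-ENHANCEDSTATUSCODES
250-STARTTLS
250 HELP"""
TLS_WITH_P = """250-mail.example.org Hello client.example.org
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN PLAIN
250 HELP"""
CLEAR_NO_P = """250-mail.example.org Hello client.example.org
250-AUTH LOGIN PLAIN
250-STARTTLS
250 HELP"""

if __name__ == "__main__":
    print("with p:   ", audit_auth_exposure(CLEAR_WITH_P, TLS_WITH_P))
    print("without p:", audit_auth_exposure(CLEAR_NO_P, TLS_WITH_P))
```

An empty result for a server is the state the thread ends in: no password-bearing mechanism is usable until the client has negotiated TLS.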