Old 05/09/2007, 16h02   #6
Bill Cole
 
Posts: n/a
Hosting provider:
Re: SASL Auth -- "no secret in database"

In article <fbma5a$q6a$1@e250.ripco.com>,
Bruce Esquibel <bje@e4500.ripco.com> wrote:

> He managed to get us a copy of his logs of the smtp conversation and the one
> thing that stood out was this...
>
> 4/9/2007 15:40:05.890 - 00000003<250-ETRN
> 4/9/2007 15:40:05.890 - 00000003<250-AUTH PLAIN LOGIN CRAM-MD5
> 4/9/2007 15:40:05.890 - 00000003<250-STARTTLS
> 4/9/2007 15:40:05.890 - 00000003<250-DELIVERBY
> 4/9/2007 15:40:05.890 - 00000003<250
> 4/9/2007 15:40:05.890 - 00000003>AUTH CRAM-MD5
> 4/9/2007 15:40:05.953 - 00000003<334 PDM1NjA0NzExMjQuMTQ1MzMzNjFAZW1haWwucmlwY28uY29tPg==
> 4/9/2007 15:40:05.953 - 00000003>ZGF0YXdhdmUgNzBhMzRjM2Y3MTZhMjllZjliN2U0ZTc2ZmI3YTZjOWE=
> 4/9/2007 15:40:06.031 - 00000003<535 5.7.0 authentication failed
> 4/9/2007 15:40:06.031 - 00000003>QUIT
>
> The problem here is, his software (VPOP3), according to him, has no
> reference to supporting or using MD5 anything.
>
> Hmmmm.


CRAM-MD5 is a SASL authentication mechanism that can be used over an
unencrypted channel because it never transmits the password in a
recoverable form. The flipside of that advantage is that it requires
that both the client and server have unencrypted forms of the
password or "shared secret." That might be considered a problem for some
people.


> For yucks I did a quick edit on our sendmail.cf clipping out the CRAM-MD5
> from the AuthMechanisms= line and it not only fixed his problem but stopped
> the syslog messages about the no user in db stuff.
>
> Since it isn't going to hurt anything, I'd suggest the original poster who
> lost AUTH from working, do the same and see what happens.


Actually, it CAN hurt. If you care about the risk of sniffed passwords,
supporting LOGIN and PLAIN over unencrypted channels is a problem. On
the other hand, if you already require TLS, then using CRAM-MD5 or
DIGEST-MD5 is pointless.

A better approach if you support unencrypted sessions is to actually
make CRAM-MD5 work. That includes building the SASL password database.

> Just set the one line in sendmail.cf to
>
> O AuthMechanisms=PLAIN LOGIN
>
> restart sendmail and see how it works now.
>
> Being we never ran into this in the past with pre 8.14.x sendmail and are
> using a known working saslauthd, like I said in the beginning, I wouldn't
> rule out some bug in this version.
>
> The old 8.12.x had the line
>
> O AuthMechanisms=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>
> and this wasn't an issue, it is with 8.14.1.
>
> Don't know what to make of it all but is what it is.


The difference is indeed odd.

--
Now where did I hide that website...
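The exchange in the quoted log and the "no secret in database" failure, as an added example that is not part of the original post: this Python script implements the client and server halves of CRAM-MD5 (RFC 2195: HMAC-MD5 of the server's challenge keyed with the shared secret, returned as `username SPACE hexdigest` in base64). The challenge is the one base64-decoded from the quoted `334` log line; the user `alice`, her password and the in-memory `SECRET_DB` dict are constructed stand-ins for a real sasldb. It shows why the server needs the plaintext secret on file: without it there is nothing to key the HMAC with, and the only honest answer is the "no secret in database" error from the thread's subject line.

```python
import base64
import hashlib
import hmac

# Challenge as sent by the server in the quoted log ("334 PDM1..."), base64-encoded.
LOG_CHALLENGE_B64 = "PDM1NjA0NzExMjQuMTQ1MzMzNjFAZW1haWwucmlwY28uY29tPg=="

# Constructed stand-in for the SASL secret database (sasldb2 on a real server).
# CRAM-MD5 forces the server to keep the *plaintext* shared secret, which is
# the trade-off the post describes.
SECRET_DB = {"alice": "correct horse battery staple"}


def decode_challenge(challenge_b64: str) -> str:
    """Server challenge is an RFC 822 msg-id style string, base64-wrapped on the wire."""
    return base64.b64decode(challenge_b64).decode("ascii")


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5(key=password, msg=challenge), hex, prefixed by the username."""
    digest = hmac.new(password.encode("utf-8"), challenge.encode("ascii"),
                      hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("ascii")).decode("ascii")


def verify_cram_md5(response_b64: str, challenge: str, secret_db: dict) -> tuple:
    """Server side. Returns (ok, reason); the reason strings mirror the failures
    seen in the thread (the 535 reply and the syslog 'no secret' message)."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("ascii")
        username, digest = decoded.split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed response"

    secret = secret_db.get(username)
    if secret is None:
        # No plaintext secret on file: the server cannot recompute the HMAC at all.
        return False, "no secret in database"

    expected = hmac.new(secret.encode("utf-8"), challenge.encode("ascii"),
                        hashlib.md5).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return False, "authentication failed"
    return True, "ok"


if __name__ == "__main__":
    challenge = decode_challenge(LOG_CHALLENGE_B64)
    print("challenge:", challenge)
    good = cram_md5_response("alice", SECRET_DB["alice"], challenge)
    print("alice, correct password:", verify_cram_md5(good, challenge, SECRET_DB))
    bad = cram_md5_response("alice", "wrong", challenge)
    print("alice, wrong password:  ", verify_cram_md5(bad, challenge, SECRET_DB))
    unknown = cram_md5_response("bob", "whatever", challenge)
    print("bob, not in sasldb:     ", verify_cram_md5(unknown, challenge, SECRET_DB))
```

The third case is the one from the thread: a client that advertises and picks CRAM-MD5 against a server whose sasldb has no entry for that user can only ever get a 535, which is why dropping CRAM-MD5 from AuthMechanisms= "fixes" it, and why populating the secret database fixes it without falling back to plaintext mechanisms.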