comp.mail.imap Discussion of IMAP-based mail systems.

sendmail + auth as client to ISP, but internally (imap) no auth wanted

17/08/2006, 14:23   #1
Uwe Behle

Hi,

my ISP informed me that they will be using smtp auth soon, so I made the
necessary changes in my sendmail.mc:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

The ISP suggests not to use TLS/SSL (no idea why), but seems to accept
STARTTLS, so the LOGIN and PLAIN methods are at least encrypted:

Aug 17 10:51:52 webbie sendmail[13782]: STARTTLS=client, relay=...,
version=TLSv1/SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168


Now I have the problem, that local authentication does not work. I get
this error with the new sendmail.cf:

Aug 17 11:05:45 webbie sendmail[13858]: k7H95hHn013857: AUTH=client,
available mechanisms do not fulfill requirements
Aug 17 11:05:45 webbie sendmail[13858]: AUTH=client, relay=localhost,
temporary failure, connection abort
Aug 17 11:05:45 webbie sendmail[13858]: k7H95hHn013857: to=posting3,
delay=00:00:02, xdelay=00:00:00, mailer=cyrusv2, pri=162089,
relay=localhost, dsn=4.7.1, stat=Deferred: Temporary AUTH failure


Since on my mail-gw sendmail passes any incoming mail on to cyrus-imap,
I don't need this type of authentication and would like to use it only
for sending mail to my ISP's relay.

MAILER(smtp)dnl
MAILER(procmail)dnl
MAILER(local)dnl
MAILER(cyrusv2)dnl
define(`CYRUSV2_MAILER_FLAGS',`A5@W')dnl
define(`CYRUSV2_LMTP_SOCKET',`/var/lib/imap/socket/lmtp')dnl
define(`confLOCAL_MAILER',`cyrusv2')dnl
dnl LOCAL_RULE_0
dnl R$=N $: $#local $: $1
dnl R$=N < @ $=w . > $: $#local $: $1
dnl Rbb + $+ < @ $=w . > $#cyrusbb $: $1


Is there any way to configure that? Can I disable AUTH for local mail
delivery? Do I need to enable some AUTH-METHODS (PLAIN and LOGIN) for
local delivery (and sasl)?

Uwe

17/08/2006, 15:20   #2
Alexander Dalloz

On Thu, 17 Aug 2006 15:23:29 +0200 Uwe Behle wrote:

> my ISP informed me that they will be using smtp auth soon, so I made the
> necessary changes in my sendmail.mc:
>
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
> PLAIN')dnl
> FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
>
> The ISP suggests not to use TLS/SSL (no idea why), but seems to accept
> STARTTLS, so the LOGIN and PLAIN methods are at least encrypted:
>
> Aug 17 10:51:52 webbie sendmail[13782]: STARTTLS=client, relay=...,
> version=TLSv1/SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168
>
>
> Now I have the problem, that local authentication does not work. I get
> this error with the new sendmail.cf:
>
> Aug 17 11:05:45 webbie sendmail[13858]: k7H95hHn013857: AUTH=client,
> available mechanisms do not fulfill requirements
> Aug 17 11:05:45 webbie sendmail[13858]: AUTH=client, relay=localhost,
> temporary failure, connection abort
> Aug 17 11:05:45 webbie sendmail[13858]: k7H95hHn013857: to=posting3,
> delay=00:00:02, xdelay=00:00:00, mailer=cyrusv2, pri=162089,
> relay=localhost, dsn=4.7.1, stat=Deferred: Temporary AUTH failure
>
>
> Since on my mail-gw sendmail passes any incoming mail on to cyrus-imap,
> I don't need this type of authentication and would like to use it only
> for sending mail to my ISP's relay.


In access_db you have set relay for localhost / 127.0.0.1?

> MAILER(smtp)dnl
> MAILER(procmail)dnl
> MAILER(local)dnl
> MAILER(cyrusv2)dnl
> define(`CYRUSV2_MAILER_FLAGS',`A5@W')dnl
> define(`CYRUSV2_LMTP_SOCKET',`/var/lib/imap/socket/lmtp')dnl
> define(`confLOCAL_MAILER',`cyrusv2')dnl


Do not set such mailer modifications below any MAILER.

> dnl LOCAL_RULE_0
> dnl R$=N $: $#local $: $1
> dnl R$=N < @ $=w . > $: $#local $: $1
> dnl Rbb + $+ < @ $=w . > $#cyrusbb $: $1
>
>
> Is there any way to configure that? Can I disable AUTH for local mail
> delivery? Do I need to enable some AUTH-METHODS (PLAIN and LOGIN) for
> local delivery (and sasl)?


First + second question: yes, use access_db
Third question: no.

> Uwe


Alexander


--
Alexander Dalloz | Löhne, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 16:17:23 up 2 days, 21:23, load average: 0.34, 0.25, 0.26

18/08/2006, 02:37   #3
devon_banks@comcast.net

Why are you sending your email via your ISP when you have an SMTP
server?
I ask because I recently got the same email message about security from
my ISP.
But I currently have my internal email clients using my sendmail server
as the SMTP server and the clients are pulling POP3 from the ISP and my
internal POP3 server.
Basically I set it up this way so that internal messages do not go to
an external server.
I'm just curious, because I'm wondering if I missed something wrong
with doing this.
Uwe Behle wrote:
> Hi,
>
> my ISP informed me that they will be using smtp auth soon, so I made the
> necessary changes in my sendmail.mc:
>
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
> PLAIN')dnl
> FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
>
> The ISP suggests not to use TLS/SSL (no idea why), but seems to accept
> STARTTLS, so the LOGIN and PLAIN methods are at least encrypted:
>
> Aug 17 10:51:52 webbie sendmail[13782]: STARTTLS=client, relay=...,
> version=TLSv1/SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168
>
>
> Now I have the problem, that local authentication does not work. I get
> this error with the new sendmail.cf:
>
> Aug 17 11:05:45 webbie sendmail[13858]: k7H95hHn013857: AUTH=client,
> available mechanisms do not fulfill requirements
> Aug 17 11:05:45 webbie sendmail[13858]: AUTH=client, relay=localhost,
> temporary failure, connection abort
> Aug 17 11:05:45 webbie sendmail[13858]: k7H95hHn013857: to=posting3,
> delay=00:00:02, xdelay=00:00:00, mailer=cyrusv2, pri=162089,
> relay=localhost, dsn=4.7.1, stat=Deferred: Temporary AUTH failure
>
>
> Since on my mail-gw sendmail passes any incoming mail on to cyrus-imap,
> I don't need this type of authentication and would like to use it only
> for sending mail to my ISP's relay.
>
> MAILER(smtp)dnl
> MAILER(procmail)dnl
> MAILER(local)dnl
> MAILER(cyrusv2)dnl
> define(`CYRUSV2_MAILER_FLAGS',`A5@W')dnl
> define(`CYRUSV2_LMTP_SOCKET',`/var/lib/imap/socket/lmtp')dnl
> define(`confLOCAL_MAILER',`cyrusv2')dnl
> dnl LOCAL_RULE_0
> dnl R$=N $: $#local $: $1
> dnl R$=N < @ $=w . > $: $#local $: $1
> dnl Rbb + $+ < @ $=w . > $#cyrusbb $: $1
>
>
> Is there any way to configure that? Can I disable AUTH for local mail
> delivery? Do I need to enable some AUTH-METHODS (PLAIN and LOGIN) for
> local delivery (and sasl)?
>
> Uwe


18/08/2006, 07:37   #4
Uwe Behle

devon_banks@comcast.net wrote:
> Why are you sending your email via your ISP when you have an SMTP
> server?
> I ask because I recently got the same email message about security from
> my ISP.
> But I currently have my internal email clients using my sendmail server
> as the SMTP server and the clients are pulling POP3 from the ISP and my
> internal POP3 server.


Because, for fear of spam, more and more ISPs reject mail if you are not
in their accepted IP-address range.

Uwe

18/08/2006, 11:28   #5
david20@alpha2.mdx.ac.uk

In article <44e5602e@news.ish.de>, Uwe Behle <posting2@df3du.mine.nu> writes:
>devon_banks@comcast.net wrote:
>> Why are you sending your email via your ISP when you have an SMTP
>> server?
>> I ask because I recently got the same email message about security from
>> my ISP.
>> But I currently have my internal email clients using my sendmail server
>> as the SMTP server and the clients are pulling POP3 from the ISP and my
>> internal POP3 server.

>
>Because, for fear of spam, more and more ISPs reject mail if you are not
>in their accepted IP-address range.
>
>Uwe


Lots of mail servers check against lists such as
MAPS DUL (http://www.mail-abuse.com/enduserinfo_dul.html) and
SORBS DUHL (http://www.us.sorbs.net/faq/dul.shtml)

which list ISP's dynamically assigned address ranges but not the ISP's own
central mailservers.

Hence if you set up your own mail server using the broadband address provided
by your ISP and try to send mail out directly rather than through your ISP's
mail server you will probably find quite a lot of your mail rejected.

(A number of ISPs also block outgoing port 25 connections which effectively
stops direct sending of mail. To overcome it you either have to send through
the ISP's mail server or through another server with which you have made special
arrangements so that you can send using a different port).


David Webb
Security team leader
CCSS
Middlesex University

18/08/2006, 19:06   #6
Uwe Behle

Hi Alexander,

thanks for the hints.

Alexander Dalloz wrote:

>
> In access_db you have set relay for localhost / 127.0.0.1?
>

Yes this is set to RELAY.

>> MAILER(smtp)dnl
>> MAILER(procmail)dnl
>> MAILER(local)dnl
>> MAILER(cyrusv2)dnl
>> define(`CYRUSV2_MAILER_FLAGS',`A5@W')dnl
>> define(`CYRUSV2_LMTP_SOCKET',`/var/lib/imap/socket/lmtp')dnl
>> define(`confLOCAL_MAILER',`cyrusv2')dnl

>
> Do not set such mailer modifications below any MAILER.


OK, it seems to work, but I have moved the lines anyway.


>> Is there any way to configure that? Can I disable AUTH for local mail
>> delivery? Do I need to enable some AUTH-METHODS (PLAIN and LOGIN) for
>> local delivery (and sasl)?

>
> First + second question: yes, use access_db
> Third question: no.


I am still not any further. As soon as I put the line

FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

in my sendmail.mc, I get the error:

AUTH=client, available mechanisms do not fulfill requirements

I found some remotely similar discussion about how sendmail and sasl
play together and it seems that if they use different AUTH METHODS, that
could be a reason why it fails:

saslauthd -v
saslauthd 2.1.18
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

and in sendmail I have:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

So I changed the /usr/lib/sasl2/Sendmail.conf:
pwcheck_method:saslauthd
mech_list:EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN

liblogin and libplain are in /usr/lib/sasl2

Unfortunately it still does not work.


Uwe

18/08/2006, 21:08   #7
Alexander Dalloz

On Fri, 18 Aug 2006 20:06:26 +0200 Uwe Behle wrote:

> I am still not any further. As soon as I put the line
>
> FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl


What did you set in the client-info file? Especially the "M:" setting is
of interest. And please tell us which MECHs your ISP's MTA offers you.

> in my sendmail.mc, I get the error:
>
> AUTH=client, available mechanisms do not fulfill requirements
>
> I found some remotely similar discussion about how sendmail and sasl
> play together and it seems that if they use different AUTH METHODS, that
> could be a reason why it fails:
>
> saslauthd -v
> saslauthd 2.1.18
> authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap


That is of interest if you offer AUTH with Sendmail as server. You
are trying to configure Sendmail as the client side.

> and in sendmail I have:
>
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>
> So I changed the /usr/lib/sasl2/Sendmail.conf:
> pwcheck_method:saslauthd
> mech_list:EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN


Sendmail server SMTP AUTH configuration. For that it also matters how
saslauthd is configured to run.

> liblogin and libplain are in /usr/lib/sasl2
>
> Unfortunately it still does not work.
>
>
> Uwe


Alexander


--
Alexander Dalloz | Löhne, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 22:05:33 up 4 days, 3:11, load average: 0.14, 0.16, 0.17

19/08/2006, 09:27   #8
Uwe Behle

Alexander Dalloz wrote:
> On Fri, 18 Aug 2006 20:06:26 +0200 Uwe Behle wrote:
>
>> I am still not any further. As soon as I put the line
>>
>> FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

>
> What did you set in the client-info file? Especially the "M:" setting is
> of interest. And please tell us which MECHs your ISP's MTA offers you.


To make that clear: the authentication to my ISP works just fine with
the authinfo feature; here is the data:

AuthInfo: "U:xxx" "I:xxx@yyyy.de" "P:zzzz" "M:LOGIN"
and ISP:

250-DSN
250-SIZE 10485760
250-STARTTLS
250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM
250-ETRN
250-TURN
250-ATRN
250-NO-SOLICITING
250-
250-PIPELINING
250 EHLO

>>
>> saslauthd -v
>> saslauthd 2.1.18
>> authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

>
> That is of interest if you would offer AUTH with Sendmail as server. You
> try to configure Sendmail as client side.
>


Actually, the client side works fine. I am not sure how to
configure/disable the server part of sendmail. Is that the
TRUST_AUTH_MECH in sendmail.mc?

My understanding is that the AuthInfo feature only affects the client
side. The only explanation would be that sendmail acts as client when
communicating with the cyrus2 mailer. The following lines seem to
support that:

(without AuthInfo method):
Aug 19 05:10:44 webbie lmtpunix[7023]: lmtp connection preauth'd as postman
Aug 19 05:10:44 webbie sendmail[7022]: AUTH=client, relay=localhost,
mech=, bits=0

(with AuthInfo method):

Aug 17 10:53:52 webbie lmtpunix[13720]: lmtp connection preauth'd as postman
Aug 17 10:53:52 webbie master[13786]: about to exec
/usr/lib/cyrus-imapd/lmtpd
Aug 17 10:53:52 webbie sendmail[13784]: k7H8rnFe013783: AUTH=client,
available mechanisms do not fulfill requirements
Aug 17 10:53:52 webbie sendmail[13784]: AUTH=client, relay=localhost,
temporary failure, connection abort


>> and in sendmail I have:
>>
>> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>>
>> So I changed the /usr/lib/sasl2/Sendmail.conf:
>> pwcheck_method:saslauthd
>> mech_list:EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN

>
> Sendmail server SMTP AUTH configuration. For that it also matters how
> saslauthd is configured to run.


My SMTP AUTH settings are:

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250

How do I get saslauthd to use the LOGIN method or configure sendmail to
use saslauthd compatible methods?

Is my understanding correct that saslauthd -v displays only the
"external" authentication methods, involving the os (passwd or shadow)
or other authenticators (PAM, ldap, kerberos)?
The Sendmail.conf affects the "internal" methods (namely in communication
with sendmail). But how do I check if they are configured and work?

I am also not sure what the role of lmtpd is. It is configured to run
with -a (preauth'd). Could that be the problem?

Uwe
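
Sendmail's cf/README documents the authinfo lookup order as {server_name}, then {server_addr}, then the bare AuthInfo: tag as a default, so an entry without a host key, like the one posted in #8, is offered to every peer that advertises AUTH, the local LMTP hop included. The following is an added example, not code from the thread or from sendmail: a simplified Python model of that lookup and of the mechanism check, comparing the posted entry with a host-keyed one. The relay name smtp.isp.example, the address 192.0.2.25 and the AUTH list for lmtpd are placeholders or constructed values, since the thread shows none of them.

```python
import shlex

TAG = "AuthInfo:"

def parse_authinfo(text):
    """Map lookup key -> fields; the key "" is the catch-all default entry."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(TAG):
            continue  # blank lines, comments, other tags
        rest = line[len(TAG):]
        # Nothing, or whitespace, directly after the tag: no host key given.
        key = "" if not rest or rest[0].isspace() else rest.split(None, 1)[0]
        fields = shlex.split(rest[len(key):])
        entries[key.lower()] = dict(f.split(":", 1) for f in fields if ":" in f)
    return entries

def client_auth(entries, server_name, server_addr, offered):
    """Return (matched_key, outcome) for one outgoing connection."""
    if not offered:
        return None, "skip"      # peer advertised no AUTH at all
    # Lookup order: server name, then server address, then the bare tag.
    for key in (server_name.lower(), server_addr, ""):
        if key in entries:
            break
    else:
        return None, "skip"      # no credentials apply to this peer
    # Simplification: without an M: field, any offered mechanism is accepted.
    wanted = entries[key].get("M", " ".join(offered)).split()
    usable = [m for m in wanted if m in offered]
    return key, ("ok:" + usable[0] if usable else "nomech")

# AUTH list from the ISP's EHLO reply quoted in post #8.
ISP_OFFERED = "LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM".split()
# Constructed: the thread does not show what lmtpd advertises.
LMTP_OFFERED = ["DIGEST-MD5"]
# Placeholder relay name and address; the thread elides the real ones.
ISP = ("smtp.isp.example", "192.0.2.25")
LOCAL = ("localhost", "127.0.0.1")

AS_POSTED = 'AuthInfo: "U:xxx" "I:xxx@yyyy.de" "P:zzzz" "M:LOGIN"'
HOST_KEYED = 'AuthInfo:smtp.isp.example "U:xxx" "I:xxx@yyyy.de" "P:zzzz" "M:LOGIN"'

def compare():
    """Outcome per variant for the ISP relay and for the local LMTP hop."""
    rows = {}
    for label, text in (("as posted", AS_POSTED), ("host-keyed", HOST_KEYED)):
        e = parse_authinfo(text)
        rows[label] = (client_auth(e, *ISP, ISP_OFFERED),
                       client_auth(e, *LOCAL, LMTP_OFFERED))
    return rows

if __name__ == "__main__":
    for label, (isp, local) in compare().items():
        print(f"{label:10} ISP relay -> {isp}   localhost -> {local}")
```

In this model "nomech" stands for the "available mechanisms do not fulfill requirements" log line, and "skip" for a connection on which no client AUTH is attempted.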