comp.mail.imap: Discussion of IMAP-based mail systems.
#1
Hi,

my ISP informed me that they will be using smtp auth soon, so I made the necessary changes in my sendmail.mc:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

The ISP suggests not to use TLS/SSL (no idea why), but seems to accept STARTTLS, so the LOGIN and PLAIN methods are at least encrypted:

Aug 17 10:51:52 webbie sendmail[13782]: STARTTLS=client, relay=..., version=TLSv1/SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168

Now I have the problem that local authentication does not work. I get this error with the new sendmail.cf:

Aug 17 11:05:45 webbie sendmail[13858]: k7H95hHn013857: AUTH=client, available mechanisms do not fulfill requirements
Aug 17 11:05:45 webbie sendmail[13858]: AUTH=client, relay=localhost, temporary failure, connection abort
Aug 17 11:05:45 webbie sendmail[13858]: k7H95hHn013857: to=posting3, delay=00:00:02, xdelay=00:00:00, mailer=cyrusv2, pri=162089, relay=localhost, dsn=4.7.1, stat=Deferred: Temporary AUTH failure

Since on my mail-gw sendmail passes any incoming mail on to cyrus-imap, I don't need this type of authentication and would like to use it only for sending mail to my ISP's relay.

MAILER(smtp)dnl
MAILER(procmail)dnl
MAILER(local)dnl
MAILER(cyrusv2)dnl
define(`CYRUSV2_MAILER_FLAGS',`A5@W')dnl
define(`CYRUSV2_LMTP_SOCKET',`/var/lib/imap/socket/lmtp')dnl
define(`confLOCAL_MAILER',`cyrusv2')dnl
dnl LOCAL_RULE_0
dnl R$=N $: $#local $: $1
dnl R$=N < @ $=w . > $: $#local $: $1
dnl Rbb + $+ < @ $=w . > $#cyrusbb $: $1

Is there any way to configure that? Can I disable AUTH for local mail delivery? Do I need to enable some AUTH-METHODS (PLAIN and LOGIN) for local delivery (and sasl)?

Uwe
#2
On Thu, 17 Aug 2006 15:23:29 +0200 Uwe Behle wrote:

> my ISP informed me that they will be using smtp auth soon, so I made the
> necessary changes in my sendmail.mc:
>
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
> PLAIN')dnl
> FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
>
> The ISP suggests not to use TLS/SSL (no idea why), but seems to accept
> STARTTLS, so the LOGIN and PLAIN methods are at least encrypted:
>
> Aug 17 10:51:52 webbie sendmail[13782]: STARTTLS=client, relay=...,
> version=TLSv1/SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168
>
> Now I have the problem, that local authentication does not work. I get
> this error with the new sendmail.cf:
>
> Aug 17 11:05:45 webbie sendmail[13858]: k7H95hHn013857: AUTH=client,
> available mechanisms do not fulfill requirements
> Aug 17 11:05:45 webbie sendmail[13858]: AUTH=client, relay=localhost,
> temporary failure, connection abort
> Aug 17 11:05:45 webbie sendmail[13858]: k7H95hHn013857: to=posting3,
> delay=00:00:02, xdelay=00:00:00, mailer=cyrusv2, pri=162089,
> relay=localhost, dsn=4.7.1, stat=Deferred: Temporary AUTH failure
>
> Since on my mail-gw sendmail passes any incoming mail on to cyrus-imap,
> I don't need this type of authentication and would like to use it only
> for sending mail to my ISP's relay.

In access_db you have set relay for localhost / 127.0.0.1?

> MAILER(smtp)dnl
> MAILER(procmail)dnl
> MAILER(local)dnl
> MAILER(cyrusv2)dnl
> define(`CYRUSV2_MAILER_FLAGS',`A5@W')dnl
> define(`CYRUSV2_LMTP_SOCKET',`/var/lib/imap/socket/lmtp')dnl
> define(`confLOCAL_MAILER',`cyrusv2')dnl

Do not set such mailer modifications below any MAILER.

> dnl LOCAL_RULE_0
> dnl R$=N $: $#local $: $1
> dnl R$=N < @ $=w . > $: $#local $: $1
> dnl Rbb + $+ < @ $=w . > $#cyrusbb $: $1
>
> Is there any way to configure that? Can I disable AUTH for local mail
> delivery? Do I need to enable some AUTH-METHODS (PLAIN and LOGIN) for
> local delivery (and sasl)?

First + second question: yes, use access_db
Third question: no.

> Uwe

Alexander

-- 
Alexander Dalloz | Löhne, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 16:17:23 up 2 days, 21:23, load average: 0.34, 0.25, 0.26
#3
Why are you sending your email via your ISP when you have an SMTP server?

I ask because I recently got the same email message about security from my ISP. But I currently have my internal email clients using my sendmail server as the SMTP server and the clients are pulling POP3 from the ISP and my internal POP3 server. Basically I set it up this way so that internal messages do not go to an external server. I'm just curious, because I'm wondering if I missed something wrong with doing this.

Uwe Behle wrote:
> Hi,
>
> my ISP informed me that they will be using smtp auth soon, so I made the
> necessary changes in my sendmail.mc:
>
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
> PLAIN')dnl
> FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
>
> The ISP suggests not to use TLS/SSL (no idea why), but seems to accept
> STARTTLS, so the LOGIN and PLAIN methods are at least encrypted:
>
> Aug 17 10:51:52 webbie sendmail[13782]: STARTTLS=client, relay=...,
> version=TLSv1/SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168
>
> Now I have the problem, that local authentication does not work. I get
> this error with the new sendmail.cf:
>
> Aug 17 11:05:45 webbie sendmail[13858]: k7H95hHn013857: AUTH=client,
> available mechanisms do not fulfill requirements
> Aug 17 11:05:45 webbie sendmail[13858]: AUTH=client, relay=localhost,
> temporary failure, connection abort
> Aug 17 11:05:45 webbie sendmail[13858]: k7H95hHn013857: to=posting3,
> delay=00:00:02, xdelay=00:00:00, mailer=cyrusv2, pri=162089,
> relay=localhost, dsn=4.7.1, stat=Deferred: Temporary AUTH failure
>
> Since on my mail-gw sendmail passes any incoming mail on to cyrus-imap,
> I don't need this type of authentication and would like to use it only
> for sending mail to my ISP's relay.
>
> MAILER(smtp)dnl
> MAILER(procmail)dnl
> MAILER(local)dnl
> MAILER(cyrusv2)dnl
> define(`CYRUSV2_MAILER_FLAGS',`A5@W')dnl
> define(`CYRUSV2_LMTP_SOCKET',`/var/lib/imap/socket/lmtp')dnl
> define(`confLOCAL_MAILER',`cyrusv2')dnl
> dnl LOCAL_RULE_0
> dnl R$=N $: $#local $: $1
> dnl R$=N < @ $=w . > $: $#local $: $1
> dnl Rbb + $+ < @ $=w . > $#cyrusbb $: $1
>
> Is there any way to configure that? Can I disable AUTH for local mail
> delivery? Do I need to enable some AUTH-METHODS (PLAIN and LOGIN) for
> local delivery (and sasl)?
>
> Uwe
#4
devon_banks@comcast.net wrote:
> Why are you sending your email via your ISP when you have an SMTP
> server?
> I ask because I recently got the same email message about security from
> my ISP.
> But I currently have my internal email clients using my sendmail server
> as the SMTP server and the clients are pulling POP3 from the ISP and my
> internal POP3 server.

Because, for fear of spam, more and more ISPs reject mail if you are not in their accepted IP-address range.

Uwe
#5
In article <44e5602e@news.ish.de>, Uwe Behle <posting2@df3du.mine.nu> writes:
>devon_banks@comcast.net wrote:
>> Why are you sending your email via your ISP when you have an SMTP
>> server?
>> I ask because I recently got the same email message about security from
>> my ISP.
>> But I currently have my internal email clients using my sendmail server
>> as the SMTP server and the clients are pulling POP3 from the ISP and my
>> internal POP3 server.
>
>Because, for fear of spam, more and more ISPs reject mail if you are not
>in their accepted IP-address range.
>
>Uwe

Lots of mail servers check against lists such as MAPS DUL (http://www.mail-abuse.com/enduserinfo_dul.html) and SORBS DUHL (http://www.us.sorbs.net/faq/dul.shtml) which list ISP's dynamically assigned address ranges but not the ISP's own central mailservers. Hence if you set up your own mail server using the broadband address provided by your ISP and try to send mail out directly rather than through your ISP's mail server you will probably find quite a lot of your mail rejected.

(A number of ISPs also block outgoing port 25 connections which effectively stops direct sending of mail. To overcome it you either have to send through the ISP's mail server or through another server with which you have made special arrangements so that you can send using a different port).

David Webb
Security team leader
CCSS
Middlesex University
#6
Hi Alexander,

thanks for the hints.

Alexander Dalloz wrote:
>
> In access_db you have set relay for localhost / 127.0.0.1?
>

Yes this is set to RELAY.

>> MAILER(smtp)dnl
>> MAILER(procmail)dnl
>> MAILER(local)dnl
>> MAILER(cyrusv2)dnl
>> define(`CYRUSV2_MAILER_FLAGS',`A5@W')dnl
>> define(`CYRUSV2_LMTP_SOCKET',`/var/lib/imap/socket/lmtp')dnl
>> define(`confLOCAL_MAILER',`cyrusv2')dnl
>
> Do not set such mailer modifications below any MAILER.

Ok, it seems to work, but I have moved the lines anyway.

>> Is there any way to configure that? Can I disable AUTH for local mail
>> delivery? Do I need to enable some AUTH-METHODS (PLAIN and LOGIN) for
>> local delivery (and sasl)?
>
> First + second question: yes, use access_db
> Third question: no.

I am still not any further. As soon as I put the line

FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

in my sendmail.mc, I get the error:

AUTH=client, available mechanisms do not fulfill requirements

I found some remotely similar discussion about how sendmail and sasl play together and it seems that if they use different AUTH METHODS, that could be a reason why it fails:

saslauthd -v
saslauthd 2.1.18
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

and in sendmail I have:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

So I changed the /usr/lib/sasl2/Sendmail.conf:

pwcheck_method:saslauthd
mech_list:EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN

liblogin and libplain are in /usr/lib/sasl2

Unfortunately it still does not work.

Uwe
#7
On Fri, 18 Aug 2006 20:06:26 +0200 Uwe Behle wrote:

> I am still not any further. As soon as I put the line
>
> FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

What did you set in the client-info file? Especially the "M:" setting is of interest. And please tell us which MECHs your ISP's MTA offers you.

> in my sendmail.mc, I get the error:
>
> AUTH=client, available mechanisms do not fulfill requirements
>
> I found some remotely similar discussion about how sendmail and sasl
> play together and it seems that if they use different AUTH METHODS, that
> could be a reason why it fails:
>
> saslauthd -v
> saslauthd 2.1.18
> authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

That is of interest if you would offer AUTH with Sendmail as server. You try to configure Sendmail as client side.

> and in sendmail I have:
>
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>
> So I changed the /usr/lib/sasl2/Sendmail.conf: pwcheck_method:saslauthd
> mech_list:EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN

Sendmail server SMTP AUTH configuration. For that it also matters how saslauthd is configured to run.

> liblogin and libplain are in /usr/lib/sasl2
>
> Unfortunately it still does not work.
>
> Uwe

Alexander

-- 
Alexander Dalloz | Löhne, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 22:05:33 up 4 days, 3:11, load average: 0.14, 0.16, 0.17
#8
Alexander Dalloz wrote:
> On Fri, 18 Aug 2006 20:06:26 +0200 Uwe Behle wrote:
>
>> I am still not any further. As soon as I put the line
>>
>> FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
>
> What did you set in the client-info file? Especially the "M:" setting is
> of interest. And please tell us which MECHs your ISP's MTA offers you.

To make that clear: the authentication to my ISP works just fine with the authinfo feature; here is the data:

AuthInfo: "U:xxx" "I:xxx@yyyy.de" "P:zzzz" "M:LOGIN"

and ISP:

250-DSN
250-SIZE 10485760
250-STARTTLS
250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM
250-ETRN
250-TURN
250-ATRN
250-NO-SOLICITING
250-
250-PIPELINING
250 EHLO

>> saslauthd -v
>> saslauthd 2.1.18
>> authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
>
> That is of interest if you would offer AUTH with Sendmail as server. You
> try to configure Sendmail as client side.
>

Actually, the client side works fine. I am not sure how to configure/disable the server part of sendmail. Is that the TRUST_AUTH_MECH in sendmail.mc? My understanding is that the AuthInfo feature only affects the client side. The only explanation would be that sendmail acts as client when communicating with the cyrus2 mailer. The following lines seem to support that:

(without AuthInfo method):

Aug 19 05:10:44 webbie lmtpunix[7023]: lmtp connection preauth'd as postman
Aug 19 05:10:44 webbie sendmail[7022]: AUTH=client, relay=localhost, mech=, bits=0

(with AuthInfo method):

Aug 17 10:53:52 webbie lmtpunix[13720]: lmtp connection preauth'd as postman
Aug 17 10:53:52 webbie master[13786]: about to exec /usr/lib/cyrus-imapd/lmtpd
Aug 17 10:53:52 webbie sendmail[13784]: k7H8rnFe013783: AUTH=client, available mechanisms do not fulfill requirements
Aug 17 10:53:52 webbie sendmail[13784]: AUTH=client, relay=localhost, temporary failure, connection abort

>> and in sendmail I have:
>>
>> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>>
>> So I changed the /usr/lib/sasl2/Sendmail.conf: pwcheck_method:saslauthd
>> mech_list:EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
>
> Sendmail server SMTP AUTH configuration. For that it too matter how
> saslauthd is configured to run.

My SMTP AUTH settings are:

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250

How do I get saslauthd to use the LOGIN method or configure sendmail to use saslauthd compatible methods? Is my understanding correct that saslauthd -v displays only the "external" authentication methods, involving the OS (passwd or shadow) or other authenticators (PAM, ldap, kerberos)? The Sendmail.conf affects the "internal" methods (namely in communication with sendmail). But how do I check if they are configured and work?

I am also not sure what the role of lmtpd is. It is configured to run with -a (preauth'd). Could that be the problem?

Uwe
#9
On Sat, 19 Aug 2006 10:27:16 +0200 Uwe Behle wrote:

> Alexander Dalloz wrote:
>> On Fri, 18 Aug 2006 20:06:26 +0200 Uwe Behle wrote:
>>
>>> I am still not any further. As soon as I put the line
>>>
>>> FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
>>
>> What did you set in the client-info file? Especially the "M:" setting is
>> of interest. And please tell us which MECHs your ISP's MTA offers you.
>
> To make that clear: the authentication to my ISP works just fine with
> the authinfo feature; here is the data:
>
> AuthInfo: "U:xxx" "I:xxx@yyyy.de" "P:zzzz" "M:LOGIN"
> and ISP:

That line misses the target host, the MTA of your ISP.

AuthInfo:mail.ispdomain.tld "U:xxx" "I:xxx@yyyy.de" "P:zzzz" "M:LOGIN"

Or better use "M:DIGEST-MD5" as that keeps your password secret with unsecured connections.

http://www.sendmail.org/~ca/email/sm-812.html#812AUTH

> 250-DSN
> 250-SIZE 10485760
> 250-STARTTLS
> 250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM
> 250-ETRN
> 250-TURN
> 250-ATRN
> 250-NO-SOLICITING
> 250-
> 250-PIPELINING
> 250 EHLO
> Uwe

Alexander

-- 
Alexander Dalloz | Löhne, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 17:46:25 up 4 days, 22:52, load average: 0.13, 0.24, 0.27
#10
Alexander Dalloz wrote:
>> AuthInfo: "U:xxx" "I:xxx@yyyy.de" "P:zzzz" "M:LOGIN"
>> and ISP:
>
> That line misses the target host, the MTA of your ISP.
>
> AuthInfo:mail.ispdomain.tld "U:xxx" "I:xxx@yyyy.de" "P:zzzz" "M:LOGIN"

Cool! local relaying works now! How could I have missed that - thanks a lot!

>
> http://www.sendmail.org/~ca/email/sm-812.html#812AUTH
>

Hmm, it clearly states there that the tag AuthInfo: without any auth-id sets the default behaviour (those who can read are at an advantage...)

>
> Or better use "M:DIGEST-MD5" as that keeps your password secret with
> unsecured connections.

Ok, but when I use LOGIN, the header has a different Received: line; it says

....
Received: from webbie.x.y (account uwe@provider [ip] verified) .....
....

If I use DIGEST-MD5 I have

....
Received: from webbie.x.y ([ip] verified) .....
....

I wonder if this will meet the requirements set by the provider, once he enforces authentication. That will be some time in September. Plenty of time to play around with this. As a workaround I can always use TLS.

I have to work out a way to import the provider's certificate, currently I get:

STARTTLS: cert verify: depth=1 /C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA, state=0, reason=unable to get local issuer certificate

While it is not strictly necessary for the operation, it is much nicer if the verification succeeds...

Thanks again for the hint

Uwe
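As an added example (not code from the thread or from sendmail), a small Python check for the two points made in #9 and #10: an AuthInfo entry without a target host is the default entry and is therefore tried against every relay, localhost and the cyrus LMTP mailer included, and LOGIN/PLAIN only keep the password out of the clear when STARTTLS is on offer. The authinfo map and EHLO reply are constructed from the thread's values; the default-entry lookup follows the thread's reading of the sendmail docs and does not model IP-address keys.

```python
import re

# Constructed authinfo map (FEATURE(`authinfo')) modelled on the thread:
# the first entry has no target host, so it is the default entry and is
# applied to every outbound relay, localhost included.
SAMPLE_AUTHINFO = """\
AuthInfo: "U:xxx" "I:xxx@yyyy.de" "P:zzzz" "M:LOGIN"
AuthInfo:mail.ispdomain.tld "U:xxx" "I:xxx@yyyy.de" "P:zzzz" "M:DIGEST-MD5"
"""

# Constructed EHLO reply, as the ISP's relay answers in the thread.
SAMPLE_EHLO = """\
250-SIZE 10485760
250-STARTTLS
250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM
250 EHLO
"""

PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}  # password goes over the wire as-is

def parse_authinfo(text):
    """Return {host: {tag: value}}; the key '' is the default entry."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r'^AuthInfo:(\S*)\s*(.*)$', line.strip())
        if m:
            tags = dict(re.findall(r'"([UIPRM])[:=]([^"]*)"', m.group(2)))
            entries[m.group(1).lower()] = tags
    return entries

def parse_ehlo(text):
    """Return (AUTH mechanisms offered, STARTTLS offered) from an EHLO reply."""
    mechs, starttls = set(), False
    for line in text.splitlines():
        body = line[4:].strip().upper()   # drop the "250-" / "250 " prefix
        if body.startswith("AUTH "):
            mechs.update(body.split()[1:])
        elif body == "STARTTLS":
            starttls = True
    return mechs, starttls

def audit(entries, relay, offered, starttls):
    """Findings for the entry sendmail would pick for this relay."""
    findings = []
    entry = entries.get(relay.lower(), entries.get(""))
    if entry is None:
        return findings                   # no client AUTH attempted at all
    if relay.lower() not in entries:
        findings.append("default AuthInfo entry applies to " + relay)
    for mech in entry.get("M", "").split():
        if mech not in offered:
            findings.append(mech + " not offered by " + relay)
        elif mech in PLAINTEXT_MECHS and not starttls:
            findings.append(mech + " would send the password in clear to " + relay)
    return findings
```

Running `audit` for `localhost` against an LMTP peer that offers no AUTH reproduces the thread's failure: the host-less entry is selected and its LOGIN requirement cannot be met.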