comp.mail.sendmail: Configuring and using the BSD sendmail agent.
#1
I've configured my sendmail.mc (version 8.13.8) to use SASLv2 (stock, via package), TLS, etc. However, my EHLO response still does not contain 250-AUTH.

I'm able to get this working on my BSD system, using a similar configuration - so I'm not sure what is wrong or how Fedora's config is doing it differently (i.e., the options for SASLv2 appear when debugging sendmail, so I know it's available).

I experimented with my confAUTH_MECHANISMS and TRUST_MECHANISMS. I had to enable PLAIN and LOGIN as using just CRAM-MD5 and DIGEST would not work (using Thunderbird as the client).

I see no errors, even after using mail.debug in syslog.conf. 250-AUTH is still not advertised; when I manually try to AUTH, it tells me it's not available:

    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE 10000000
    250-STARTTLS
    250-DELIVERBY
    250
    AUTH
    503 5.3.3 AUTH not available
    quit

Can anyone point me in the right direction about getting this working on Fedora, without having to compile the lot myself, etc.?

When I enabled PLAIN and LOGIN I see this in the log when sending locally:

    Apr 18 15:37:54 server-name sendmail[19308]: AUTH=server, relay=dhcp-0-25.ourdomain.com [10.103.0.25], authid=faldrich@ourdomain.com, mech=PLAIN, bits=0

But AUTH is not in the EHLO offering. I'd much prefer to avoid LOGIN and/or PLAIN, if possible.

My Sendmail.conf for Sasl2 has:

    pwcheck_method:saslauthd
    # pwcheck_method: auxprop
    sasl_mech_list: cram-md5 digest-md5
    auxprop_plugin: sasldb
    allowanonymouslogin: 0

I've tried both auxprop and saslauthd. Here are some settings I have from sendmail.mc:

    define(`confAUTH_OPTIONS', `A y p')dnl
    TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
    define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
    define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile GroupReadableKeyFile')dnl

TLS is working fine.

Thanks.
#2
On Thu, 26 Apr 2007 12:30:06 -0700, forrie@gmail.com wrote:
> I've configured my sendmail.mc (version 8.13.8) to use SASLv2 (stock,
> via package), TLS, etc. However, my EHLO response still does not contain
> 250-AUTH.

The sendmail.mc shipped with Fedora has everything required already prepared and easy to activate.

> I'm able to get this working on my BSD system, using a similar
> configuration - so I'm not sure what is wrong or how Fedora's config is
> doing it differently (i.e., the options for SASLv2 appear when debugging
> sendmail, so I know it's available).
>
> I experimented with my confAUTH_MECHANISMS and TRUST_MECHANISMS. I had
> to enable PLAIN and LOGIN as using just CRAM-MD5 and DIGEST would not
> work (using Thunderbird as the client).

For sure Thunderbird handles CRAM-MD5 well.

> I see no errors, even after using mail.debug in syslog.conf. 250-AUTH is
> still not advertised; when I manually try to AUTH, it tells me it's not
> available:
>
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE 10000000
> 250-STARTTLS
> 250-DELIVERBY
> 250
> AUTH
> 503 5.3.3 AUTH not available
> quit
>
> Can anyone point me in the right direction about getting this working on
> Fedora, without having to compile the lot myself, etc.?
>
> When I enabled PLAIN and LOGIN I see this in the log when sending
> locally:
>
> Apr 18 15:37:54 server-name sendmail[19308]: AUTH=server,
> relay=dhcp-0-25.ourdomain.com [10.103.0.25],
> authid=faldrich@ourdomain.com, mech=PLAIN, bits=0
>
> But AUTH is not in the EHLO offering. I'd much prefer to avoid LOGIN
> and/or PLAIN, if possible.
>
> My Sendmail.conf for Sasl2 has:
>
> pwcheck_method:saslauthd
> # pwcheck_method: auxprop
> sasl_mech_list: cram-md5 digest-md5
> auxprop_plugin: sasldb
> allowanonymouslogin: 0

Your list of supported SASL mechanisms does not match what you have posted below. Did you start the saslauthd service when you activated this solution?

> I've tried both auxprop and saslauthd. Here are some settings I have
> from sendmail.mc:
>
> define(`confAUTH_OPTIONS', `A y p')dnl
> TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
> define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
> define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile GroupReadableKeyFile')dnl

You force PLAIN and LOGIN to be offered only if the connection is secured via TLS.

> TLS is working fine.

Then run a TLS secured connection with your server and then use telnet again to check your sendmail offerings.

    openssl s_client -connect server:port -starttls smtp

> Thanks.

Alexander

http://www.joreybump.com/code/howto/smtpauth.html
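
Added example, not part of the thread and not either poster's code: the comparison suggested in the reply above (what the server offers for AUTH before STARTTLS versus after it), written as a Python check. The sample replies are constructed, and the names `auth_mechs`, `compare` and `probe` are chosen here for illustration.

```python
import smtplib
import ssl

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # these send the password itself

# Constructed sample: BEFORE_TLS mirrors the session pasted in the thread,
# AFTER_TLS is a hypothetical reply over TLS, not output from the poster's server.
BEFORE_TLS = """250-ENHANCEDSTATUSCODES
250-PIPELINING
250-STARTTLS
250-DELIVERBY
250
AUTH
503 5.3.3 AUTH not available"""
AFTER_TLS = """250-ENHANCEDSTATUSCODES
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250 DELIVERBY"""


def auth_mechs(reply):
    """SASL mechanisms advertised on 250 AUTH lines of a raw EHLO reply."""
    mechs = []
    for line in reply.splitlines():
        if line[:3] != "250":          # skips typed commands and 5xx replies
            continue
        words = line[4:].replace("=", " ").split()   # legacy "AUTH=..." form
        if words and words[0].upper() == "AUTH":
            for w in words[1:]:
                if w.upper() not in mechs:
                    mechs.append(w.upper())
    return mechs


def compare(pre, post):
    """Summarise what is offered before and after STARTTLS."""
    return {
        "tls_only": [m for m in post if m not in pre],
        "plaintext_exposed": [m for m in pre if m in PLAINTEXT_MECHS],
    }


def probe(host, port=25):
    """Live version of the same check; needs network and a verifiable cert."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        pre = s.esmtp_features.get("auth", "").upper().split()
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        post = s.esmtp_features.get("auth", "").upper().split()
    return compare(pre, post)
```

A non-empty `plaintext_exposed` list means PLAIN or LOGIN is being offered on the unencrypted connection; mechanisms that show up only in `tls_only` are being withheld until TLS is active.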