LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   confAUTH_OPTIONS fails with 'p' running sendmail 8.14.4 and saslauthd 2.1.23 (https://www.linuxquestions.org/questions/linux-security-4/confauth_options-fails-with-p-running-sendmail-8-14-4-and-saslauthd-2-1-23-a-879439/)

KrisRoberts 05-08-2011 01:44 AM
confAUTH_OPTIONS fails with 'p' running sendmail 8.14.4 and saslauthd 2.1.23
 
I originally posted this question in the slackware forum, but I thought it might not really be system specific and more of a general security thing. I'm sorry for double posting it here. I had messaged one of the moderators in the slackware forum to move it and did not know about the more proper way of using the Report button to request the move. I will always use that in the future.

In any event, the problem has been solved - and the system works now after installing the 32bit compatibility libraries:
http://alien.slackbook.org/dokuwiki/...kware:multilib

Perhaps someone might be able to figure out why the pure 64bit system did not work?

----
I'm building a new machine with slackware 13.37 64bit and so far all has gone well except for secure smtp. My previous setup was with slackware 13.1 32bit which worked fine.

If I run with (`confAUTH_OPTIONS', `A p y') in my sendmail config it shows "AUTH warning: no mechanisms" in my maillog and obviously fails to authenticate.

When I take the 'p' out and run with (`confAUTH_OPTIONS', `A y') then it does list the defined confAUTH_MECHANISMS and works.

I would prefer to run with the 'p' option and require the security layer.

Most of my setup guidance has come from the "Sendmail SMTP AUTH Howto":
http://www.linuxquestions.org/questi...-howto-224543/
The Sendmail "TLS SASL SMTP-AUTH" page on slackwiki:
http://www.slackwiki.org/Sendmail_TLS_SASL_SMTP-AUTH
And this page for debugging "How to test Sendmail SASL Authentication":
http://networking.ringofsaturn.com/P...entication.php

My goal is to be able to send mail remotely with secure authentication. If the way I'm trying to go about it is old and there is some newer/better way I'm happy to go with that - but sendmail/saslauthd has worked for me in the past.

Sendmail is version 8.14.4 and looks like it has the necessary options compiled in:
Code:
root@samsara:/# sendmail -d0.1 -bt < /dev/null
Version 8.14.4
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2
                SCANF SOCKETMAP STARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = r
  (canonical domain name) $j = r.com
        (subdomain name) $m = com
              (node name) $k = samsara
========================================================
saslauthd is version 2.1.23 and supports shadow:
Code:
root@samsara:/# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent rimap shadow
I did discover the need to link /etc/sasl2 to /usr/lib64/sasl2 and created the Sendmail.conf file there:
Code:
root@samsara:/# cat /usr/lib64/sasl2/Sendmail.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Here's the sendmail configuration script I'm using. Its really just the vanilla /usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc file with my cert file names:
Code:
dnl# This is the a sendmail .mc file for Slackware with TLS support.
dnl# To generate the sendmail.cf file from this (perhaps after making
dnl# some changes), use the m4 files in /usr/share/sendmail/cf like this:
dnl#
dnl# cp sendmail-slackware-tls.mc /usr/share/sendmail/cf/config.mc
dnl# cd /usr/share/sendmail/cf
dnl# sh Build config.mc
dnl#
dnl# You may then install the resulting .cf file:
dnl# cp config.cf /etc/mail/sendmail.cf
dnl#
include(`../m4/cf.m4')
VERSIONID(`TLS supporting setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
dnl#
dnl# You will need to create the certificates below with OpenSSL first:
define(`confCACERT_PATH', `/etc/mail/certs/')
define(`confCACERT', `/etc/mail/certs/cacert.pem')
define(`confSERVER_CERT', `/etc/mail/certs/smtp.cert.pem')
define(`confSERVER_KEY', `/etc/mail/certs/smtp.cert.pem')
dnl# These settings help protect against people verifying email addresses
dnl# at your site in order to send you email that you probably don't want:
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl# Uncomment the line below to send outgoing mail through an external server:
dnl define(`SMART_HOST',`mailserver.example.com')
dnl# No timeout for ident:
define(`confTO_IDENT', `0')dnl
dnl# Enable the line below to use smrsh to restrict what sendmail can run:
dnl FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
dnl# See the README in /usr/share/sendmail/cf for a ton of information on
dnl# how these options work:
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
FEATURE(`no_default_msa')dnl
dnl# Turn this feature on if you don't always have DNS, or enjoy junk mail:
dnl FEATURE(`accept_unresolvable_domains')dnl
EXPOSED_USER(`root')dnl
dnl# Also accept mail for localhost.localdomain:
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl# Allow SASL authentication/relaying:
define(`confAUTH_OPTIONS', `A p y')dnl
dnl#define(`confAUTH_OPTIONS', `A y')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl# Daemon options after M= below that might need to be changed are:
dnl# s (allow SSL, not only TLS)
dnl# a (require authentication)
DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=Esa')dnl
LOCAL_CONFIG
dnl# Do not allow the weak SSLv2:
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-
SSLv2:+EXP:+eNULL
When I try to connect with (`confAUTH_OPTIONS', `A p y') in the config here is the output I get in maillog (none of the other logs seem to show anything and I dont see any errors/warnings when I restart sendmail):

Code:
May  3 15:27:01 samsara sm-mta[22526]: NOQUEUE: connect from rrcs-.west.biz.rr.com []
May  3 15:27:01 samsara sm-mta[22526]: AUTH warning: no mechanisms
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: Milter: no active filter
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 220 r.com ESMTP Sendmail 8.14.4/8.14.4; Tue, 3 May 2011 15:27:01 -0700
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: <-- EHLO [10.0.10.121]
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-r.com Hello rrcs-.west.biz.rr.com [], pleased to meet you
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-ENHANCEDSTATUSCODES
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-PIPELINING
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-8BITMIME
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-SIZE
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-DSN
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-ETRN
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-STARTTLS
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-DELIVERBY
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250 HELP
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 421 4.4.1 r.com Lost input channel from rrcs-.west.biz.rr.com []
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: rrcs-.west.biz.rr.com [] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
If I change the option so its just (`confAUTH_OPTIONS', `A y') then it does work and this is the log output I get:

Code:
May  3 15:47:07 samsara sm-mta[22602]: NOQUEUE: connect from rrcs-.west.biz.rr.com []
May  3 15:47:07 samsara sm-mta[22602]: AUTH: available mech=PLAIN LOGIN, allowed mech=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: Milter: no active filter
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 220 r.com ESMTP Sendmail 8.14.4/8.14.4; Tue, 3 May 2011 15:47:07 -0700
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: <-- EHLO [10.0.10.121]
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-r.com Hello rrcs-.west.biz.rr.com [], pleased to meet you
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-ENHANCEDSTATUSCODES
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-PIPELINING
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-8BITMIME
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-SIZE
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-DSN
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-ETRN
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-AUTH LOGIN PLAIN
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-STARTTLS
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-DELIVERBY
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250 HELP
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: <-- AUTH PLAIN AHNlbGxpbmcAVmVya2F1ZjNu
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 235 2.0.0 OK Authenticated
My client is configured to use SSL and when I go through the setup, it does appear to authenticate against the smtp server and it validates. The fail comes in when trying to actually send mail.

My hope is that I'm just missing something simple. Does anyone have insight into why adding the 'p' to confAUTH_OPTIONS is causing this behavior?

hua 05-08-2011 03:40 AM
It is ment to be like this.
Quote:
6. PLAIN SASL mechanism

Clear-text passwords are simple, interoperate with almost all
existing operating system authentication databases, and are useful
for a smooth transition to a more secure password-based
authentication mechanism. The drawback is that they are unacceptable
for use over an unencrypted network connection.
http://www.linuxquestions.org/questi...y-etrn-865481/

Begin with the version 13.0 in Slackware the Sednamil.conf should be in /etc/sasl2. I do not remember already where did I find this but I know I was searching a lot till I find this somewhere.
The fact that you don't see AUTH is like it should be because sendmail forces this way the user to use encryption. The AUTHENTICATION is only available after you initiate encryption.
There are also secure authentication mechanisms like DIGEST-MD5 or CRAM-MD5 but since you did not list them in Sendmail.conf they does not apear in the AUTH before encryption.

Your problem is probably the Sednamil.conf location. (I expect that the encryption works)
EDIT:
Quote:
Originally Posted by KrisRoberts (Post 4349772)
I did discover the need to link /etc/sasl2 to /usr/lib64/sasl2 and created the Sendmail.conf file there:
Code:
root@samsara:/# cat /usr/lib64/sasl2/Sendmail.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Sorry I missed several things from your post.

Now my best idea is the 64-bit version issue. Since I encountered unresolved problems with the 13.1 64 bit Slackware (which wasn't there in 13.0 64) I did not continue to use 64-bit versions. (I had lots of segfaults in applications, saslauthd crashed in segfault when authenticate the users created by webmin, imapd had also lots of segfaults)
So I am really interested to find out if this will be the same in this case. I have installed and configured the same system as yours on Slackware 13.37 32-bit. I will try this. And I will also download the 64-bit 13.37 and configure the same system.
I didn't try yet the old issue I experienced with saslauthd in 13.37 64-bit but I am really curious.

KrisRoberts 05-08-2011 11:21 AM
Hmm... So in an effort to get other unrelated 32bit stuff to work yesterday I installed the 32bit compatibility libraries:
http://alien.slackbook.org/dokuwiki/...kware:multilib

That did work for what I was doing and I thought all was well, but now I find that my sendmail/saslauthd is no longer working as it was before.

Regardless of the confAUTH_OPTIONS I have - and indeed without changing any configuration files - the maillog shows the "no mechanisms" warning and I can not send mail from my clients.

Code:
May  8 09:14:48 samsara sm-mta[2262]: NOQUEUE: connect from localhost [127.0.0.1]
May  8 09:14:48 samsara sm-mta[2262]: AUTH warning: no mechanisms
May  8 09:14:48 samsara sm-mta[2262]: p48GEmic002262: Milter: no active filter
May  8 09:14:48 samsara sm-mta[2262]: p48GEmic002262: --- 220 r.com ESMTP Sendmail 8.14.4/8.14.4; Sun, 8 May 2011 09:14:48 -0700
I get the same output regardless of whther saslauthd is running or not, which makes me think that something in the compatibility libraries changed where its looking for the Sendmail.conf file? I do have links in the usual places: /usr/lib64/sasl2 /usr/lib/sasl2 /etc/sasl2

Running testsaslauthd does work fine from the commandline.

I dont see anything suspcious in the logs when I start saslauthd or sendmail.

hua 05-08-2011 01:21 PM
What is the output of lsof? I have this libraries used by sednmail:
Quote:
root@dhamma:/# lsof | grep sendmail | grep sasl
sendmail 3041 root mem REG 8,34 19272 202247 /usr/lib64/sasl2/libcrammd5.so.2.0.23
sendmail 3041 root mem REG 8,34 48568 202253 /usr/lib64/sasl2/libdigestmd5.so.2.0.23
sendmail 3041 root mem REG 8,34 16456 202248 /usr/lib64/sasl2/libplain.so.2.0.23
sendmail 3041 root mem REG 8,34 103680 202249 /usr/lib64/sasl2/libotp.so.2.0.23
sendmail 3041 root mem REG 8,34 16488 202254 /usr/lib64/sasl2/liblogin.so.2.0.23
sendmail 3041 root mem REG 8,34 22136 202251 /usr/lib64/sasl2/libsasldb.so.2.0.23
sendmail 3041 root mem REG 8,34 103680 202260 /usr/lib64/libsasl2.so.2.0.23
sendmail 3044 smmsp mem REG 8,34 103680 202260 /usr/lib64/libsasl2.so.2.0.23
I would guess that the libraries are wrong. (Maybe it gets buggy with multilib installation)
If there is any problem with the libraries you should miss some from this list.
The saslauthd searches for Sendmail.conf in /etc, so if you want to be sure remove any link and put it there.

KrisRoberts 05-08-2011 03:21 PM
ALL IS WELL! Thank you for your replies.

I think I see how I messed things up. I foolishly had made the symbolic link /usr/lib/sasl2 -> /usr/lib64/sasl2 to try and get the Sendmail.conf file to be picked up early on.

So yesterday when I installed the 32bit compatibility stuff it thought it was putting new stuff in /usr/lib/sasl2 but that was really copying over stuff in /usr/lib64/sasl2

Oops!

I have now restored the proper files in my /usr/lib64/sasl2 folder and reinstalled the 32bit compatibility files into /usr/lib/sasl2.

Now, when I use (`confAUTH_OPTIONS', `A p y') IT WORKS!!!

I must connect with SSL to be able to authenticate, but when I do it behaves properly.

I guess the initial problem was that something needed to run a 32bit binary that was falling over before the multilib stuff was in place? My user error that caused the 32bit stuff to step on the 64bit stuff was unfortunate but easy to correct - but I probably wouldn't have found so quickly it without the reply above, so thank you very much!


All times are GMT -5. The time now is 10:34 AM.