LinuxQuestions.org


KrisRoberts 05-03-2011 07:04 PM

confAUTH_OPTIONS fails with 'p' running sendmail 8.14.4 and saslauthd 2.1.23
 
I'm building a new machine with Slackware 13.37 64-bit and so far all has gone well except for secure SMTP. My previous setup was with Slackware 13.1 32-bit, which worked fine.

If I run with (`confAUTH_OPTIONS', `A p y') in my sendmail config it shows "AUTH warning: no mechanisms" in my maillog and obviously fails to authenticate.

When I take the 'p' out and run with (`confAUTH_OPTIONS', `A y') then it does list the defined confAUTH_MECHANISMS and works.

I would prefer to run with the 'p' option and require the security layer.

Most of my setup guidance has come from the "Sendmail SMTP AUTH Howto":
http://www.linuxquestions.org/questi...-howto-224543/
The Sendmail "TLS SASL SMTP-AUTH" page on slackwiki:
http://www.slackwiki.org/Sendmail_TLS_SASL_SMTP-AUTH
And this page for debugging "How to test Sendmail SASL Authentication":
http://networking.ringofsaturn.com/P...entication.php

My goal is to be able to send mail remotely with secure authentication. If the way I'm trying to go about it is old and there is some newer/better way I'm happy to go with that - but sendmail/saslauthd has worked for me in the past.

Sendmail is version 8.14.4 and looks like it has the necessary options compiled in:
Code:

root@samsara:/# sendmail -d0.1 -bt < /dev/null
Version 8.14.4
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2
                SCANF SOCKETMAP STARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = r
  (canonical domain name) $j = r.com
        (subdomain name) $m = com
              (node name) $k = samsara
========================================================

saslauthd is version 2.1.23 and supports shadow:
Code:

root@samsara:/# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent rimap shadow

I did discover the need to link /etc/sasl2 to /usr/lib64/sasl2 and created the Sendmail.conf file there:
Code:

root@samsara:/# cat /usr/lib64/sasl2/Sendmail.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Here's the sendmail configuration script I'm using. It's really just the vanilla /usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc file with my cert file names:
Code:

dnl# This is a sendmail .mc file for Slackware with TLS support.
dnl# To generate the sendmail.cf file from this (perhaps after making
dnl# some changes), use the m4 files in /usr/share/sendmail/cf like this:
dnl#
dnl# cp sendmail-slackware-tls.mc /usr/share/sendmail/cf/config.mc
dnl# cd /usr/share/sendmail/cf
dnl# sh Build config.mc
dnl#
dnl# You may then install the resulting .cf file:
dnl# cp config.cf /etc/mail/sendmail.cf
dnl#
include(`../m4/cf.m4')
VERSIONID(`TLS supporting setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
dnl#
dnl# You will need to create the certificates below with OpenSSL first:
define(`confCACERT_PATH', `/etc/mail/certs/')
define(`confCACERT', `/etc/mail/certs/cacert.pem')
define(`confSERVER_CERT', `/etc/mail/certs/smtp.cert.pem')
define(`confSERVER_KEY', `/etc/mail/certs/smtp.cert.pem')
dnl# These settings help protect against people verifying email addresses
dnl# at your site in order to send you email that you probably don't want:
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl# Uncomment the line below to send outgoing mail through an external server:
dnl define(`SMART_HOST',`mailserver.example.com')
dnl# No timeout for ident:
define(`confTO_IDENT', `0')dnl
dnl# Enable the line below to use smrsh to restrict what sendmail can run:
dnl FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
dnl# See the README in /usr/share/sendmail/cf for a ton of information on
dnl# how these options work:
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
FEATURE(`no_default_msa')dnl
dnl# Turn this feature on if you don't always have DNS, or enjoy junk mail:
dnl FEATURE(`accept_unresolvable_domains')dnl
EXPOSED_USER(`root')dnl
dnl# Also accept mail for localhost.localdomain:
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl# Allow SASL authentication/relaying:
define(`confAUTH_OPTIONS', `A p y')dnl
dnl#define(`confAUTH_OPTIONS', `A y')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl# Daemon options after M= below that might need to be changed are:
dnl# s (allow SSL, not only TLS)
dnl# a (require authentication)
DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=Esa')dnl
LOCAL_CONFIG
dnl# Do not allow the weak SSLv2:
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL

When I try to connect with (`confAUTH_OPTIONS', `A p y') in the config, here is the output I get in maillog (none of the other logs seem to show anything and I don't see any errors/warnings when I restart sendmail):

Code:

May  3 15:27:01 samsara sm-mta[22526]: NOQUEUE: connect from rrcs-.west.biz.rr.com []
May  3 15:27:01 samsara sm-mta[22526]: AUTH warning: no mechanisms
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: Milter: no active filter
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 220 r.com ESMTP Sendmail 8.14.4/8.14.4; Tue, 3 May 2011 15:27:01 -0700
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: <-- EHLO [10.0.10.121]
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-r.com Hello rrcs-.west.biz.rr.com [], pleased to meet you
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-ENHANCEDSTATUSCODES
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-PIPELINING
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-8BITMIME
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-SIZE
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-DSN
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-ETRN
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-STARTTLS
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250-DELIVERBY
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 250 HELP
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: --- 421 4.4.1 r.com Lost input channel from rrcs-.west.biz.rr.com []
May  3 15:27:01 samsara sm-mta[22526]: p43MR1qW022526: rrcs-.west.biz.rr.com [] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

If I change the option so it's just (`confAUTH_OPTIONS', `A y') then it does work and this is the log output I get:

Code:

May  3 15:47:07 samsara sm-mta[22602]: NOQUEUE: connect from rrcs-.west.biz.rr.com []
May  3 15:47:07 samsara sm-mta[22602]: AUTH: available mech=PLAIN LOGIN, allowed mech=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: Milter: no active filter
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 220 r.com ESMTP Sendmail 8.14.4/8.14.4; Tue, 3 May 2011 15:47:07 -0700
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: <-- EHLO [10.0.10.121]
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-r.com Hello rrcs-.west.biz.rr.com [], pleased to meet you
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-ENHANCEDSTATUSCODES
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-PIPELINING
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-8BITMIME
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-SIZE
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-DSN
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-ETRN
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-AUTH LOGIN PLAIN
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-STARTTLS
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250-DELIVERBY
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 250 HELP
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: <-- AUTH PLAIN AHNlbGxpbmcAVmVya2F1ZjNu
May  3 15:47:07 samsara sm-mta[22602]: p43Ml7p2022602: --- 235 2.0.0 OK Authenticated

My client is configured to use SSL and when I go through the setup, it does appear to authenticate against the smtp server and it validates. The fail comes in when trying to actually send mail.

My hope is that I'm just missing something simple. Does anyone have insight into why adding the 'p' to confAUTH_OPTIONS is causing this behavior?
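
Added example, not part of the original post: sendmail's cf/README describes the `p` flag of AuthOptions as not permitting mechanisms susceptible to simple passive attack (e.g. PLAIN, LOGIN) unless a security layer is active, so with only PLAIN and LOGIN in mech_list there is nothing to advertise on a cleartext EHLO. The Python sketch below summarizes sm-mta log lines per session to show whether AUTH was offered and whether the client issued STARTTLS; the sample log is constructed in the format of the excerpts above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the maillog excerpts above (abridged;
# host names, addresses and the AUTH argument are placeholders).
SAMPLE_LOG = """\
May  3 15:27:01 mx sm-mta[22526]: NOQUEUE: connect from client.example [192.0.2.10]
May  3 15:27:01 mx sm-mta[22526]: AUTH warning: no mechanisms
May  3 15:27:01 mx sm-mta[22526]: p43MR1qW022526: <-- EHLO [10.0.10.121]
May  3 15:27:01 mx sm-mta[22526]: p43MR1qW022526: --- 250-STARTTLS
May  3 15:27:01 mx sm-mta[22526]: p43MR1qW022526: --- 250 HELP
May  3 15:27:01 mx sm-mta[22526]: p43MR1qW022526: --- 421 4.4.1 mx Lost input channel
May  3 15:47:07 mx sm-mta[22602]: AUTH: available mech=PLAIN LOGIN, allowed mech=LOGIN PLAIN
May  3 15:47:07 mx sm-mta[22602]: p43Ml7p2022602: <-- EHLO [10.0.10.121]
May  3 15:47:07 mx sm-mta[22602]: p43Ml7p2022602: --- 250-AUTH LOGIN PLAIN
May  3 15:47:07 mx sm-mta[22602]: p43Ml7p2022602: --- 250-STARTTLS
May  3 15:47:07 mx sm-mta[22602]: p43Ml7p2022602: <-- AUTH PLAIN <redacted>
May  3 15:47:07 mx sm-mta[22602]: p43Ml7p2022602: --- 235 2.0.0 OK Authenticated
"""

ENTRY = re.compile(r"sm-mta\[(\d+)\]: (.*)$")

def summarize(log_text):
    """Group sm-mta lines by PID and record what each SMTP session exchanged."""
    sessions = defaultdict(lambda: {"auth_mechs": [], "starttls_offered": False,
                                    "client_cmds": [], "authenticated": False})
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        s, msg = sessions[m.group(1)], m.group(2)
        if (cap := re.search(r"--- 250[- ](\S+)(.*)", msg)):   # EHLO reply line
            if cap.group(1) == "AUTH":
                s["auth_mechs"] = cap.group(2).split()
            elif cap.group(1) == "STARTTLS":
                s["starttls_offered"] = True
        elif (cmd := re.search(r"<-- (\S+)", msg)):            # client command
            s["client_cmds"].append(cmd.group(1).upper())
        elif "--- 235 " in msg:                                # AUTH succeeded
            s["authenticated"] = True
    return dict(sessions)

def diagnose(s):
    """Classify one session from the fields collected by summarize()."""
    if s["authenticated"]:
        return "authenticated"
    if not s["auth_mechs"] and s["starttls_offered"] and "STARTTLS" not in s["client_cmds"]:
        return "AUTH not offered in cleartext and client never sent STARTTLS"
    return "no AUTH attempt recorded"
```

Calling `summarize()` on a real maillog and `diagnose()` on each session separates clients that disconnect before STARTTLS from sessions where AUTH was offered and used.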

michaelk 05-08-2011 10:29 AM

Reported as duplicate.
Continue here:
http://www.linuxquestions.org/questi...1-23-a-879439/

win32sux 05-08-2011 03:23 PM

KrisRoberts:

Going forward, please use the Report button to request a thread move, instead of opening a duplicate.

