Sendmail: sasl2/AUTH

alext · 07-13-2006, 08:01 AM

hello!

I am having a heck of a time getting Sendmail to authenticate using Cyrus saslauthd
I've isolated my problem to either saslauthd or Sendmail.

by the way, i use a sendmail DUAL configuration with amavisd
here are some config files/outputs:

Code:

# sendmail -d0.1
Version 8.13.6
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NDBM NETINET NETINET6 NETUNIX NIS NISPLUS PIPELINING
                SASLv2 SCANF STARTTLS XDEBUG

Code:

#less sendmail-rx.mc
...
define(`confLOG_LEVEL', `13')
...
dnl  AUTH
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl

dnl  Weitervermittlung erlauben, WENN der Host sich erfolgreich authentifiziert hat
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl

dnl  p-PLAIN/LOGIN nur dann anbieten, wenn SSL/TLS aktiv ist
dnl  y- anonymous-login verbieten
define(`confAUTH_OPTIONS', `A y')dnl
...

Code:

root   311     1   0 13:48:28 ?           0:00 /opt/csw/sbin/saslauthd -a pam
    root   313   311   0 13:48:28 ?           0:00 /opt/csw/sbin/saslauthd -a pam
    root   312   311   0 13:48:28 ?           0:00 /opt/csw/sbin/saslauthd -a pam
    root   314   311   0 13:48:28 ?           0:00 /opt/csw/sbin/saslauthd -a pam
    root   315   311   0 13:48:28 ?           0:00 /opt/csw/sbin/saslauthd -a pam

Code:

#less Sendmail.conf
pwcheck_method:saslauthd
mech_list: LOGIN PLAIN
saslauthd_path:/var/opt/csw/saslauthd

Code:

# ll /var/opt/csw/saslauthd
Gesamt 6
drwxrws---   2 root     sasl         512 Jul 13 13:48 ./
drwxr-xr-x   3 root     bin          512 Jul  7 16:12 ../
srwxrwxrwx   1 root     sasl           0 Jul 13 13:48 mux=
-rw-------   1 root     sasl           0 Jul 13 13:48 mux.accept
-rw-------   1 root     sasl           4 Jul 13 13:48 saslauthd.pid

Code:

# ldd /usr/lib/sendmail
        libsasl2.so.2 =>         /usr/lib/libsasl2.so.2
        libresolv.so.2 =>        /lib/libresolv.so.2
        libsocket.so.1 =>        /lib/libsocket.so.1
        libnsl.so.1 =>   /lib/libnsl.so.1
        libc.so.1 =>     /lib/libc.so.1
        libdl.so.1 =>    /lib/libdl.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd5.so.1 =>   /lib/libmd5.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libm.so.2 =>     /lib/libm.so.2

Code:

#testsaslauthd -u user -p pass
0: OK "Success."

when i try to authentificate i get:

Code:

mta-rx: [ID 801593 mail.error] k6DCm1ID002220: AUTH failure (PLAIN): generic failure (-1) SASL(-1): generic failure: Password verification failed

and

Code:

mta-rx: [ID 801593 mail.warning] k6DCnNJu002290: AUTH failure (LOGIN): generic failure (-1) SASL(-1): generic failure: checkpass failed

well, i don't get any other errors, it looks like sendmail doesnt see saslauthd (?!)

If someone can just point me in the right direction...

Thanks!
Alex

ramram29 · 07-13-2006, 12:44 PM

Run the command 'testsaslauthd' to see if sasl is working first. If it logs you in then you can isolate the problem to being something other than sasl.

alext · 07-13-2006, 12:52 PM

hi!

i've already tried it, see above

alext · 07-13-2006, 01:42 PM

i've made some more tests:

i've started saslauthd in debug mode and
when i run

Code:

# testsaslauthd -u user -p pass
0: OK "Success."

i get

Code:

# saslauthd -a pam -d
saslauthd[12076] :main            : num_procs  : 5
saslauthd[12076] :main            : mech_option: NULL
saslauthd[12076] :main            : run_path   : /var/opt/csw/saslauthd
saslauthd[12076] :main            : auth_mech  : pam
saslauthd[12076] :ipc_init        : using accept lock file: /var/opt/csw/saslauthd/mux.accept
saslauthd[12076] :detach_tty      : master pid is: 0
saslauthd[12076] :ipc_init        : listening on socket: /var/opt/csw/saslauthd/mux
saslauthd[12076] :main            : using process model
saslauthd[12076] :have_baby       : forked child: 12077
saslauthd[12076saslauthd[] :have_baby       12077: forked child: 12078] :
get_accept_lock : acquired accept lock
saslauthd[12076] :have_baby       : forked child: 12079
saslauthd[12076] :have_baby       : forked child: 12080
saslauthd[12077] :rel_accept_lock : saslauthd[released accept lock
12078] :get_accept_lock : acquired accept lock
saslauthd[12077] :do_auth         : auth success: [user=user] [service=imap] [realm=] [mech=pam]
saslauthd[12077] :do_request      : response: OK

when i try to authentificate via sendmail, nothing happens .....
doesn't sendmail know from saslauthd (?!)

ramram29 · 08-01-2006, 02:02 PM

You should drop sendmail and try postfix - it's more secure, faster and easier to setup.

benjithegreat98 · 08-01-2006, 05:26 PM

Here's a link that's basically a tutorial for this:
http://www.jonfullmer.com/smtpauth/

One big difference I see in the 2 is your Sendmail.conf file. I set this up today for the first time (well, I setup TLS as well) and it looks good as far as I can tell. I have to ask the obligatory sendmail question. Did you convert your .mc file to the sendmail.cf and restart?

gilead · 08-01-2006, 09:07 PM

There's a good article on this at http://www.linuxquestions.org/questi...d.php?t=224543. I have it running on on 2 systems here (without amavisd though). Unless you're new to sendmail I don't recommend changing MTA's over what is probably a configuration issue.