Quote: Originally Posted by Elizine
Have you tried restarting sendmail?
Yes.
Quote:
Do you see this for all users, local and remote? How do you authenticate remote users for sending mail?
LAN/Domain users use Dovecot with GSSAPI authentication for incoming IMAP mail to their workstations. This authenticates with their Domain Credentials. SMTP authentication is to port 587 (forwarded to port 25) which is Sendmail; no authentication required.
Remote users are in this case users with smart phones. Their incoming IMAP server is on port 993 (forwarded to 143) with TLS. This port is listened on by Dovecot, the IMAP server. This DOES NOT authenticate with domain credentials but does authenticate with /etc/shadow. Therefore, domain users who have cell phones must be in both sam.ldb and /etc/passwd. The outgoing SMTP goes to port 587 (forwarded to 25) with TLS, which is listened on by Sendmail. Sign-in is required. Again, I believe sendmail is verifying the cell-phone-sent credentials against /etc/shadow.
I would very much like to get domain users out of /etc/passwd as that is not considered kosher by Samba AD/DC experts. I do have a mechanism for Dovecot to authenticate with AD credentials and NOT NEED /etc/shadow. However, if the user is not in /etc/passwd, the Sendmail port 25 authentication fails if "Sign-in required" is required. If I do not require sign-in, the cell-phone user can connect with Sendmail, but cannot actually send email from the cell-phone because relaying is denied.
I think my problem has to do with saslauthd and AUTH mechanisms. In my .mc file I have:
Code:
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A c y')dnl
In /etc/sasl2/Sendmail.conf I have:
Code:
pwcheck_method: saslauthd
mech_list: EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
And, if I telnet to the mail server I get:
Code:
250-AUTH LOGIN PLAIN
So, the only AUTH mechanisms available are LOGIN and PLAIN. I don't really know why DIGEST-MD5 and CRAM-MD5 don't show up in 250-AUTH because they are in both Sendmail.conf and sendmail.mc. I believe that LOGIN and/or PLAIN are mechanisms that Sendmail will use to authenticate with /etc/passwd - /etc/shadow. They are not mechanisms that will work for AD authentication.
I think I have to change something in the .mc file, but I'm not sure what. What if I added GSSAPI to the TRUST_AUTH_MECH list and confAUTH_MECHANISMS?
Quote:
Migrating to another MTA (eg Postfix) may work around your problem but it's not a quick fix. You'd have to configure Postfix in the same way your sendmail setup is currently configured. It's better to try to understand and fix the issue at hand.
For numerous other reasons (e.g. custom milters), that's not gonna happen. We'll leave cellphone users in /etc/passwd before changing MTAs.
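The post's telnet check shows only "250-AUTH LOGIN PLAIN". As an added example (not code from the post or from sendmail/Cyrus SASL), the script below parses a captured EHLO reply offline and reports which SASL mechanisms are advertised, whether STARTTLS is offered, and whether plaintext mechanisms are being offered on the pre-TLS connection. The sample replies, hostnames and addresses are constructed. Two facts it relies on: with pwcheck_method set to saslauthd, Cyrus SASL can only offer mechanisms that verify a plaintext password (PLAIN and LOGIN), because saslauthd answers a yes/no password check and never sees the stored secret that CRAM-MD5 and DIGEST-MD5 require; and sendmail's confAUTH_OPTIONS flag 'p' (absent from the "A c y" in the post) is what stops PLAIN/LOGIN from being offered before a TLS security layer is active.

```python
"""Inspect an SMTP EHLO reply for the SASL mechanisms it advertises.

Added example, not code from the original post. It works offline on a
captured EHLO reply (the kind of output shown in a telnet session) so an
administrator can see which mechanisms sendmail offers and whether plaintext
mechanisms are offered before STARTTLS. All sample data is constructed.
"""

# Constructed sample resembling a sendmail EHLO reply on port 25 before
# STARTTLS; hostname and address are made up.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.test Hello client.example [192.0.2.10], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE 36700160\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# Mechanisms that hand the password to the server in the clear (base64 is not
# protection); acceptable only inside TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Shared-secret mechanisms: the server needs the stored password (an auxprop
# source such as sasldb), so saslauthd, which only answers yes/no to a
# password check, cannot serve them.
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5"}


def parse_ehlo(reply):
    """Return {KEYWORD: [params...]} for the extension lines of an EHLO reply.

    The first 250 line is the server greeting and is skipped. Handles both the
    RFC 4954 form "250-AUTH PLAIN LOGIN" and the legacy "250-AUTH=PLAIN LOGIN".
    """
    extensions = {}
    seen_greeting = False
    for raw in reply.splitlines():
        line = raw.strip()
        # Only 250 continuation ("250-") or final ("250 ") lines carry extensions.
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        if not seen_greeting:
            seen_greeting = True
            continue
        parts = line[4:].split()
        if not parts:
            continue
        keyword, params = parts[0].upper(), parts[1:]
        if keyword.startswith("AUTH="):  # legacy syntax
            keyword, params = "AUTH", [keyword[5:]] + params
        extensions.setdefault(keyword, []).extend(params)
    return extensions


def advertised_auth(reply):
    """Set of SASL mechanism names the server advertises in this reply."""
    return {m.upper() for m in parse_ehlo(reply).get("AUTH", [])}


def assess(reply, pre_tls=True):
    """Summarise the authentication posture visible in one EHLO reply.

    pre_tls says whether the reply was captured before STARTTLS; sendmail
    offers PLAIN/LOGIN there unless confAUTH_OPTIONS contains 'p'.
    """
    ext = parse_ehlo(reply)
    mechs = advertised_auth(reply)
    findings = []
    if not mechs:
        findings.append("no AUTH advertised")
    plaintext_before_tls = pre_tls and bool(mechs & PLAINTEXT_MECHS)
    if plaintext_before_tls:
        findings.append("plaintext mechanisms (%s) offered before TLS; "
                        "consider adding 'p' to confAUTH_OPTIONS"
                        % ", ".join(sorted(mechs & PLAINTEXT_MECHS)))
    if mechs and not (mechs - PLAINTEXT_MECHS):
        findings.append("only plaintext mechanisms offered, consistent with "
                        "pwcheck_method: saslauthd (shared-secret mechanisms "
                        "need an auxprop password source)")
    return {
        "mechanisms": sorted(mechs),
        "starttls": "STARTTLS" in ext,
        "plaintext_before_tls": plaintext_before_tls,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_EHLO_REPLY).items():
        print(f"{key}: {value}")
```

To use it on a real server, paste the EHLO reply from a telnet or openssl s_client session into SAMPLE_EHLO_REPLY (or read it from a file) and call assess() with pre_tls=False for a reply captured after STARTTLS; comparing the two captures shows whether the 'p' option is doing its job.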