LinuxQuestions.org


Blazeone 01-23-2010 08:32 PM

[SOLVED] Slackware 13 64bit, Problems with SASL/SMTP AUTH, Relaying down.
 
I will try to give as much detail as possible from the get-go, but if you are reading this and think you can help but need more information, please reply to the thread or PM me. I am just very frustrated, as I know on my 10.2 install I did not go through all this much trouble.

(Note: I am on a dynamic DNS service; my IPs stay steady for months at a time, but I am still utilizing a smarthost setup for outgoing mail.)

So I have followed about 5 different sendmail+sasl+openssl walkthroughs to get this far, here is the current situation.

Local users CAN send and receive email via pine while logged on ssh, or from the roundcube mail webmail applet via httpd.

Local users CAN receive mail via IMAP/POP without any problems from most client software.

But the only way I've been able to get any type of relaying for remote use is to expressly allow relaying from the IP via the access.db.
I.e.: my cellphone is on an unlimited data plan, and I know my carrier's domain pool, so I have that entire network authorized to relay at the moment, as my phone's IP address changes as much as 7 times a day.

When I try to use authentication it just continually asks for a username/password, until I hit cancel and then it errors. (Logs at bottom of post)

Here is a copy of my sendmail.mc, lightly edited of course for security reasons.
Code:

dnl# This is the a sendmail .mc file for Slackware with TLS support.
dnl# To generate the sendmail.cf file from this (perhaps after making
dnl# some changes), use the m4 files in /usr/share/sendmail/cf like this:
dnl#
dnl# cp sendmail-slackware-tls.mc /usr/share/sendmail/cf/config.mc
dnl# cd /usr/share/sendmail/cf
dnl# sh Build config.mc
dnl#
dnl# You may then install the resulting .cf file:
dnl# cp config.cf /etc/mail/sendmail.cf
dnl#
include(`../m4/cf.m4')
VERSIONID(`TLS supporting setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
dnl#
dnl# You will need to create the certificates below with OpenSSL first:
define(`confCACERT_PATH', `/etc/mail/certs/')
define(`confCACERT', `/etc/mail/certs/CA.cert.pem')
define(`confSERVER_CERT', `/etc/mail/certs/smtp.cert.pem')
define(`confSERVER_KEY', `/etc/mail/certs/smtp.key.pem')
define(`confCRL', `/etc/mail/certs/revoke.crl')
define(`confTLS_SRV_OPTIONS', `V')
dnl# These settings help protect against people verifying email addresses
dnl# at your site in order to send you email that you probably don't want:
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl# Uncomment the line below to send outgoing mail through an external server:
define(`SMART_HOST',`smtp.comcast.net')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
dnl# No timeout for ident:
define(`confTO_IDENT', `0')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl# Enable the line below to use smrsh to restrict what sendmail can run:
dnl FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
dnl# See the README in /usr/share/sendmail/cf for a ton of information on
dnl# how these options work:
FEATURE(`delay_checks')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected spam as" $&{client_addr} " found in dnsbl.sorbs.net"')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"Spam blocked see: http://www.abuse.net/sbl.phtml?IP="$&{client_addr}')dnl
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`enhdnsbl', `list.dsbl.org', `"Spam blocked see: http://dsbl.org"$&{client_addr}')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`masquerade_envelope')dnl
MASQUERADE_AS(`mydomainname.net')dnl # replaced for posting.
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
FEATURE(`redirect')dnl
dnl# Turn this feature on if you don't always have DNS, or enjoy junk mail:
dnl FEATURE(`accept_unresolvable_domains')dnl
EXPOSED_USER(`root')dnl
dnl# Also accept mail for localhost.localdomain:
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl# Allow SASL authentication/relaying:
define(`confAUTH_OPTIONS', `A y')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl# Daemon options after M= below that might need to be changed are:
dnl# s (allow SSL, not only TLS)
dnl# a (require authentication)
DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=s')dnl
LOCAL_CONFIG
dnl# Do not allow the weak SSLv2:
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL

And here is a snip of some of the attempts to relay while I removed my local network range from access.db.

My Linux box sits at 192.168.0.25 on the LAN and my desktop machine is 192.168.0.2.

Code:

Jan 20 20:04:28 blazeone sm-mta[28756]: STARTTLS=server, relay=[192.168.0.2], version=TLSv1/SSLv3, verify=NOT, cipher=AES128-SHA, bits=128/128
Jan 20 20:04:28 blazeone sm-mta[28756]: o0L44S8H028756: [192.168.0.2] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

This snip is my buddy trying from his house.
Code:

Jan 19 18:22:37 blazeone sm-mta[31049]: o0K2MbkB031049: c-71-197-174-23.hsd1.wa.comcast.net [71.197.174.23] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA-SSL
Jan 19 18:22:38 blazeone sm-mta[31050]: o0K2McPe031050: c-71-197-174-23.hsd1.wa.comcast.net [71.197.174.23] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA-SSL
Jan 19 18:23:15 blazeone sm-mta[31058]: gethostbyaddr(172.16.210.1) failed: 1
Jan 20 19:18:37 blazeone sm-mta[28667]: o0L3Ia0B028667: c-71-197-174-23.hsd1.wa.comcast.net [71.197.174.23] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 20 19:18:42 blazeone sm-mta[28671]: o0L3Ifks028671: c-71-197-174-23.hsd1.wa.comcast.net [71.197.174.23] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

We were both trying to use Outlook, with different combinations of ports, SPA on/off, SSL required on/off, and encryption method set to auto, TLS or SSL. (Ports tried: 25/465/587.)

Here is my Sendmail.conf from /usr/lib/sasl2/:
Code:

pwcheck_method: saslauthd
mech_list: EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN

Not sure where to go from here. Any fresh ideas are welcome. I am almost to the point of locating a sendmail god and having them remote in to fix this. :(

Blazeone 01-24-2010 01:51 PM

I think I am pretty hot on the tracks: I increased the log level and got this out of the mail log upon restarting the saslauthd and sendmail daemons.
Code:

Jan 24 10:56:09 blazeone sm-mta[11117]: error: safesasl(/etc/sasl2/Sendmail.conf) failed: No such file or directory
Jan 24 10:56:09 blazeone sm-mta[11118]: starting daemon (8.14.3): SMTP+queueing@00:25:00
Jan 24 10:56:09 blazeone sm-mta[11118]: STARTTLS=server, init=1
Jan 24 10:56:09 blazeone sm-mta[11118]: started as: /usr/sbin/sendmail -L sm-mta -bd -q25m
Jan 24 10:56:09 blazeone sm-msp-queue[11121]: starting daemon (8.14.3): queueing@00:25:00

So I just made a symbolic link at /etc/sasl2/ to /usr/lib64/sasl2/.

Restarting now, and going to see if it works :>

Blazeone 01-24-2010 01:53 PM

I feel very silly now... works great :> Marking as solved.
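An added check, not part of the thread: the symptom above (Outlook re-prompting for a password until cancel, and the log showing the client never issued MAIL) is what you see when sendmail cannot load its SASL config and so never advertises AUTH in its EHLO reply. The script below parses EHLO replies taken before and after STARTTLS and reports whether AUTH is offered at all and whether PLAIN/LOGIN leak onto the cleartext channel (sendmail withholds those until TLS only when confAUTH_OPTIONS contains `p', which the `A y' used here does not). The sample replies and the hostname mail.example.net are constructed; `probe` is a live helper for a real server.

```python
import smtplib
import ssl

# Mechanisms that hand over a reusable password unless a security layer
# (TLS) is already up. sendmail's confAUTH_OPTIONS `p' flag withholds
# exactly these until STARTTLS has completed; the thread's `A y' does not.
PASSIVE_ATTACK_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply: str) -> dict:
    """Map a raw EHLO reply ('250-KEYWORD params' lines) to {KEYWORD: [params]}."""
    feats = {}
    for line in reply.splitlines()[1:]:           # line 0 is the greeting
        body = line[4:].strip()                   # drop '250-' / '250 '
        body = body.replace("AUTH=", "AUTH ", 1)  # tolerate the legacy AUTH= form
        if body:
            kw, *params = body.split()
            feats.setdefault(kw.upper(), []).extend(params)
    return feats

def assess(before_tls: dict, after_tls: dict) -> dict:
    """Judge a server from its feature sets before and after STARTTLS."""
    auth_clear = {m.upper() for m in before_tls.get("AUTH", [])}
    auth_tls = {m.upper() for m in after_tls.get("AUTH", [])}
    return {
        "starttls_offered": "STARTTLS" in before_tls,
        "auth_missing": not auth_tls,   # the thread's symptom: nothing to log in with
        "auth_after_tls": sorted(auth_tls),
        # password mechanisms exposed on the cleartext channel (no `p' flag)
        "cleartext_password_mechs": sorted(auth_clear & PASSIVE_ATTACK_MECHS),
    }

def probe(host, port=587, cafile=None):
    """Live check of a real submission port (not exercised by the offline samples)."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: your own CA.cert.pem
    s = smtplib.SMTP(host, port, timeout=10)
    s.ehlo()
    before = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
    s.starttls(context=ctx)
    s.ehlo()                                      # features must be re-read after TLS
    after = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
    s.quit()
    return assess(before, after)

# Constructed sample replies, not captured from the poster's server.
BROKEN = "250-mail.example.net Hello [192.168.0.2]\n250-STARTTLS\n250-8BITMIME\n250 HELP"
BROKEN_TLS = "250-mail.example.net Hello [192.168.0.2]\n250-8BITMIME\n250 HELP"
FIXED = BROKEN                                    # AUTH correctly withheld until TLS
FIXED_TLS = "250-mail.example.net Hello [192.168.0.2]\n250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN\n250 HELP"

if __name__ == "__main__":
    print(assess(parse_ehlo(BROKEN), parse_ehlo(BROKEN_TLS)))
    print(assess(parse_ehlo(FIXED), parse_ehlo(FIXED_TLS)))
```

Against a real host, `probe("mail.example.net", 587, cafile="/etc/mail/certs/CA.cert.pem")` performs the same assessment over the wire; an `auth_missing` result with STARTTLS working points at the SASL side (saslauthd or the Sendmail.conf location) rather than at the certificates.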
