The test of saslauthd seems OK too:

--------
banyan# testsaslauthd -s smtp -u aNNNNNN -p xxxxxxxx
0: OK "Success."
--------

The auth login in the SMTP connection is still not available:

--------
ehlo local
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
...
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
auth login
504 5.3.3 AUTH mechanism login not available
--------

Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:26 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


And the LOGIN option is selected (as a ports default option) when
installing cyrus-sasl2.

Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:14 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


Both servers have the same ldd output, and Sendmail.conf contains only
"pwcheck_method: saslauthd"

--------
banyan# ldd -a /usr/sbin/sendmail
/usr/sbin/sendmail:
       libutil.so.7 => /lib/libutil.so.7 (0x2807d000)
       libc.so.7 => /lib/libc.so.7 (0x2808a000)
/lib/libutil.so.7:
       libc.so.7 => /lib/libc.so.7 (0x2808a000)
banyan#
banyan# ll /usr/local/lib/sasl2/Sendmail.conf
-rw-r--r--  1 root  wheel  26  7 29 14:56 /usr/local/lib/sasl2/Sendmail.conf
banyan# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd
--------

Reed

From: Ihor Prystay
Sent: Friday, July 31, 2009 2:55 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


You may check the location of sasl2 lib which sendmail is compiled with
- do ldd on sendmail executable. And verify if Sendmail.conf in the
sasl2 lib folder doesn't have any restrictions on available mechs.

Ihor



Reed Lai wrote:
The liblogin.so is in directory

banyan# ll /usr/local/lib/sasl2/liblogin.so
lrwxr-xr-x  1 root  wheel  13  7 29 14:54 /usr/local/lib/sasl2/liblogin.so -> liblogin.so.2
banyan# ll /usr/local/lib/sasl2/liblogin.so.2
-rwxr-xr-x  1 root  wheel  17172  7 29 14:54 /usr/local/lib/sasl2/liblogin.so.2

There is only confAUTH_MECHANISMS in .mc file, not confAUTH_OPTIONS

dnl set SASL options
dnl --------------------------------
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 4:58 PM
To: FreeBSD Question
Subject: Re: SMTP Authentication


Check if /usr/local/lib/sasl2/liblogin.so exists - if not, you have to
recompile sasl with LOGIN mech support.
Check in your .mc file if you define the confAUTH_OPTIONS macro. If you do,
make sure the 'p' parameter is not on the list, or LOGIN would be available
only after TLS encryption, which is not the case for you as your working
configuration offers LOGIN during a telnet session (it's actually a bad
idea to do authentication in clear text).

Ihor


Reed Lai wrote:
Yes, the new server lacks LOGIN in the 250-AUTH list!

New server
=========
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5

Functional server
==============
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

I have checked the generated .cf file on the new server and there are
a class and an option listed

C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

The new server has the same configuration as the old server, but does not
have LOGIN in the 250-AUTH list.
BTW, the new server has had its hostname changed once... I don't know if it
matters or not.

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 2:35 PM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


Try telnet to port 25 of your working SMTP server and compare the
output.
Check
250-AUTH <list of supported auth mech>
According to the provided log from the working server, there should be a
LOGIN mech available in the list, which is not present on the new server.

Ihor
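
Added example (not part of the original thread, and not sendmail's own code): the comparison suggested above, done mechanically. It parses an EHLO reply, lists AUTH mechanisms that the .cf AuthMechanisms option names but the server does not advertise, and flags PLAIN/LOGIN offered when STARTTLS is not advertised. The sample strings are constructed from the transcripts quoted in this thread; the function names are hypothetical.

```python
import re

# Constructed sample input, copied from the transcripts quoted in this thread.
EHLO_NEW = """250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP"""
# Only the AUTH line of the functional server appears in the thread.
EHLO_OLD_AUTH = "250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN"
CF_NEW = """C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN"""

# Mechanisms that send the password itself (base64 is encoding, not encryption).
PLAINTEXT = {"PLAIN", "LOGIN"}

def advertised(ehlo_reply):
    """Return (set of AUTH mechanisms, STARTTLS offered?) from an EHLO reply."""
    mechs, starttls = set(), False
    for line in ehlo_reply.splitlines():
        # "250-KEYWORD params"; the greeting line (hostname with dots) is skipped.
        m = re.match(r"250[- ]([A-Za-z0-9-]+)(?:[ =](.*))?$", line.strip())
        if not m:
            continue
        keyword, params = m.group(1).upper(), (m.group(2) or "")
        if keyword == "AUTH":  # also accepts the legacy "AUTH=" spelling
            mechs.update(p.upper() for p in params.split())
        elif keyword == "STARTTLS":
            starttls = True
    return mechs, starttls

def configured(cf_text):
    """Mechanisms named by the AuthMechanisms option in a sendmail .cf."""
    m = re.search(r"^O\s+AuthMechanisms=(.*)$", cf_text, re.MULTILINE)
    return {x.upper() for x in m.group(1).split()} if m else set()

def audit(ehlo_reply, cf_text):
    """Compare what the .cf asks for with what the server actually offers."""
    mechs, starttls = advertised(ehlo_reply)
    return {
        "configured_not_advertised": sorted(configured(cf_text) - mechs),
        "plaintext_without_starttls": [] if starttls else sorted(mechs & PLAINTEXT),
    }

if __name__ == "__main__":
    print("new server:", audit(EHLO_NEW, CF_NEW))
    print("functional server (AUTH line only):", audit(EHLO_OLD_AUTH, CF_NEW))
```
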


Reed Lai wrote:
The maillog does not log the sm-mta: AUTH=server action. The functional
server has the AUTH=server action logged. How do I debug from this
difference?

Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication


The mail client is Windows Live Mail and it works well with the functional
server. Its SMTP authentication should be OK.

Reed


From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


Your working server does support the LOGIN mech while the other one doesn't.
I doubt your mail client has support for GSSAPI DIGEST-MD5 CRAM-MD5
auth; usually it's PLAIN and/or LOGIN.

Ihor



Reed Lai wrote:
Instructions from "SMTP AUTH in sendmail 8.10-8.13" to test
Sendmail:

banyan# sendmail -d0.1 -bv root
Version 8.14.2
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
               NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2
               SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
     (short domain name) $w = banyan
 (canonical domain name) $j = banyan...com
        (subdomain name) $m = ..com
             (node name) $k = banyan...com
========================================================

root... deliverable: mailer local, user root

banyan# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40 +0800 (CST)
ehlo localhost
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

The Sendmail test seems OK.
But the SMTP authentication does not work from my mail client.

Reed


From: Reed Lai
Sent: Wednesday, July 29, 2009 5:37 PM
To: freebsd-questions@freebsd.org
Subject: SMTP Authentication


Hi,

I have two FreeBSD mail servers, both configured for SMTP authentication:

   FreeBSD Handbook 28.10 SMTP Authentication
   http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

   SMTP AUTH in sendmail 8.10-8.13
   http://www.sendmail.org/~ca/email/auth.html

One is functional, and the other one doesn't seem to work. Comparing the
maillogs of the two servers, there is an AUTH=server message appearing on
the functional server, but not on the other one.

The maillog of functional server
======================
Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-....net [59...147], authid=a660407, mech=LOGIN, bits=0
Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=<reed...@...>, size=1430, class=0, nrcpts=1, msgid=<40f9cc65e8874d128639a39c1eebd...@reedxp>, proto=ESMTP, daemon=IPv4, relay=59-...net [59...147]

The other one
=========
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt, arg1=<reed...@...>, relay=59-...-147.HINET-IP.hinet.net [59...147], reject=550 5.7.1 <reed...@...>... Relaying denied
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=<reed...@...>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, relay=59-...-147.HINET-IP.hinet.net [59...147]

It seems the other one's SMTP authentication is not triggered.

Please help or tip me for something I forget.

Thank you!

Reed
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
