Re: question about SMTP-authentication (2nd )

[kamolpat]

Dear Matthew,

According to your recommendation   (as following). When I do make at 
/usr/src/sur.sbin/sendmail it show as following.

ns1:kamolpat:/usr/src/usr.sbin/sendmailmake clean
rm -f sm_os.h sendmail alias.o arpadate.o bf.o collect.o conf.o 
control.o convtime.o daemon.o deliver.o domain.o envelope.o err.o 
headers.o macro.o main.o map.o mci.o milter.o mime.o parseaddr.o queue.o 
ratectrl.o readcf.o recipient.o savemail.o sasl.o sfsasl.o shmticklib.o 
sm_resolve.o srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o 
udb.o usersmtp.o util.o version.o mailq.1.gz newaliases.1.gz 
aliases.5.gz sendmail.8.gz mailq.1.cat.gz newaliases.1.cat.gz 
aliases.5.cat.gz sendmail.8.cat.gz

ns1:kamolpat:/usr/src/usr.sbin/sendmailmake
ln -sf 
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include/sm/os/sm_os_freebsd.h 
sm_os.h
cc -O2 -pipe  -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src 
-I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include -I. -DNEWDB 
-DNIS -DTCPWRAPPERS -DMAP_REGEX -DDNSMAP -DNETINET6 -DSTARTTLS 
-D_FFR_TLS_1 -I/usr/local/include/sasl -DSASL=2 -std=gnu99 
-fstack-protector  -c 
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c
In file included from 
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c:14:
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:135:25: 
error: sasl/sasl.h: No such file or directory
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:136:29: 
error: sasl/saslutil.h: No such file or directory
In file included from 
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c:14:
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:607: 
error: expected '=', ',', ';', 'asm' or '__attribute__' before ':' token
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:691: 
error: expected specifier-qualifier-list before 'sasl_conn_t'

*** Error code 1

Stop in /usr/src/usr.sbin/sendmail.


then I try to find where is sasl.h

ns1:kamolpat:/usrfind . -name sasl.h
./local/include/sasl/sasl.h
./ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.25/include/sasl.h
./ports/security/cyrus-sasl2-saslauthd/work/cyrus-sasl-2.1.25/include/sasl.h

What should I do next? Shold I just copy the sasl.h to 
/usr/src/contrib/sendmail/src/sendmail   ?


Thanks
Kamolpat

On 3/9/2012 12:34 AM, Matthew Seaman wrote:

On 08/03/2012 15:55, kamolpat wrote:

Setup Reference
==
1. I read the how to setup from  FreeBSD Handbook (online)-  Chapter 29
Electronic Mail -  29.10 SMTP Authentication  from freebsd.org
2. setup for cyrus-sasl2 was fine (setup via
usr/ports/security/cyrus-sasl2)
3. setup for openssl was 90% fine (setup via port) reference to FreeBSD
Handbook (online)-Chapter 15 Security -  15.8 OpenSSL
 accept the STARTTLS line doesn't appear  as mention on the last
part of article.


Did you rebuild sendmail with the right flags so that it would enable
all the SASL bits?  Apart from that you seem to have done all the right
stuff that I can see.

You need to add this to /etc/make.conf:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

and then rebuild sendmail -- assuming you have system sources installed:

# cd /usr/src/usr.sbin/sendmail
# make clean
# make
# make install

If you haven't got the system sources installed, then you can get them
easily enough with csup(1) or freebsd-update(8) or several other ways.
Or you could just install sendmail from ports -- obviously, make sure to
choose the option to enable SASL in the config dialogue.  If you use the
ports sendmail, so long as you set up mailer.conf(5) to point to the
ports version -- like so:

lucid-nonsense:/etc/mail:% cat mailer.conf
# $FreeBSD: stable/8/etc/mail/mailer.conf 93858 2002-04-05 04:25:14Z
gshapiro $
#
# Execute the real sendmail program, named /usr/local/sbin/sendmail
#
sendmail/usr/local/sbin/sendmail
send-mail   /usr/local/sbin/sendmail
mailq   /usr/local/sbin/sendmail
newaliases  /usr/local/sbin/sendmail
hoststat/usr/local/sbin/sendmail
purgestat   /usr/local/sbin/sendmail

and put the following in /etc/make.conf so it uses the latest
configuration file bits:

SENDMAIL_CF_DIR=/usr/local/share/sendmail/cf
MAKEMAP=/usr/local/sbin/makemap

then the ports sendmail is pretty much a drop-in replacement for the
system one, and you can use all the config bits in /etc/mail in exactly
the same way as normal.

Cheers,

Matthew







E-mail message checked by Internet Security (7.0.0.508)
Database version: 6.19440
http://www.pctools.com/en/internet-security/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: question about SMTP-authentication (2nd )

[Matthew Seaman]

On 12/03/2012 13:26, kamolpat wrote:
 According to your recommendation   (as following). When I do make at
 /usr/src/sur.sbin/sendmail it show as following.
 ns1:kamolpat:/usr/src/usr.sbin/sendmailmake clean
 rm -f sm_os.h sendmail alias.o arpadate.o bf.o collect.o conf.o
 control.o convtime.o daemon.o deliver.o domain.o envelope.o err.o
 headers.o macro.o main.o map.o mci.o milter.o mime.o parseaddr.o queue.o
 ratectrl.o readcf.o recipient.o savemail.o sasl.o sfsasl.o shmticklib.o
 sm_resolve.o srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o
 udb.o usersmtp.o util.o version.o mailq.1.gz newaliases.1.gz
 aliases.5.gz sendmail.8.gz mailq.1.cat.gz newaliases.1.cat.gz
 aliases.5.cat.gz sendmail.8.cat.gz
 ns1:kamolpat:/usr/src/usr.sbin/sendmailmake
 ln -sf
 /usr/src/usr.sbin/sendmail/../../contrib/sendmail/include/sm/os/sm_os_freebsd.h
 sm_os.h
 cc -O2 -pipe  -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src
 -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include -I. -DNEWDB
 -DNIS -DTCPWRAPPERS -DMAP_REGEX -DDNSMAP -DNETINET6 -DSTARTTLS
 -D_FFR_TLS_1 -I/usr/local/include/sasl -DSASL=2 -std=gnu99
 -fstack-protector  -c
 /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c
 In file included from
 /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c:14:
 /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:135:25:
 error: sasl/sasl.h: No such file or directory
 /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:136:29:
 error: sasl/saslutil.h: No such file or directory
 In file included from
 /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c:14:
 /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:607:
 error: expected '=', ',', ';', 'asm' or '__attribute__' before ':' token
 /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:691:
 error: expected specifier-qualifier-list before 'sasl_conn_t'
 *** Error code 1
 
 Stop in /usr/src/usr.sbin/sendmail.
 
 
 then I try to find where is sasl.h
 
 ns1:kamolpat:/usrfind . -name sasl.h
 ./local/include/sasl/sasl.h
 ./ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.25/include/sasl.h
 ./ports/security/cyrus-sasl2-saslauthd/work/cyrus-sasl-2.1.25/include/sasl.h
 
 
 What should I do next? Shold I just copy the sasl.h to
 /usr/src/contrib/sendmail/src/sendmail   ?

No.  Don't do that.  It won't help anything.

You need to follow my instructions correctly.  Specifically this line
needs to be in /etc/make.conf in order to pick up the SASL header files:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2

Where, you will note, this does *not* say /usr/local/include/sasl, which
is what appears in your compiler output.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey




signature.asc
Description: OpenPGP digital signature

Re: question about SMTP-authentication (3rd )

[kamolpat]

Dear Matthew,

Ok, I got sendmail complied. Thanks.
But seem like ...
POP3 still working in clear text usr/pwd sending to Server (but it work, 
I can get mail from server normal). When I chose option in ThunderBird 
to another mode, it doesn't work (accept connection security: none, 
authentication method: password transmitted insecurity this is the 
option that TB dectected during setting mail account)



SMTP doesn't work it declare
from Thunder Bird:

Send Message Error
The Kerberos/GSSAPI ticket was not accepted by the SMTP server 
mail.dmaccess.co.th Please check that you are logged in to the 
Kerberos/GSSAPI realm.
(event I change authentication method: Kerberos/GSSAPI, it still 
inform this message)


from /var/log/maillog
Mar 12 22:38:04 ns1 sendmail[93331]: q2CMc4jF093331: 
ppp-58-8-130-33.revip2.asianet.co.th [58.8.130.33] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to MSA



this is my test on server
=
ns1:kamolpat:/etctelnet dmaccess.co.th 25
Trying 202.170.122.33...
Connected to dmaccess.co.th.
Escape character is '^]'.
220 ns1.dmaccess.co.th ESMTP Sendmail 8.14.4/8.14.4; Mon, 12 Mar 2012 
22:23:14 GMT

ehlo dmaccess.co.th
250-ns1.dmaccess.co.th Hello ns1.dmaccess.co.th [202.170.122.33], 
pleased to meet you

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 ns1.dmaccess.co.th closing connection
Connection closed by foreign host.


this is my /etc/mail/freebsd.mc
=
Other http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=78 
dnl Uncomment the first line to change the location of the default 
http://202.170.122.33:10099/sendmail/move.cgi?idx=78down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=78up=1 

Other http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=79 
dnl /etc/mail/local-host-names and comment out the second line. 
http://202.170.122.33:10099/sendmail/move.cgi?idx=79down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=79up=1 

Other http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=80 
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw') 
http://202.170.122.33:10099/sendmail/move.cgi?idx=80down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=80up=1 

*Define* 
http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=81 
define(`confCW_FILE', `-o /etc/mail/local-host-names') 
http://202.170.122.33:10099/sendmail/move.cgi?idx=81down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=81up=1 


Other http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=82  

http://202.170.122.33:10099/sendmail/move.cgi?idx=82down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=82up=1
Other http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=83 
dnl Enable for both IPv4 and IPv6 (optional) 
http://202.170.122.33:10099/sendmail/move.cgi?idx=83down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=83up=1 

Other http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=84 
DAEMON_OPTIONS(`Name=IPv4, Family=inet') 
http://202.170.122.33:10099/sendmail/move.cgi?idx=84down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=84up=1 

Other http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=85 
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O') 
http://202.170.122.33:10099/sendmail/move.cgi?idx=85down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=85up=1 


Other http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=86  

http://202.170.122.33:10099/sendmail/move.cgi?idx=86down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=86up=1
*Define* 
http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=87 
define(`confBIND_OPTS', `WorkAroundBroken') 
http://202.170.122.33:10099/sendmail/move.cgi?idx=87down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=87up=1 

*Define* 
http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=88 
define(`confNO_RCPT_ACTION', `add-to-undisclosed') 
http://202.170.122.33:10099/sendmail/move.cgi?idx=88down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=88up=1 

*Define* 
http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=89 
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy') 
http://202.170.122.33:10099/sendmail/move.cgi?idx=89down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=89up=1 


Other http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=90  

http://202.170.122.33:10099/sendmail/move.cgi?idx=90down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=90up=1
Other http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=91 
GENERICS_DOMAIN_FILE(`/etc/mail/genericdomains'); 
http://202.170.122.33:10099/sendmail/move.cgi?idx=91down=1http://202.170.122.33:10099/sendmail/move.cgi?idx=91up=1 


Other http://202.170.122.33:10099/sendmail/edit_feature.cgi?idx=92  

Re: question about SMTP-authentication (3rd )

[Paul Macdonald]

On 12/03/2012 15:47, kamolpat wrote:

Dear Matthew,

Ok, I got sendmail complied. Thanks.
But seem like ...
POP3 still working in clear text usr/pwd sending to Server (but it 
work, I can get mail from server normal). When I chose option in 
ThunderBird to another mode, it doesn't work (accept connection 
security: none, authentication method: password transmitted 
insecurity this is the option that TB dectected during setting mail 
account)



SMTP doesn't work it declare
from Thunder Bird:

Send Message Error
The Kerberos/GSSAPI ticket was not accepted by the SMTP server 
mail.dmaccess.co.th Please check that you are logged in to the 
Kerberos/GSSAPI realm.
(event I change authentication method: Kerberos/GSSAPI, it still 
inform this message)


from /var/log/maillog
Mar 12 22:38:04 ns1 sendmail[93331]: q2CMc4jF093331: 
ppp-58-8-130-33.revip2.asianet.co.th [58.8.130.33] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to MSA




what are you using as the authentication method for sasl?

there are multiple authentication mechansims available for sasl(2), 
simplest is probably saslauthd


*In /etc/rc.conf
*saslauthd_enable=yes

In /usr/local/lib/sasl2/Sendmail.conf have:

pwcheck_method: saslauthd

make sure its running
/usr/local/etc/rc.d/saslauthd start

add a user with saslpasswd2

Test your u/p locally with testsaslauthd
testsaslauthd -u user -p PASS

(if thats not working it won't work over the network either)

have TB set to conn security to STARTTLS and password security set to 
normal password, (for non encrypted password obv)


Paul.



--
-
Paul Macdonald
IFDNRG Ltd
Web and video hosting
-
t: 0131 5548070
m: 07970339546PLEASE NOTE NEW MOBILE
e: p...@ifdnrg.com
w: http://www.ifdnrg.com
-
IFDNRG
40 Maritime Street
Edinburgh
EH6 6SA
-


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

question about SMTP-authentication

[kamolpat]

To whom it may concern:

Hello, may I need your help about SMTP authentication?

Problems:
=
SMTP-authen  doesn't functioning, when I use ThunderBird I try to set 
authentication method as Kerberos/GSSAPI or Encrypted password, it 
doesn't work.


Background:
===
I'm intermediate FreeBSD sysadmin. I used to run only normal mail 
service in my company, which use POP3 on myserver and SMTP from ISP. Now 
my ISP always get problem, so I prefer to set SMTP service on my server 
and provide to staffs in company. However to set pure SMTP is not safe, 
then I prefer to use SMTP-authenicate.


Setup Reference
==
1. I read the how to setup from  FreeBSD Handbook (online)- Chapter 29 
Electronic Mail - 29.10 SMTP Authentication  from freebsd.org

2. setup for cyrus-sasl2 was fine (setup via usr/ports/security/cyrus-sasl2)
3. setup for openssl was 90% fine (setup via port) reference to FreeBSD 
Handbook (online)-Chapter 15 Security - 15.8 OpenSSL
accept the STARTTLS line doesn't appear  as mention on the last 
part of article.


Raw info for considers

from /var/log/maillog
---
revip2.asianet.co.th is my provider , the dmaccess.co.th is my server

Mar  8 22:35:35 ns1 sendmail[18640]: q28MZZ4l018640: 
ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to IPv4
Mar  8 22:37:29 ns1 sendmail[18644]: q28MbSv3018644: ruleset=check_rcpt, 
arg1=kamol...@dmaccess.net, 
relay=ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248], reject=550 
5.7.1 kamolpa
Mar  8 22:37:34 ns1 sendmail[18644]: q28MbSv3018644: 
from=smtpt...@dmaccess.co.th, size=778, class=0, nrcpts=0, 
proto=ESMTP, daemon=IPv4, relay=ppp-58-8-163-248.revip2.asianet.co.th [58.
Mar  8 22:38:31 ns1 sendmail[18646]: q28McVl2018646: 
ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to IPv4
Mar  8 22:39:55 ns1 sendmail[18650]: q28MdsOC018650: 
ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to IPv4
Mar  8 22:40:57 ns1 sendmail[18688]: q28MevLw018688: 
ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to IPv4
Mar  8 22:42:05 ns1 sendmail[18689]: q28Mffbd018689: 
ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to IPv4


from /etc/mail/freebsd.mc
--
dnl set SASL options
TRUST_AUTH_MECH (`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS',`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

dnl SSL Options
define(`confCACERT_PATH',`/etc/ssl')dnl
define(`confCACERT',`/etc/ssl/dm_new.crt')dnl
define(`confSERVER_CERT',`/etc/ssl/dm_new.crt')dnl
define(`confSERVER_KEY',`/etc/ssl/dm_ca.key')dnl
define(`confTLS_SRV_OPTIONS',`V')dnl

MAILER(local)
MAILER(smtp)


Thanks in advance

Kamolpat








E-mail message checked by Internet Security (7.0.0.508)
Database version: 6.19420
http://www.pctools.com/en/internet-security/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: question about SMTP-authentication

[Matthew Seaman]

On 08/03/2012 15:55, kamolpat wrote:
 Setup Reference
 ==
 1. I read the how to setup from  FreeBSD Handbook (online)- Chapter 29
 Electronic Mail - 29.10 SMTP Authentication  from freebsd.org
 2. setup for cyrus-sasl2 was fine (setup via
 usr/ports/security/cyrus-sasl2)
 3. setup for openssl was 90% fine (setup via port) reference to FreeBSD
 Handbook (online)-Chapter 15 Security - 15.8 OpenSSL
 accept the STARTTLS line doesn't appear  as mention on the last
 part of article.
 

Did you rebuild sendmail with the right flags so that it would enable
all the SASL bits?  Apart from that you seem to have done all the right
stuff that I can see.

You need to add this to /etc/make.conf:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

and then rebuild sendmail -- assuming you have system sources installed:

# cd /usr/src/usr.sbin/sendmail
# make clean
# make
# make install

If you haven't got the system sources installed, then you can get them
easily enough with csup(1) or freebsd-update(8) or several other ways.
Or you could just install sendmail from ports -- obviously, make sure to
choose the option to enable SASL in the config dialogue.  If you use the
ports sendmail, so long as you set up mailer.conf(5) to point to the
ports version -- like so:

lucid-nonsense:/etc/mail:% cat mailer.conf
# $FreeBSD: stable/8/etc/mail/mailer.conf 93858 2002-04-05 04:25:14Z
gshapiro $
#
# Execute the real sendmail program, named /usr/local/sbin/sendmail
#
sendmail/usr/local/sbin/sendmail
send-mail   /usr/local/sbin/sendmail
mailq   /usr/local/sbin/sendmail
newaliases  /usr/local/sbin/sendmail
hoststat/usr/local/sbin/sendmail
purgestat   /usr/local/sbin/sendmail

and put the following in /etc/make.conf so it uses the latest
configuration file bits:

SENDMAIL_CF_DIR=/usr/local/share/sendmail/cf
MAKEMAP=/usr/local/sbin/makemap

then the ports sendmail is pretty much a drop-in replacement for the
system one, and you can use all the config bits in /etc/mail in exactly
the same way as normal.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey




signature.asc
Description: OpenPGP digital signature

Re: question about SMTP-authentication

[Julian H. Stacey]

kamolpat wrote:
 To whom it may concern:

I hope you get a more useful reply than mine later,  no time here, sorry
but I've had SASL-1 running fine for years FreeBSD both ends.
Documented here, 
http://www.berklix.com/~jhs/txt/sasl.html 
There's various URLs there to SASL-2

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below not above, cumulative like a play script,  indent with  .
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
Mail from @yahoo dumped @berklix.  http://berklix.org/yahoo/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: SMTP Authentication

[Ihor Prystay]

Tray telnet to port 25 of your working SMTP server and compare the output.
Check
250-AUTH list of supported auth mech
According to the provided log from the working server it should be LOGIN
mech available in the list, which is not present on the new server.

Ihor


Reed Lai wrote:
 The maillog does not log the sm-mta: AUTH=server action. The functional
 server has the AUTH=server action logged. How do I debug from this
 different?
 
 Reed
 
 From: Reed Lai
 Sent: Thursday, July 30, 2009 11:51 AM
 To: FreeBSD Questions
 Subject: Re: SMTP Authentication
 
 
 The mail client is Windows Live Mail and it work well with the functional
 server. Its SMTP authenication should be ok.
 
 Reed
 
 
 From: Ihor Prystay
 Sent: Thursday, July 30, 2009 10:49 AM
 To: freebsd-questions@freebsd.org
 Subject: Re: SMTP Authentication
 
 
 your working server does support LOGIN mech while other one dosn't.
 I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
 auth, usually it's PLAIN or/and LOGIN.
 
 Ihor
 
 
 
 Reed Lai wrote:
 Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the Sendmail

 banyan# sendmail -d0.1 -bv root
 Version 8.14.2
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
 SASLv2
SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

  SYSTEM IDENTITY (after readcf) 
  (short domain name) $w = banyan
  (canonical domain name) $j = banyan...com
 (subdomain name) $m = ..com
  (node name) $k = banyan...com
 

 root... deliverable: mailer local, user root

 banyan# telnet localhost 25
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40
 +0800 (CST)
 ehlo localhost
 250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
 250-DELIVERBY
 250 HELP

 The Sendmail test seems OK
 But the SMTP authentication does not work from my mail client.

 Reed


 From: Reed Lai
 Sent: Wednesday, July 29, 2009 5:37 PM
 To: freebsd-questions@freebsd.org
 Subject: SMTP Authentication


 Hi,

 I have two freebsd mail servers both configured SMTP authentication:

FreeBSD Handbook 28.10 SMTP Authenticatin
http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

SMTP AUTO in sendmail 8.10-8.13
http://www.sendmail.org/~ca/email/auth.html

 One is functional, and the other one doesn't seem to work. Compare the
 maillogs of the two servers, there is an AUTH=server message appear in
 the
 functional server, but the other one has not.

 The maillog of functional server
 ==
 Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net
 [59...147], authid=a660407, mech=LOGIN, bits=0
 Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@...,
 size=1430, class=0, nrcpts=1,
 msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP,
 daemon=IPv4,
 relay=59-...net [59...147]

 The other one
 =
 Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt,
 arg1=reed...@..., relay=59-...-147.HINET-IP.hinet.net [59...147],
 reject=550 5.7.1 reed...@.. Relaying denied
 Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=reed...@...,
 size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4,
 relay=59-...-147.HINET-IP.hinet.net [59...147]

 It seems the other one's smtp authentication is not trigged.

 Please help or tip me for something I forget.

 Thank you!

 Reed

 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 freebsd-questions-unsubscr...@freebsd.org
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 freebsd-questions-unsubscr...@freebsd.org


 
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 freebsd-questions-unsubscr...@freebsd.org
 
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 freebsd-questions-unsubscr...@freebsd.org
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 freebsd-questions-unsubscr...@freebsd.org
 

___
freebsd-questions@freebsd.org mailing list
http

Re: SMTP Authentication

[Reed Lai]

Yes, the new server leaks LOGIN in the 250-AUTH list!

New server
=
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5

Functional server
==
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

I have checked the generated .cf file in the new server and there are class 
and option listed


C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

The new server has same configuration to old server, but has not LOGIN in 
the 250-AUTH list.
BTW, the new server has hostname changed once... I don't know if it does 
matter or not..


Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 2:35 PM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


Tray telnet to port 25 of your working SMTP server and compare the output.
Check
250-AUTH list of supported auth mech
According to the provided log from the working server it should be LOGIN
mech available in the list, which is not present on the new server.

Ihor


Reed Lai wrote:

The maillog does not log the sm-mta: AUTH=server action. The functional
server has the AUTH=server action logged. How do I debug from this
different?

Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication


The mail client is Windows Live Mail and it work well with the functional
server. Its SMTP authenication should be ok.

Reed


From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


your working server does support LOGIN mech while other one dosn't.
I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
auth, usually it's PLAIN or/and LOGIN.

Ihor



Reed Lai wrote:

Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the Sendmail

banyan# sendmail -d0.1 -bv root
Version 8.14.2
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
   NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
SASLv2
   SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

 SYSTEM IDENTITY (after readcf) 
 (short domain name) $w = banyan
 (canonical domain name) $j = banyan...com
(subdomain name) $m = ..com
 (node name) $k = banyan...com


root... deliverable: mailer local, user root

banyan# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40
+0800 (CST)
ehlo localhost
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

The Sendmail test seems OK
But the SMTP authentication does not work from my mail client.

Reed


From: Reed Lai
Sent: Wednesday, July 29, 2009 5:37 PM
To: freebsd-questions@freebsd.org
Subject: SMTP Authentication


Hi,

I have two freebsd mail servers both configured SMTP authentication:

   FreeBSD Handbook 28.10 SMTP Authenticatin
   http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

   SMTP AUTO in sendmail 8.10-8.13
   http://www.sendmail.org/~ca/email/auth.html

One is functional, and the other one doesn't seem to work. Compare the
maillogs of the two servers, there is an AUTH=server message appear in
the
functional server, but the other one has not.

The maillog of functional server
==
Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net
[59...147], authid=a660407, mech=LOGIN, bits=0
Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@...,
size=1430, class=0, nrcpts=1,
msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP,
daemon=IPv4,
relay=59-...net [59...147]

The other one
=
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt,
arg1=reed...@..., relay=59-...-147.HINET-IP.hinet.net [59...147],
reject=550 5.7.1 reed...@.. Relaying denied
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=reed...@...,
size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4,
relay=59-...-147.HINET-IP.hinet.net [59...147]

It seems the other one's smtp authentication is not trigged.

Please help or tip me for something I forget.

Thank you!

Reed

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
freebsd-questions-unsubscr...@freebsd.org
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
freebsd-questions-unsubscr...@freebsd.org




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
freebsd-questions-unsubscr

Re: SMTP Authentication

[Ihor Prystay]

Check if /usr/local/lib/sasl2/liblogin.so exists - if not you have to
recompile sasl with LOGIN mech support.
Check in your .mc file if you define confAUTH_OPTIONS macro. If you do
make sure 'p' parameter is not on the list or LOGIN would be available
only after TLS encryption which is not a case for you as your working
configuration offers LOGIN during telnet session (it's actually a bad
idea to do authentication clear text).

Ihor


Reed Lai wrote:
 Yes, the new server leaks LOGIN in the 250-AUTH list!
 
 New server
 =
 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
 
 Functional server
 ==
 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
 
 I have checked the generated .cf file in the new server and there are
 class and option listed
 
 C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
 O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
 
 The new server has same configuration to old server, but has not LOGIN
 in the 250-AUTH list.
 BTW, the new server has hostname changed once... I don't know if it does
 matter or not..
 
 Reed
 
 From: Ihor Prystay
 Sent: Thursday, July 30, 2009 2:35 PM
 To: freebsd-questions@freebsd.org
 Subject: Re: SMTP Authentication
 
 
 Tray telnet to port 25 of your working SMTP server and compare the output.
 Check
 250-AUTH list of supported auth mech
 According to the provided log from the working server it should be LOGIN
 mech available in the list, which is not present on the new server.
 
 Ihor
 
 
 Reed Lai wrote:
 The maillog does not log the sm-mta: AUTH=server action. The functional
 server has the AUTH=server action logged. How do I debug from this
 different?

 Reed

 From: Reed Lai
 Sent: Thursday, July 30, 2009 11:51 AM
 To: FreeBSD Questions
 Subject: Re: SMTP Authentication


 The mail client is Windows Live Mail and it work well with the functional
 server. Its SMTP authenication should be ok.

 Reed


 From: Ihor Prystay
 Sent: Thursday, July 30, 2009 10:49 AM
 To: freebsd-questions@freebsd.org
 Subject: Re: SMTP Authentication


 your working server does support LOGIN mech while other one dosn't.
 I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
 auth, usually it's PLAIN or/and LOGIN.

 Ihor



 Reed Lai wrote:
 Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the
 Sendmail

 banyan# sendmail -d0.1 -bv root
 Version 8.14.2
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
 SASLv2
SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

  SYSTEM IDENTITY (after readcf) 
  (short domain name) $w = banyan
  (canonical domain name) $j = banyan...com
 (subdomain name) $m = ..com
  (node name) $k = banyan...com
 

 root... deliverable: mailer local, user root

 banyan# telnet localhost 25
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40
 +0800 (CST)
 ehlo localhost
 250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
 250-DELIVERBY
 250 HELP

 The Sendmail test seems OK
 But the SMTP authentication does not work from my mail client.

 Reed


 From: Reed Lai
 Sent: Wednesday, July 29, 2009 5:37 PM
 To: freebsd-questions@freebsd.org
 Subject: SMTP Authentication


 Hi,

 I have two freebsd mail servers both configured SMTP authentication:

FreeBSD Handbook 28.10 SMTP Authenticatin
http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

SMTP AUTO in sendmail 8.10-8.13
http://www.sendmail.org/~ca/email/auth.html

 One is functional, and the other one doesn't seem to work. Compare the
 maillogs of the two servers, there is an AUTH=server message appear in
 the
 functional server, but the other one has not.

 The maillog of functional server
 ==
 Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net
 [59...147], authid=a660407, mech=LOGIN, bits=0
 Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@...,
 size=1430, class=0, nrcpts=1,
 msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP,
 daemon=IPv4,
 relay=59-...net [59...147]

 The other one
 =
 Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt,
 arg1=reed...@..., relay=59-...-147.HINET-IP.hinet.net [59...147],
 reject=550 5.7.1 reed...@.. Relaying denied
 Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=reed...@...,
 size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4,
 relay=59-...-147.HINET-IP.hinet.net [59...147]

 It seems the other one's smtp authentication is not trigged.

 Please help or tip me for something I forget.

 Thank you!

 Reed

 ___
 freebsd-questions@freebsd.org mailing list

Re: SMTP Authentication

[Reed Lai]

The liblogin.so is in directory

banyan# ll /usr/local/lib/sasl2/liblogin.so
lrwxr-xr-x  1 root  wheel  13  7 29 14:54 
/usr/local/lib/sasl2/liblogin.so - liblogin.so.2

banyan# ll /usr/local/lib/sasl2/liblogin.so.2
-rwxr-xr-x  1 root  wheel  17172  7 29 14:54 
/usr/local/lib/sasl2/liblogin.so.2


There is only confAUTH_MECHANISMS in .mc file, not confAUTH_OPTIONS

dnl set SASL options
dnl 
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 4:58 PM
To: FreeBSD Question
Subject: Re: SMTP Authentication


Check if /usr/local/lib/sasl2/liblogin.so exists - if not you have to
recompile sasl with LOGIN mech support.
Check in your .mc file if you define confAUTH_OPTIONS macro. If you do
make sure 'p' parameter is not on the list or LOGIN would be available
only after TLS encryption which is not a case for you as your working
configuration offers LOGIN during telnet session (it's actually a bad
idea to do authentication clear text).

Ihor


Reed Lai wrote:

Yes, the new server leaks LOGIN in the 250-AUTH list!

New server
=
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5

Functional server
==
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

I have checked the generated .cf file in the new server and there are
class and option listed

C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

The new server has same configuration to old server, but has not LOGIN
in the 250-AUTH list.
BTW, the new server has hostname changed once... I don't know if it does
matter or not..

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 2:35 PM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


Tray telnet to port 25 of your working SMTP server and compare the output.
Check
250-AUTH list of supported auth mech
According to the provided log from the working server it should be LOGIN
mech available in the list, which is not present on the new server.

Ihor


Reed Lai wrote:

The maillog does not log the sm-mta: AUTH=server action. The functional
server has the AUTH=server action logged. How do I debug from this
different?

Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication


The mail client is Windows Live Mail and it work well with the functional
server. Its SMTP authenication should be ok.

Reed


From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


your working server does support LOGIN mech while other one dosn't.
I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
auth, usually it's PLAIN or/and LOGIN.

Ihor



Reed Lai wrote:

Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the
Sendmail

banyan# sendmail -d0.1 -bv root
Version 8.14.2
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
   NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
SASLv2
   SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

 SYSTEM IDENTITY (after readcf) 
 (short domain name) $w = banyan
 (canonical domain name) $j = banyan...com
(subdomain name) $m = ..com
 (node name) $k = banyan...com


root... deliverable: mailer local, user root

banyan# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40
+0800 (CST)
ehlo localhost
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

The Sendmail test seems OK
But the SMTP authentication does not work from my mail client.

Reed


From: Reed Lai
Sent: Wednesday, July 29, 2009 5:37 PM
To: freebsd-questions@freebsd.org
Subject: SMTP Authentication


Hi,

I have two freebsd mail servers both configured SMTP authentication:

   FreeBSD Handbook 28.10 SMTP Authenticatin
   http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

   SMTP AUTO in sendmail 8.10-8.13
   http://www.sendmail.org/~ca/email/auth.html

One is functional, and the other one doesn't seem to work. Compare the
maillogs of the two servers, there is an AUTH=server message appear in
the
functional server, but the other one has not.

The maillog of functional server
==
Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net
[59...147], authid=a660407, mech=LOGIN, bits=0
Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@...,
size=1430, class=0, nrcpts=1,
msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP,
daemon=IPv4,
relay=59-...net [59...147]

The other one
=
Jul 29 17:12:41 banyan sm-mta[2539

Re: SMTP Authentication

[Ihor Prystay]

You may check the location of sasl2 lib which sendmail is compiled with
- do ldd on sendmail executable. And verify if Sendmail.conf in the
sasl2 lib folder doesn't have any restrictions on available mechs.

Ihor



Reed Lai wrote:
 The liblogin.so is in directory
 
 banyan# ll /usr/local/lib/sasl2/liblogin.so
 lrwxr-xr-x  1 root  wheel  13  7 29 14:54
 /usr/local/lib/sasl2/liblogin.so - liblogin.so.2
 banyan# ll /usr/local/lib/sasl2/liblogin.so.2
 -rwxr-xr-x  1 root  wheel  17172  7 29 14:54
 /usr/local/lib/sasl2/liblogin.so.2
 
 There is only confAUTH_MECHANISMS in .mc file, not confAUTH_OPTIONS
 
 dnl set SASL options
 dnl 
 TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 
 Reed
 
 From: Ihor Prystay
 Sent: Thursday, July 30, 2009 4:58 PM
 To: FreeBSD Question
 Subject: Re: SMTP Authentication
 
 
 Check if /usr/local/lib/sasl2/liblogin.so exists - if not you have to
 recompile sasl with LOGIN mech support.
 Check in your .mc file if you define confAUTH_OPTIONS macro. If you do
 make sure 'p' parameter is not on the list or LOGIN would be available
 only after TLS encryption which is not a case for you as your working
 configuration offers LOGIN during telnet session (it's actually a bad
 idea to do authentication clear text).
 
 Ihor
 
 
 Reed Lai wrote:
 Yes, the new server leaks LOGIN in the 250-AUTH list!

 New server
 =
 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5

 Functional server
 ==
 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

 I have checked the generated .cf file in the new server and there are
 class and option listed

 C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
 O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

 The new server has same configuration to old server, but has not LOGIN
 in the 250-AUTH list.
 BTW, the new server has hostname changed once... I don't know if it does
 matter or not..

 Reed

 From: Ihor Prystay
 Sent: Thursday, July 30, 2009 2:35 PM
 To: freebsd-questions@freebsd.org
 Subject: Re: SMTP Authentication


 Tray telnet to port 25 of your working SMTP server and compare the
 output.
 Check
 250-AUTH list of supported auth mech
 According to the provided log from the working server it should be LOGIN
 mech available in the list, which is not present on the new server.

 Ihor


 Reed Lai wrote:
 The maillog does not log the sm-mta: AUTH=server action. The functional
 server has the AUTH=server action logged. How do I debug from this
 different?

 Reed

 From: Reed Lai
 Sent: Thursday, July 30, 2009 11:51 AM
 To: FreeBSD Questions
 Subject: Re: SMTP Authentication


 The mail client is Windows Live Mail and it work well with the
 functional
 server. Its SMTP authenication should be ok.

 Reed


 From: Ihor Prystay
 Sent: Thursday, July 30, 2009 10:49 AM
 To: freebsd-questions@freebsd.org
 Subject: Re: SMTP Authentication


 your working server does support LOGIN mech while other one dosn't.
 I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
 auth, usually it's PLAIN or/and LOGIN.

 Ihor



 Reed Lai wrote:
 Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the
 Sendmail

 banyan# sendmail -d0.1 -bv root
 Version 8.14.2
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
 SASLv2
SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

  SYSTEM IDENTITY (after readcf) 
  (short domain name) $w = banyan
  (canonical domain name) $j = banyan...com
 (subdomain name) $m = ..com
  (node name) $k = banyan...com
 

 root... deliverable: mailer local, user root

 banyan# telnet localhost 25
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009
 21:19:40
 +0800 (CST)
 ehlo localhost
 250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
 250-DELIVERBY
 250 HELP

 The Sendmail test seems OK
 But the SMTP authentication does not work from my mail client.

 Reed


 From: Reed Lai
 Sent: Wednesday, July 29, 2009 5:37 PM
 To: freebsd-questions@freebsd.org
 Subject: SMTP Authentication


 Hi,

 I have two freebsd mail servers both configured SMTP authentication:

FreeBSD Handbook 28.10 SMTP Authenticatin
http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

SMTP AUTO in sendmail 8.10-8.13
http://www.sendmail.org/~ca/email/auth.html

 One is functional, and the other one doesn't seem to work. Compare the
 maillogs of the two servers, there is an AUTH=server message appear in
 the
 functional server, but the other one has not.

 The maillog of functional server
 ==
 Jul 29 16:15:10

Re: SMTP Authentication

[Reed Lai]

Both servers have same ldd outputs and Sendmail.conf contains only 
pwcheck_method: saslauthd



banyan# ldd -a /usr/sbin/sendmail
/usr/sbin/sendmail:
   libutil.so.7 = /lib/libutil.so.7 (0x2807d000)
   libc.so.7 = /lib/libc.so.7 (0x2808a000)
/lib/libutil.so.7:
   libc.so.7 = /lib/libc.so.7 (0x2808a000)
banyan#
banyan# ll /usr/local/lib/sasl2/Sendmail.conf
-rw-r--r--  1 root  wheel  26  7 29 14:56 /usr/local/lib/sasl2/Sendmail.conf
banyan# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd


Reed

From: Ihor Prystay
Sent: Friday, July 31, 2009 2:55 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


You may check the location of sasl2 lib which sendmail is compiled with
- do ldd on sendmail executable. And verify if Sendmail.conf in the
sasl2 lib folder doesn't have any restrictions on available mechs.

Ihor



Reed Lai wrote:

The liblogin.so is in directory

banyan# ll /usr/local/lib/sasl2/liblogin.so
lrwxr-xr-x  1 root  wheel  13  7 29 14:54
/usr/local/lib/sasl2/liblogin.so - liblogin.so.2
banyan# ll /usr/local/lib/sasl2/liblogin.so.2
-rwxr-xr-x  1 root  wheel  17172  7 29 14:54
/usr/local/lib/sasl2/liblogin.so.2

There is only confAUTH_MECHANISMS in .mc file, not confAUTH_OPTIONS

dnl set SASL options
dnl 
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 4:58 PM
To: FreeBSD Question
Subject: Re: SMTP Authentication


Check if /usr/local/lib/sasl2/liblogin.so exists - if not you have to
recompile sasl with LOGIN mech support.
Check in your .mc file if you define confAUTH_OPTIONS macro. If you do
make sure 'p' parameter is not on the list or LOGIN would be available
only after TLS encryption which is not a case for you as your working
configuration offers LOGIN during telnet session (it's actually a bad
idea to do authentication clear text).

Ihor


Reed Lai wrote:

Yes, the new server leaks LOGIN in the 250-AUTH list!

New server
=
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5

Functional server
==
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

I have checked the generated .cf file in the new server and there are
class and option listed

C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

The new server has same configuration to old server, but has not LOGIN
in the 250-AUTH list.
BTW, the new server has hostname changed once... I don't know if it does
matter or not..

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 2:35 PM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


Tray telnet to port 25 of your working SMTP server and compare the
output.
Check
250-AUTH list of supported auth mech
According to the provided log from the working server it should be LOGIN
mech available in the list, which is not present on the new server.

Ihor


Reed Lai wrote:

The maillog does not log the sm-mta: AUTH=server action. The functional
server has the AUTH=server action logged. How do I debug from this
different?

Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication


The mail client is Windows Live Mail and it work well with the
functional
server. Its SMTP authenication should be ok.

Reed


From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


your working server does support LOGIN mech while other one dosn't.
I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
auth, usually it's PLAIN or/and LOGIN.

Ihor



Reed Lai wrote:

Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the
Sendmail

banyan# sendmail -d0.1 -bv root
Version 8.14.2
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
   NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
SASLv2
   SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

 SYSTEM IDENTITY (after readcf) 
 (short domain name) $w = banyan
 (canonical domain name) $j = banyan...com
(subdomain name) $m = ..com
 (node name) $k = banyan...com


root... deliverable: mailer local, user root

banyan# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009
21:19:40
+0800 (CST)
ehlo localhost
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

The Sendmail test seems OK
But the SMTP authentication does not work from my mail client.

Reed


From: Reed Lai
Sent: Wednesday, July 29, 2009 5:37 PM
To: freebsd-questions@freebsd.org
Subject: SMTP Authentication


Hi,

I

Re: SMTP Authentication

[Reed Lai]

And there is LOGIN option selected (as ports default options) when 
installing the cyrus-sasl2.


Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:14 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


Both servers have same ldd outputs and Sendmail.conf contains only
pwcheck_method: saslauthd


banyan# ldd -a /usr/sbin/sendmail
/usr/sbin/sendmail:
   libutil.so.7 = /lib/libutil.so.7 (0x2807d000)
   libc.so.7 = /lib/libc.so.7 (0x2808a000)
/lib/libutil.so.7:
   libc.so.7 = /lib/libc.so.7 (0x2808a000)
banyan#
banyan# ll /usr/local/lib/sasl2/Sendmail.conf
-rw-r--r--  1 root  wheel  26  7 29 14:56 /usr/local/lib/sasl2/Sendmail.conf
banyan# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd


Reed

From: Ihor Prystay
Sent: Friday, July 31, 2009 2:55 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


You may check the location of sasl2 lib which sendmail is compiled with
- do ldd on sendmail executable. And verify if Sendmail.conf in the
sasl2 lib folder doesn't have any restrictions on available mechs.

Ihor



Reed Lai wrote:

The liblogin.so is in directory

banyan# ll /usr/local/lib/sasl2/liblogin.so
lrwxr-xr-x  1 root  wheel  13  7 29 14:54
/usr/local/lib/sasl2/liblogin.so - liblogin.so.2
banyan# ll /usr/local/lib/sasl2/liblogin.so.2
-rwxr-xr-x  1 root  wheel  17172  7 29 14:54
/usr/local/lib/sasl2/liblogin.so.2

There is only confAUTH_MECHANISMS in .mc file, not confAUTH_OPTIONS

dnl set SASL options
dnl 
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 4:58 PM
To: FreeBSD Question
Subject: Re: SMTP Authentication


Check if /usr/local/lib/sasl2/liblogin.so exists - if not you have to
recompile sasl with LOGIN mech support.
Check in your .mc file if you define confAUTH_OPTIONS macro. If you do
make sure 'p' parameter is not on the list or LOGIN would be available
only after TLS encryption which is not a case for you as your working
configuration offers LOGIN during telnet session (it's actually a bad
idea to do authentication clear text).

Ihor


Reed Lai wrote:

Yes, the new server leaks LOGIN in the 250-AUTH list!

New server
=
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5

Functional server
==
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

I have checked the generated .cf file in the new server and there are
class and option listed

C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

The new server has same configuration to old server, but has not LOGIN
in the 250-AUTH list.
BTW, the new server has hostname changed once... I don't know if it does
matter or not..

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 2:35 PM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


Tray telnet to port 25 of your working SMTP server and compare the
output.
Check
250-AUTH list of supported auth mech
According to the provided log from the working server it should be LOGIN
mech available in the list, which is not present on the new server.

Ihor


Reed Lai wrote:

The maillog does not log the sm-mta: AUTH=server action. The functional
server has the AUTH=server action logged. How do I debug from this
different?

Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication


The mail client is Windows Live Mail and it work well with the
functional
server. Its SMTP authenication should be ok.

Reed


From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


your working server does support LOGIN mech while other one dosn't.
I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
auth, usually it's PLAIN or/and LOGIN.

Ihor



Reed Lai wrote:

Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the
Sendmail

banyan# sendmail -d0.1 -bv root
Version 8.14.2
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
   NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
SASLv2
   SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

 SYSTEM IDENTITY (after readcf) 
 (short domain name) $w = banyan
 (canonical domain name) $j = banyan...com
(subdomain name) $m = ..com
 (node name) $k = banyan...com


root... deliverable: mailer local, user root

banyan# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009
21:19:40
+0800 (CST)
ehlo localhost
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

The Sendmail

Re: SMTP Authentication

[Reed Lai]

The test of saslauthd seems OK too:


banyan# testsaslauthd -s smtp -u aNN -p 
0: OK Success.


The auth login in smtp connection is still not available:


ehlo local
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
...
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
auth login
504 5.3.3 AUTH mechanism login not available


Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:26 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


And there is LOGIN option selected (as ports default options) when
installing the cyrus-sasl2.

Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:14 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


Both servers have same ldd outputs and Sendmail.conf contains only
pwcheck_method: saslauthd


banyan# ldd -a /usr/sbin/sendmail
/usr/sbin/sendmail:
   libutil.so.7 = /lib/libutil.so.7 (0x2807d000)
   libc.so.7 = /lib/libc.so.7 (0x2808a000)
/lib/libutil.so.7:
   libc.so.7 = /lib/libc.so.7 (0x2808a000)
banyan#
banyan# ll /usr/local/lib/sasl2/Sendmail.conf
-rw-r--r--  1 root  wheel  26  7 29 14:56 /usr/local/lib/sasl2/Sendmail.conf
banyan# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd


Reed

From: Ihor Prystay
Sent: Friday, July 31, 2009 2:55 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


You may check the location of sasl2 lib which sendmail is compiled with
- do ldd on sendmail executable. And verify if Sendmail.conf in the
sasl2 lib folder doesn't have any restrictions on available mechs.

Ihor



Reed Lai wrote:

The liblogin.so is in directory

banyan# ll /usr/local/lib/sasl2/liblogin.so
lrwxr-xr-x  1 root  wheel  13  7 29 14:54
/usr/local/lib/sasl2/liblogin.so - liblogin.so.2
banyan# ll /usr/local/lib/sasl2/liblogin.so.2
-rwxr-xr-x  1 root  wheel  17172  7 29 14:54
/usr/local/lib/sasl2/liblogin.so.2

There is only confAUTH_MECHANISMS in .mc file, not confAUTH_OPTIONS

dnl set SASL options
dnl 
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 4:58 PM
To: FreeBSD Question
Subject: Re: SMTP Authentication


Check if /usr/local/lib/sasl2/liblogin.so exists - if not you have to
recompile sasl with LOGIN mech support.
Check in your .mc file if you define confAUTH_OPTIONS macro. If you do
make sure 'p' parameter is not on the list or LOGIN would be available
only after TLS encryption which is not a case for you as your working
configuration offers LOGIN during telnet session (it's actually a bad
idea to do authentication clear text).

Ihor


Reed Lai wrote:

Yes, the new server leaks LOGIN in the 250-AUTH list!

New server
=
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5

Functional server
==
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

I have checked the generated .cf file in the new server and there are
class and option listed

C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

The new server has same configuration to old server, but has not LOGIN
in the 250-AUTH list.
BTW, the new server has hostname changed once... I don't know if it does
matter or not..

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 2:35 PM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


Tray telnet to port 25 of your working SMTP server and compare the
output.
Check
250-AUTH list of supported auth mech
According to the provided log from the working server it should be LOGIN
mech available in the list, which is not present on the new server.

Ihor


Reed Lai wrote:

The maillog does not log the sm-mta: AUTH=server action. The functional
server has the AUTH=server action logged. How do I debug from this
different?

Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication


The mail client is Windows Live Mail and it work well with the
functional
server. Its SMTP authenication should be ok.

Reed


From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


your working server does support LOGIN mech while other one dosn't.
I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
auth, usually it's PLAIN or/and LOGIN.

Ihor



Reed Lai wrote:

Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the
Sendmail

banyan# sendmail -d0.1 -bv root
Version 8.14.2
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
   NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
SASLv2
   SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

 SYSTEM IDENTITY (after readcf) 
 (short domain name) $w = banyan
 (canonical domain name) $j = banyan...com
(subdomain name) $m = ..com
 (node name) $k = banyan...com

Re: SMTP Authentication

[Reed Lai]

I am very sorry. I forgot to make install to install the 
/etc/mail/sendmail.cf, so it has only banyan..mc/cf files updated.

I always forget the final target is sendmail.cf XD

The new server is available for AUTH LOGIN now.
The trouble is resolved.

Ihor, thank you very mcuh for all helps!

Reed Lai

From: Reed Lai
Sent: Friday, July 31, 2009 12:51 PM
To: FreeBSD Question
Subject: Re: SMTP Authentication


The test of saslauthd seems OK too:


banyan# testsaslauthd -s smtp -u aNN -p 
0: OK Success.


The auth login in smtp connection is still not available:


ehlo local
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
...
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
auth login
504 5.3.3 AUTH mechanism login not available


Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:26 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


And there is LOGIN option selected (as ports default options) when
installing the cyrus-sasl2.

Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:14 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


Both servers have same ldd outputs and Sendmail.conf contains only
pwcheck_method: saslauthd


banyan# ldd -a /usr/sbin/sendmail
/usr/sbin/sendmail:
   libutil.so.7 = /lib/libutil.so.7 (0x2807d000)
   libc.so.7 = /lib/libc.so.7 (0x2808a000)
/lib/libutil.so.7:
   libc.so.7 = /lib/libc.so.7 (0x2808a000)
banyan#
banyan# ll /usr/local/lib/sasl2/Sendmail.conf
-rw-r--r--  1 root  wheel  26  7 29 14:56 /usr/local/lib/sasl2/Sendmail.conf
banyan# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd


Reed

From: Ihor Prystay
Sent: Friday, July 31, 2009 2:55 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication


You may check the location of sasl2 lib which sendmail is compiled with
- do ldd on sendmail executable. And verify if Sendmail.conf in the
sasl2 lib folder doesn't have any restrictions on available mechs.

Ihor



Reed Lai wrote:

The liblogin.so is in directory

banyan# ll /usr/local/lib/sasl2/liblogin.so
lrwxr-xr-x  1 root  wheel  13  7 29 14:54
/usr/local/lib/sasl2/liblogin.so - liblogin.so.2
banyan# ll /usr/local/lib/sasl2/liblogin.so.2
-rwxr-xr-x  1 root  wheel  17172  7 29 14:54
/usr/local/lib/sasl2/liblogin.so.2

There is only confAUTH_MECHANISMS in .mc file, not confAUTH_OPTIONS

dnl set SASL options
dnl 
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 4:58 PM
To: FreeBSD Question
Subject: Re: SMTP Authentication


Check if /usr/local/lib/sasl2/liblogin.so exists - if not you have to
recompile sasl with LOGIN mech support.
Check in your .mc file if you define confAUTH_OPTIONS macro. If you do
make sure 'p' parameter is not on the list or LOGIN would be available
only after TLS encryption which is not a case for you as your working
configuration offers LOGIN during telnet session (it's actually a bad
idea to do authentication clear text).

Ihor


Reed Lai wrote:

Yes, the new server leaks LOGIN in the 250-AUTH list!

New server
=
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5

Functional server
==
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

I have checked the generated .cf file in the new server and there are
class and option listed

C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

The new server has same configuration to old server, but has not LOGIN
in the 250-AUTH list.
BTW, the new server has hostname changed once... I don't know if it does
matter or not..

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 2:35 PM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


Tray telnet to port 25 of your working SMTP server and compare the
output.
Check
250-AUTH list of supported auth mech
According to the provided log from the working server it should be LOGIN
mech available in the list, which is not present on the new server.

Ihor


Reed Lai wrote:

The maillog does not log the sm-mta: AUTH=server action. The functional
server has the AUTH=server action logged. How do I debug from this
different?

Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication


The mail client is Windows Live Mail and it work well with the
functional
server. Its SMTP authenication should be ok.

Reed


From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


your working server does support LOGIN mech while other one dosn't.
I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
auth, usually it's PLAIN or/and LOGIN.

Ihor



Reed Lai wrote:

Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the
Sendmail

banyan# sendmail -d0.1 -bv root
Version 8.14.2
Compiled with: DNSMAP

SMTP Authentication

[Reed Lai]

Hi,

I have two freebsd mail servers both configured SMTP authentication:

   FreeBSD Handbook 28.10 SMTP Authenticatin
   http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

   SMTP AUTO in sendmail 8.10-8.13
   http://www.sendmail.org/~ca/email/auth.html

One is functional, and the other one doesn't seem to work. Compare the 
maillogs of the two servers, there is an AUTH=server message appear in the 
functional server, but the other one has not.


The maillog of functional server
==
Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net 
[59...147], authid=a660407, mech=LOGIN, bits=0
Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@..., 
size=1430, class=0, nrcpts=1, 
msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP, daemon=IPv4, 
relay=59-...net [59...147]


The other one
=
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt, 
arg1=reed...@..., relay=59-...-147.HINET-IP.hinet.net [59...147], 
reject=550 5.7.1 reed...@.. Relaying denied
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=reed...@..., 
size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, 
relay=59-...-147.HINET-IP.hinet.net [59...147]


It seems the other one's smtp authentication is not trigged.

Please help or tip me for something I forget.

Thank you!

Reed 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: SMTP Authentication

[Reed Lai]

Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the Sendmail

banyan# sendmail -d0.1 -bv root
Version 8.14.2
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
   NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING 
SASLv2

   SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

 SYSTEM IDENTITY (after readcf) 
 (short domain name) $w = banyan
 (canonical domain name) $j = banyan...com
(subdomain name) $m = ..com
 (node name) $k = banyan...com


root... deliverable: mailer local, user root

banyan# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40 
+0800 (CST)

ehlo localhost
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

The Sendmail test seems OK
But the SMTP authentication does not work from my mail client.

Reed


From: Reed Lai
Sent: Wednesday, July 29, 2009 5:37 PM
To: freebsd-questions@freebsd.org
Subject: SMTP Authentication


Hi,

I have two freebsd mail servers both configured SMTP authentication:

   FreeBSD Handbook 28.10 SMTP Authenticatin
   http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

   SMTP AUTO in sendmail 8.10-8.13
   http://www.sendmail.org/~ca/email/auth.html

One is functional, and the other one doesn't seem to work. Compare the
maillogs of the two servers, there is an AUTH=server message appear in the
functional server, but the other one has not.

The maillog of functional server
==
Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net
[59...147], authid=a660407, mech=LOGIN, bits=0
Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@...,
size=1430, class=0, nrcpts=1,
msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP, daemon=IPv4,
relay=59-...net [59...147]

The other one
=
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt,
arg1=reed...@..., relay=59-...-147.HINET-IP.hinet.net [59...147],
reject=550 5.7.1 reed...@.. Relaying denied
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=reed...@...,
size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4,
relay=59-...-147.HINET-IP.hinet.net [59...147]

It seems the other one's smtp authentication is not trigged.

Please help or tip me for something I forget.

Thank you!

Reed

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: SMTP Authentication

[Ihor Prystay]

your working server does support LOGIN mech while other one dosn't.
I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
auth, usually it's PLAIN or/and LOGIN.

Ihor



Reed Lai wrote:
 Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the Sendmail
 
 banyan# sendmail -d0.1 -bv root
 Version 8.14.2
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
 SASLv2
SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
 
  SYSTEM IDENTITY (after readcf) 
  (short domain name) $w = banyan
  (canonical domain name) $j = banyan...com
 (subdomain name) $m = ..com
  (node name) $k = banyan...com
 
 
 root... deliverable: mailer local, user root
 
 banyan# telnet localhost 25
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40
 +0800 (CST)
 ehlo localhost
 250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
 250-DELIVERBY
 250 HELP
 
 The Sendmail test seems OK
 But the SMTP authentication does not work from my mail client.
 
 Reed
 
 
 From: Reed Lai
 Sent: Wednesday, July 29, 2009 5:37 PM
 To: freebsd-questions@freebsd.org
 Subject: SMTP Authentication
 
 
 Hi,
 
 I have two freebsd mail servers both configured SMTP authentication:
 
FreeBSD Handbook 28.10 SMTP Authenticatin
http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html
 
SMTP AUTO in sendmail 8.10-8.13
http://www.sendmail.org/~ca/email/auth.html
 
 One is functional, and the other one doesn't seem to work. Compare the
 maillogs of the two servers, there is an AUTH=server message appear in the
 functional server, but the other one has not.
 
 The maillog of functional server
 ==
 Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net
 [59...147], authid=a660407, mech=LOGIN, bits=0
 Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@...,
 size=1430, class=0, nrcpts=1,
 msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP, daemon=IPv4,
 relay=59-...net [59...147]
 
 The other one
 =
 Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt,
 arg1=reed...@..., relay=59-...-147.HINET-IP.hinet.net [59...147],
 reject=550 5.7.1 reed...@.. Relaying denied
 Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=reed...@...,
 size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4,
 relay=59-...-147.HINET-IP.hinet.net [59...147]
 
 It seems the other one's smtp authentication is not trigged.
 
 Please help or tip me for something I forget.
 
 Thank you!
 
 Reed
 
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 freebsd-questions-unsubscr...@freebsd.org
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 freebsd-questions-unsubscr...@freebsd.org
 
 

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: SMTP Authentication

[Reed Lai]

The mail client is Windows Live Mail and it work well with the functional 
server. Its SMTP authenication should be ok.


Reed


From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


your working server does support LOGIN mech while other one dosn't.
I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
auth, usually it's PLAIN or/and LOGIN.

Ihor



Reed Lai wrote:

Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the Sendmail

banyan# sendmail -d0.1 -bv root
Version 8.14.2
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
   NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
SASLv2
   SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

 SYSTEM IDENTITY (after readcf) 
 (short domain name) $w = banyan
 (canonical domain name) $j = banyan...com
(subdomain name) $m = ..com
 (node name) $k = banyan...com


root... deliverable: mailer local, user root

banyan# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40
+0800 (CST)
ehlo localhost
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

The Sendmail test seems OK
But the SMTP authentication does not work from my mail client.

Reed


From: Reed Lai
Sent: Wednesday, July 29, 2009 5:37 PM
To: freebsd-questions@freebsd.org
Subject: SMTP Authentication


Hi,

I have two freebsd mail servers both configured SMTP authentication:

   FreeBSD Handbook 28.10 SMTP Authenticatin
   http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

   SMTP AUTO in sendmail 8.10-8.13
   http://www.sendmail.org/~ca/email/auth.html

One is functional, and the other one doesn't seem to work. Compare the
maillogs of the two servers, there is an AUTH=server message appear in the
functional server, but the other one has not.

The maillog of functional server
==
Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net
[59...147], authid=a660407, mech=LOGIN, bits=0
Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@...,
size=1430, class=0, nrcpts=1,
msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP, daemon=IPv4,
relay=59-...net [59...147]

The other one
=
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt,
arg1=reed...@..., relay=59-...-147.HINET-IP.hinet.net [59...147],
reject=550 5.7.1 reed...@.. Relaying denied
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=reed...@...,
size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4,
relay=59-...-147.HINET-IP.hinet.net [59...147]

It seems the other one's smtp authentication is not trigged.

Please help or tip me for something I forget.

Thank you!

Reed

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
freebsd-questions-unsubscr...@freebsd.org
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
freebsd-questions-unsubscr...@freebsd.org




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: SMTP Authentication

[Reed Lai]

The maillog does not log the sm-mta: AUTH=server action. The functional 
server has the AUTH=server action logged. How do I debug from this 
different?


Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication


The mail client is Windows Live Mail and it work well with the functional
server. Its SMTP authenication should be ok.

Reed


From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication


your working server does support LOGIN mech while other one dosn't.
I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
auth, usually it's PLAIN or/and LOGIN.

Ihor



Reed Lai wrote:

Instruction of the SMTP AUTO in sendmail 8.10-8.13 to test the Sendmail

banyan# sendmail -d0.1 -bv root
Version 8.14.2
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
   NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
SASLv2
   SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

 SYSTEM IDENTITY (after readcf) 
 (short domain name) $w = banyan
 (canonical domain name) $j = banyan...com
(subdomain name) $m = ..com
 (node name) $k = banyan...com


root... deliverable: mailer local, user root

banyan# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40
+0800 (CST)
ehlo localhost
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

The Sendmail test seems OK
But the SMTP authentication does not work from my mail client.

Reed


From: Reed Lai
Sent: Wednesday, July 29, 2009 5:37 PM
To: freebsd-questions@freebsd.org
Subject: SMTP Authentication


Hi,

I have two freebsd mail servers both configured SMTP authentication:

   FreeBSD Handbook 28.10 SMTP Authenticatin
   http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

   SMTP AUTO in sendmail 8.10-8.13
   http://www.sendmail.org/~ca/email/auth.html

One is functional, and the other one doesn't seem to work. Compare the
maillogs of the two servers, there is an AUTH=server message appear in the
functional server, but the other one has not.

The maillog of functional server
==
Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net
[59...147], authid=a660407, mech=LOGIN, bits=0
Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@...,
size=1430, class=0, nrcpts=1,
msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP, daemon=IPv4,
relay=59-...net [59...147]

The other one
=
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt,
arg1=reed...@..., relay=59-...-147.HINET-IP.hinet.net [59...147],
reject=550 5.7.1 reed...@.. Relaying denied
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=reed...@...,
size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4,
relay=59-...-147.HINET-IP.hinet.net [59...147]

It seems the other one's smtp authentication is not trigged.

Please help or tip me for something I forget.

Thank you!

Reed

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
freebsd-questions-unsubscr...@freebsd.org
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
freebsd-questions-unsubscr...@freebsd.org




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: smtp authentication

[Lokadamus]

David Southwell wrote:

Hi

 I am really ignorant about this issue.

I am running postfix on freebsd 7.0 using a dynamic IP address and am getting 
requests to turn on smtp authentication for outgoing mails to reach servers 
such as yahoo.com but do not know how to do it.


I am using kmail as a client.

If anyone could point me in the right direction I would be most grateful.

Thank you

David
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

  

Google can help
http://www.google.de/search?q=postfix+smtp+authenticationie=utf-8oe=utf-8aq=trls=org.mozilla:de:officialclient=firefox-a

http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
Sektion 16 
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html 
looks interesting.



Hope, it work.



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: smtp authentication

[आशीष शुक्ल Ashish Shukla]

In [EMAIL PROTECTED], David Southwell wrote:

Hi

I am really ignorant about this issue.

I am running postfix on freebsd 7.0 using a dynamic IP address and am getting 
requests to turn on smtp authentication for outgoing mails to reach servers 
such as yahoo.com but do not know how to do it.


I think that is probably due to your MTA running on a dynamic IP connection, 
which are blacklisted for abuse by spammers most of the times. How about you 
using a smarthost (probably your ISP's mail-server) to deliver your mails from

your postfix. I'm using the similar way with Postfix running on my local mail
server, relaying all outgoing mails via Google's SMTP servers.

HTH
Ashish
--
·-- ·-  ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --


pgpyqGOdNEHs3.pgp
Description: PGP signature

smtp authentication

[David Southwell]

Hi

 I am really ignorant about this issue.

I am running postfix on freebsd 7.0 using a dynamic IP address and am getting 
requests to turn on smtp authentication for outgoing mails to reach servers 
such as yahoo.com but do not know how to do it.

I am using kmail as a client.

If anyone could point me in the right direction I would be most grateful.

Thank you

David
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: smtp authentication

[Sahil Tandon]

David Southwell [EMAIL PROTECTED] wrote:

 I am running postfix on freebsd 7.0 using a dynamic IP address and am 
 getting requests to turn on smtp authentication for outgoing mails to 
 reach servers such as yahoo.com but do not know how to do it.

This is a little unclear.  Who is making these requests?  And what do 
your logs currently show when you try to send email destined for 
yahoo.com?  You might also want to take this discussion to the 
postfix-users mailing list.  But in general, for help with SASL in 
Postfix, see:

http://www.postfix.org/SASL_README.html

-- 
Sahil Tandon [EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Having problems with SMTP authentication

[Andrew Falanga]

HI,

I've followed the instructions @ 
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html, but 
am still having problems with the authentication process.

If I set my client to use either CRAM-MD5 or DIGEST-MD5, I get an error return 
of authentication failure, most likely the password is wrong.  Now, to make 
sure that I'm understanding this correctly, this program (saslauthd) takes 
the username and passwords given it and attempts to verify them against what 
the system knows to be it's users, correct?

Working under this assumption, it would seem that the user vmail (a user I 
created on the system) would be the user that I would want to use in the 
e-mail client.  Well, I've done this and verified that the password is, in 
fact, correct; I'm unable to authenticate to the SMTP server.

Another point of interest, I added these lines (from the handbook) to my 
freebsd.mc file (as per instructions):

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

But when I ask my e-mail client to check what the server supports, the 
returned list is only, GSSAPI, DIGEST-MD5 and CRAM-MD5.  Why is LOGIN not 
listed when it's included in this macro file?  Is there anything missing from 
this section of the handbook that I've missed?

Andy
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Having problems with SMTP authentication

[Matthew Seaman]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Andrew Falanga wrote:

 dnl set SASL options
 TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 
 But when I ask my e-mail client to check what the server supports, the 
 returned list is only, GSSAPI, DIGEST-MD5 and CRAM-MD5.  Why is LOGIN not 
 listed when it's included in this macro file?  Is there anything missing from 
 this section of the handbook that I've missed?

LOGIN will only be enabled over an encrypted connection.  All you need
to do to enable the stock sendmail to support STARTTLS is tell it to
use one or more SSL certs.  Adding something like this to
/etc/mail/`hostname`.mc is how to do that:

dnl
dnl TLS stuff
dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

Which means you'ld put the PEM encoded cacert, key and cert into
/etc/mail/cacert.pem, /etc/mail/key.pem and /etc/mail/key.cert
respectively.  To generate all of those, there are some pithy
instructions here:

http://www.sendmail.org/~ca/email/other/cagreg.html

When submitting a new message, most mail clients will automatically
do STARTTLS if it's available.

Cheers,

Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
  Kent, CT11 9PW
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.4 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHdrM68Mjk52CukIwRCHdTAJ9oUv7PNaV41xopL9/uw1UMcx1gDACghT4Z
orlyowTjs5ZXPsv+7B/nebg=
=LWRP
-END PGP SIGNATURE-
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Having problems with SMTP authentication

[Andrew Falanga]

On Saturday 29 December 2007 13:51:06 Matthew Seaman wrote:
 Andrew Falanga wrote:
  dnl set SASL options
  TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
  define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 
  But when I ask my e-mail client to check what the server supports, the
  returned list is only, GSSAPI, DIGEST-MD5 and CRAM-MD5.  Why is LOGIN not
  listed when it's included in this macro file?  Is there anything missing
  from this section of the handbook that I've missed?

 LOGIN will only be enabled over an encrypted connection.  All you need
 to do to enable the stock sendmail to support STARTTLS is tell it to
 use one or more SSL certs.  Adding something like this to
 /etc/mail/`hostname`.mc is how to do that:

this seems to imply you want me to create a file named hostname.mc.  The 
instructions I followed in the handbook also mentioned that, Many 
administrators choose to use the output from hostname(1) as the .mc file for 
uniqueness.  Do I have to make this new file, paste into it all the stuff 
in freebsd.mc and then add these lines too?


 dnl
 dnl TLS stuff
 dnl
 define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
 define(`confCACERT_PATH', `CERT_DIR')dnl
 define(`confCACERT', `CERT_DIR/cacert.pem')dnl
 define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
 define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
 define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
 define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

 Which means you'ld put the PEM encoded cacert, key and cert into
 /etc/mail/cacert.pem, /etc/mail/key.pem and /etc/mail/key.cert
 respectively.  To generate all of those, there are some pithy
 instructions here:

 http://www.sendmail.org/~ca/email/other/cagreg.html

Thanks for all this.

Andy


 When submitting a new message, most mail clients will automatically
 do STARTTLS if it's available.

   Cheers,

   Matthew


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Having problems with SMTP authentication

[Gerard]

On Sat, 29 Dec 2007 15:24:42 -0700
Andrew Falanga [EMAIL PROTECTED] wrote:

[snip]

 this seems to imply you want me to create a file named
 hostname.mc.  The instructions I followed in the handbook also
 mentioned that, Many administrators choose to use the output from
 hostname(1) as the .mc file for uniqueness.  Do I have to make this
 new file, paste into it all the stuff in freebsd.mc and then add
 these lines too?

It has been ages since I worked with Sendmail; however, I believe all
you have to do, after configuring the /etc/mail/*.mc files, is
run:

make all install restart

in the /etc/mail directory. Be sure to read the documentation in each of
the *.mc files. If you have not all ready done so, check out the
aliases file and modify as required. Be sure to run 'newaliases' when
finished. If I remember correctly, the new *.cf files will be in the
form of hostname.cf.

You could always use Postfix. It is a lot easier.

-- 

Gerard
[EMAIL PROTECTED]

O give me a home,
Where the buffalo roam,
Where the deer and the antelope play,
Where seldom is heard
A discouraging word,
'Cause what can an antelope say?



signature.asc
Description: PGP signature

Re: Having problems with SMTP authentication

[Yuri Pankov]

On Sat, Dec 29, 2007 at 03:24:42PM -0700, Andrew Falanga wrote:
 On Saturday 29 December 2007 13:51:06 Matthew Seaman wrote:
  Andrew Falanga wrote:
   dnl set SASL options
   TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
   define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
  
   But when I ask my e-mail client to check what the server supports, the
   returned list is only, GSSAPI, DIGEST-MD5 and CRAM-MD5.  Why is LOGIN not
   listed when it's included in this macro file?  Is there anything missing
   from this section of the handbook that I've missed?
 
  LOGIN will only be enabled over an encrypted connection.  All you need
  to do to enable the stock sendmail to support STARTTLS is tell it to
  use one or more SSL certs.  Adding something like this to
  /etc/mail/`hostname`.mc is how to do that:
 
 this seems to imply you want me to create a file named hostname.mc.  The 
 instructions I followed in the handbook also mentioned that, Many 
 administrators choose to use the output from hostname(1) as the .mc file for 
 uniqueness.  Do I have to make this new file, paste into it all the stuff 
 in freebsd.mc and then add these lines too?
 

Just run `make` in /etc/mail, it will create `hostname`.mc for you, edit
it, and run `make all install restart` (targets are described in
/etc/mail/Makefile).

 
  dnl
  dnl TLS stuff
  dnl
  define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
  define(`confCACERT_PATH', `CERT_DIR')dnl
  define(`confCACERT', `CERT_DIR/cacert.pem')dnl
  define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
  define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
  define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
  define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
 
  Which means you'ld put the PEM encoded cacert, key and cert into
  /etc/mail/cacert.pem, /etc/mail/key.pem and /etc/mail/key.cert
  respectively.  To generate all of those, there are some pithy
  instructions here:
 
  http://www.sendmail.org/~ca/email/other/cagreg.html
 
 Thanks for all this.
 
 Andy
 
 
  When submitting a new message, most mail clients will automatically
  do STARTTLS if it's available.
 
  Cheers,
 
  Matthew

HTH,
Yuri
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: sendmail client side smtp authentication problem

[Toni Schmidbauer]

At Mon,  5 Jun 2006 17:02:29 +0300 (EEST),
�� ��� wrote:
 sendmail client side smtp authentication problem
 
 My ISP wants my MTA authenticate itself from now on.
 So, I read cf/README, added FEATURE(authinfo) in my localhost.mc,
 created the file authinfo with one line

i added the following lines to /etc/mail/your.hostname.here.mc:

define(`SMART_HOST',`your.isp.smart.host')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

then i created the dir /etc/mail/auth with mode 700 and the
file client-info with mode 600.

client-info has the following content:

AuthInfo:your.isp.smart.host U:username I:username P:password M:PLAIN

this worked for me.

hth,
toni
-- 
If you understand what you're doing, you're | toni at stderror dot at
not learning anything.  | Toni Schmidbauer
-- Anonymous|
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

sendmail client side smtp authentication problem

[������ ������]

sendmail client side smtp authentication problem

My ISP wants my MTA authenticate itself from now on.
So, I read cf/README, added FEATURE(authinfo) in my localhost.mc,
created the file authinfo with one line

AuthInfo:mail.ukrpost.ua U:[EMAIL PROTECTED] P:password

where   mail.ukrpost.ua is my ISP smtp server,
[EMAIL PROTECTED] -- my id appoited by ISP;

made and installed cf, restarted sendmail (at 9:17),
and tried to send a mail with the command

sendmail -f [EMAIL PROTECTED] [EMAIL PROTECTED]

where [EMAIL PROTECTED] -- my mailbox on ISP directly.

The mail was rejected by server.

The next is in maillog:

Jun  5 09:18:07 localhost sendmail[1321]: k556I72R001321:
Authentication-Warning: localhost.my.domain: elisej set sender to
[EMAIL PROTECTED] using -f

Jun  5 09:18:17 localhost sendmail[1321]: k556I72R001321:
[EMAIL PROTECTED], size=5, class=0, nrcpts=1,
msgid=[EMAIL PROTECTED],
[EMAIL PROTECTED]

Jun  5 09:18:17 localhost sm-mta[1322]:
k556IHub001322: from=[EMAIL PROTECTED], size=443, class=0,
nrcpts=1,
msgid=[EMAIL PROTECTED],
proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]

Jun  5 09:18:17 localhost sendmail[1321]: k556I72R001321:
[EMAIL PROTECTED], [EMAIL PROTECTED]
(1001/1001), delay=00:00:10, xdelay=00:00:00,
mailer=relay, pri=30005, relay=[127.0.0.1] [127.0.0.1],
dsn=2.0.0, stat=Sent (k556IHub001322 Message accepted for
delivery)

Jun  5 09:18:17 localhost sm-mta[1324]: k556IHub001322:
to=[EMAIL PROTECTED], delay=00:00:00, xdelay=00:00:00,
mailer=relay, pri=30443, relay=mail.ukrpost.ua. [195.5.6.41],
dsn=5.1.1, stat=User unknown

Jun  5 09:18:17 localhost sm-mta[1324]: k556IHub001322:
k556IHub001324: DSN: User unknown

Jun  5 09:18:22 localhost sm-mta[1324]: k556IHub001324:
to=[EMAIL PROTECTED], delay=00:00:05, xdelay=00:00:05,
mailer=relay, pri=31467, relay=mail.ukrpost.ua. [195.5.6.41],
dsn=2.0.0, stat=Sent (OK id=1Fn8Q0-0006J4-G5)

Then, I looked at the file authinfo with

ls -lu

and found that sendmail does not read it at all (see access
time):

-rw---  1 root  wheel 63 Jun  5 09:14 authinfo

What is a problem?

I have sendmail 8.13.6 on FreeBSD 6.1-RELEASE.

Thank you in advance.

Elisej Babenko

--
Zeos: интернет + callback с лучшим отношением цена/качество http://zeos.net

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

SMTP Authentication

[Mike Jeays]

How do I tell sendmail to provide an authentication string when I ask it
to send messages to my ISP (a cable provider)?  They use PLAIN
authentication, and I did not have too much trouble getting the base 64
string by snooping with Ethereal when I sent mail from Evolution, and
can send out emails by hand or from an Expect script.

The relevant part of my sendmail config file is:

define(`SMART_HOST', `smtp.broadband.rogers.com')

set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

There doesn't seem any way to tell it what my userid and password for
the ISP should be.

I have tried reading various documentation, but haven't been able to
find what is required.



___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: SMTP Authentication

[Matthew Seaman]

On Sun, Oct 03, 2004 at 11:02:08AM -0400, Mike Jeays wrote:
 How do I tell sendmail to provide an authentication string when I ask it
 to send messages to my ISP (a cable provider)?  They use PLAIN
 authentication, and I did not have too much trouble getting the base 64
 string by snooping with Ethereal when I sent mail from Evolution, and
 can send out emails by hand or from an Expect script.
 
 The relevant part of my sendmail config file is:
 
 define(`SMART_HOST', `smtp.broadband.rogers.com')
 
 set SASL options
 TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

That's fine as it goes, but that's mostly to do with the server side
of SMTP AUTH.
 
 There doesn't seem any way to tell it what my userid and password for
 the ISP should be.
 
 I have tried reading various documentation, but haven't been able to
 find what is required.

This is what the /etc/mail/authinfo file is for.  This is the page
you need to read -- specifically the second half:

http://www.sendmail.org/m4/smtp_auth.html

(or see the section Providing SMTP AUTH Data when sendmail acts as
Client in /usr/share/sendmail/cf/README, which is basically the same
text.)

The define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl stuff is
actually deprecated, but it still works for the time being.  However,
to be completely up to date and for maximum future proofing, instead
of that line, you should use:

FEATURE(`authinfo', `hash -o /etc/mail/authinfo')dnl

Then edit the file /etc/mail/authinfo adding text as shown in the
documentation:

AuthInfo:other.dom U:user I:user P:secret R:other.dom M:DIGEST-MD5
AuthInfo:more.dom U:user P=c2VjcmV0

Then process that file into the db hash type read by Sendmail:

# makemap hash authinfo.db  authinfo

and make sure that the authinfo data is properly secured:

# chown root:wheel authinfo*
# chmod 600 authinfo*

Then restart sendmail and try a few tests.

Note that if you're using PLAIN authentication you should also use
privacy options 'goaway' to help prevent the password being trivially
disclosed:

define(`confPRIVACY_FLAGS', `authwarnings,goaway')dnl

You can use this method (with certain small modifications) to
authenticate your MSP sendmail instance to your MTA sendmail -- search
for 'msp-authinfo' in /usr/share/sendmail/cf/README.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK


pgprqVmzpvSc4.pgp
Description: PGP signature

qmail +smtp authentication ?

[Darryl Hoar]

Greetings,
I want to setup a personal email server for my domain
on my frebsd 4.7S box.  I've heard great things about
qmail.  This lead me to wonder about smtp authentication
with qmail as I think that would eliminate the open relay
problem.

is smtp authentication possible with qmail ?

thanks

(a link to the FM would be fine.)

-Darryl
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: qmail +smtp authentication ?

[Derrick Ryalls]

On Wed, 2003-08-06 at 10:06, Darryl Hoar wrote:
 Greetings,
 I want to setup a personal email server for my domain
 on my frebsd 4.7S box.  I've heard great things about
 qmail.  This lead me to wonder about smtp authentication
 with qmail as I think that would eliminate the open relay
 problem.
 
 is smtp authentication possible with qmail ?
 

http://www.cuni.cz/~vhor/qmail/smtpauth-en.html

This is what I used to get it working.  It works just fine for the most
part using login auth.  The only problem I have it that on each email
that is sent, qmail-smtpd exits abnormally.  Nothing is destabilized,
but if you ever figure it out, send me a line (if you use this).

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: qmail +smtp authentication ?

[Herbert Wolverson]

 I want to setup a personal email server for my domain
 on my frebsd 4.7S box.  I've heard great things about
 qmail.  This lead me to wonder about smtp authentication
 with qmail as I think that would eliminate the open relay
 problem.
 
 is smtp authentication possible with qmail ?

What I do is add in an SMTP AUTH patch to the qmail source before installing. 
(I'm not sure if there is a clean way to do this with the port; make the port,
patch in the changes, make again and then make install seems to work but is
long winded!). We use Qmail-LDAP here, so I'm not sure which patch works
best for a regular Qmail install - but there are several listed on 
http://www.qmail.org/top.html . A long time ago, I used Mrs Brisby's patch
( http://www.nimh.org/dl/qmail-smtpd.c ) and it worked okay. A friend of
mine pointed me at http://www.qmail.org/qmail-auth-20010105.tar.gz - he
said it worked for him.

Incidentally, if you haven't found it yet, Life With Qmail (available online
at http://www.lifewithqmail.com/lwq.html ) is a really excellent guide to
getting everything working, and keeping it that way.

-- Herbert.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

SMTP Authentication

[Paul Lathrop]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I recently configured the mail server I administrate to do SMTP 
Authentication using sasl. sasl is configured to use PAM for 
authentication, and the smtp PAM service calls pam_mysql. I know it's 
rather convoluted, but it's the only solution that matched my needs. 
But I digress. Shortly after configuring this system, my logs began 
reporting the following error:

Mar 20 00:31:01 rackspace postfix/smtpd[45892]: 
add_plugin(/usr/local/lib/sasl/libkerberos4.so) failed: generic failure

This error repeats upwards of 70 times per day. Unfortunately, I cannot 
track down the cause of this problem. I am not use kerberos anywhere on 
my system, and I cannot find a reference to libkerberos in any of the 
configuration files.

Any ideas what could be causing this error and how I might track it 
down?

Thank you,
Paul D. Lathrop
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (Darwin)
iD8DBQE+e0s+los2supvBQwRArpJAJ9LHT0se2NrmJdNZvRjVRo/vVgX6gCdFLsr
0dfTMrYK+mnP9W61jgNMBDE=
=FpoJ
-END PGP SIGNATURE-
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message

Re: SMTP Authentication

[Grzegorz Czaplinski]

msg.pgp
Description: PGP message

Re: SMTP Authentication

[Jim Mock]

On Friday, March 21, 2003, at 09:26  AM, Paul Lathrop wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I recently configured the mail server I administrate to do SMTP 
Authentication using sasl. sasl is configured to use PAM for 
authentication, and the smtp PAM service calls pam_mysql. I know it's 
rather convoluted, but it's the only solution that matched my needs. 
But I digress. Shortly after configuring this system, my logs began 
reporting the following error:

Mar 20 00:31:01 rackspace postfix/smtpd[45892]: 
add_plugin(/usr/local/lib/sasl/libkerberos4.so) failed: generic  failure

This error repeats upwards of 70 times per day. Unfortunately, I 
cannot track down the cause of this problem. I am not use kerberos 
anywhere on my system, and I cannot find a reference to libkerberos in 
any of the configuration files.

Any ideas what could be causing this error and how I might track it 
down?
Did you install SASL from the package or from the port?  IIRC, the 
package is compiled with Kerberos support.

- jim

--
- jim mock. email: [EMAIL PROTECTED] web: http://soupnazi.org -
- freebsd project: [EMAIL PROTECTED]opendarwin: [EMAIL PROTECTED] -
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message

Re: SMTP Authentication

[Paul Lathrop]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Did you install SASL from the package or from the port?  IIRC, the 
package is compiled with Kerberos support.

- jim

I installed from the ports collection, but used just the default 
configuration.
I have looked all through my Postfix config files and can't find a 
setting that says it accepts kerberos authentication, but that could be 
because it is a default I was unaware of. I am rooting through postfix 
docs now.

- -Paul
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (Darwin)
iD8DBQE+e358los2supvBQwRAsmRAJ90W6yXYslwVvv0/3/1tjqYFAOuFgCfYQYE
FtRhEZick63pHRujkJMZkWY=
=T/Qt
-END PGP SIGNATURE-
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message

Re: SMTP Authentication

[Jim Mock]

On Friday, March 21, 2003, at 01:04  PM, Paul Lathrop wrote:
Did you install SASL from the package or from the port?  IIRC, the 
package is compiled with Kerberos support.
I installed from the ports collection, but used just the default 
configuration.  I have looked all through my Postfix config files and 
can't find a setting that says it accepts kerberos authentication, but 
that could be because it is a default I was unaware of. I am rooting 
through postfix docs now.
Both ports (cyrus-sasl and cyrus-sasl2) have the following:

.if defined(KRB5_HOME)  exists(${KRB5_HOME})
CONFIGURE_ARGS+=--enable-gssapi=${KRB5_HOME}
.elif defined(HEIMDAL_HOME)  exists(${HEIMDAL_HOME})
CONFIGURE_ARGS+=--enable-gssapi=${HEIMDAL_HOME}
.else
CONFIGURE_ARGS+=--disable-gssapi
GSSAPI= @comment 
.endif
.if exists(/usr/lib/libkrb.a)
CONFIGURE_ARGS+=--enable-krb4
.else
CONFIGURE_ARGS+=--disable-krb4
EBONES= @comment 
.endif
Check to see if you have either KRB5_HOME or HEIMDAL_HOME set in your 
environment or if /usr/lib/libkrb.a exists.

- jim

--
- jim mock. email: [EMAIL PROTECTED] web: http://soupnazi.org -
- freebsd project: [EMAIL PROTECTED]opendarwin: [EMAIL PROTECTED] -
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message

Re: SMTP Authentication

[Grzegorz Czaplinski]

On Fri, Mar 21, 2003 at 04:04:57PM -0500, Paul Lathrop wrote:
  Did you install SASL from the package or from the port?  IIRC, the 
  package is compiled with Kerberos support.
 
  - jim
 
 
 I installed from the ports collection, but used just the default 
 configuration.
 I have looked all through my Postfix config files and can't find a 
 setting that says it accepts kerberos authentication, but that could be 
 because it is a default I was unaware of. I am rooting through postfix 
 docs now.
 

Paul,
We (Jim and I) are pointing you in a good direction. Your problem has
nothing to do with Postfix, it's SASL's.

Cheers,
greg
--
Grzegorz Czaplinski [EMAIL PROTECTED]
The Power to Serve, Right for the Power Users! - http://www.FreeBSD.org/
 Fingerprint: EB77 E19D CFA2 5736 810F  847C A70F A275 2489 469F

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message

Re: SMTP Authentication

[Sunil Sunder Raj]

Hi,

Please try these steps
1) cd /usr/local/lib/sasl (most probably libkerberos4* files willbe in the 
/usr/local/lib/sasl directory)
2) mkdir libkerberosMOVED
3) mv libkerberos4* libkerberosMOVED

These were what I did.

Cheers
SSR







From: Paul Lathrop [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: SMTP Authentication
Date: Fri, 21 Mar 2003 12:26:41 -0500
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I recently configured the mail server I administrate to do SMTP 
Authentication using sasl. sasl is configured to use PAM for 
authentication, and the smtp PAM service calls pam_mysql. I know it's 
rather convoluted, but it's the only solution that matched my needs. But I 
digress. Shortly after configuring this system, my logs began reporting the 
following error:

Mar 20 00:31:01 rackspace postfix/smtpd[45892]: 
add_plugin(/usr/local/lib/sasl/libkerberos4.so) failed: generic failure

This error repeats upwards of 70 times per day. Unfortunately, I cannot 
track down the cause of this problem. I am not use kerberos anywhere on my 
system, and I cannot find a reference to libkerberos in any of the 
configuration files.

Any ideas what could be causing this error and how I might track it down?

Thank you,
Paul D. Lathrop
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (Darwin)
iD8DBQE+e0s+los2supvBQwRArpJAJ9LHT0se2NrmJdNZvRjVRo/vVgX6gCdFLsr
0dfTMrYK+mnP9W61jgNMBDE=
=FpoJ
-END PGP SIGNATURE-
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


_
Cricket World Cup 2003- News, Views and Match Reports. 
http://server1.msn.co.in/msnspecials/worldcup03/

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message