Re: question about SMTP-authentication (2nd )
Dear Matthew,

According to your recommendation (as following). When I do make at /usr/src/usr.sbin/sendmail it show as following.

    ns1:kamolpat:/usr/src/usr.sbin/sendmailmake clean
    rm -f sm_os.h sendmail alias.o arpadate.o bf.o collect.o conf.o control.o convtime.o daemon.o deliver.o domain.o envelope.o err.o headers.o macro.o main.o map.o mci.o milter.o mime.o parseaddr.o queue.o ratectrl.o readcf.o recipient.o savemail.o sasl.o sfsasl.o shmticklib.o sm_resolve.o srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o udb.o usersmtp.o util.o version.o mailq.1.gz newaliases.1.gz aliases.5.gz sendmail.8.gz mailq.1.cat.gz newaliases.1.cat.gz aliases.5.cat.gz sendmail.8.cat.gz
    ns1:kamolpat:/usr/src/usr.sbin/sendmailmake
    ln -sf /usr/src/usr.sbin/sendmail/../../contrib/sendmail/include/sm/os/sm_os_freebsd.h sm_os.h
    cc -O2 -pipe -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include -I. -DNEWDB -DNIS -DTCPWRAPPERS -DMAP_REGEX -DDNSMAP -DNETINET6 -DSTARTTLS -D_FFR_TLS_1 -I/usr/local/include/sasl -DSASL=2 -std=gnu99 -fstack-protector -c /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c
    In file included from /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c:14:
    /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:135:25: error: sasl/sasl.h: No such file or directory
    /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:136:29: error: sasl/saslutil.h: No such file or directory
    In file included from /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c:14:
    /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:607: error: expected '=', ',', ';', 'asm' or '__attribute__' before ':' token
    /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:691: error: expected specifier-qualifier-list before 'sasl_conn_t'
    *** Error code 1

    Stop in /usr/src/usr.sbin/sendmail.

then I try to find where is sasl.h

    ns1:kamolpat:/usrfind . -name sasl.h
    ./local/include/sasl/sasl.h
    ./ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.25/include/sasl.h
    ./ports/security/cyrus-sasl2-saslauthd/work/cyrus-sasl-2.1.25/include/sasl.h

What should I do next? Should I just copy the sasl.h to /usr/src/contrib/sendmail/src/sendmail ?

Thanks
Kamolpat

On 3/9/2012 12:34 AM, Matthew Seaman wrote:

On 08/03/2012 15:55, kamolpat wrote:

Setup Reference
1. I read the how to setup from FreeBSD Handbook (online)- Chapter 29 Electronic Mail - 29.10 SMTP Authentication from freebsd.org
2. setup for cyrus-sasl2 was fine (setup via usr/ports/security/cyrus-sasl2)
3. setup for openssl was 90% fine (setup via port) reference to FreeBSD Handbook (online)-Chapter 15 Security - 15.8 OpenSSL except the STARTTLS line doesn't appear as mention on the last part of article.

Did you rebuild sendmail with the right flags so that it would enable all the SASL bits? Apart from that you seem to have done all the right stuff that I can see.

You need to add this to /etc/make.conf:

    SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
    SENDMAIL_LDFLAGS=-L/usr/local/lib
    SENDMAIL_LDADD=-lsasl2

and then rebuild sendmail -- assuming you have system sources installed:

    # cd /usr/src/usr.sbin/sendmail
    # make clean
    # make
    # make install

If you haven't got the system sources installed, then you can get them easily enough with csup(1) or freebsd-update(8) or several other ways. Or you could just install sendmail from ports -- obviously, make sure to choose the option to enable SASL in the config dialogue.

If you use the ports sendmail, so long as you set up mailer.conf(5) to point to the ports version -- like so:

    lucid-nonsense:/etc/mail:% cat mailer.conf
    # $FreeBSD: stable/8/etc/mail/mailer.conf 93858 2002-04-05 04:25:14Z gshapiro $
    #
    # Execute the real sendmail program, named /usr/local/sbin/sendmail
    #
    sendmail    /usr/local/sbin/sendmail
    send-mail   /usr/local/sbin/sendmail
    mailq       /usr/local/sbin/sendmail
    newaliases  /usr/local/sbin/sendmail
    hoststat    /usr/local/sbin/sendmail
    purgestat   /usr/local/sbin/sendmail

and put the following in /etc/make.conf so it uses the latest configuration file bits:

    SENDMAIL_CF_DIR=/usr/local/share/sendmail/cf
    MAKEMAP=/usr/local/sbin/makemap

then the ports sendmail is pretty much a drop-in replacement for the system one, and you can use all the config bits in /etc/mail in exactly the same way as normal.

Cheers,
Matthew

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: question about SMTP-authentication (2nd )
On 12/03/2012 13:26, kamolpat wrote:

According to your recommendation (as following). When I do make at /usr/src/usr.sbin/sendmail it show as following.

    ns1:kamolpat:/usr/src/usr.sbin/sendmailmake clean
    rm -f sm_os.h sendmail alias.o arpadate.o bf.o collect.o conf.o control.o convtime.o daemon.o deliver.o domain.o envelope.o err.o headers.o macro.o main.o map.o mci.o milter.o mime.o parseaddr.o queue.o ratectrl.o readcf.o recipient.o savemail.o sasl.o sfsasl.o shmticklib.o sm_resolve.o srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o udb.o usersmtp.o util.o version.o mailq.1.gz newaliases.1.gz aliases.5.gz sendmail.8.gz mailq.1.cat.gz newaliases.1.cat.gz aliases.5.cat.gz sendmail.8.cat.gz
    ns1:kamolpat:/usr/src/usr.sbin/sendmailmake
    ln -sf /usr/src/usr.sbin/sendmail/../../contrib/sendmail/include/sm/os/sm_os_freebsd.h sm_os.h
    cc -O2 -pipe -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include -I. -DNEWDB -DNIS -DTCPWRAPPERS -DMAP_REGEX -DDNSMAP -DNETINET6 -DSTARTTLS -D_FFR_TLS_1 -I/usr/local/include/sasl -DSASL=2 -std=gnu99 -fstack-protector -c /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c
    In file included from /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c:14:
    /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:135:25: error: sasl/sasl.h: No such file or directory
    /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:136:29: error: sasl/saslutil.h: No such file or directory
    In file included from /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c:14:
    /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:607: error: expected '=', ',', ';', 'asm' or '__attribute__' before ':' token
    /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:691: error: expected specifier-qualifier-list before 'sasl_conn_t'
    *** Error code 1

    Stop in /usr/src/usr.sbin/sendmail.

then I try to find where is sasl.h

    ns1:kamolpat:/usrfind . -name sasl.h
    ./local/include/sasl/sasl.h
    ./ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.25/include/sasl.h
    ./ports/security/cyrus-sasl2-saslauthd/work/cyrus-sasl-2.1.25/include/sasl.h

What should I do next? Should I just copy the sasl.h to /usr/src/contrib/sendmail/src/sendmail ?

No. Don't do that. It won't help anything. You need to follow my instructions correctly. Specifically this line needs to be in /etc/make.conf in order to pick up the SASL header files:

    SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2

Where, you will note, this does *not* say /usr/local/include/sasl, which is what appears in your compiler output.

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: question about SMTP-authentication (3rd )
Dear Matthew,

Ok, I got sendmail compiled. Thanks.

But seem like ...

POP3 still working in clear text usr/pwd sending to Server (but it work, I can get mail from server normal). When I chose option in Thunderbird to another mode, it doesn't work (except connection security: none, authentication method: password transmitted insecurely; this is the option that TB detected during setting mail account)

SMTP doesn't work; it declare from Thunderbird:

    Send Message Error
    The Kerberos/GSSAPI ticket was not accepted by the SMTP server mail.dmaccess.co.th
    Please check that you are logged in to the Kerberos/GSSAPI realm.

(even I change authentication method: Kerberos/GSSAPI, it still inform this message)

from /var/log/maillog

    Mar 12 22:38:04 ns1 sendmail[93331]: q2CMc4jF093331: ppp-58-8-130-33.revip2.asianet.co.th [58.8.130.33] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA

this is my test on server

    ns1:kamolpat:/etctelnet dmaccess.co.th 25
    Trying 202.170.122.33...
    Connected to dmaccess.co.th.
    Escape character is '^]'.
    220 ns1.dmaccess.co.th ESMTP Sendmail 8.14.4/8.14.4; Mon, 12 Mar 2012 22:23:14 GMT
    ehlo dmaccess.co.th
    250-ns1.dmaccess.co.th Hello ns1.dmaccess.co.th [202.170.122.33], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
    250-DELIVERBY
    250 HELP
    quit
    221 2.0.0 ns1.dmaccess.co.th closing connection
    Connection closed by foreign host.

this is my /etc/mail/freebsd.mc

    dnl Uncomment the first line to change the location of the default
    dnl /etc/mail/local-host-names and comment out the second line.
    dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
    define(`confCW_FILE', `-o /etc/mail/local-host-names')

    dnl Enable for both IPv4 and IPv6 (optional)
    DAEMON_OPTIONS(`Name=IPv4, Family=inet')
    DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

    define(`confBIND_OPTS', `WorkAroundBroken')
    define(`confNO_RCPT_ACTION', `add-to-undisclosed')
    define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')

    GENERICS_DOMAIN_FILE(`/etc/mail/genericdomains');
Re: question about SMTP-authentication (3rd )
On 12/03/2012 15:47, kamolpat wrote:

Dear Matthew,

Ok, I got sendmail compiled. Thanks.

But seem like ...

POP3 still working in clear text usr/pwd sending to Server (but it work, I can get mail from server normal). When I chose option in Thunderbird to another mode, it doesn't work (except connection security: none, authentication method: password transmitted insecurely; this is the option that TB detected during setting mail account)

SMTP doesn't work; it declare from Thunderbird:

    Send Message Error
    The Kerberos/GSSAPI ticket was not accepted by the SMTP server mail.dmaccess.co.th
    Please check that you are logged in to the Kerberos/GSSAPI realm.

(even I change authentication method: Kerberos/GSSAPI, it still inform this message)

from /var/log/maillog

    Mar 12 22:38:04 ns1 sendmail[93331]: q2CMc4jF093331: ppp-58-8-130-33.revip2.asianet.co.th [58.8.130.33] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA

what are you using as the authentication method for sasl?

there are multiple authentication mechanisms available for sasl(2), simplest is probably saslauthd

In /etc/rc.conf

    saslauthd_enable=yes

In /usr/local/lib/sasl2/Sendmail.conf have:

    pwcheck_method: saslauthd

make sure it's running

    /usr/local/etc/rc.d/saslauthd start

add a user with saslpasswd2

Test your u/p locally with testsaslauthd

    testsaslauthd -u user -p PASS

(if that's not working it won't work over the network either)

have TB set to conn security to STARTTLS and password security set to normal password, (for non encrypted password obv)

Paul.

--
Paul Macdonald
IFDNRG Ltd
Web and video hosting
t: 0131 5548070
m: 07970339546 PLEASE NOTE NEW MOBILE
e: p...@ifdnrg.com
w: http://www.ifdnrg.com
IFDNRG
40 Maritime Street
Edinburgh EH6 6SA
question about SMTP-authentication
To whom it may concern:

Hello, may I need your help about SMTP authentication?

Problems:

SMTP-authen doesn't functioning, when I use Thunderbird I try to set authentication method as Kerberos/GSSAPI or Encrypted password, it doesn't work.

Background:

I'm intermediate FreeBSD sysadmin. I used to run only normal mail service in my company, which use POP3 on myserver and SMTP from ISP. Now my ISP always get problem, so I prefer to set SMTP service on my server and provide to staffs in company. However to set pure SMTP is not safe, then I prefer to use SMTP-authenticate.

Setup Reference

1. I read the how to setup from FreeBSD Handbook (online)- Chapter 29 Electronic Mail - 29.10 SMTP Authentication from freebsd.org
2. setup for cyrus-sasl2 was fine (setup via usr/ports/security/cyrus-sasl2)
3. setup for openssl was 90% fine (setup via port) reference to FreeBSD Handbook (online)-Chapter 15 Security - 15.8 OpenSSL except the STARTTLS line doesn't appear as mention on the last part of article.

Raw info for considers

from /var/log/maillog
revip2.asianet.co.th is my provider , the dmaccess.co.th is my server

    Mar 8 22:35:35 ns1 sendmail[18640]: q28MZZ4l018640: ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Mar 8 22:37:29 ns1 sendmail[18644]: q28MbSv3018644: ruleset=check_rcpt, arg1=kamol...@dmaccess.net, relay=ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248], reject=550 5.7.1 kamolpa
    Mar 8 22:37:34 ns1 sendmail[18644]: q28MbSv3018644: from=smtpt...@dmaccess.co.th, size=778, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, relay=ppp-58-8-163-248.revip2.asianet.co.th [58.
    Mar 8 22:38:31 ns1 sendmail[18646]: q28McVl2018646: ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Mar 8 22:39:55 ns1 sendmail[18650]: q28MdsOC018650: ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Mar 8 22:40:57 ns1 sendmail[18688]: q28MevLw018688: ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
    Mar 8 22:42:05 ns1 sendmail[18689]: q28Mffbd018689: ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

from /etc/mail/freebsd.mc

    dnl set SASL options
    TRUST_AUTH_MECH (`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
    define(`confAUTH_MECHANISMS',`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
    dnl SSL Options
    define(`confCACERT_PATH',`/etc/ssl')dnl
    define(`confCACERT',`/etc/ssl/dm_new.crt')dnl
    define(`confSERVER_CERT',`/etc/ssl/dm_new.crt')dnl
    define(`confSERVER_KEY',`/etc/ssl/dm_ca.key')dnl
    define(`confTLS_SRV_OPTIONS',`V')dnl
    MAILER(local)
    MAILER(smtp)

Thanks in advance
Kamolpat
Re: question about SMTP-authentication
On 08/03/2012 15:55, kamolpat wrote:

Setup Reference
1. I read the how to setup from FreeBSD Handbook (online)- Chapter 29 Electronic Mail - 29.10 SMTP Authentication from freebsd.org
2. setup for cyrus-sasl2 was fine (setup via usr/ports/security/cyrus-sasl2)
3. setup for openssl was 90% fine (setup via port) reference to FreeBSD Handbook (online)-Chapter 15 Security - 15.8 OpenSSL except the STARTTLS line doesn't appear as mention on the last part of article.

Did you rebuild sendmail with the right flags so that it would enable all the SASL bits? Apart from that you seem to have done all the right stuff that I can see.

You need to add this to /etc/make.conf:

    SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
    SENDMAIL_LDFLAGS=-L/usr/local/lib
    SENDMAIL_LDADD=-lsasl2

and then rebuild sendmail -- assuming you have system sources installed:

    # cd /usr/src/usr.sbin/sendmail
    # make clean
    # make
    # make install

If you haven't got the system sources installed, then you can get them easily enough with csup(1) or freebsd-update(8) or several other ways. Or you could just install sendmail from ports -- obviously, make sure to choose the option to enable SASL in the config dialogue.

If you use the ports sendmail, so long as you set up mailer.conf(5) to point to the ports version -- like so:

    lucid-nonsense:/etc/mail:% cat mailer.conf
    # $FreeBSD: stable/8/etc/mail/mailer.conf 93858 2002-04-05 04:25:14Z gshapiro $
    #
    # Execute the real sendmail program, named /usr/local/sbin/sendmail
    #
    sendmail    /usr/local/sbin/sendmail
    send-mail   /usr/local/sbin/sendmail
    mailq       /usr/local/sbin/sendmail
    newaliases  /usr/local/sbin/sendmail
    hoststat    /usr/local/sbin/sendmail
    purgestat   /usr/local/sbin/sendmail

and put the following in /etc/make.conf so it uses the latest configuration file bits:

    SENDMAIL_CF_DIR=/usr/local/share/sendmail/cf
    MAKEMAP=/usr/local/sbin/makemap

then the ports sendmail is pretty much a drop-in replacement for the system one, and you can use all the config bits in /etc/mail in exactly the same way as normal.

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: question about SMTP-authentication
kamolpat wrote:

To whom it may concern:

I hope you get a more useful reply than mine later, no time here, sorry but I've had SASL-1 running fine for years FreeBSD both ends. Documented here,
http://www.berklix.com/~jhs/txt/sasl.html
There's various URLs there to SASL-2

Cheers,
Julian

--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
Reply below not above, cumulative like a play script, indent with . Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
Mail from @yahoo dumped @berklix. http://berklix.org/yahoo/
Re: SMTP Authentication
Try telnet to port 25 of your working SMTP server and compare the output. Check 250-AUTH list of supported auth mech

According to the provided log from the working server it should be LOGIN mech available in the list, which is not present on the new server.

Ihor

Reed Lai wrote:

The maillog does not log the sm-mta: AUTH=server action. The functional server has the AUTH=server action logged. How do I debug from this different?

Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication

The mail client is Windows Live Mail and it work well with the functional server. Its SMTP authentication should be ok.

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication

your working server does support LOGIN mech while other one doesn't. I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5 auth, usually it's PLAIN or/and LOGIN.

Ihor

Reed Lai wrote:

Instruction of the SMTP AUTH in sendmail 8.10-8.13 to test the Sendmail

    banyan# sendmail -d0.1 -bv root
    Version 8.14.2
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
    SYSTEM IDENTITY (after readcf)
    (short domain name) $w = banyan
    (canonical domain name) $j = banyan...com
    (subdomain name) $m = ..com
    (node name) $k = banyan...com
    root... deliverable: mailer local, user root

    banyan# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40 +0800 (CST)
    ehlo localhost
    250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
    250-DELIVERBY
    250 HELP

The Sendmail test seems OK. But the SMTP authentication does not work from my mail client.

Reed

From: Reed Lai
Sent: Wednesday, July 29, 2009 5:37 PM
To: freebsd-questions@freebsd.org
Subject: SMTP Authentication

Hi,

I have two freebsd mail servers both configured SMTP authentication:

FreeBSD Handbook 28.10 SMTP Authentication
http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

SMTP AUTH in sendmail 8.10-8.13
http://www.sendmail.org/~ca/email/auth.html

One is functional, and the other one doesn't seem to work. Compare the maillogs of the two servers, there is an AUTH=server message appear in the functional server, but the other one has not.

The maillog of functional server

    Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net [59...147], authid=a660407, mech=LOGIN, bits=0
    Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@..., size=1430, class=0, nrcpts=1, msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP, daemon=IPv4, relay=59-...net [59...147]

The other one

    Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt, arg1=reed...@..., relay=59-...-147.HINET-IP.hinet.net [59...147], reject=550 5.7.1 reed...@.. Relaying denied
    Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=reed...@..., size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, relay=59-...-147.HINET-IP.hinet.net [59...147]

It seems the other one's smtp authentication is not triggered. Please help or tip me for something I forget.

Thank you!

Reed
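The comparison suggested in the message above (read the 250-AUTH line of each server's EHLO reply and see which mechanisms differ), as an added example that is not part of the original thread. The host names banyan.example.com and maple.example.com, the function names, and the working server's full reply are assumptions; only its 250-AUTH line is quoted in the thread.

```python
import re

# Mechanisms that carry the password itself (base64 is encoding, not encryption).
PASSWORD_MECHS = {"LOGIN", "PLAIN"}

# EHLO reply of the non-working server as posted in the thread; the elided
# host name is replaced by a placeholder.
NEW_SERVER = """\
220 banyan.example.com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40 +0800 (CST)
ehlo localhost
250-banyan.example.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
"""

# Constructed reply for the working server: same lines, plus LOGIN in 250-AUTH.
OLD_SERVER = NEW_SERVER.replace("banyan", "maple").replace(
    "250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5",
    "250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN",
)

REPLY_RE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(transcript):
    """Return {KEYWORD: [params]} for the extensions listed in an EHLO reply."""
    extensions = {}
    greeting_seen = False
    for raw in transcript.splitlines():
        m = REPLY_RE.match(raw.strip())
        if not m:
            continue  # banner, client commands, telnet noise
        sep, text = m.groups()
        if not greeting_seen:
            greeting_seen = True  # the first 250 line is the greeting
        else:
            # "AUTH=LOGIN ..." is a legacy spelling kept for old clients.
            if text.upper().startswith("AUTH="):
                text = "AUTH " + text[5:]
            words = text.split()
            if words:
                params = [w.upper() for w in words[1:]]
                extensions.setdefault(words[0].upper(), []).extend(params)
        if sep == " ":
            break  # "250 " followed by a space marks the last reply line
    return extensions


def auth_report(transcript):
    """Summarise what the server offers before any TLS negotiation."""
    ext = parse_ehlo(transcript)
    mechs = ext.get("AUTH", [])
    return {
        "mechs": mechs,
        "starttls": "STARTTLS" in ext,
        # Offered in a plaintext session, so the password can cross unencrypted.
        "password_mechs_before_tls": [m for m in mechs if m in PASSWORD_MECHS],
    }


def missing_mechs(reference, candidate):
    """Mechanisms the reference server offers that the candidate does not."""
    have = set(auth_report(candidate)["mechs"])
    return [m for m in auth_report(reference)["mechs"] if m not in have]


def usable_by(transcript, client_mechs):
    """Mechanisms both the server and a client with client_mechs support."""
    return [m for m in auth_report(transcript)["mechs"] if m in client_mechs]


if __name__ == "__main__":
    client = {"PLAIN", "LOGIN"}  # the client capability suggested in the thread
    print("missing on new server:", missing_mechs(OLD_SERVER, NEW_SERVER))
    print("new server, usable by client:", usable_by(NEW_SERVER, client))
    print("old server report:", auth_report(OLD_SERVER))
```

An empty usable_by() result for the new server matches the symptom in the thread: the client never attempts AUTH, so no AUTH=server line is logged and the message is rejected with "Relaying denied".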
Re: SMTP Authentication
Yes, the new server lacks LOGIN in the 250-AUTH list!

New server

    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5

Functional server

    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

I have checked the generated .cf file in the new server and there are class and option listed

    C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
    O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

The new server has same configuration to old server, but has not LOGIN in the 250-AUTH list.

BTW, the new server has hostname changed once... I don't know if it does matter or not..

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 2:35 PM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication

Try telnet to port 25 of your working SMTP server and compare the output. Check 250-AUTH list of supported auth mech

According to the provided log from the working server it should be LOGIN mech available in the list, which is not present on the new server.

Ihor

Reed Lai wrote:

The maillog does not log the sm-mta: AUTH=server action. The functional server has the AUTH=server action logged. How do I debug from this different?

Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication

The mail client is Windows Live Mail and it work well with the functional server. Its SMTP authentication should be ok.

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication

your working server does support LOGIN mech while other one doesn't. I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5 auth, usually it's PLAIN or/and LOGIN.

Ihor

Reed Lai wrote:

Instruction of the SMTP AUTH in sendmail 8.10-8.13 to test the Sendmail

    banyan# sendmail -d0.1 -bv root
    Version 8.14.2
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
    SYSTEM IDENTITY (after readcf)
    (short domain name) $w = banyan
    (canonical domain name) $j = banyan...com
    (subdomain name) $m = ..com
    (node name) $k = banyan...com
    root... deliverable: mailer local, user root

    banyan# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40 +0800 (CST)
    ehlo localhost
    250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
    250-DELIVERBY
    250 HELP

The Sendmail test seems OK. But the SMTP authentication does not work from my mail client.

Reed

From: Reed Lai
Sent: Wednesday, July 29, 2009 5:37 PM
To: freebsd-questions@freebsd.org
Subject: SMTP Authentication

Hi,

I have two freebsd mail servers both configured SMTP authentication:

FreeBSD Handbook 28.10 SMTP Authentication
http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

SMTP AUTH in sendmail 8.10-8.13
http://www.sendmail.org/~ca/email/auth.html

One is functional, and the other one doesn't seem to work. Compare the maillogs of the two servers, there is an AUTH=server message appear in the functional server, but the other one has not.

The maillog of functional server

    Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net [59...147], authid=a660407, mech=LOGIN, bits=0
    Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@..., size=1430, class=0, nrcpts=1, msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP, daemon=IPv4, relay=59-...net [59...147]

The other one

    Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt, arg1=reed...@..., relay=59-...-147.HINET-IP.hinet.net [59...147], reject=550 5.7.1 reed...@.. Relaying denied
    Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=reed...@..., size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, relay=59-...-147.HINET-IP.hinet.net [59...147]

It seems the other one's smtp authentication is not triggered. Please help or tip me for something I forget.

Thank you!

Reed
Re: SMTP Authentication
Check if /usr/local/lib/sasl2/liblogin.so exists - if not you have to recompile sasl with LOGIN mech support.

Check in your .mc file if you define confAUTH_OPTIONS macro. If you do make sure 'p' parameter is not on the list or LOGIN would be available only after TLS encryption which is not a case for you as your working configuration offers LOGIN during telnet session (it's actually a bad idea to do authentication clear text).

Ihor

Reed Lai wrote:

Yes, the new server lacks LOGIN in the 250-AUTH list!

New server

    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5

Functional server

    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

I have checked the generated .cf file in the new server and there are class and option listed

    C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
    O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

The new server has same configuration to old server, but has not LOGIN in the 250-AUTH list.

BTW, the new server has hostname changed once... I don't know if it does matter or not..

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 2:35 PM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication

Try telnet to port 25 of your working SMTP server and compare the output. Check 250-AUTH list of supported auth mech

According to the provided log from the working server it should be LOGIN mech available in the list, which is not present on the new server.

Ihor

Reed Lai wrote:

The maillog does not log the sm-mta: AUTH=server action. The functional server has the AUTH=server action logged. How do I debug from this different?

Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication

The mail client is Windows Live Mail and it work well with the functional server. Its SMTP authentication should be ok.

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication

your working server does support LOGIN mech while other one doesn't. I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5 auth, usually it's PLAIN or/and LOGIN.

Ihor

Reed Lai wrote:

Instruction of the SMTP AUTH in sendmail 8.10-8.13 to test the Sendmail

    banyan# sendmail -d0.1 -bv root
    Version 8.14.2
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
    SYSTEM IDENTITY (after readcf)
    (short domain name) $w = banyan
    (canonical domain name) $j = banyan...com
    (subdomain name) $m = ..com
    (node name) $k = banyan...com
    root... deliverable: mailer local, user root

    banyan# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40 +0800 (CST)
    ehlo localhost
    250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
    250-DELIVERBY
    250 HELP

The Sendmail test seems OK. But the SMTP authentication does not work from my mail client.

Reed

From: Reed Lai
Sent: Wednesday, July 29, 2009 5:37 PM
To: freebsd-questions@freebsd.org
Subject: SMTP Authentication

Hi,

I have two freebsd mail servers both configured SMTP authentication:

FreeBSD Handbook 28.10 SMTP Authentication
http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

SMTP AUTH in sendmail 8.10-8.13
http://www.sendmail.org/~ca/email/auth.html

One is functional, and the other one doesn't seem to work. Compare the maillogs of the two servers, there is an AUTH=server message appear in the functional server, but the other one has not.

The maillog of functional server

    Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net [59...147], authid=a660407, mech=LOGIN, bits=0
    Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@..., size=1430, class=0, nrcpts=1, msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP, daemon=IPv4, relay=59-...net [59...147]

The other one

    Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt, arg1=reed...@..., relay=59-...-147.HINET-IP.hinet.net [59...147], reject=550 5.7.1 reed...@.. Relaying denied
    Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=reed...@..., size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, relay=59-...-147.HINET-IP.hinet.net [59...147]

It seems the other one's smtp authentication is not triggered. Please help or tip me for something I forget.

Thank you!

Reed
Re: SMTP Authentication
The liblogin.so is in directory

banyan# ll /usr/local/lib/sasl2/liblogin.so
lrwxr-xr-x 1 root wheel 13 7 29 14:54 /usr/local/lib/sasl2/liblogin.so -> liblogin.so.2
banyan# ll /usr/local/lib/sasl2/liblogin.so.2
-rwxr-xr-x 1 root wheel 17172 7 29 14:54 /usr/local/lib/sasl2/liblogin.so.2

There is only confAUTH_MECHANISMS in .mc file, not confAUTH_OPTIONS

dnl set SASL options
dnl
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

Reed
Re: SMTP Authentication
You may check the location of sasl2 lib which sendmail is compiled with - do ldd on sendmail executable. And verify if Sendmail.conf in the sasl2 lib folder doesn't have any restrictions on available mechs.

Ihor
Re: SMTP Authentication
Both servers have same ldd outputs and Sendmail.conf contains only pwcheck_method: saslauthd

banyan# ldd -a /usr/sbin/sendmail
/usr/sbin/sendmail:
    libutil.so.7 => /lib/libutil.so.7 (0x2807d000)
    libc.so.7 => /lib/libc.so.7 (0x2808a000)
/lib/libutil.so.7:
    libc.so.7 => /lib/libc.so.7 (0x2808a000)
banyan#
banyan# ll /usr/local/lib/sasl2/Sendmail.conf
-rw-r--r-- 1 root wheel 26 7 29 14:56 /usr/local/lib/sasl2/Sendmail.conf
banyan# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd

Reed
Re: SMTP Authentication
And there is LOGIN option selected (as ports default options) when installing the cyrus-sasl2.

Reed
Re: SMTP Authentication
The test of saslauthd seems OK too:

banyan# testsaslauthd -s smtp -u aNN -p
0: OK Success.

The auth login in smtp connection is still not available:

ehlo local
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
...
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
auth login
504 5.3.3 AUTH mechanism login not available

Reed
Re: SMTP Authentication
I am very sorry. I forgot to make install to install the /etc/mail/sendmail.cf, so it has only banyan..mc/cf files updated. I always forget the final target is sendmail.cf XD

The new server is available for AUTH LOGIN now. The trouble is resolved.

Ihor, thank you very much for all the help!

Reed Lai

From: Reed Lai
Sent: Friday, July 31, 2009 12:51 PM
To: FreeBSD Question
Subject: Re: SMTP Authentication

The test of saslauthd seems OK too:

banyan# testsaslauthd -s smtp -u aNN -p
0: OK Success.

The auth login in smtp connection is still not available:

ehlo local
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
...
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
auth login
504 5.3.3 AUTH mechanism login not available

Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:26 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication

And there is LOGIN option selected (as ports default options) when installing the cyrus-sasl2.

Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:14 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication

Both servers have same ldd outputs and Sendmail.conf contains only pwcheck_method: saslauthd

banyan# ldd -a /usr/sbin/sendmail
/usr/sbin/sendmail:
    libutil.so.7 => /lib/libutil.so.7 (0x2807d000)
    libc.so.7 => /lib/libc.so.7 (0x2808a000)
/lib/libutil.so.7:
    libc.so.7 => /lib/libc.so.7 (0x2808a000)
banyan#
banyan# ll /usr/local/lib/sasl2/Sendmail.conf
-rw-r--r-- 1 root wheel 26 7 29 14:56 /usr/local/lib/sasl2/Sendmail.conf
banyan# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd

Reed

From: Ihor Prystay
Sent: Friday, July 31, 2009 2:55 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication

You may check the location of sasl2 lib which sendmail is compiled with - do ldd on sendmail executable. And verify if Sendmail.conf in the sasl2 lib folder doesn't have any restrictions on available mechs.

Ihor

Reed Lai wrote:

The liblogin.so is in directory

banyan# ll /usr/local/lib/sasl2/liblogin.so
lrwxr-xr-x 1 root wheel 13 7 29 14:54 /usr/local/lib/sasl2/liblogin.so -> liblogin.so.2
banyan# ll /usr/local/lib/sasl2/liblogin.so.2
-rwxr-xr-x 1 root wheel 17172 7 29 14:54 /usr/local/lib/sasl2/liblogin.so.2

There is only confAUTH_MECHANISMS in .mc file, not confAUTH_OPTIONS

dnl set SASL options
dnl
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 4:58 PM
To: FreeBSD Question
Subject: Re: SMTP Authentication

Check if /usr/local/lib/sasl2/liblogin.so exists - if not you have to recompile sasl with LOGIN mech support. Check in your .mc file if you define confAUTH_OPTIONS macro. If you do, make sure 'p' parameter is not on the list or LOGIN would be available only after TLS encryption which is not a case for you as your working configuration offers LOGIN during telnet session (it's actually a bad idea to do authentication clear text).

Ihor

Reed Lai wrote:

Yes, the new server leaks LOGIN in the 250-AUTH list!

New server = 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
Functional server == 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

I have checked the generated .cf file in the new server and there are class and option listed

C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN

The new server has same configuration to old server, but has not LOGIN in the 250-AUTH list.

BTW, the new server has hostname changed once... I don't know if it does matter or not..

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 2:35 PM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication

Try telnet to port 25 of your working SMTP server and compare the output. Check 250-AUTH list of supported auth mech.

According to the provided log from the working server it should be LOGIN mech available in the list, which is not present on the new server.

Ihor

Reed Lai wrote:

The maillog does not log the sm-mta: AUTH=server action. The functional server has the AUTH=server action logged. How do I debug from this difference?

Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication

The mail client is Windows Live Mail and it works well with the functional server. Its SMTP authentication should be ok.

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication

Your working server does support LOGIN mech while other one doesn't. I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5 auth, usually it's PLAIN or/and LOGIN.

Ihor
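The mismatch behind this thread (LOGIN listed in the generated .cf but missing from the running server's 250-AUTH line because /etc/mail/sendmail.cf had not been reinstalled) can be checked mechanically. The script below is an added example, not part of the original messages; the sample inputs are constructed from lines quoted in the thread, and the content of the stale installed file is an assumption.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed from values quoted in the thread.

# The two lines Reed quotes from the generated .cf
BUILT_CF='C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN'

# Assumed content of the installed sendmail.cf before "make install" (constructed)
INSTALLED_CF='O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5'

# EHLO reply of the new server before the fix, taken over plain telnet
EHLO_NEW='250-ENHANCEDSTATUSCODES
250-PIPELINING
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP'

# AUTH line of the functional server, as posted
EHLO_OLD='250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250 HELP'

# Join newline-separated words into one space-separated line.
join_words() { tr '\n' ' ' | sed 's/ *$//'; }

# stdin: EHLO reply. stdout: advertised SASL mechanisms, one per line, sorted.
# Accepts both "250-AUTH A B" and the older "250-AUTH=A B" form.
ehlo_auth_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p' | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# stdin: sendmail .cf text. stdout: mechanisms in the AuthMechanisms option.
cf_auth_mechs() {
    sed -n 's/^O[[:space:]]*AuthMechanisms=//p' | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# missing_mechs CF_TEXT EHLO_TEXT: configured mechanisms the server does not advertise.
missing_mechs() {
    cfg=$(printf '%s\n' "$1" | cf_auth_mechs)
    adv=$(printf '%s\n' "$2" | ehlo_auth_mechs)
    for m in $cfg; do
        printf '%s\n' "$adv" | grep -qxF -- "$m" || printf '%s\n' "$m"
    done | join_words
}

# cleartext_mechs EHLO_TEXT: password-in-the-clear mechanisms offered in a reply
# that was captured without TLS (what the 'p' flag in confAUTH_OPTIONS prevents).
cleartext_mechs() {
    printf '%s\n' "$1" | ehlo_auth_mechs | { grep -xE 'LOGIN|PLAIN' || true; } | join_words
}

# cf_differs BUILT INSTALLED: true when the AuthMechanisms options differ,
# i.e. the installed file is not the one that was just generated.
cf_differs() {
    a=$(printf '%s\n' "$1" | cf_auth_mechs)
    b=$(printf '%s\n' "$2" | cf_auth_mechs)
    [ "$a" != "$b" ]
}

# report BUILT_CF INSTALLED_CF EHLO_REPLY
report() {
    if cf_differs "$1" "$2"; then
        echo "installed .cf is stale: AuthMechanisms differs from the generated .cf"
    fi
    miss=$(missing_mechs "$1" "$3")
    [ -z "$miss" ] || echo "configured but not advertised: $miss"
    clear=$(cleartext_mechs "$3")
    [ -z "$clear" ] || echo "cleartext mechanisms offered without TLS: $clear"
    return 0
}

report "$BUILT_CF" "$INSTALLED_CF" "$EHLO_NEW"
```

On a live host, pipe the generated .cf and /etc/mail/sendmail.cf into `cf_auth_mechs` and the reply captured from port 25 into `ehlo_auth_mechs` instead of the embedded samples.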
SMTP Authentication
Hi,

I have two freebsd mail servers both configured SMTP authentication:

FreeBSD Handbook 28.10 SMTP Authentication
http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html

SMTP AUTH in sendmail 8.10-8.13
http://www.sendmail.org/~ca/email/auth.html

One is functional, and the other one doesn't seem to work. Comparing the maillogs of the two servers, there is an AUTH=server message appearing in the functional server, but the other one has not.

The maillog of functional server ==
Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-net [59...147], authid=a660407, mech=LOGIN, bits=0
Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825: from=reed...@..., size=1430, class=0, nrcpts=1, msgid=40f9cc65e8874d128639a39c1eebd...@reedxp, proto=ESMTP, daemon=IPv4, relay=59-...net [59...147]

The other one =
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: ruleset=check_rcpt, arg1=reed...@..., relay=59-...-147.HINET-IP.hinet.net [59...147], reject=550 5.7.1 reed...@.. Relaying denied
Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539: from=reed...@..., size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, relay=59-...-147.HINET-IP.hinet.net [59...147]

It seems the other one's smtp authentication is not triggered. Please help or tip me for something I forget.

Thank you!

Reed

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: SMTP Authentication
Instruction of the SMTP AUTH in sendmail 8.10-8.13 to test the Sendmail

banyan# sendmail -d0.1 -bv root
Version 8.14.2
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
SYSTEM IDENTITY (after readcf)
(short domain name) $w = banyan
(canonical domain name) $j = banyan...com
(subdomain name) $m = ..com
(node name) $k = banyan...com
root... deliverable: mailer local, user root

banyan# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40 +0800 (CST)
ehlo localhost
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

The Sendmail test seems OK

But the SMTP authentication does not work from my mail client.

Reed
Re: SMTP Authentication
Your working server does support the LOGIN mech while the other one doesn't. I doubt your mail client has support for GSSAPI, DIGEST-MD5 or CRAM-MD5 auth; usually it's PLAIN and/or LOGIN.

Ihor

Reed Lai wrote:
> Following the instructions of "SMTP AUTH in sendmail 8.10-8.13" to test Sendmail:
>
> banyan# sendmail -d0.1 -bv root
> Version 8.14.2
>  Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
> SYSTEM IDENTITY (after readcf)
>       (short domain name) $w = banyan
>   (canonical domain name) $j = banyan...com
>          (subdomain name) $m = ..com
>               (node name) $k = banyan...com
> root... deliverable: mailer local, user root
>
> banyan# telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009 21:19:40 +0800 (CST)
> ehlo localhost
> 250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-ETRN
> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
> 250-DELIVERBY
> 250 HELP
>
> The Sendmail test seems OK, but the SMTP authentication does not work from my mail client.
>
> Reed
Re: SMTP Authentication
The mail client is Windows Live Mail and it works well with the functional server. Its SMTP authentication should be OK.

Reed

From: Ihor Prystay
Sent: Thursday, July 30, 2009 10:49 AM
To: freebsd-questions@freebsd.org
Subject: Re: SMTP Authentication

Your working server does support the LOGIN mech while the other one doesn't. I doubt your mail client has support for GSSAPI, DIGEST-MD5 or CRAM-MD5 auth; usually it's PLAIN and/or LOGIN.

Ihor
Re: SMTP Authentication
The maillog does not log the sm-mta: AUTH=server action. The functional server has the AUTH=server action logged. How do I debug from this difference?

Reed

From: Reed Lai
Sent: Thursday, July 30, 2009 11:51 AM
To: FreeBSD Questions
Subject: Re: SMTP Authentication

The mail client is Windows Live Mail and it works well with the functional server. Its SMTP authentication should be OK.

Reed
Re: smtp authentication
David Southwell wrote:
> Hi
>
> I am really ignorant about this issue. I am running postfix on freebsd 7.0 using a dynamic IP address and am getting requests to turn on smtp authentication for outgoing mails to reach servers such as yahoo.com but do not know how to do it. I am using kmail as a client.
>
> If anyone could point me in the right direction I would be most grateful.
>
> Thank you
> David

Google can help:
http://www.google.de/search?q=postfix+smtp+authentication&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:de:official&client=firefox-a

http://postfix.state-of-mind.de/patrick.koetter/smtpauth/

Section 16
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html
looks interesting.

Hope it works.
Re: smtp authentication
In [EMAIL PROTECTED], David Southwell wrote:
> Hi
>
> I am really ignorant about this issue. I am running postfix on freebsd 7.0 using a dynamic IP address and am getting requests to turn on smtp authentication for outgoing mails to reach servers such as yahoo.com but do not know how to do it.

I think that is probably due to your MTA running on a dynamic IP connection, which are blacklisted for abuse by spammers most of the time.

How about using a smarthost (probably your ISP's mail server) to deliver your mails from your postfix? I'm using a similar way with Postfix running on my local mail server, relaying all outgoing mails via Google's SMTP servers.

HTH
Ashish
-- 
·-- ·- ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
smtp authentication
Hi

I am really ignorant about this issue. I am running postfix on freebsd 7.0 using a dynamic IP address and am getting requests to turn on smtp authentication for outgoing mails to reach servers such as yahoo.com but do not know how to do it. I am using kmail as a client.

If anyone could point me in the right direction I would be most grateful.

Thank you
David
Re: smtp authentication
David Southwell [EMAIL PROTECTED] wrote:
> I am running postfix on freebsd 7.0 using a dynamic IP address and am getting requests to turn on smtp authentication for outgoing mails to reach servers such as yahoo.com but do not know how to do it.

This is a little unclear. Who is making these requests? And what do your logs currently show when you try to send email destined for yahoo.com? You might also want to take this discussion to the postfix-users mailing list. But in general, for help with SASL in Postfix, see:

http://www.postfix.org/SASL_README.html

-- 
Sahil Tandon [EMAIL PROTECTED]
Having problems with SMTP authentication
Hi,

I've followed the instructions @ http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html, but am still having problems with the authentication process. If I set my client to use either CRAM-MD5 or DIGEST-MD5, I get an error return of "authentication failure, most likely the password is wrong".

Now, to make sure that I'm understanding this correctly, this program (saslauthd) takes the username and passwords given it and attempts to verify them against what the system knows to be its users, correct? Working under this assumption, it would seem that the user vmail (a user I created on the system) would be the user that I would want to use in the e-mail client. Well, I've done this and verified that the password is, in fact, correct; I'm unable to authenticate to the SMTP server.

Another point of interest, I added these lines (from the handbook) to my freebsd.mc file (as per instructions):

    dnl set SASL options
    TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

But when I ask my e-mail client to check what the server supports, the returned list is only GSSAPI, DIGEST-MD5 and CRAM-MD5. Why is LOGIN not listed when it's included in this macro file? Is there anything missing from this section of the handbook that I've missed?

Andy
Re: Having problems with SMTP authentication
Andrew Falanga wrote:
> dnl set SASL options
> TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
>
> But when I ask my e-mail client to check what the server supports, the returned list is only GSSAPI, DIGEST-MD5 and CRAM-MD5. Why is LOGIN not listed when it's included in this macro file? Is there anything missing from this section of the handbook that I've missed?

LOGIN will only be enabled over an encrypted connection. All you need to do to enable the stock sendmail to support STARTTLS is tell it to use one or more SSL certs. Adding something like this to /etc/mail/`hostname`.mc is how to do that:

    dnl
    dnl TLS stuff
    dnl
    define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
    define(`confCACERT_PATH', `CERT_DIR')dnl
    define(`confCACERT', `CERT_DIR/cacert.pem')dnl
    define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
    define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
    define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
    define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

Which means you'd put the PEM encoded cacert, key and cert into /etc/mail/cacert.pem, /etc/mail/key.pem and /etc/mail/key.cert respectively. To generate all of those, there are some pithy instructions here:

http://www.sendmail.org/~ca/email/other/cagreg.html

When submitting a new message, most mail clients will automatically do STARTTLS if it's available.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
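The symptom in this thread and in the banyan thread further up (a client that speaks LOGIN or PLAIN facing a server whose EHLO reply lists only GSSAPI, DIGEST-MD5 and CRAM-MD5) can be checked mechanically. The Python below is an added example, not code from any poster: it parses an EHLO reply and reports why AUTH never starts. The function names, the client mechanism list and the host name mail.example.org are assumptions; the capability lines of the first sample are those of the banyan transcript.

```python
import re

# Mechanisms whose credentials are only base64 encoded on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Capability lines as in the banyan transcript; the host name is a constructed placeholder.
BANYAN_EHLO = """\
250-mail.example.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
"""

# Constructed sample: a reply to EHLO sent again inside an established TLS session.
AFTER_TLS_EHLO = """\
250-mail.example.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250 HELP
"""


def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [parameters]}."""
    caps = {}
    lines = [ln.strip() for ln in reply.strip().splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        match = re.match(r"^250([ -])(.*)$", line)
        if not match:
            raise ValueError("not a 250 reply line: %r" % line)
        # "250-" marks a continuation line, "250 " the final line.
        if (match.group(1) == " ") != (index == len(lines) - 1):
            raise ValueError("bad continuation marker: %r" % line)
        if index == 0:
            continue  # the first line is the greeting, not a capability
        words = match.group(2).split()
        if not words:
            continue
        keyword = words[0].upper()
        params = [w.upper() for w in words[1:]]
        if keyword.startswith("AUTH="):  # legacy "AUTH=LOGIN ..." spelling
            params.insert(0, keyword[5:])
            keyword = "AUTH"
        caps.setdefault(keyword, []).extend(params)
    return caps


def diagnose(reply, client_mechs, tls_active=False):
    """Compare what the server offers with what the client can do."""
    caps = parse_ehlo(reply)
    offered = caps.get("AUTH", [])
    wanted = {m.upper() for m in client_mechs}
    usable = [m for m in offered if m in wanted]
    findings = []
    if not offered:
        findings.append("server advertises no AUTH at all")
    elif not usable:
        findings.append("no mechanism in common: the client never authenticates, "
                        "so no AUTH=server line is logged and relaying is denied")
    if not tls_active:
        if ("STARTTLS" not in caps and wanted & PLAINTEXT_MECHS
                and not set(offered) & PLAINTEXT_MECHS):
            # Per the reply above, LOGIN is only enabled over an encrypted connection.
            findings.append("STARTTLS is not advertised, so plaintext mechanisms "
                            "stay hidden: configure the server certificates")
        exposed = [m for m in usable if m in PLAINTEXT_MECHS]
        if exposed:
            findings.append("%s would run without TLS" % "/".join(exposed))
    return {"offered": offered, "usable": usable,
            "starttls": "STARTTLS" in caps, "findings": findings}


if __name__ == "__main__":
    for name, reply, tls in (("before TLS", BANYAN_EHLO, False),
                             ("inside TLS", AFTER_TLS_EHLO, True)):
        result = diagnose(reply, ["LOGIN", "PLAIN"], tls_active=tls)
        print(name, result["offered"], "usable:", result["usable"])
        for finding in result["findings"]:
            print("  -", finding)
```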
Re: Having problems with SMTP authentication
On Saturday 29 December 2007 13:51:06 Matthew Seaman wrote:
> LOGIN will only be enabled over an encrypted connection. All you need to do to enable the stock sendmail to support STARTTLS is tell it to use one or more SSL certs. Adding something like this to /etc/mail/`hostname`.mc is how to do that:

this seems to imply you want me to create a file named hostname.mc. The instructions I followed in the handbook also mentioned that, "Many administrators choose to use the output from hostname(1) as the .mc file for uniqueness." Do I have to make this new file, paste into it all the stuff in freebsd.mc and then add these lines too?

> dnl
> dnl TLS stuff
> dnl
> define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
> define(`confCACERT_PATH', `CERT_DIR')dnl
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
>
> Which means you'd put the PEM encoded cacert, key and cert into /etc/mail/cacert.pem, /etc/mail/key.pem and /etc/mail/key.cert respectively. To generate all of those, there are some pithy instructions here:
>
> http://www.sendmail.org/~ca/email/other/cagreg.html

Thanks for all this.

Andy

> When submitting a new message, most mail clients will automatically do STARTTLS if it's available.
>
> Cheers,
>
> Matthew
Re: Having problems with SMTP authentication
On Sat, 29 Dec 2007 15:24:42 -0700 Andrew Falanga [EMAIL PROTECTED] wrote:

[snip]

> this seems to imply you want me to create a file named hostname.mc. The instructions I followed in the handbook also mentioned that, "Many administrators choose to use the output from hostname(1) as the .mc file for uniqueness." Do I have to make this new file, paste into it all the stuff in freebsd.mc and then add these lines too?

It has been ages since I worked with Sendmail; however, I believe all you have to do, after configuring the /etc/mail/*.mc files, is run:

    make all install restart

in the /etc/mail directory. Be sure to read the documentation in each of the *.mc files. If you have not already done so, check out the aliases file and modify as required. Be sure to run 'newaliases' when finished. If I remember correctly, the new *.cf files will be in the form of hostname.cf.

You could always use Postfix. It is a lot easier.

-- 
Gerard [EMAIL PROTECTED]

O give me a home,
Where the buffalo roam,
Where the deer and the antelope play,
Where seldom is heard
A discouraging word,
'Cause what can an antelope say?
Re: Having problems with SMTP authentication
On Sat, Dec 29, 2007 at 03:24:42PM -0700, Andrew Falanga wrote:
> this seems to imply you want me to create a file named hostname.mc. The instructions I followed in the handbook also mentioned that, "Many administrators choose to use the output from hostname(1) as the .mc file for uniqueness." Do I have to make this new file, paste into it all the stuff in freebsd.mc and then add these lines too?

Just run `make` in /etc/mail, it will create `hostname`.mc for you, edit it, and run `make all install restart` (targets are described in /etc/mail/Makefile).

> Thanks for all this.
>
> Andy

HTH,
Yuri
Re: sendmail client side smtp authentication problem
At Mon, 5 Jun 2006 17:02:29 +0300 (EEST), �� ��� wrote:
> sendmail client side smtp authentication problem
>
> My ISP wants my MTA authenticate itself from now on. So, I read cf/README, added FEATURE(authinfo) in my localhost.mc, created the file authinfo with one line

I added the following lines to /etc/mail/your.hostname.here.mc:

    define(`SMART_HOST',`your.isp.smart.host')dnl
    define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
    FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

Then I created the dir /etc/mail/auth with mode 700 and the file client-info with mode 600. client-info has the following content:

    AuthInfo:your.isp.smart.host "U:username" "I:username" "P:password" "M:PLAIN"

This worked for me.

hth,
toni
-- 
If you understand what you're doing, you're | toni at stderror dot at
not learning anything.                      | Toni Schmidbauer
-- Anonymous                                |
sendmail client side smtp authentication problem
sendmail client side smtp authentication problem

My ISP wants my MTA to authenticate itself from now on. So, I read cf/README, added FEATURE(authinfo) in my localhost.mc, and created the file authinfo with one line

    AuthInfo:mail.ukrpost.ua U:[EMAIL PROTECTED] P:password

where mail.ukrpost.ua is my ISP's smtp server and [EMAIL PROTECTED] is my id appointed by the ISP; made and installed cf, restarted sendmail (at 9:17), and tried to send a mail with the command

    sendmail -f [EMAIL PROTECTED] [EMAIL PROTECTED]

where [EMAIL PROTECTED] is my mailbox on the ISP directly. The mail was rejected by the server. This is in the maillog:

    Jun 5 09:18:07 localhost sendmail[1321]: k556I72R001321: Authentication-Warning: localhost.my.domain: elisej set sender to [EMAIL PROTECTED] using -f
    Jun 5 09:18:17 localhost sendmail[1321]: k556I72R001321: [EMAIL PROTECTED], size=5, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], [EMAIL PROTECTED]
    Jun 5 09:18:17 localhost sm-mta[1322]: k556IHub001322: from=[EMAIL PROTECTED], size=443, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
    Jun 5 09:18:17 localhost sendmail[1321]: k556I72R001321: [EMAIL PROTECTED], [EMAIL PROTECTED] (1001/1001), delay=00:00:10, xdelay=00:00:00, mailer=relay, pri=30005, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (k556IHub001322 Message accepted for delivery)
    Jun 5 09:18:17 localhost sm-mta[1324]: k556IHub001322: to=[EMAIL PROTECTED], delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30443, relay=mail.ukrpost.ua. [195.5.6.41], dsn=5.1.1, stat=User unknown
    Jun 5 09:18:17 localhost sm-mta[1324]: k556IHub001322: k556IHub001324: DSN: User unknown
    Jun 5 09:18:22 localhost sm-mta[1324]: k556IHub001324: to=[EMAIL PROTECTED], delay=00:00:05, xdelay=00:00:05, mailer=relay, pri=31467, relay=mail.ukrpost.ua. [195.5.6.41], dsn=2.0.0, stat=Sent (OK id=1Fn8Q0-0006J4-G5)

Then, I looked at the file authinfo with ls -lu and found that sendmail does not read it at all (see access time):

    -rw--- 1 root wheel 63 Jun 5 09:14 authinfo

What is the problem? I have sendmail 8.13.6 on FreeBSD 6.1-RELEASE.

Thank you in advance.
Elisej Babenko

-- 
Zeos: internet + callback with the best price/quality ratio
http://zeos.net
SMTP Authentication
How do I tell sendmail to provide an authentication string when I ask it to send messages to my ISP (a cable provider)? They use PLAIN authentication, and I did not have too much trouble getting the base 64 string by snooping with Ethereal when I sent mail from Evolution, and can send out emails by hand or from an Expect script.

The relevant part of my sendmail config file is:

    define(`SMART_HOST', `smtp.broadband.rogers.com')
    set SASL options
    TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
    define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

There doesn't seem any way to tell it what my userid and password for the ISP should be. I have tried reading various documentation, but haven't been able to find what is required.
Re: SMTP Authentication
On Sun, Oct 03, 2004 at 11:02:08AM -0400, Mike Jeays wrote:
> How do I tell sendmail to provide an authentication string when I ask it to send messages to my ISP (a cable provider)? They use PLAIN authentication, and I did not have too much trouble getting the base 64 string by snooping with Ethereal when I sent mail from Evolution, and can send out emails by hand or from an Expect script.
>
> The relevant part of my sendmail config file is:
>
> define(`SMART_HOST', `smtp.broadband.rogers.com')
> set SASL options
> TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

That's fine as it goes, but that's mostly to do with the server side of SMTP AUTH.

> There doesn't seem any way to tell it what my userid and password for the ISP should be. I have tried reading various documentation, but haven't been able to find what is required.

This is what the /etc/mail/authinfo file is for. This is the page you need to read -- specifically the second half:

http://www.sendmail.org/m4/smtp_auth.html

(or see the section "Providing SMTP AUTH Data when sendmail acts as Client" in /usr/share/sendmail/cf/README, which is basically the same text.)

The

    define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

stuff is actually deprecated, but it still works for the time being. However, to be completely up to date and for maximum future proofing, instead of that line, you should use:

    FEATURE(`authinfo', `hash -o /etc/mail/authinfo')dnl

Then edit the file /etc/mail/authinfo adding text as shown in the documentation:

    AuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5"
    AuthInfo:more.dom "U:user" "P=c2VjcmV0"

Then process that file into the db hash type read by Sendmail:

    # makemap hash authinfo.db < authinfo

and make sure that the authinfo data is properly secured:

    # chown root:wheel authinfo*
    # chmod 600 authinfo*

Then restart sendmail and try a few tests.

Note that if you're using PLAIN authentication you should also use privacy options 'goaway' to help prevent the password being trivially disclosed:

    define(`confPRIVACY_FLAGS', `authwarnings,goaway')dnl

You can use this method (with certain small modifications) to authenticate your MSP sendmail instance to your MTA sendmail -- search for 'msp-authinfo' in /usr/share/sendmail/cf/README.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
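The two precautions in the message above (an authinfo file readable by root only, and care with PLAIN) can be verified before running makemap. The Python below is an added example, not part of the original message or of sendmail: it parses authinfo source lines in the format shown, decodes `P=` values to show they are base64 and not encryption, and reports loose file modes and plaintext mechanisms. The function names, the third sample entry (smtp.example.net, mike) and the wording of the findings are assumptions.

```python
import base64
import os
import shlex
import stat

# Mechanisms whose password crosses the wire base64 encoded only.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# The two entries from the message above plus one constructed PLAIN entry.
SAMPLE = '''\
AuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5"
AuthInfo:more.dom "U:user" "P=c2VjcmV0"
AuthInfo:smtp.example.net "U:mike" "I:mike" "P:constructed-password" "M:PLAIN"
'''


def parse_authinfo(text):
    """Return one dict per AuthInfo line: host, decoded fields, line number."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # strips the double quotes around each field
        if not tokens[0].startswith("AuthInfo:"):
            raise ValueError("line %d: key does not start with AuthInfo:" % lineno)
        fields = {}
        for token in tokens[1:]:
            if len(token) < 2 or token[1] not in ":=":
                raise ValueError("line %d: bad field %r" % (lineno, token))
            value = token[2:]
            if token[1] == "=":  # "=" marks a base64 encoded value
                value = base64.b64decode(value, validate=True).decode("utf-8")
            fields[token[0].upper()] = value
        entries.append({"host": tokens[0][len("AuthInfo:"):],
                        "fields": fields, "line": lineno})
    return entries


def audit(path):
    """Check the authinfo source file (and its .db, if built) and its entries."""
    findings = []
    for candidate in (path, path + ".db"):
        if not os.path.exists(candidate):
            continue
        mode = stat.S_IMODE(os.stat(candidate).st_mode)
        if mode & 0o077:
            findings.append("%s: mode %04o lets group or other users in; "
                            "use chmod 600" % (candidate, mode))
    with open(path) as handle:
        entries = parse_authinfo(handle.read())
    for entry in entries:
        where = "line %d (%s)" % (entry["line"], entry["host"])
        fields = entry["fields"]
        if "U" not in fields and "I" not in fields:
            findings.append("%s: neither U nor I is set" % where)
        if "P" not in fields:
            findings.append("%s: no password field" % where)
        mechs = set(fields.get("M", "").upper().split())
        if mechs & PLAINTEXT_MECHS:
            findings.append("%s: M lists %s, whose password is only base64 "
                            "encoded in transit; make sure TLS is used to this host"
                            % (where, "/".join(sorted(mechs & PLAINTEXT_MECHS))))
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sample_path = os.path.join(tmp, "authinfo")
        with open(sample_path, "w") as handle:
            handle.write(SAMPLE)
        os.chmod(sample_path, 0o644)  # deliberately too open
        for finding in audit(sample_path):
            print(finding)
```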
qmail +smtp authentication ?
Greetings,

I want to set up a personal email server for my domain on my FreeBSD 4.7S box. I've heard great things about qmail. This led me to wonder about smtp authentication with qmail, as I think that would eliminate the open relay problem.

Is smtp authentication possible with qmail?

thanks (a link to the FM would be fine.)
-Darryl
Re: qmail +smtp authentication ?
On Wed, 2003-08-06 at 10:06, Darryl Hoar wrote:
> Greetings,
>
> I want to set up a personal email server for my domain on my FreeBSD 4.7S box. I've heard great things about qmail. This led me to wonder about smtp authentication with qmail, as I think that would eliminate the open relay problem.
>
> Is smtp authentication possible with qmail?

http://www.cuni.cz/~vhor/qmail/smtpauth-en.html

This is what I used to get it working. It works just fine for the most part using login auth. The only problem I have is that on each email that is sent, qmail-smtpd exits abnormally. Nothing is destabilized, but if you ever figure it out, send me a line (if you use this).
Re: qmail +smtp authentication ?
> I want to set up a personal email server for my domain on my FreeBSD 4.7S box. I've heard great things about qmail. This led me to wonder about smtp authentication with qmail as I think that would eliminate the open relay problem.
>
> Is smtp authentication possible with qmail?

What I do is add in an SMTP AUTH patch to the qmail source before installing. (I'm not sure if there is a clean way to do this with the port; make the port, patch in the changes, make again and then make install seems to work but is long-winded!)

We use Qmail-LDAP here, so I'm not sure which patch works best for a regular Qmail install - but there are several listed on http://www.qmail.org/top.html . A long time ago, I used Mrs Brisby's patch ( http://www.nimh.org/dl/qmail-smtpd.c ) and it worked okay. A friend of mine pointed me at http://www.qmail.org/qmail-auth-20010105.tar.gz - he said it worked for him.

Incidentally, if you haven't found it yet, Life With Qmail (available online at http://www.lifewithqmail.com/lwq.html ) is a really excellent guide to getting everything working, and keeping it that way.

-- 
Herbert.
SMTP Authentication
I recently configured the mail server I administrate to do SMTP Authentication using sasl. sasl is configured to use PAM for authentication, and the smtp PAM service calls pam_mysql. I know it's rather convoluted, but it's the only solution that matched my needs. But I digress.

Shortly after configuring this system, my logs began reporting the following error:

    Mar 20 00:31:01 rackspace postfix/smtpd[45892]: add_plugin(/usr/local/lib/sasl/libkerberos4.so) failed: generic failure

This error repeats upwards of 70 times per day. Unfortunately, I cannot track down the cause of this problem. I am not using kerberos anywhere on my system, and I cannot find a reference to libkerberos in any of the configuration files.

Any ideas what could be causing this error and how I might track it down?

Thank you,

Paul D. Lathrop

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: SMTP Authentication
On Friday, March 21, 2003, at 09:26 AM, Paul Lathrop wrote:

> I recently configured the mail server I administrate to do SMTP Authentication using sasl. sasl is configured to use PAM for authentication, and the smtp PAM service calls pam_mysql. I know it's rather convoluted, but it's the only solution that matched my needs. But I digress.
>
> Shortly after configuring this system, my logs began reporting the following error:
>
>     Mar 20 00:31:01 rackspace postfix/smtpd[45892]: add_plugin(/usr/local/lib/sasl/libkerberos4.so) failed: generic failure
>
> This error repeats upwards of 70 times per day. Unfortunately, I cannot track down the cause of this problem. I am not using kerberos anywhere on my system, and I cannot find a reference to libkerberos in any of the configuration files.
>
> Any ideas what could be causing this error and how I might track it down?

Did you install SASL from the package or from the port? IIRC, the package is compiled with Kerberos support.

- jim
Re: SMTP Authentication
> Did you install SASL from the package or from the port? IIRC, the package is compiled with Kerberos support.
>
> - jim

I installed from the ports collection, but used just the default configuration. I have looked all through my Postfix config files and can't find a setting that says it accepts kerberos authentication, but that could be because it is a default I was unaware of. I am rooting through postfix docs now.

-Paul
Re: SMTP Authentication
On Friday, March 21, 2003, at 01:04 PM, Paul Lathrop wrote:

>> Did you install SASL from the package or from the port? IIRC, the package is compiled with Kerberos support.
>
> I installed from the ports collection, but used just the default configuration. I have looked all through my Postfix config files and can't find a setting that says it accepts kerberos authentication, but that could be because it is a default I was unaware of. I am rooting through postfix docs now.

Both ports (cyrus-sasl and cyrus-sasl2) have the following:

    .if defined(KRB5_HOME) && exists(${KRB5_HOME})
    CONFIGURE_ARGS+=--enable-gssapi=${KRB5_HOME}
    .elif defined(HEIMDAL_HOME) && exists(${HEIMDAL_HOME})
    CONFIGURE_ARGS+=--enable-gssapi=${HEIMDAL_HOME}
    .else
    CONFIGURE_ARGS+=--disable-gssapi
    GSSAPI= @comment
    .endif
    .if exists(/usr/lib/libkrb.a)
    CONFIGURE_ARGS+=--enable-krb4
    .else
    CONFIGURE_ARGS+=--disable-krb4
    EBONES= @comment
    .endif

Check to see if you have either KRB5_HOME or HEIMDAL_HOME set in your environment or if /usr/lib/libkrb.a exists.

- jim
Re: SMTP Authentication
On Fri, Mar 21, 2003 at 04:04:57PM -0500, Paul Lathrop wrote:

>> Did you install SASL from the package or from the port? IIRC, the package is compiled with Kerberos support.
>>
>> - jim
>
> I installed from the ports collection, but used just the default configuration. I have looked all through my Postfix config files and can't find a setting that says it accepts kerberos authentication, but that could be because it is a default I was unaware of. I am rooting through postfix docs now.

Paul,

We (Jim and I) are pointing you in a good direction. Your problem has nothing to do with Postfix, it's SASL's.

Cheers,

greg

-- 
Grzegorz Czaplinski
Re: SMTP Authentication
Hi,

Please try these steps:

1) cd /usr/local/lib/sasl (most probably libkerberos4* files will be in the /usr/local/lib/sasl directory)
2) mkdir libkerberosMOVED
3) mv libkerberos4* libkerberosMOVED

These were what I did.

Cheers

SSR

> From: Paul Lathrop [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: SMTP Authentication
> Date: Fri, 21 Mar 2003 12:26:41 -0500
>
> I recently configured the mail server I administrate to do SMTP Authentication using sasl. sasl is configured to use PAM for authentication, and the smtp PAM service calls pam_mysql. I know it's rather convoluted, but it's the only solution that matched my needs. But I digress.
>
> Shortly after configuring this system, my logs began reporting the following error:
>
>     Mar 20 00:31:01 rackspace postfix/smtpd[45892]: add_plugin(/usr/local/lib/sasl/libkerberos4.so) failed: generic failure
>
> This error repeats upwards of 70 times per day. Unfortunately, I cannot track down the cause of this problem. I am not using kerberos anywhere on my system, and I cannot find a reference to libkerberos in any of the configuration files.
>
> Any ideas what could be causing this error and how I might track it down?
>
> Thank you,
>
> Paul D. Lathrop
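The two checks the thread arrives at, as an added example (not code from the thread or from the cyrus-sasl port): count the `add_plugin` failures per plugin in the mail log, and evaluate the port's Makefile conditions to see which Kerberos switches a build would get. The function names are assumptions, the log lines are constructed from the one quoted above, and the client address in the second line is made up.

```python
import re
from collections import Counter

# Constructed syslog lines modelled on the one quoted in the thread.
SAMPLE_LOG = [
    "Mar 20 00:31:01 rackspace postfix/smtpd[45892]: "
    "add_plugin(/usr/local/lib/sasl/libkerberos4.so) failed: generic failure",
    "Mar 20 00:31:02 rackspace postfix/smtpd[45892]: connect from unknown[192.0.2.7]",
    "Mar 20 00:44:10 rackspace postfix/smtpd[45910]: "
    "add_plugin(/usr/local/lib/sasl/libkerberos4.so) failed: generic failure",
]

PLUGIN_FAIL = re.compile(r"add_plugin\((?P<path>[^)]+)\) failed: (?P<why>.+)$")

def failed_plugins(lines):
    """Count SASL plugin load failures per (plugin path, reason)."""
    hits = Counter()
    for line in lines:
        m = PLUGIN_FAIL.search(line)
        if m:
            hits[(m["path"], m["why"].strip())] += 1
    return hits

def port_configure_args(env, exists):
    """Mirror the Makefile fragment: which Kerberos switches the port passes.

    env    -- mapping of make/environment variables
    exists -- callable(path) -> bool, e.g. os.path.exists
    """
    args = []
    for var in ("KRB5_HOME", "HEIMDAL_HOME"):      # the .if / .elif branches
        if var in env and exists(env[var]):
            args.append(f"--enable-gssapi={env[var]}")
            break
    else:                                          # the .else branch
        args.append("--disable-gssapi")
    krb4 = exists("/usr/lib/libkrb.a")             # base-system Kerberos IV library
    args.append("--enable-krb4" if krb4 else "--disable-krb4")
    return args
```

Calling `port_configure_args(os.environ, os.path.exists)` on the build host shows whether a rebuild would still produce the kerberos4 plugin.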