Re: [gentoo-user] problem with saslauthd
On Thu, 12 May 2022 11:53:16 -0400, Grant Taylor wrote:
>
> On 5/12/22 8:42 AM, John Covici wrote:
> > So, I went on to the sasl mailing list and someone found a
> > patch -- seems to be available for the freebsd port, and the
> > patch was specific to sendmail and dev-libs/cyrus-sasl 2.1.28.
> > I modified it for gentoo and it fixed everything up! I wonder
> > if I should file this somewhere -- funny no one else noticed
> > this before -- I saw nothing on bgo.
>
> Hi John,
>
> I'm glad that you found a solution.
>
> I'm sorry that I've not responded to your detailed message yet.
> Life / $WORK has been really busy this week. I was planning on
> giving your message the attention it deserved this weekend.
>
> Yes, I suspect that a patch or at least a bug report to Gentoo
> would be good.
>
> I'd suggest starting communications with the Gentoo package
> maintainer if there is no better place. I expect that they will
> receive the patch and / or redirect you somewhere better.

OK, I will see if I can find the maintainer, I saw lots of references
in the bug list to maintainer wanted, we shall see.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

Re: [gentoo-user] problem with saslauthd
On 5/12/22 8:42 AM, John Covici wrote:
> So, I went on to the sasl mailing list and someone found a patch --
> seems to be available for the freebsd port, and the patch was specific
> to sendmail and dev-libs/cyrus-sasl 2.1.28. I modified it for gentoo
> and it fixed everything up! I wonder if I should file this somewhere
> -- funny no one else noticed this before -- I saw nothing on bgo.

Hi John,

I'm glad that you found a solution.

I'm sorry that I've not responded to your detailed message yet.
Life / $WORK has been really busy this week. I was planning on
giving your message the attention it deserved this weekend.

Yes, I suspect that a patch or at least a bug report to Gentoo
would be good.

I'd suggest starting communications with the Gentoo package
maintainer if there is no better place. I expect that they will
receive the patch and / or redirect you somewhere better.

--
Grant. . . .
unix || die

Re: [gentoo-user] problem with saslauthd
So, I went on to the sasl mailing list and someone found a patch --
seems to be available for the freebsd port, and the patch was specific
to sendmail and dev-libs/cyrus-sasl 2.1.28. I modified it for gentoo
and it fixed everything up! I wonder if I should file this somewhere
-- funny no one else noticed this before -- I saw nothing on bgo.

On Fri, 06 May 2022 10:47:15 -0400, Grant Taylor wrote:
>
> On 5/6/22 4:09 AM, John Covici wrote:
> > So, I restored all the files, I could like sendmail.mc and the
> > Sendmail.conf, but no joy, still no authentication
> > mechanisms. I restored them to about first of April.
>
> Well darn. :-/
>
> > This still leads me to saslauthd.
>
> I didn't mean to imply that it /wasn't/ SASL, just that the two
> are separate.
>
> Have you been maintaining your sendmail.cf via the sendmail.mc
> file? Or are there unaccounted for hand edits? -- I'll often
> test new things in sendmail.cf directly and then promote them to
> sendmail.mc once I have identified what I want.
>
> Likewise with submit.cf / submit.mc.
>
> Would you be willing to share your sendmail.mc and submit.mc
> files? Feel free to "REDACT" things as necessary. (Please make
> sure it's easy to tell what is redacted.)
>
> --
> Grant. . . .
> unix || die

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

Re: [gentoo-user] problem with saslauthd
On Fri, 06 May 2022 10:47:15 -0400, Grant Taylor wrote:
>
> On 5/6/22 4:09 AM, John Covici wrote:
> > So, I restored all the files, I could like sendmail.mc and the
> > Sendmail.conf, but no joy, still no authentication
> > mechanisms. I restored them to about first of April.
>
> Well darn. :-/
>
> > This still leads me to saslauthd.
>
> I didn't mean to imply that it /wasn't/ SASL, just that the two
> are separate.
>
> Have you been maintaining your sendmail.cf via the sendmail.mc
> file? Or are there unaccounted for hand edits? -- I'll often
> test new things in sendmail.cf directly and then promote them to
> sendmail.mc once I have identified what I want.
>
> Likewise with submit.cf / submit.mc.
>
> Would you be willing to share your sendmail.mc and submit.mc
> files? Feel free to "REDACT" things as necessary. (Please make
> sure it's easy to tell what is redacted.)

I do not usually modify my sendmail.cf, I probably would make a
mistake somewhere. So, here is my sendmail.mc, no passwords or
anything secret that I am aware of.

divert(0)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc,v 1.2 2004/12/07 01:59:31 g2boojum Exp $')dnl
OSTYPE(mklinux)
define(`confDONT_BLAME_SENDMAIL', `IncludeFileInUnsafeDirPath,AssumeSafeChown, GroupWritableForwardFileSafe, ForwardFileInGroupWritableDirPath,groupreadablekeyfile groupreadableSASLdbfile')dnl
define(`LOCAL_MAILER_PATH', `/usr/sbin/mail.local')dnl
define(`LOCAL_MAILER_FLAGS', `Ermn9')dnl
define(`LOCAL_MAILER_ARGS', `mail $u')dnl
FEATURE(`access_db')dnl
FEATURE(`delay_checks', `friend')dnl
dnl # The greet_pause feature stops some automail bots - but check the
dnl # provided access db for details on excluding localhosts...
FEATURE(`greet_pause', `1000')dnl 1 seconds
dnl # Stop connections that overflow our concurrent and time connection rates
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
dnl #
FEATURE(`mailertable')dnl
FEATURE(`authinfo')dnl
LOCAL_DOMAIN(`covici.com')dnl
dnl #
dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
dnl # Remove `, Addr=' clauses to receive from any interface
dnl # If you want to support IPv6, switch the commented/uncommentd lines
FEATURE(`no_default_msa')dnl
dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp')dnl
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=587', `M=Ea')dnl
dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, Addr=::1')dnl
dnl DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, Addr=127.0.0.1')dnl
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')dnl
define(`confMAX_HEADERS_LENGTH', `65536')dnl
define(`confDELAY_LA', `20')dnl
define(`confQUEUE_LA', `30')dnl
define(`confREFUSE_LA', `20')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confTO_MAIL', `10m')dnl
define(`confTO_RCPT', `1h')dnl
define(`confTO_DATAINIT', `10m')dnl
define(`confTO_DATABLOCK', `1h')dnl
define(`confTO_DATAFINAL', `1h')dnl
define(`confTO_MISC', `5m')dnl
define(`confTO_AUTH', `20m')dnl
define(`confAUTH_OPTIONS', `A p y')dnl
define(`TRUST_AUTH_MECH', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
dnl # CRL not found... do not issue warnings on it!
undefine(`confCRL')dnl
define(`confCACERT_PATH', `/etc/letsencrypt/live/ccs.covici.com/')dnl
define(`confCACERT',`/etc/letsencrypt/live/ccs.covici.com/fullchain.pem')dnl
define(`confCLIENT_CERT', `/etc/letsencrypt/live/ccs.covici.com/cert.pem')dnl
define(`confCLIENT_KEY', `/etc/letsencrypt/live/ccs.covici.com/privkey.pem')dnl
define(`confSERVER_CERT', `/etc/letsencrypt/live/ccs.covici.com/cert.pem')dnl
define(`confSERVER_KEY', `/etc/letsencrypt/live/ccs.covici.com/privkey.pem')dnl
LOCAL_CONFIG
OA/etc/mail/bfg_list.txt
define(`SMTP_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
FEATURE(`local_lmtp')dnl
define(`LOCAL_MAILER_ARGS', `TCP $h 8024')dnl
MAILER(local)
MAILER(smtp)

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

Re: [gentoo-user] problem with saslauthd
On 5/6/22 4:09 AM, John Covici wrote:
> So, I restored all the files, I could like sendmail.mc and the
> Sendmail.conf, but no joy, still no authentication mechanisms. I
> restored them to about first of April.

Well darn. :-/

> This still leads me to saslauthd.

I didn't mean to imply that it /wasn't/ SASL, just that the two
are separate.

Have you been maintaining your sendmail.cf via the sendmail.mc
file? Or are there unaccounted for hand edits? -- I'll often
test new things in sendmail.cf directly and then promote them to
sendmail.mc once I have identified what I want.

Likewise with submit.cf / submit.mc.

Would you be willing to share your sendmail.mc and submit.mc
files? Feel free to "REDACT" things as necessary. (Please make
sure it's easy to tell what is redacted.)

--
Grant. . . .
unix || die

Re: [gentoo-user] problem with saslauthd
So, I restored all the files, I could like sendmail.mc and the
Sendmail.conf, but no joy, still no authentication mechanisms. I
restored them to about first of April.

This still leads me to saslauthd.

On Thu, 05 May 2022 12:52:45 -0400, Grant Taylor wrote:
>
> On 5/5/22 10:39 AM, John Covici wrote:
> > saslauthd is running, but it seems to ignore the Sendmail.conf .
>
> I think it's the other way around.
>
> Sendmail is told to support authentication via one or more
> methods, one of which can be SASL and co.
>
> The actual SASL auth daemon just listens on a unix socket and /
> or TCP port for clients to test authentication pairs, returning a
> pass fail type message.
>
> > I used openssl s_client to connect to my sendmail, it was happy
> > with the certs, but in response to the ehlo gives me no auth
> > line at all.
>
> :-/
>
> > Very strange.
>
> Very annoying, definitely.
>
> I don't know if it's strange yet or not. I think the strangeness
> will be confirmed or refuted after finding out why Sendmail isn't
> offering AUTH options.
>
> My favorite thing to turn to when things that used to work and
> now don't is to restore a backup of the configuration file and
> compare them. Can you do that with your sendmail.cf or
> sendmail.mc file?
>
> There's also a chance that it's your submit.cf or submit.mc file
> since we're talking about the MSA on port 587. (Unless you
> aren't using the separate MSA which has been standard for 15+
> years.)
>
> --
> Grant. . . .
> unix || die

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

Re: [gentoo-user] problem with saslauthd
On 5/5/22 1:24 PM, John Covici wrote:
> I do have a submit.mc file, but I have not changed this at all. What
> is strange to me is that if I do saslauthd -v should not I get
> everything that my Sendmail.conf has?

I would not assume so.

I say that based on my understanding of how SASL and Sendmail
interact. In many ways, Sendmail and SASL are two entirely separate
sub-systems.

Sendmail (as I usually see it configured) wholesale outsources
testing authentication credentials. It does so by asking the
completely independent SASL authentication daemon to test the
credentials (nominally a username and password pair) to see if they
are valid. SASL returns a yes / no to Sendmail. Sendmail alters what
it does based on that answer.

Since Sendmail and SASL are independent entities there is no reason
for SASL to know anything about how Sendmail is configured.

> I can check an old backup and see if I have one for my sendmail.mc
> and get back.

ACK

--
Grant. . . .
unix || die

Re: [gentoo-user] problem with saslauthd
On Thu, 05 May 2022 12:52:45 -0400, Grant Taylor wrote:
>
> On 5/5/22 10:39 AM, John Covici wrote:
> > saslauthd is running, but it seems to ignore the Sendmail.conf .
>
> I think it's the other way around.
>
> Sendmail is told to support authentication via one or more
> methods, one of which can be SASL and co.
>
> The actual SASL auth daemon just listens on a unix socket and /
> or TCP port for clients to test authentication pairs, returning a
> pass fail type message.
>
> > I used openssl s_client to connect to my sendmail, it was happy
> > with the certs, but in response to the ehlo gives me no auth
> > line at all.
>
> :-/
>
> > Very strange.
>
> Very annoying, definitely.
>
> I don't know if it's strange yet or not. I think the strangeness
> will be confirmed or refuted after finding out why Sendmail isn't
> offering AUTH options.
>
> My favorite thing to turn to when things that used to work and
> now don't is to restore a backup of the configuration file and
> compare them. Can you do that with your sendmail.cf or
> sendmail.mc file?
>
> There's also a chance that it's your submit.cf or submit.mc file
> since we're talking about the MSA on port 587. (Unless you
> aren't using the separate MSA which has been standard for 15+
> years.)

I do have a submit.mc file, but I have not changed this at all. What
is strange to me is that if I do saslauthd -v should not I get
everything that my Sendmail.conf has?

I can check an old backup and see if I have one for my sendmail.mc
and get back.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

Re: [gentoo-user] problem with saslauthd
On 5/5/22 10:39 AM, John Covici wrote:
> saslauthd is running, but it seems to ignore the Sendmail.conf .

I think it's the other way around.

Sendmail is told to support authentication via one or more
methods, one of which can be SASL and co.

The actual SASL auth daemon just listens on a unix socket and /
or TCP port for clients to test authentication pairs, returning a
pass fail type message.

> I used openssl s_client to connect to my sendmail, it was happy
> with the certs, but in response to the ehlo gives me no auth
> line at all.

:-/

> Very strange.

Very annoying, definitely.

I don't know if it's strange yet or not. I think the strangeness
will be confirmed or refuted after finding out why Sendmail isn't
offering AUTH options.

My favorite thing to turn to when things that used to work and
now don't is to restore a backup of the configuration file and
compare them. Can you do that with your sendmail.cf or
sendmail.mc file?

There's also a chance that it's your submit.cf or submit.mc file
since we're talking about the MSA on port 587. (Unless you
aren't using the separate MSA which has been standard for 15+
years.)

--
Grant. . . .
unix || die

Re: [gentoo-user] problem with saslauthd
On Thu, 05 May 2022 12:22:55 -0400, Grant Taylor wrote:
>
> On 5/4/22 7:31 AM, John Covici wrote:
> > Hi. I have been using various clients to connect to my sendmail
> > server using port 587 and using starttls to encrypt the connections
> > and then using the plain mechanism to send the user name and password
> > to authenticate.
> >
> > Last day or so this has stopped working -- I don't know that I changed
> > anything (famous last words),
>
> Assume that your configuration is at least acceptable until you
> have a reason to think otherwise.
>
> > So, after all that, anyone have an idea as to how to fix?
>
> Start with the simpler thing first.
>
> Is the SASL authentication daemon running?
>
> Did your (START)TLS certificate expire? Contemporary clients may
> silently refuse to use expired certs.
>
> > Thanks.
>
> You're welcome.
>
> Feel free to poke things and respond with more questions /
> details / errors / etc.

saslauthd is running, but it seems to ignore the Sendmail.conf .

I used openssl s_client to connect to my sendmail, it was happy with
the certs, but in response to the ehlo gives me no auth line at all.

Very strange.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

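Added example (not part of the thread and not any poster's code): the check described in the message above, done over a saved EHLO reply, comparing the mechanisms the server advertises with the mech_list quoted from Sendmail.conf in the original post. The EHLO transcripts and host names are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: EHLO reply with no AUTH line (the symptom in the thread).
EHLO_NO_AUTH = (
    "250-mail.example.org Hello client.example.org, pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250 HELP\r\n"
)
# Constructed sample: reply from a server that does advertise AUTH.
EHLO_WITH_AUTH = (
    "250-mail.example.org Hello client.example.org, pleased to meet you\r\n"
    "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN\r\n"
    "250 HELP\r\n"
)
# Sendmail.conf contents as quoted in the original post.
SASL_CONF = """\
pwcheck_method: saslauthd
allowanonymouslogin: 0
allowplaintext: 1
mech_list: EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
log_level: 3
"""

REPLY_LINE = re.compile(r"^250[ -](.*)$")

def ehlo_auth_mechs(reply):
    """Mechanisms advertised on the AUTH line(s) of an EHLO reply."""
    mechs = set()
    for raw in reply.splitlines():
        m = REPLY_LINE.match(raw.strip())
        if not m:
            continue  # s_client banner, certificate dump, other reply codes
        text = m.group(1).upper()
        if text.startswith("AUTH="):  # legacy "AUTH=A B" spelling
            text = "AUTH " + text[5:]
        words = text.split()
        if words and words[0] == "AUTH":
            mechs.update(words[1:])
    return mechs

def conf_mech_list(conf):
    """Mechanisms named by mech_list in a Cyrus SASL application config."""
    for raw in conf.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition(":")  # drop comments
        if sep and key.strip().lower() == "mech_list":
            return set(value.upper().split())
    return set()

def diagnose(reply, conf):
    """Compare what the server offers with what the SASL config asks for."""
    offered, wanted = ehlo_auth_mechs(reply), conf_mech_list(conf)
    return {"auth_offered": bool(offered),
            "missing": sorted(wanted - offered),
            "unexpected": sorted(offered - wanted)}

if __name__ == "__main__":
    print(diagnose(EHLO_NO_AUTH, SASL_CONF))
```

An empty result from `ehlo_auth_mechs` means the server advertised no AUTH line at all, which is the state the thread is debugging.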
Re: [gentoo-user] problem with saslauthd
On 5/4/22 7:31 AM, John Covici wrote:
> Hi. I have been using various clients to connect to my sendmail
> server using port 587 and using starttls to encrypt the connections
> and then using the plain mechanism to send the user name and password
> to authenticate.
>
> Last day or so this has stopped working -- I don't know that I changed
> anything (famous last words),

Assume that your configuration is at least acceptable until you
have a reason to think otherwise.

> So, after all that, anyone have an idea as to how to fix?

Start with the simpler thing first.

Is the SASL authentication daemon running?

Did your (START)TLS certificate expire? Contemporary clients may
silently refuse to use expired certs.

> Thanks.

You're welcome.

Feel free to poke things and respond with more questions /
details / errors / etc.

--
Grant. . . .
unix || die

[gentoo-user] problem with saslauthd
Hi. I have been using various clients to connect to my sendmail
server using port 587 and using starttls to encrypt the connections
and then using the plain mechanism to send the user name and password
to authenticate.

Last day or so this has stopped working -- I don't know that I changed
anything (famous last words), but I do see the following if I run
saslauthd -v

saslauthd 2.1.28
authentication mechanisms: sasldb getpwent pam rimap shadow

but I have in my Sendmail.conf file in /usr/lib64/sasl2

pwcheck_method: saslauthd
allowanonymouslogin: 0
allowplaintext: 1
mech_list: EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
log_level: 3
#

and this seems to be why if I run sendmail at a high enough loglevel I
get the message saying authwarning: no mechanisms.

So, after all that, anyone have an idea as to how to fix?

Thanks.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com