Eric Ewanco schrieb:
I am having a heck of a time getting Sendmail 8.13.1 to authenticate
using Cyrus saslauthd 2.1.13. I need help isolating my problem to
either saslauthd or Sendmail.
Hopefully both Sendmail and Cyrus-SASL are patched to cover the security
issues the plain upstream versions have.
Saslauthd has worked fine with Cyrus imapd for years. If I test it
using testsaslauthd, it authenticates fine with a service name of smtp
or imap.
Sendmail, however, refuses to provide the AUTH command and complains
Jul 12 14:11:49 polycarp sendmail[1322]: AUTH warning: no mechanisms
I have followed several sets of instructions for configuring Sendmail
for saslauthd and none have worked.
I am invoking saslauthd with the -a shadow option.
Is there a way to determine which mechanisms are available? I did this:
Check which Cyrus-SASL libraries are installed, either by using your
package manager or just looking into the libraries directory. For
instance in your care /usr/lib/sasl2 has to contain liblogin.so and
libplain.so.
[root@polycarp eje]# /usr/local/sbin/saslauthd -v
saslauthd 2.1.13
authentication mechanisms: getpwent pam rimap shadow
How come the "mechanisms" cited by the -v option don't match up with
the mech_list in the configuration file (below), but rather match the
"methods"? Which type of mechanism is Sendmail complaining about?
"saslauthd -v" gives you a list of supported (compiled in) auth method
backends, which is not the same as the mechanism used.
/usr/lib/sasl2/Sendmail.conf says:
#pwcheck_method: saslauthd
pwcheck_method: shadow
mech_list: PLAIN CRAM-MD5 DIGEST-MD5
2 faults: a) with SASLv2 you can't use pwcheck_method shadow! It has
either to be saslauthd or auxprop. b) using saslauthd you can't use
shared secret mechs (CRAM-MD5 / DIGEST-MD5).
I tried running saslauthd in debug mode but it printed out nothing
when I invoked Sendmail.
sendmail.mc contains:
define(`confAUTH_MECHANISMS',`LOGIN PLAIN DIGEST-MD5')
define(`confAUTH_OPTIONS',`y,p,a')
You know what these parameters mean? If not please see in Sendmail's
op.me doc file. You specify "y" which means that LOGIN and PLAIN will
only be offered when a trusted connection is established: STARTTLS or
SMTPS. As said before, offering DIGEST-MD5 is useless if you run (or
need to run) saslauthd, because your auth credentials are stored in the
shadow file.
TRUST_AUTH_MECH(`LOGIN DIGEST-MD5 PLAIN')
Your mech list in sendmail.mc does not match the list in Sendmail.conf,
that is not good. Here because Sendmail now offers LOGIN while the SASL
setup by Sendmail.conf does not list LOGIN as a possible mech. An
attempt to use LOGIN will fail.
...
LOCAL_CONFIG
ESASL_PATH=/usr/lib/sasl2
Thanks!
Eric Ewanco
Hope it helps.
Alexander
