Re: How to enable LOGIN PLAIN under TLS in Sendmail 250-AUTH advertisement (Sendmail 8.14.5 + Cyrus-SASL 2.1.25p2-ldap + cyrus-imapd-2.4.13p0)

On 10/18/13 22:05 +0400, Denis Lapshin wrote:
I have a working setup of Sendmail 8.14.5 + Cyrus-SASL 2.1.25p2-ldap +
cyrus-imapd-2.4.13p0. The users' passwords are fetched from an LDAP server, which
authenticates users for other services.

Only one problem is still not solved:

How to enable PLAIN LOGIN in 250-AUTH advertisement by Sendmail just after
STARTTLS session?

...
dnl The option below is blocking PLAIN and LOGIN attempts on unsecured
channels
dnl (i.e. port 25 w/o STARTTLS command issued first)
define('confAUTH_OPTIONS', 'A p y')dnl
define('confAUTH_MECHANISMS', 'LOGIN PLAIN')dnl
TRUST_AUTH_MECH('LOGIN PLAIN')dnl
dnl
dnl Tell sendmail not to bother to ask for client certificates
dnl define('confTLS_SRV_OPTIONS', 'V')dnl
dnl
dnl STARTTLS support for SMTP-AUTH; uncomment and read starttls(8) to use
dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/ca.crt')dnl
define(`confSERVER_CERT', `CERT_DIR/server.crt')dnl
define(`confSERVER_KEY', `CERT_DIR/private/server.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/client.crt')dnl
define(`confCLIENT_KEY', `CERT_DIR/client.pem')dnl
...
dnl
MAILER(smtp)dnl
MAILER(local)dnl
dnl
define('confLOCAL_MAILER', 'cyrysv2')dnl
MAILER(cyrusv2)dnl
dnl
define('confLOG_LEVEL', '14')dnl
...

Have you also created a SASL Sendmail.conf file? It should either contain
no 'pwcheck_method' entry, or explicitly include your desired mechanisms.

Use pluginviewer to verify the PLAIN and LOGIN mechanisms were properly
compiled and installed.

#openssl s_client -starttls smtp -crlf -connect you.server.tld:587
...
---
250 HELP
ehlo localhost
250-mail.server.org Hello root@xxxxxxxxxxxxxxxxxxxxxxxxx [50.0.1.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
but there is LOGIN PLAIN which must be present according to Sendmail
config.mc?
250-DELIVERBY
250 HELP

The same absence of advertisement of PLAIN LOGIN when connected

(smtptest is another way to test this)

TLS encryption of the connection is working properly, but Sendmail does not
issue 250-AUTH PLAIN LOGIN and still offers me some encrypted mechanisms
like GSSAPI CRAM-MD5 DIGEST-MD5, but I need PLAIN LOGIN.

What am I doing wrong, or maybe I have to rebuild Cyrus-SASL from ports
and/or sources with PLAIN LOGIN options enabled? Can it be a bug in
Cyrus-SASL and/or Sendmail?

Sendmail may (or may not) have the equivalent of Cyrus IMAP's
'allowplaintext'. You may also need to adjust your 'minimum_ssf' and
'maximum_ssf' values if they are exposed within Sendmail's configuration.

See:

http://cyrusimap.org/docs/cyrus-sasl/2.1.25/sysadmin.php
http://www.sendmail.org/~ca/email/auth.html

--
Dan White
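
The check discussed in this thread, as an added example that is not part of the original messages: it parses EHLO replies and reports whether PLAIN/LOGIN are withheld on the cleartext channel and offered after STARTTLS, which is the behaviour the 'p' auth option is meant to give. The sample replies and the host name mail.example.org are constructed (the AUTH line is the one quoted above); `probe()` is a hypothetical helper for a live server.

```python
import re
import smtplib

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample replies; the AUTH line in SAMPLE_TLS is the one quoted in the thread.
SAMPLE_CLEAR = "250-mail.example.org Hello\r\n250-STARTTLS\r\n250 HELP\r\n"
SAMPLE_TLS = ("250-mail.example.org Hello\r\n250-SIZE\r\n"
              "250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5\r\n250 HELP\r\n")

def auth_mechs(ehlo_reply):
    """Return the set of SASL mechanisms advertised in an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # Accept both "250-AUTH A B" and the legacy "250-AUTH=A B" form.
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def audit(before_tls, after_tls, wanted=PLAINTEXT_MECHS):
    """Compare the mechanism sets seen before and after STARTTLS."""
    findings = []
    leaked = set(before_tls) & PLAINTEXT_MECHS
    if leaked:
        findings.append(f"plaintext mechanisms offered without TLS: {sorted(leaked)}")
    missing = set(wanted) - set(after_tls)
    if missing:
        findings.append(f"not offered after STARTTLS: {sorted(missing)}")
    return findings

def probe(host, port=587):
    """Live check (needs network): mechanisms before and after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = set(s.esmtp_features.get("auth", "").upper().split())
        s.starttls()
        s.ehlo()  # capabilities must be re-read once the TLS layer is active
        after = set(s.esmtp_features.get("auth", "").upper().split())
    return before, after

if __name__ == "__main__":
    for finding in audit(auth_mechs(SAMPLE_CLEAR), auth_mechs(SAMPLE_TLS)):
        print(finding)
```

An empty list from `audit()` means the advertisement matches the intended policy; `audit(*probe("mail.example.org"))` runs the same comparison against a live server.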



