On Sat, Dec 16, 2017 at 08:42:26AM -0600, Edgar Pettijohn wrote:
> On Fri, Dec 15, 2017 at 12:21:42PM -0500, Mark Foley wrote:
> > On Fri, 15 Dec 2017 10:19:21 -0600 Dan White <dwhite@xxxxxxx> wrote:
> >
> > > On 12/12/17 18:19 -0500, Mark Foley wrote:
> > > >It then goes on to discuss downloading cyrus-sasl, verifying SASL is configured
> > > >in Sendmail (mine is), etc.. Are you suggesting that SASL and saslauthd are
> > > >separate things and that I can use one (SASL) without the other (saslauthd)?
>
> Sorry, I'm coming in to the conversation late and I think I missed the
> first message. I was just checking out the source for Slackware and it
> didn't look to me like `sendmail' is being built with sasl support at
> least not looking at the site.config.m4 provided with the distro. Take a
> look at:
>
> http://www.sendmail.org/~ca/email/auth.html
>
> https://dfw.mirror.rackspace.com/slackware/slackware64-current/source/n/libmilter/site.config.m4
> APPENDDEF(`conf_libmilter_ENVDEF',`-DNETINET6=1')
> APPENDDEF(`conf_libmilter_ENVDEF',`-D_FFR_WORKERS_POOL=1 -DMIN_WORKERS=4')
> APPENDDEF(`conf_libmilter_ENVDEF',`-DSM_CONF_POLL=1')
> APPENDDEF(`conf_libmilter_ENVDEF', `-DMILTER')
> APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE ')
> APPENDDEF(`confLIBDIR', `/usr/lib@LIBDIRSUFFIX@ ')
>
> Here is the site.config.m4 stuff from the SlackBuild
> cat $CWD/site.config.m4 | sed "s,@LIBDIRSUFFIX@,$LIBDIRSUFFIX," \
>   > devtools/Site/site.config.m4
>
> $ grep SASL devtools/Site/site.config.m4.sample
> $
>
> I'm not sure why one would include cyrus-sasl and not implement it with
> sendmail. My only guess would be since you have the option at install
> time not to install cyrus-sasl they don't want it to break the install
> of sendmail perhaps.
>
> On the plus side it looks like cyrus-sasl enables `gssapi' by default in
> the configure script. However, you may want to add a line to the cyrus
> slackbuild to choose your preferred gssapi mech.
>
> --with-gss_impl={heimdal|mit|cybersafe|seam|auto}
>
> The default is auto and without going further down the rabbit hole I
> don't know what auto would be on Slack and it may not be what you want.
>
> >
> > > saslauthd is part of Cyrus SASL, but Cyrus SASL does not require running
> > > saslauthd, and saslauthd cannot be used to perform direct SASL GSSAPI for
> > > server authentication.
> > >
> > > For documentation, consult /doc in the source, and:
> > >
> > > https://www.cyrusimap.org/sasl/
> > >
> >
> > Dan - thanks for your response.
> >
> > Yes, that's the exact page I've been consulting.
> >
> > This site: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cyrus-sasl.html
> > further advises downloading and applying *REQUIRED* patches:
> >
> > cyrus-sasl-2.1.26-fixes-3.patch
> > cyrus-sasl-2.1.26-openssl-1.1.0-1.patch
> >
> > Do you agree?
> >
> > The first listed patch is described as, "various package fixes, including
> > autotools fixes, plugin fixes, security fixes, parallel build fixes, etc.", and
> > was created Aug-24-2014.
> >
> > The 2nd patch has no description, but patches
> > cyrus-sasl-2.1.26-orig/plugins/ntlm.c and is dated May-07-2017 It applies to
> > openssl 1.1.0 whereas I have 1.0.2k (although it's patching plugin/ntlm.c, not
> > openssl, so I'm not sure my openssl version matters).
> >
> > Finally, if you've read this far! You wrote in a previous message:
> >
> > > I would personally not use saslauthd in the above manner [authenticating with
> > > sendmail]. If you have a controlled environment where your clients
> > > (Thunderbird) are known to support GSSAPI negotiation over the network, then
> > > configuring Sendmail to support GSSAPI directly is secure and recommended.
> >
> > The "configuring Sendmail to support GSSAPI directly" is the bit that got my
> > attention. To clarify, in order to do Sendmail and GSSAPI directly I *do* need
> > SASL, but *do not* need saslauthd, right?
> > > > Thanks, Mark > > Disregard most of what I said. I installed slackware as a qemu guest which was more difficult than expected. Most linux guests networking works out of the box. I had to set up a dhcp server and use a tap and bridge to get it working. Here are the steps to get it going. 1. install your preferred kerberos. I chose heimdal for this. http://slackbuilds.org/repository/14.2/network/heimdal/ 2. download the slackware official cyrus-sasl build stuff and remember you need all of the files. https://dfw.mirror.rackspace.com/slackware/slackware64-14.2/source/n/cyrus-sasl/ 3. edit the build script $ diff -u cyrus-sasl.SlackBuild.orig cyrus-sasl.SlackBuild --- cyrus-sasl.SlackBuild.orig Tue Dec 19 22:16:18 2017 +++ cyrus-sasl.SlackBuild Tue Dec 19 22:17:42 2017 @@ -80,6 +80,8 @@ --disable-anon \ --without-ldap \ --with-saslauthd \ + --enable-gssapi \ + --with-gss_impl=heimdal \ --with-gdbm \ --with-dblib=gdbm # How stupid that I need to specify 'sasldir' again for 'make' or else you get 4. rebuild cyrus sasl and install it # ./cyrus-sasl.Slackbuild # installpkg /tmp/cyrus... 5. download the slackware official sendmail build stuff https://dfw.mirror.rackspace.com/slackware/slackware64-14.2/source/n/sendmail/ rebuild it so it picks up the new sasl and install it 6. cd /usr/share/sendmail/cf/cf edit sendmail-slackware-tls-sasl.mc and add GSSAPI to the confAUTH_MECHANISMS as well as the TRUST_AUTH_MECHANISMS and perhaps make other changes as needed. 7. ./Build sendmail-slackware-tls-sasl.mc cp sendmail-slackware-tls-sasl.cf /etc/mail && cd /etc/mail cp sendmail.cf sendmail.cf.orig cp sendmail-slackware-tls-sasl.cf sendmail.cf /etc/rc.d/rc.sendmail restart telnet localhost 25 ehlo test.org and you should see GSSAPI listed next to AUTH
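
Review bot: In the configure arguments of the cyrus-sasl.SlackBuild hunk, `--with-gss_impl=heimdal` hardcodes one Kerberos implementation, and nothing in the script records that heimdal has to be installed before the build (step 1 of the message), so the package depends on an unstated prerequisite. Consider a comment above the two added lines naming that dependency, or a build variable that defaults to heimdal so a host with another of the listed implementations can override it. The placement between `--with-saslauthd \` and `--with-gdbm \` keeps the line continuations intact.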
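
An added example, not part of the message above or of the Slackware build files: a POSIX shell check for the last step, which reads a saved EHLO reply and confirms that GSSAPI appears on the AUTH line. The function names and both sample replies are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. All sample replies below are constructed.

# ehlo_auth_mechs: read an SMTP EHLO reply on stdin and print each advertised
# SASL mechanism once, upper-cased. Handles CRLF endings, "250-" and "250 "
# lines, and the legacy "AUTH=" form.
ehlo_auth_mechs() {
    tr -d '\r' | awk '
        /^250[- ][Aa][Uu][Tt][Hh][ =]/ {
            sub(/^250[- ][Aa][Uu][Tt][Hh][ =]/, "")
            $0 = toupper($0)
            for (i = 1; i <= NF; i++)
                if (!seen[$i]++) print $i
        }'
}

# check_gssapi: return 0 when GSSAPI is advertised, 1 otherwise, and report
# whether the plaintext mechanisms PLAIN or LOGIN are offered beside it.
check_gssapi() {
    mechs=$(ehlo_auth_mechs)
    all=$(printf '%s\n' "$mechs" | paste -s -d ' ' -)
    plain=$(printf '%s\n' "$mechs" | grep -E -x 'PLAIN|LOGIN' | paste -s -d ' ' -)
    if printf '%s\n' "$mechs" | grep -q -x 'GSSAPI'; then
        echo "OK: GSSAPI advertised (plaintext mechanisms offered: ${plain:-none})"
        return 0
    fi
    echo "FAIL: GSSAPI not advertised (AUTH offers: ${all:-nothing})"
    return 1
}

# Constructed reply from a server rebuilt as in steps 1-7.
SAMPLE_AFTER=$(printf '%s\r\n' \
    '250-mail.example.org Hello localhost [127.0.0.1], pleased to meet you' \
    '250-ENHANCEDSTATUSCODES' \
    '250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN' \
    '250-STARTTLS' \
    '250 HELP')
# Constructed reply from a server whose SASL build lacks the GSSAPI plugin.
SAMPLE_BEFORE=$(printf '%s\r\n' \
    '250-mail.example.org Hello localhost [127.0.0.1], pleased to meet you' \
    '250-AUTH DIGEST-MD5 CRAM-MD5' \
    '250 HELP')

printf '%s\n' "$SAMPLE_AFTER" | check_gssapi
printf '%s\n' "$SAMPLE_BEFORE" | check_gssapi || true
```

To use it on a real server, save the reply lines from the `ehlo` exchange in step 7 to a file and feed that file to `check_gssapi` on stdin.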