Need help with Saslauthd and Sendmail
Andreas Widerøe Andersen
andreas at wideroe.net
Fri Oct 8 03:30:57 PDT 2004
I'm using this guide
http://www.puresimplicity.net/~hemi/freebsd/sendmail.html to install a
secure mail server. The imap-uw part is working fine, but the sendmail part
isn't.
==========================================================================
My system:
FreeBSD 4.7 STABLE
Sendmail 8.12.10
Saslauthd 2.1.19
I just updated all ports before installing what's described in the guide above.
I'm also using Spamassassin to filter out spam.
==========================================================================
My Sendmail.conf:
# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd
==========================================================================
My /etc/rc.conf file looks like this:
# -- sysinstall generated deltas -- # Sun Sep 16 17:49:22 2001
# Created: Sun Sep 16 17:49:22 2001
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
# Local overrides of /etc/defaults/rc.conf. The sasl*/saslauthd_* lines at the
# end are the ones that matter for SMTP AUTH.
defaultrouter="xxx.xxx.xxx.xxx"
font8x14="iso-8x14"
font8x16="iso-8x16"
font8x8="iso-8x8"
hostname="server.hostname.net"
ifconfig_xl0="inet xxx.xxx.xxx.xxx netmaskxxx.xxx.xxx.xxx"
#ifconfig_xl0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx media
100baseTX mediaopt full-duplex"
kern_securelevel_enable="NO"
keymap="norwegian.iso"
moused_enable="NO"
nfs_reserved_port_only="NO"
# The base-system sendmail knob is commented out here.
#sendmail_enable="YES"
sshd_program=/usr/local/sbin/sshd
sshd_enable="YES"
usbd_enable="NO"
portmap_enable="NO"
lpd_enable="NO"
# Older pwcheck-based settings, disabled in favour of saslauthd.
# sasl_pwcheck_enable="YES"
# sasl_pwcheck_program="/usr/local/sbin/pwcheck"
# NOTE(review): the saslauthd.sh quoted later in this message turns
# saslauthd_runpath into "-m <dir>" and puts the pid file in that directory.
# sendmail's "cannot connect to saslauthd server: No such file or directory"
# means the socket it looks for does not exist -- confirm the directory exists
# and that the daemon is actually running with this path.
saslauthd_runpath="/var/state/saslauthd" # Working directory
saslauthd_program="/usr/local/sbin/saslauthd" # Location of saslauthd
# NOTE(review): the saslauthd.sh quoted later in this message defaults and
# documents saslauthd_enable (default "NO"); it never mentions
# sasl_saslauthd_enable. If that script is the installed one, this line does
# not enable the daemon, which would explain "start" doing nothing -- confirm
# which variable name the installed script expects.
sasl_saslauthd_enable="YES"
==========================================================================
The bottom of my /etc/make.conf:
# Setting SENDMAIL_SET_USER_ID will install the sendmail binary as a
# set-user-ID root binary instead of a set-group-ID smmsp binary and will
# prevent the installation of /etc/mail/submit.cf.
# This is a deprecated mode of operation. See etc/mail/README for more
# information.
#
#SENDMAIL_SET_USER_ID=
#
# The permissions to use on alias and map databases generated using
# /etc/mail/Makefile. Defaults to 0640.
#
#SENDMAIL_MAP_PERMS=
# Earlier Cyrus SASL v1 build settings, kept commented out.
#SENDMAIL_CFLAGS=-I/usr/local/include/sasl1 -DSASL
#SENDMAIL_LDFLAGS=-L/usr/local/lib
#SENDMAIL_LDADD=-lsasl
# SASL (cyrus-sasl v2) sendmail build flags...
# -DSASL=2 together with -lsasl2 builds sendmail against the SASL v2 library,
# the same major version as the saslauthd 2.1.19 reported in this message.
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
# Adding to enable alternate port (smtps) for sendmail...
# NOTE(review): presumably this compile-time flag is what the M=s modifier on
# the smtps DAEMON_OPTIONS line in the .mc file relies on -- confirm.
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
Sendmail has been rebuilt/restarted according to the guide.
==========================================================================
# ls -la /etc/mail/certs
total 5
drwxr-xr-x 2 root wheel 512 Oct 6 14:51 .
drwxr-xr-x 4 root wheel 512 Oct 8 00:21 ..
-rw------- 1 root wheel 1460 Oct 6 14:51 mycert.pem
-rw------- 1 root wheel 672 Oct 6 14:51 mykey.pem
==========================================================================
My sendmail.mc file (FQDN.mc):
divert(-1)
#
# Copyright (c) 1983 Eric P. Allman
# [snip]
divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.10.2.18 2003/04/24
16:57:30 gshapiro Exp $')
OSTYPE(freebsd4)
DOMAIN(generic)
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
# Mail is passed to the SpamAssassin milter over a local socket.
# NOTE(review): F= is empty, so neither R (reject) nor T (tempfail) is set;
# presumably mail is then accepted unfiltered whenever the milter is
# unreachable -- confirm this fail-open behaviour is intended.
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock,
F=, T=C:15m;S:4m;R:4m;E:10m')
# [snip]
# NOTE(review): with confAUTH_OPTIONS commented out, the port-25 EHLO reply
# quoted later in this message advertises AUTH PLAIN LOGIN before STARTTLS, so
# a client that authenticates without TLS sends its password in a trivially
# decodable form. The AUTH option p (no PLAIN/LOGIN unless a security layer
# is active) is the usual guard -- confirm against cf/README for this version.
# define(`confAUTH_OPTIONS', `A')dnl
# Only PLAIN and LOGIN are offered, and both are trusted for relaying.
define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
# One certificate/key pair is used as CA certificate, server certificate and
# client certificate. The ls listing in this message shows both files as
# mode 0600, owner root.
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
# Two listeners: plain smtp (STARTTLS is optional there) and smtps with the
# s modifier.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
# define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
# noexpn and novrfy switch off the EXPN and VRFY commands.
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)
==========================================================================
If I telnet to my mailserver on port 25 the mailserver gives this back:
ehlo localhost
250-server.hostname.net Hello server.hostname.net [xxx.xxx.xxx.xxx], pleased
to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
==========================================================================
Anyway, I've been looking into the saslauthd and I just saw an error
message in my logfile (/var/log/messages):
Oct 7 23:45:20 server sendmail[1054]: cannot connect to saslauthd server:
No such file or directory
That tells me the saslauthd isn't running. So I try to start it manually,
but first I check out the saslauthd version and its auth mechanisms:
# ./saslauthd -v
saslauthd 2.1.19
authentication mechanisms: sasldb getpwent pam rimap
Does this seem right?
Which auth mechanism is saslauthd supposed to use in this guide?
I try to start saslauthd manually by doing a
/usr/local/etc/rc.d/saslauthd.sh start, but nothing happens.
==========================================================================
Here's the content of this file:
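#!/bin/sh
#
# $FreeBSD: ports/security/cyrus-sasl2-saslauthd/files/saslauthd.sh,v 1.6 2004/06/11 15:49:48 ume Exp $
#
# PROVIDE: saslauthd
# REQUIRE: DAEMON
# BEFORE: mail imap
# KEYWORD: FreeBSD shutdown
#
# NOTE for FreeBSD 5.0+:
# If you want this script to start with the base rc scripts
# move saslauthd.sh to /etc/rc.d/saslauthd
#
# rc.d wrapper for saslauthd: sets defaults, loads the rc configuration, works
# out the pid file and the optional -m argument, then hands the requested
# action ("$1", e.g. start or stop) to rc.subr's run_rc_command.

prefix=/usr/local

# Define these saslauthd_* variables in one of these files:
# /etc/rc.conf
# /etc/rc.conf.local
# /etc/rc.conf.d/saslauthd
#
# DO NOT CHANGE THESE DEFAULT VALUES HERE
#
# The enable knob is saslauthd_enable and it defaults to "NO". A variable
# with any other name in rc.conf does not change it.
saslauthd_enable=${saslauthd_enable:-"NO"} # Enable saslauthd
# Default backend is PAM ("-a pam"); set saslauthd_flags to choose another of
# the mechanisms that "saslauthd -v" lists.
saslauthd_flags=${saslauthd_flags:-"-a pam"} # Flags to saslauthd program
#saslauthd_runpath="/var/state/saslauthd" # Working directory
#saslauthd_program="${prefix}/sbin/saslauthd" # Location of saslauthd

. /usr/local/etc/rc.subr

name="saslauthd"
# rcvar is derived from $name by rc.subr; presumably it resolves to
# saslauthd_enable, matching the default set above.
rcvar=$(set_rcvar)
command="${prefix}/sbin/${name}"

# Values from the rc.conf files override the defaults assigned above.
load_rc_config "$name"

if [ -z "$saslauthd_runpath" ]; then
  # No run path configured: no -m is passed, and the pid file is expected in
  # the default directory.
  pidfile="/var/state/saslauthd/${name}.pid"
else
  # A configured run path is used for the pid file and passed to the daemon
  # as -m. NOTE(review): clients such as sendmail must look for the socket in
  # the same directory -- confirm.
  pidfile="${saslauthd_runpath}/${name}.pid"
  command_args="-m ${saslauthd_runpath}"
fi

run_rc_command "$1"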
==========================================================================
Here's what my /var/log/maillog with LogLevel 25 reports:
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: <-- EHLO
workpc.hostname.net
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807:
milter=spamassassin, action=helo, continue
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: Milter
(spamassassin): time command (H), 0
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: ---
250-server.hostname.net Hello xxx.xxx.xxx.xxx.provider.net
[80.202.145.187], pleased to meet you
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: ---
250-ENHANCEDSTATUSCODES
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-PIPELINING
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-8BITMIME
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-SIZE
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-DSN
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-ETRN
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-AUTH PLAIN
LOGIN
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-STARTTLS
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-DELIVERBY
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250 HELP
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: <-- STARTTLS
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 220 2.0.0 Ready
to start TLS
Oct 8 00:08:19 server sendmail[1807]: STARTTLS=server, get_verify: 0
get_peer: 0x0
Oct 8 00:08:19 server sendmail[1807]: STARTTLS=server,
relay=xxx.xxx.xxx.xxx.provider.net [xxx.xxx.xxx.xxx], version=TLSv1/SSLv3,
verify=NO, cipher=EDH-DSS-DES-CBC3-SHA, bits=168/168
Oct 8 00:08:19 server sendmail[1807]: STARTTLS=server, cert-subject=,
cert-issuer=
Oct 8 00:08:19 server sendmail[1807]: AUTH: available mech=NTLM LOGIN
ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5, allowed mech=PLAIN LOGIN
Oct 8 00:08:19 server sendmail[1807]: i97M8Idv001807: <-- EHLO
hangloose.wideroe.net
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807:
milter=spamassassin, action=helo, continue
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: Milter
(spamassassin): time command (H), 0
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: ---
250-server.hostname.net Hello xxx.xxx.xxx.xxx.provider.net
[80.202.145.187], pleased to meet you
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: ---
250-ENHANCEDSTATUSCODES
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-PIPELINING
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-8BITMIME
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-SIZE
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-DSN
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-ETRN
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-AUTH PLAIN
LOGIN
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-DELIVERBY
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250 HELP
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: <-- AUTH LOGIN
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 334 VXNlcm5hbWU6
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 334 UGFzc3dvcmQ6
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 535 5.7.0
authentication failed
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: AUTH failure
(LOGIN): authentication failure (-13) SASL(-13): authentication failure:
checkpass failed
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: <-- RSET
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250 2.0.0 Reset
state
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: <-- MAIL
FROM:<andreas at wideroe.net>
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: Milter: senders:
<andreas at wideroe.net>
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807:
milter=spamassassin, action=mail, continue
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: Milter
(spamassassin): time command (M), 0
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: --- 250 2.1.0
<andreas at wideroe.net>... Sender ok
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: <-- RCPT
TO:<andreas at eunet.no>
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: --- 550 5.7.1
<andreas at eunet.no>... Relaying denied. Proper authentication required.
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: ruleset=check_rcpt,
arg1=<andreas at eunet.no>, relay=xxx.xxx.xxx.xxx.provider.net
[80.202.145.187], reject=550 5.7.1 <andreas at eunet.no>... Relaying denied.
Proper authentication required.
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: <-- QUIT
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: --- 221 2.0.0
server.hostname.net closing connection
Oct 8 00:08:19 server sendmail[1807]: STARTTLS=server, SSL_shutdown not done
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: Milter
(spamassassin): quit filter
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807:
from=<andreas at wideroe.net>, size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=xxx.xxx.xxx.xxx.provider.net [xxx.xxx.xxx.xxx]
==========================================================================
I have rebooted the server a couple of times as well.
I looked at some docs at the sendmail.org site:
http://www.sendmail.org/~ca/email/auth.html#authv2credit and under Patches
there's a link to a patch
(http://www.sendmail.org/~ca/email/patches/login.c.clt.p1) - Do I need it?
It says (http://www.sendmail.org/~ca/email/sm-812.html): "Note: the patches
below are not needed for sendmail 8.12.10
<http://www.sendmail.org/8.12.10.html> or newer!" If I need it, how do I install it?
Any help is highly appreciated!
Best regards,
Andreas
---
Andreas Wideroe Andersen <andreas at wideroe.net>
Mobile: (+47) 90 92 61 21
http://www.filmshooting.com