From: "Reed Lai"
To: "FreeBSD Question"
Date: Fri, 31 Jul 2009 12:51:21 +0800
Subject: Re: SMTP Authentication

The test of saslauthd seems OK too:

--------
banyan# testsaslauthd -s smtp -u aNNNNNN -p xxxxxxxx
0: OK "Success."
--------

The auth login in smtp connection is still not available:

--------
ehlo local
250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
...
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
auth login
504 5.3.3 AUTH mechanism login not available
--------

Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:26 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication

And there is LOGIN option selected (as ports default options) when installing the cyrus-sasl2.

Reed

From: Reed Lai
Sent: Friday, July 31, 2009 10:14 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication

Both servers have same ldd outputs and Sendmail.conf contains only "pwcheck_method: saslauthd"

--------
banyan# ldd -a /usr/sbin/sendmail
/usr/sbin/sendmail:
        libutil.so.7 => /lib/libutil.so.7 (0x2807d000)
        libc.so.7 => /lib/libc.so.7 (0x2808a000)
/lib/libutil.so.7:
        libc.so.7 => /lib/libc.so.7 (0x2808a000)
banyan#
banyan# ll /usr/local/lib/sasl2/Sendmail.conf
-rw-r--r-- 1 root wheel 26 7 29 14:56 /usr/local/lib/sasl2/Sendmail.conf
banyan# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd
--------

Reed

From: Ihor Prystay
Sent: Friday, July 31, 2009 2:55 AM
To: FreeBSD Question
Subject: Re: SMTP Authentication

You may check the location of sasl2 lib which sendmail is compiled with - do ldd on sendmail executable.
And verify if Sendmail.conf in the sasl2 lib folder doesn't have any restrictions on available mechs.

Ihor

Reed Lai wrote:
> The liblogin.so is in directory
>
> banyan# ll /usr/local/lib/sasl2/liblogin.so
> lrwxr-xr-x 1 root wheel 13 7 29 14:54
> /usr/local/lib/sasl2/liblogin.so -> liblogin.so.2
> banyan# ll /usr/local/lib/sasl2/liblogin.so.2
> -rwxr-xr-x 1 root wheel 17172 7 29 14:54
> /usr/local/lib/sasl2/liblogin.so.2
>
> There is only confAUTH_MECHANISMS in .mc file, not confAUTH_OPTIONS
>
> dnl set SASL options
> dnl --------------------------------
> TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
>
> Reed
>
> From: Ihor Prystay
> Sent: Thursday, July 30, 2009 4:58 PM
> To: FreeBSD Question
> Subject: Re: SMTP Authentication
>
>
> Check if /usr/local/lib/sasl2/liblogin.so exists - if not you have to
> recompile sasl with LOGIN mech support.
> Check in your .mc file if you define confAUTH_OPTIONS macro. If you do
> make sure 'p' parameter is not on the list or LOGIN would be available
> only after TLS encryption which is not a case for you as your working
> configuration offers LOGIN during telnet session (it's actually a bad
> idea to do authentication clear text).
>
> Ihor
>
>
> Reed Lai wrote:
>> Yes, the new server lacks LOGIN in the 250-AUTH list!
>>
>> New server
>> =========
>> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
>>
>> Functional server
>> ==============
>> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
>>
>> I have checked the generated .cf file in the new server and there are
>> class and option listed
>>
>> C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
>> O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
>>
>> The new server has same configuration to old server, but has not LOGIN
>> in the 250-AUTH list.
>> BTW, the new server has hostname changed once... I don't know if it does
>> matter or not..
>>
>> Reed
>>
>> From: Ihor Prystay
>> Sent: Thursday, July 30, 2009 2:35 PM
>> To: freebsd-questions@freebsd.org
>> Subject: Re: SMTP Authentication
>>
>>
>> Try telnet to port 25 of your working SMTP server and compare the
>> output.
>> Check
>> 250-AUTH
>> According to the provided log from the working server it should be LOGIN
>> mech available in the list, which is not present on the new server.
>>
>> Ihor
>>
>>
>> Reed Lai wrote:
>>> The maillog does not log the sm-mta: AUTH=server action. The functional
>>> server has the AUTH=server action logged. How do I debug from this
>>> difference?
>>>
>>> Reed
>>>
>>> From: Reed Lai
>>> Sent: Thursday, July 30, 2009 11:51 AM
>>> To: FreeBSD Questions
>>> Subject: Re: SMTP Authentication
>>>
>>>
>>> The mail client is Windows Live Mail and it works well with the
>>> functional
>>> server. Its SMTP authentication should be ok.
>>>
>>> Reed
>>>
>>>
>>> From: Ihor Prystay
>>> Sent: Thursday, July 30, 2009 10:49 AM
>>> To: freebsd-questions@freebsd.org
>>> Subject: Re: SMTP Authentication
>>>
>>>
>>> your working server does support LOGIN mech while other one doesn't.
>>> I doubt if your mail client has a support for GSSAPI DIGEST-MD5 CRAM-MD5
>>> auth, usually it's PLAIN or/and LOGIN.
>>>
>>> Ihor
>>>
>>>
>>>
>>> Reed Lai wrote:
>>>> Instruction of the "SMTP AUTH in sendmail 8.10-8.13" to test the
>>>> Sendmail
>>>>
>>>> banyan# sendmail -d0.1 -bv root
>>>> Version 8.14.2
>>>> Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
>>>> NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
>>>> SASLv2
>>>> SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
>>>>
>>>> ============ SYSTEM IDENTITY (after readcf) ============
>>>> (short domain name) $w = banyan
>>>> (canonical domain name) $j = banyan...com
>>>> (subdomain name) $m = ..com
>>>> (node name) $k = banyan...com
>>>> ========================================================
>>>>
>>>> root... deliverable: mailer local, user root
>>>>
>>>> banyan# telnet localhost 25
>>>> Trying 127.0.0.1...
>>>> Connected to localhost.
>>>> Escape character is '^]'.
>>>> 220 banyan...com ESMTP Sendmail 8.14.2/8.14.2; Wed, 29 Jul 2009
>>>> 21:19:40
>>>> +0800 (CST)
>>>> ehlo localhost
>>>> 250-banyan...com Hello localhost [127.0.0.1], pleased to meet you
>>>> 250-ENHANCEDSTATUSCODES
>>>> 250-PIPELINING
>>>> 250-8BITMIME
>>>> 250-SIZE
>>>> 250-DSN
>>>> 250-ETRN
>>>> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
>>>> 250-DELIVERBY
>>>> 250 HELP
>>>>
>>>> The Sendmail test seems OK
>>>> But the SMTP authentication does not work from my mail client.
>>>>
>>>> Reed
>>>>
>>>>
>>>> From: Reed Lai
>>>> Sent: Wednesday, July 29, 2009 5:37 PM
>>>> To: freebsd-questions@freebsd.org
>>>> Subject: SMTP Authentication
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I have two freebsd mail servers both configured SMTP authentication:
>>>>
>>>> FreeBSD Handbook 28.10 SMTP Authentication
>>>> http://www.freebsd.org/doc/en/books/handbook/smtp-auth.html
>>>>
>>>> SMTP AUTH in sendmail 8.10-8.13
>>>> http://www.sendmail.org/~ca/email/auth.html
>>>>
>>>> One is functional, and the other one doesn't seem to work. Compare the
>>>> maillogs of the two servers, there is an AUTH=server message appear in
>>>> the
>>>> functional server, but the other one has not.
>>>>
>>>> The maillog of functional server
>>>> ======================
>>>> Jul 29 16:15:10 maple sm-mta[57825]: AUTH=server, relay=59-....net
>>>> [59...147], authid=a660407, mech=LOGIN, bits=0
>>>> Jul 29 16:15:10 maple sm-mta[57825]: n6T8F9ej057825:
>>>> from=,
>>>> size=1430, class=0, nrcpts=1,
>>>> msgid=<40F9CC65E8874D128639A39C1EEBD410@ReedXP>, proto=ESMTP,
>>>> daemon=IPv4,
>>>> relay=59-...net [59...147]
>>>>
>>>> The other one
>>>> =========
>>>> Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539:
>>>> ruleset=check_rcpt,
>>>> arg1=, relay=59-...-147.HINET-IP.hinet.net [59...147],
>>>> reject=550 5.7.1 ... Relaying denied
>>>> Jul 29 17:12:41 banyan sm-mta[2539]: n6T9Cf9q002539:
>>>> from=,
>>>> size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4,
>>>> relay=59-...-147.HINET-IP.hinet.net [59...147]
>>>>
>>>> It seems the other one's smtp authentication is not triggered.
>>>>
>>>> Please help or tip me for something I forget.
>>>>
>>>> Thank you!
>>>>
>>>> Reed

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
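
The comparison made by hand in this thread (the AuthMechanisms option in the generated .cf file against the 250-AUTH line of the EHLO reply), written out as an added example that is not part of the original messages. The sample text is constructed from the transcripts above with a placeholder hostname, and the function names and the `tls_active` parameter are assumptions of this sketch.

```python
import re

# Mechanisms that put the password on the wire in recoverable form.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}

# Constructed samples modelled on the transcripts in the thread;
# mail.example.org is a placeholder hostname.
CF_TEXT = """C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
O AuthMechanisms=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
"""
NEW_EHLO = """250-mail.example.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
"""
OLD_EHLO = NEW_EHLO.replace("CRAM-MD5\n", "CRAM-MD5 LOGIN\n")

def configured_mechs(cf_text):
    """Mechanisms named by the AuthMechanisms option in sendmail.cf text."""
    for line in cf_text.splitlines():
        m = re.match(r"O\s+AuthMechanisms\s*=\s*(.*)", line)
        if m:
            return set(m.group(1).upper().split())
    return set()

def advertised_mechs(ehlo_reply):
    """Mechanisms on the 250-AUTH line(s) of an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # Accept "250-AUTH a b" and the legacy "250-AUTH=a b" spelling.
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs

def audit(cf_text, ehlo_reply, tls_active=False):
    """Diff configured against advertised mechanisms for one EHLO capture."""
    conf, adv = configured_mechs(cf_text), advertised_mechs(ehlo_reply)
    return {
        # Configured but not offered (plugin not loaded, or filtered by policy).
        "missing": sorted(conf - adv),
        "unconfigured": sorted(adv - conf),
        # Password-equivalent mechanisms offered without a TLS layer.
        "cleartext_exposed": [] if tls_active else sorted(adv & CLEARTEXT_MECHS),
    }
```

For the new server the result lists LOGIN under `missing`; for the functional server it lists LOGIN under `cleartext_exposed`, the clear-text authentication Ihor's reply calls a bad idea.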