Date:      Fri, 08 Oct 2004 12:30:51 +0200
From:      Andreas Widerøe Andersen <andreas@wideroe.net>
To:        freebsd-questions@freebsd.org
Cc:        mwalker@codegurus.org
Subject:   Need help with Saslauthd and Sendmail
Message-ID:  <6.1.2.0.2.20041008092742.089c6dc0@malibu.wideroe.net>

I'm using this guide 
http://www.puresimplicity.net/~hemi/freebsd/sendmail.html to install a 
secure mail server. The imap-uw part is working fine, but the sendmail part 
isn't.

==========================================================================

My system:

FreeBSD 4.7 STABLE
Sendmail 8.12.10
Saslauthd 2.1.19

I just updated all ports before installing what's described in the guide above.

I'm also using Spamassassin to filter out spam.

==========================================================================

My Sendmail.conf:

# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd

==========================================================================

My /etc/rc.conf file looks like this:

# -- sysinstall generated deltas -- # Sun Sep 16 17:49:22 2001
# Created: Sun Sep 16 17:49:22 2001
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="xxx.xxx.xxx.xxx"
font8x14="iso-8x14"
font8x16="iso-8x16"
font8x8="iso-8x8"
hostname="server.hostname.net"
ifconfig_xl0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"
#ifconfig_xl0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx media 100baseTX mediaopt full-duplex"
kern_securelevel_enable="NO"
keymap="norwegian.iso"
moused_enable="NO"
nfs_reserved_port_only="NO"
#sendmail_enable="YES"
sshd_program=/usr/local/sbin/sshd
sshd_enable="YES"
usbd_enable="NO"
portmap_enable="NO"
lpd_enable="NO"
# sasl_pwcheck_enable="YES"
# sasl_pwcheck_program="/usr/local/sbin/pwcheck"
saslauthd_runpath="/var/state/saslauthd"       # Working directory
saslauthd_program="/usr/local/sbin/saslauthd"   # Location of saslauthd
sasl_saslauthd_enable="YES"

==========================================================================

The bottom of my /etc/make.conf:

# Setting SENDMAIL_SET_USER_ID will install the sendmail binary as a
# set-user-ID root binary instead of a set-group-ID smmsp binary and will
# prevent the installation of /etc/mail/submit.cf.
# This is a deprecated mode of operation.  See etc/mail/README for more
# information.
#
#SENDMAIL_SET_USER_ID=
#
# The permissions to use on alias and map databases generated using
# /etc/mail/Makefile.  Defaults to 0640.
#
#SENDMAIL_MAP_PERMS=
#SENDMAIL_CFLAGS=-I/usr/local/include/sasl1 -DSASL
#SENDMAIL_LDFLAGS=-L/usr/local/lib
#SENDMAIL_LDADD=-lsasl
# SASL (cyrus-sasl v2) sendmail build flags...
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
# Adding to enable alternate port (smtps) for sendmail...
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL

Sendmail has been rebuilt/restarted according to the guide.

==========================================================================

# ls -la /etc/mail/certs
total 5
drwxr-xr-x  2 root  wheel   512 Oct  6 14:51 .
drwxr-xr-x  4 root  wheel   512 Oct  8 00:21 ..
-rw-------  1 root  wheel  1460 Oct  6 14:51 mycert.pem
-rw-------  1 root  wheel   672 Oct  6 14:51 mykey.pem

==========================================================================

My sendmail.mc file (FQDN.mc):

divert(-1)
#
# Copyright (c) 1983 Eric P. Allman
# [snip]

divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.10.2.18 2003/04/24 16:57:30 gshapiro Exp $')
OSTYPE(freebsd4)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')

# [snip]

# define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

# define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)

==========================================================================

If I telnet to my mailserver on port 25 the mailserver gives this back:

ehlo localhost
250-server.hostname.net Hello server.hostname.net [xxx.xxx.xxx.xxx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP

==========================================================================

Anyway, I've been looking into the saslauthd and I just saw an error
message in my logfile (/var/log/messages):

Oct  7 23:45:20 server sendmail[1054]: cannot connect to saslauthd server: No such file or directory

That tells me the saslauthd isn't running. So I try to start it manually,
but first I check out the saslauthd version and its auth mechanisms:

# ./saslauthd -v
saslauthd 2.1.19
authentication mechanisms: sasldb getpwent pam rimap

Does this seem right?

Which auth mechanism is saslauthd supposed to use in this guide?

I try to start saslauthd manually by doing a 
/usr/local/etc/rc.d/saslauthd.sh start, but nothing happens.

==========================================================================

Here's the content of this file:

#!/bin/sh
#
# $FreeBSD: ports/security/cyrus-sasl2-saslauthd/files/saslauthd.sh,v 1.6 2004/06/11 15:49:48 ume Exp $
#

# PROVIDE: saslauthd
# REQUIRE: DAEMON
# BEFORE: mail imap
# KEYWORD: FreeBSD shutdown
#
# NOTE for FreeBSD 5.0+:
# If you want this script to start with the base rc scripts
# move saslauthd.sh to /etc/rc.d/saslauthd

prefix=/usr/local

# Define these saslauthd_* variables in one of these files:
#       /etc/rc.conf
#       /etc/rc.conf.local
#       /etc/rc.conf.d/saslauthd
#
# DO NOT CHANGE THESE DEFAULT VALUES HERE
#
saslauthd_enable=${saslauthd_enable:-"NO"}      # Enable saslauthd
saslauthd_flags=${saslauthd_flags:-"-a pam"}    # Flags to saslauthd program
#saslauthd_runpath="/var/state/saslauthd"       # Working directory
#saslauthd_program="${prefix}/sbin/saslauthd"   # Location of saslauthd

. /usr/local/etc/rc.subr

name="saslauthd"
rcvar=`set_rcvar`
command="${prefix}/sbin/${name}"

load_rc_config $name

if [ -z "$saslauthd_runpath" ]; then
         pidfile="/var/state/saslauthd/${name}.pid"
else
         pidfile="${saslauthd_runpath}/${name}.pid"
         command_args="-m ${saslauthd_runpath}"
fi

run_rc_command "$1"

==========================================================================

Here's what my /var/log/maillog with LogLevel 25 reports:

Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: <-- EHLO workpc.hostname.net
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: milter=spamassassin, action=helo, continue
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: Milter (spamassassin): time command (H), 0
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-server.hostname.net Hello xxx.xxx.xxx.xxx.provider.net [80.202.145.187], pleased to meet you
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-ENHANCEDSTATUSCODES
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-PIPELINING
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-8BITMIME
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-SIZE
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-DSN
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-ETRN
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-AUTH PLAIN LOGIN
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-STARTTLS
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-DELIVERBY
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250 HELP
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: <-- STARTTLS
Oct  8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 220 2.0.0 Ready to start TLS
Oct  8 00:08:19 server sendmail[1807]: STARTTLS=server, get_verify: 0 get_peer: 0x0
Oct  8 00:08:19 server sendmail[1807]: STARTTLS=server, relay=xxx.xxx.xxx.xxx.provider.net [xxx.xxx.xxx.xxx], version=TLSv1/SSLv3, verify=NO, cipher=EDH-DSS-DES-CBC3-SHA, bits=168/168
Oct  8 00:08:19 server sendmail[1807]: STARTTLS=server, cert-subject=, cert-issuer=
Oct  8 00:08:19 server sendmail[1807]: AUTH: available mech=NTLM LOGIN ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5, allowed mech=PLAIN LOGIN
Oct  8 00:08:19 server sendmail[1807]: i97M8Idv001807: <-- EHLO hangloose.wideroe.net
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: milter=spamassassin, action=helo, continue
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: Milter (spamassassin): time command (H), 0
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-server.hostname.net Hello xxx.xxx.xxx.xxx.provider.net [80.202.145.187], pleased to meet you
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-ENHANCEDSTATUSCODES
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-PIPELINING
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-8BITMIME
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-SIZE
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-DSN
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-ETRN
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-AUTH PLAIN LOGIN
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-DELIVERBY
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250 HELP
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: <-- AUTH LOGIN
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 334 VXNlcm5hbWU6
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 334 UGFzc3dvcmQ6
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 535 5.7.0 authentication failed
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: <-- RSET
Oct  8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250 2.0.0 Reset state
Oct  8 00:08:19 server sendmail[1807]: i97M8Idx001807: <-- MAIL FROM:<andreas@wideroe.net>
Oct  8 00:08:19 server sendmail[1807]: i97M8Idx001807: Milter: senders: <andreas@wideroe.net>
Oct  8 00:08:19 server sendmail[1807]: i97M8Idx001807: milter=spamassassin, action=mail, continue
Oct  8 00:08:19 server sendmail[1807]: i97M8Idx001807: Milter (spamassassin): time command (M), 0
Oct  8 00:08:19 server sendmail[1807]: i97M8Idx001807: --- 250 2.1.0 <andreas@wideroe.net>... Sender ok
Oct  8 00:08:19 server sendmail[1807]: i97M8Idx001807: <-- RCPT TO:<andreas@eunet.no>
Oct  8 00:08:19 server sendmail[1807]: i97M8Idx001807: --- 550 5.7.1 <andreas@eunet.no>... Relaying denied. Proper authentication required.
Oct  8 00:08:19 server sendmail[1807]: i97M8Idx001807: ruleset=check_rcpt, arg1=<andreas@eunet.no>, relay=xxx.xxx.xxx.xxx.provider.net [80.202.145.187], reject=550 5.7.1 <andreas@eunet.no>... Relaying denied. Proper authentication required.
Oct  8 00:08:19 server sendmail[1807]: i97M8Idx001807: <-- QUIT
Oct  8 00:08:19 server sendmail[1807]: i97M8Idx001807: --- 221 2.0.0 server.hostname.net closing connection
Oct  8 00:08:19 server sendmail[1807]: STARTTLS=server, SSL_shutdown not done
Oct  8 00:08:19 server sendmail[1807]: i97M8Idx001807: Milter (spamassassin): quit filter
Oct  8 00:08:19 server sendmail[1807]: i97M8Idx001807: from=<andreas@wideroe.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=xxx.xxx.xxx.xxx.provider.net [xxx.xxx.xxx.xxx]

==========================================================================

I have rebooted the server a couple of times as well.

I looked at some docs at the sendmail.org site:
http://www.sendmail.org/~ca/email/auth.html#authv2credit and under Patches
there's a link to a patch
(http://www.sendmail.org/~ca/email/patches/login.c.clt.p1). Do I need it?
It says (http://www.sendmail.org/~ca/email/sm-812.html): "Note: the patches
below are not needed for sendmail 8.12.10
(http://www.sendmail.org/8.12.10.html) or newer!" If I need it, how do I
install it?

Any help is highly appreciated!

Best regards,
Andreas

---

Andreas Wideroe Andersen <andreas@wideroe.net>
Mobile: (+47) 90 92 61 21
http://www.filmshooting.com 
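
An added check, not part of the original message: the rc.d script quoted in the post tests `saslauthd_enable` (rc.subr's `set_rcvar` builds that name from `name`), while the posted rc.conf sets `sasl_saslauthd_enable`. The shell functions below compare the two; the file excerpts are constructed from lines quoted in the post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. rc.subr's set_rcvar yields "${name}_enable"; an rc.conf
# variable with any other spelling is never read by the script.

# make_sample DIR: write constructed excerpts of the two files quoted in the post
make_sample() {
    cat > "$1/saslauthd.sh" <<'EOF'
saslauthd_enable=${saslauthd_enable:-"NO"}
name="saslauthd"
rcvar=`set_rcvar`
EOF
    cat > "$1/rc.conf" <<'EOF'
sshd_enable="YES"
saslauthd_runpath="/var/state/saslauthd"
sasl_saslauthd_enable="YES"
EOF
}

# expected_rcvar SCRIPT: print the enable variable the rc.d script will test
expected_rcvar() {
    n=$(sed -n 's/^name="\{0,1\}\([A-Za-z0-9_]*\)"\{0,1\}.*/\1/p' "$1" | tail -n 1)
    [ -n "$n" ] || return 1
    printf '%s_enable\n' "$n"
}

# check_rcvar SCRIPT RCCONF: return 0 if RCCONF enables the service, 1 if not
check_rcvar() {
    var=$(expected_rcvar "$1") || return 2
    if grep -Eiq "^${var}=\"?YES\"?" "$2"; then
        echo "ok: ${var} is set to YES"
        return 0
    fi
    echo "not enabled: the script reads ${var}, which is not set to YES"
    # Near misses: assignments whose name merely ends in the expected one
    grep -E "^[A-Za-z0-9_]+${var}=" "$2" | sed 's/^/  similar but ignored: /'
    return 1
}

# Demo on the constructed sample
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_rcvar "$demo_dir/saslauthd.sh" "$demo_dir/rc.conf" || true
rm -rf "$demo_dir"
```

On the system in the post the two arguments would be /usr/local/etc/rc.d/saslauthd.sh and /etc/rc.conf.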


