From: Andreas Widerøe Andersen
Date: Fri, 08 Oct 2004 12:30:51 +0200
To: freebsd-questions@freebsd.org
Cc: hemi@puresimplicity.net, Michael.Walker2@capita.co.uk, mwalker@codegurus.org
Subject: Need help with Saslauthd and Sendmail
Message-Id: <6.1.2.0.2.20041008092742.089c6dc0@malibu.wideroe.net>

I'm using this guide http://www.puresimplicity.net/~hemi/freebsd/sendmail.html to install a secure mail server. The imap-uw part is working fine, but the sendmail part isn't.

==========================================================================
My system:

FreeBSD 4.7 STABLE
Sendmail 8.12.10
Saslauthd 2.1.19

I just updated all ports before installing what's described in the guide above. I'm also using Spamassassin to filter out spam.
==========================================================================
My Sendmail.conf:

# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd

==========================================================================
My /etc/rc.conf file looks like this:

# -- sysinstall generated deltas -- # Sun Sep 16 17:49:22 2001
# Created: Sun Sep 16 17:49:22 2001
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="xxx.xxx.xxx.xxx"
font8x14="iso-8x14"
font8x16="iso-8x16"
font8x8="iso-8x8"
hostname="server.hostname.net"
ifconfig_xl0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"
#ifconfig_xl0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx media 100baseTX mediaopt full-duplex"
kern_securelevel_enable="NO"
keymap="norwegian.iso"
moused_enable="NO"
nfs_reserved_port_only="NO"
#sendmail_enable="YES"
sshd_program=/usr/local/sbin/sshd
sshd_enable="YES"
usbd_enable="NO"
portmap_enable="NO"
lpd_enable="NO"
# sasl_pwcheck_enable="YES"
# sasl_pwcheck_program="/usr/local/sbin/pwcheck"
saslauthd_runpath="/var/state/saslauthd"        # Working directory
saslauthd_program="/usr/local/sbin/saslauthd"   # Location of saslauthd
sasl_saslauthd_enable="YES"

==========================================================================
The bottom of my /etc/make.conf:

# Setting SENDMAIL_SET_USER_ID will install the sendmail binary as a
# set-user-ID root binary instead of a set-group-ID smmsp binary and will
# prevent the installation of /etc/mail/submit.cf.
# This is a deprecated mode of operation. See etc/mail/README for more
# information.
#
#SENDMAIL_SET_USER_ID=
#
# The permissions to use on alias and map databases generated using
# /etc/mail/Makefile. Defaults to 0640.
#
#SENDMAIL_MAP_PERMS=

#SENDMAIL_CFLAGS=-I/usr/local/include/sasl1 -DSASL
#SENDMAIL_LDFLAGS=-L/usr/local/lib
#SENDMAIL_LDADD=-lsasl

# SASL (cyrus-sasl v2) sendmail build flags...
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

# Adding to enable alternate port (smtps) for sendmail...
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL

Sendmail has been rebuilt/restarted according to the guide.

==========================================================================
# ls -la /etc/mail/certs
total 5
drwxr-xr-x  2 root  wheel   512 Oct  6 14:51 .
drwxr-xr-x  4 root  wheel   512 Oct  8 00:21 ..
-rw-------  1 root  wheel  1460 Oct  6 14:51 mycert.pem
-rw-------  1 root  wheel   672 Oct  6 14:51 mykey.pem

==========================================================================
My sendmail.mc file (FQDN.mc):

divert(-1)
#
# Copyright (c) 1983 Eric P. Allman
# [snip]
divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.10.2.18 2003/04/24 16:57:30 gshapiro Exp $')
OSTYPE(freebsd4)
DOMAIN(generic)
FEATURE(access_db, `hash -o -T /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
# [snip]
# define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
# define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)

==========================================================================
If I telnet to my mailserver on port 25 the mailserver gives this back:

ehlo localhost
250-server.hostname.net Hello server.hostname.net [xxx.xxx.xxx.xxx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP

==========================================================================
Anyway, I've been looking into the saslauthd and I just saw an error message in my logfile (/var/log/messages):

Oct 7 23:45:20 server sendmail[1054]: cannot connect to saslauthd server: No such file or directory

That tells me the saslauthd isn't running. So I try to start it manually, but first I check out the saslauthd version and its auth mechanisms:

# ./saslauthd -v
saslauthd 2.1.19
authentication mechanisms: sasldb getpwent pam rimap

Does this seem right? Which auth mechanism is saslauthd supposed to use in this guide?

I try to start saslauthd manually by doing a /usr/local/etc/rc.d/saslauthd.sh start, but nothing happens.
==========================================================================
Here's the content of this file:

#!/bin/sh
#
# $FreeBSD: ports/security/cyrus-sasl2-saslauthd/files/saslauthd.sh,v 1.6 2004/06/11 15:49:48 ume Exp $
#
# PROVIDE: saslauthd
# REQUIRE: DAEMON
# BEFORE: mail imap
# KEYWORD: FreeBSD shutdown
#
# NOTE for FreeBSD 5.0+:
# If you want this script to start with the base rc scripts
# move saslauthd.sh to /etc/rc.d/saslauthd

prefix=/usr/local

# Define these saslauthd_* variables in one of these files:
#       /etc/rc.conf
#       /etc/rc.conf.local
#       /etc/rc.conf.d/saslauthd
#
# DO NOT CHANGE THESE DEFAULT VALUES HERE
#
saslauthd_enable=${saslauthd_enable:-"NO"}      # Enable saslauthd
saslauthd_flags=${saslauthd_flags:-"-a pam"}    # Flags to saslauthd program
#saslauthd_runpath="/var/state/saslauthd"       # Working directory
#saslauthd_program="${prefix}/sbin/saslauthd"   # Location of saslauthd

. /usr/local/etc/rc.subr

name="saslauthd"
rcvar=`set_rcvar`
command="${prefix}/sbin/${name}"

load_rc_config $name

if [ -z "$saslauthd_runpath" ]; then
        pidfile="/var/state/saslauthd/${name}.pid"
else
        pidfile="${saslauthd_runpath}/${name}.pid"
        command_args="-m ${saslauthd_runpath}"
fi

run_rc_command "$1"

==========================================================================
Here's what my /var/log/maillog with LogLevel 25 reports:

Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: <-- EHLO workpc.hostname.net
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: milter=spamassassin, action=helo, continue
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: Milter (spamassassin): time command (H), 0
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-server.hostname.net Hello xxx.xxx.xxx.xxx.provider.net [80.202.145.187], pleased to meet you
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-ENHANCEDSTATUSCODES
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-PIPELINING
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-8BITMIME
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-SIZE
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-DSN
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-ETRN
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-AUTH PLAIN LOGIN
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-STARTTLS
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250-DELIVERBY
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 250 HELP
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: <-- STARTTLS
Oct 8 00:08:18 server sendmail[1807]: i97M8Idv001807: --- 220 2.0.0 Ready to start TLS
Oct 8 00:08:19 server sendmail[1807]: STARTTLS=server, get_verify: 0 get_peer: 0x0
Oct 8 00:08:19 server sendmail[1807]: STARTTLS=server, relay=xxx.xxx.xxx.xxx.provider.net [xxx.xxx.xxx.xxx], version=TLSv1/SSLv3, verify=NO, cipher=EDH-DSS-DES-CBC3-SHA, bits=168/168
Oct 8 00:08:19 server sendmail[1807]: STARTTLS=server, cert-subject=, cert-issuer=
Oct 8 00:08:19 server sendmail[1807]: AUTH: available mech=NTLM LOGIN ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5, allowed mech=PLAIN LOGIN
Oct 8 00:08:19 server sendmail[1807]: i97M8Idv001807: <-- EHLO hangloose.wideroe.net
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: milter=spamassassin, action=helo, continue
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: Milter (spamassassin): time command (H), 0
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-server.hostname.net Hello xxx.xxx.xxx.xxx.provider.net [80.202.145.187], pleased to meet you
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-ENHANCEDSTATUSCODES
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-PIPELINING
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-8BITMIME
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-SIZE
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-DSN
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-ETRN
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-AUTH PLAIN LOGIN
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250-DELIVERBY
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250 HELP
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: <-- AUTH LOGIN
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 334 VXNlcm5hbWU6
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 334 UGFzc3dvcmQ6
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 535 5.7.0 authentication failed
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: <-- RSET
Oct 8 00:08:19 server sendmail[1807]: i97M8Idw001807: --- 250 2.0.0 Reset state
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: <-- MAIL FROM:
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: Milter: senders:
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: milter=spamassassin, action=mail, continue
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: Milter (spamassassin): time command (M), 0
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: --- 250 2.1.0 ... Sender ok
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: <-- RCPT TO:
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: --- 550 5.7.1 ... Relaying denied. Proper authentication required.
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: ruleset=check_rcpt, arg1=, relay=xxx.xxx.xxx.xxx.provider.net [80.202.145.187], reject=550 5.7.1 ... Relaying denied. Proper authentication required.
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: <-- QUIT
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: --- 221 2.0.0 server.hostname.net closing connection
Oct 8 00:08:19 server sendmail[1807]: STARTTLS=server, SSL_shutdown not done
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: Milter (spamassassin): quit filter
Oct 8 00:08:19 server sendmail[1807]: i97M8Idx001807: from=, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=xxx.xxx.xxx.xxx.provider.net [xxx.xxx.xxx.xxx]

==========================================================================
I have rebooted the server a couple of times as well.

I looked at some docs at the sendmail.org site: http://www.sendmail.org/~ca/email/auth.html#authv2credit and under Patches there's a link to a patch (http://www.sendmail.org/~ca/email/patches/login.c.clt.p1) - Do I need it? It says (http://www.sendmail.org/~ca/email/sm-812.html) Note: the patches below are not needed for sendmail 8.12.10 or newer! If I need it, how do I install it?

Any help is highly appreciated!

Best regards,
Andreas

---
Andreas Wideroe Andersen
Mobile: (+47) 90 92 61 21
http://www.filmshooting.com
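The rc.d script posted above only ever consults the variable saslauthd_enable (it defaults it to "NO" and hands it to rc.subr's run_rc_command), while the posted rc.conf sets sasl_saslauthd_enable="YES", a name nothing reads. Below is an added example, not part of the original post or of the FreeBSD port, that applies rc.subr's checkyesno test to an rc.conf-style file and reports whether saslauthd is actually enabled, misnamed, or disabled. The two sample files are constructed inline: one mirrors the three saslauthd lines from the post, the other uses the variable name the script reads.

```sh
#!/bin/sh
# Added example (not from the original post or the cyrus-sasl2-saslauthd port):
# does an rc.conf-style file enable saslauthd under the variable the port's
# rc.d script reads? That script sets saslauthd_enable=${saslauthd_enable:-"NO"}
# and lets rc.subr decide from that variable; any other spelling, such as
# sasl_saslauthd_enable, is never consulted and the daemon stays down.

# Same truth test rc.subr's checkyesno applies, on a value instead of a name.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# rc_value FILE VAR: source FILE in a subshell (so nothing leaks into the
# caller) and print VAR's value; unset variables print as the empty string.
rc_value() {
    ( . "$1" >/dev/null 2>&1; eval "printf '%s' \"\${$2}\"" )
}

# saslauthd_status FILE: "enabled" when saslauthd_enable holds a yes value,
# "misnamed" when only the look-alike sasl_saslauthd_enable does, else "disabled".
saslauthd_status() {
    if is_yes "$(rc_value "$1" saslauthd_enable)"; then
        echo enabled
    elif is_yes "$(rc_value "$1" sasl_saslauthd_enable)"; then
        echo misnamed
    else
        echo disabled
    fi
}

# Constructed sample files standing in for /etc/rc.conf.
TMP=$(mktemp -d) || exit 1
cat >"$TMP/rc.conf.posted" <<'EOF'
saslauthd_runpath="/var/state/saslauthd"        # Working directory
saslauthd_program="/usr/local/sbin/saslauthd"   # Location of saslauthd
sasl_saslauthd_enable="YES"
EOF
cat >"$TMP/rc.conf.fixed" <<'EOF'
saslauthd_runpath="/var/state/saslauthd"        # Working directory
saslauthd_program="/usr/local/sbin/saslauthd"   # Location of saslauthd
saslauthd_enable="YES"
EOF

printf 'posted rc.conf: %s\n' "$(saslauthd_status "$TMP/rc.conf.posted")"   # misnamed
printf 'fixed rc.conf:  %s\n' "$(saslauthd_status "$TMP/rc.conf.fixed")"    # enabled
```

Once the variable is named saslauthd_enable, `/usr/local/etc/rc.d/saslauthd.sh start` should leave a socket file named mux under the runpath (/var/state/saslauthd in the posted configuration), which is the path sendmail's "cannot connect to saslauthd server" message refers to. The daemon can then be exercised without involving sendmail at all using the testsaslauthd utility that ships with saslauthd, for example `testsaslauthd -u <user> -p <password> -s smtp -f /var/state/saslauthd/mux`; with the script's default flags (-a pam) that command goes through the same PAM path sendmail's AUTH LOGIN would, so a failure there is a saslauthd or PAM problem rather than a sendmail one.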