From owner-freebsd-ports Mon Nov 27 21:10: 6 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2FA3137B4E5 for ; Mon, 27 Nov 2000 21:10:02 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id VAA22279; Mon, 27 Nov 2000 21:10:02 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from mail.westbend.net (ns1.westbend.net [209.224.254.131]) by hub.freebsd.org (Postfix) with ESMTP id 6523F37B479 for ; Mon, 27 Nov 2000 21:06:54 -0800 (PST)
Received: (from admin@localhost) by mail.westbend.net (8.11.1/8.11.1) id eAS56rt33864; Mon, 27 Nov 2000 23:06:53 -0600 (CST) (envelope-from admin)
Message-Id: <200011280506.eAS56rt33864@mail.westbend.net>
Date: Mon, 27 Nov 2000 23:06:53 -0600 (CST)
From: "Scot W. Hetzel"
Reply-To: "Scot W. Hetzel"
To: FreeBSD-gnats-submit@freebsd.org, hetzels@westbend.net
X-Send-Pr-Version: 3.2
Subject: ports/23149: security/cyrus-sasl update Sendmail.README (MAINTAINER)
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 23149
>Category: ports
>Synopsis: Update Sendmail.README in security/cyrus-sasl (MAINTAINER)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 27 21:10:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: System Administrator
>Release: FreeBSD 4.2-BETA i386
>Organization: West Bend Internet
>Environment:
>Description:
The port installs sasldb with permissions of 640 and owned by cyrus and group mail. When sendmail is compiled with SASL it complains with:

error: safesasl(/usr/local/etc/sasldb.db) failed: Group readable file

when trying to access the sasldb database.
>How-To-Repeat:
>Fix:
The attached patch to the Sendmail.README instructions explains how to enable the GroupReadableSASLFile option for DONT_BLAME_SENDMAIL.

diff -ruN cyrus-sasl.orig/files/Sendmail.README cyrus-sasl/files/Sendmail.README --- cyrus-sasl.orig/files/Sendmail.README Tue Sep 19 20:34:45 2000 +++ cyrus-sasl/files/Sendmail.README Mon Nov 27 22:14:43 2000 @@ -2,10 +2,10 @@ 1) Add the following to /etc/make.conf: -# Add SMTP AUTH support to Sendmail -SENDMAIL_CFLAGS+= -DSASL -I/usr/local/include/sasl -SENDMAIL_LDFLAGS+= -L/usr/local/lib -SENDMAIL_LDADD+= -lsasl + # Add SMTP AUTH support to Sendmail + SENDMAIL_CFLAGS+= -I/usr/local/include/sasl -DSASL -D_FFR_UNSAFE_SASL + SENDMAIL_LDFLAGS+= -L/usr/local/lib + SENDMAIL_LDADD+= -lsasl 2) Rebuild FreeBSD (make buildworld, ...) 
@@ -13,3 +13,28 @@ pwcheck_method: pwcheck +4) Add the following to your sendmail.mc file: + + TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')dnl + define(`confAUTH_MECHANISMS',`DIGEST-MD5 CRAM-MD5')dnl + define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLFile')dnl + + ---- + + Additional AUTH Mechanisms are LOGIN, PLAIN, GSSAPI, and KERBEROS_V4. + These can be added to TRUST_AUTH_MECH and confAUTH_MECHANISMS as a space + seperated list. You may want to restrict LOGIN, and PLAIN authentication + methods for use with STARTTLS, as the password is not encrypted when + passed to sendmail. + + LOGIN is required for Outlook Express users. "My server requires + authentication" needs to be checked in the accounts properties to + use SASL Authentication. + + PLAIN is required for Netscape Communicator users. By default Netscape + Communicator will use SASL Authentication when sendmail is compiled with + SASL. + + The DONT_BLAME_SENDMAIL option GroupReadableSASLFile is needed when you + are using cyrus-imapd and sendmail on the same server that requires access + to the sasldb database.
>Release-Note:
>Audit-Trail:
>Unformatted:
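
Review bot: In the first hunk (step 1, /etc/make.conf), the new SENDMAIL_CFLAGS line adds -D_FFR_UNSAFE_SASL with no word in the README on what it enables or why it is needed. The define's name says it relaxes a safety check, and from the PR text it appears to be there only so that the GroupReadableSASLFile setting in step 4 is available; say so next to the flag and mark it as needed only for that setup, so an admin whose sasldb is not group readable can keep the original `-DSASL` line. The hunk also indents all four make.conf lines and swaps the order of -I and -DSASL, which makes the one functional change harder to spot; consider leaving those lines as they were and only appending the new define.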
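
Review bot: In the second hunk (new step 4), the confDONT_BLAME_SENDMAIL define with GroupReadableSASLFile sits in the sendmail.mc block that every reader is told to add, while the closing paragraph says the option is only needed when cyrus-imapd and sendmail share the sasldb on one server. Since the option turns off the check behind the "Group readable file" error, move it out of the default block into a separate, clearly optional step and state what it relaxes (sendmail will accept a group-readable sasldb), so servers that do not need the shared database keep the check. Two smaller points in the notes: the advice to restrict LOGIN and PLAIN to use with STARTTLS gives no indication of how to do that, and "seperated" should be "separated".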