Hello folks,
I have a CentOS 6.4 installation running Sendmail, and after some serious hair-tearing stare-and-compare I'm a bit stumped. When I connect to the server either with telnet or SSL, sendmail is not presenting the AUTH capability after an EHLO. Everything looks like it should be working, but no amount of tweaking is getting the AUTH capability advertised (and it doesn't work if you just try it anyway).
Here are the config bits from sendmail.mc--
define(`confAUTH_OPTIONS', `A p')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
Note: Also tried
define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
just to keep things simple.
saslauthd is running and configured. /etc/sysconfig/saslauthd contains--
SOCKETDIR=/var/run/saslauthd
MECH=pam
FLAGS=
/etc/sasl2/Sendmail.conf contains--
pwcheck_method:saslauthd
/etc/pam.d/smtp contains--
#%PAM-1.0
auth       include      password-auth
account    include      password-auth
But when I do "openssl s_client -starttls smtp -connect localhost:587" I don't get any AUTH capability--
ehlo localhost
250-pennzoil.gizmopartners.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-DELIVERBY
250 HELP
quit
All the certs are built, and if I connect via telnet, the server does advertise STARTTLS.
So anyone able to point out the obvious or not so obvious config mistakes?
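A way to run the check above from a script instead of reading the openssl s_client output by eye, as an added example that is not part of the thread: it parses an EHLO reply into capabilities and reports whether AUTH and STARTTLS are advertised and whether PLAIN or LOGIN are being offered on the cleartext channel (the `p` in confAUTH_OPTIONS `A p` exists to prevent exactly that). Both reply texts are constructed; the first reproduces the post-STARTTLS output quoted in the post, the second is a made-up server that offers AUTH in the clear. probe() does the same against a live server; the host passed to it is a placeholder.

```python
"""Added example: parse ESMTP EHLO replies and assess the AUTH/STARTTLS posture.

Not code from the thread. parse_ehlo()/assess() work on captured reply text so
they can be run offline; probe() repeats the check against a live host."""
import smtplib
import ssl

# Constructed from the EHLO output quoted in the post (captured after STARTTLS):
# Sendmail lists no AUTH line, which is the symptom being debugged.
EHLO_NO_AUTH = """\
250-pennzoil.gizmopartners.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-DELIVERBY
250 HELP"""

# Constructed: a server that offers password mechanisms before TLS is negotiated.
EHLO_CLEAR_AUTH = """\
250-mail.example.invalid Hello client [192.0.2.10], pleased to meet you
250-STARTTLS
250-AUTH LOGIN PLAIN
250 HELP"""

# Mechanisms that send the password (or a trivially decodable form of it) as-is.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Map a raw multi-line EHLO reply to {KEYWORD: [parameters]}.

    Every line is '250-...' except the last, which is '250 ...'. The first
    line is the server greeting and carries no capability."""
    caps = {}
    for i, line in enumerate(reply.strip().splitlines()):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError("not an ESMTP reply line: %r" % line)
        if i == 0:
            continue
        parts = line[4:].split()
        if parts:
            # A server may spread AUTH over several lines; merge the mechanisms.
            caps.setdefault(parts[0].upper(), []).extend(p.upper() for p in parts[1:])
    return caps


def assess(caps, tls_active):
    """Return a list of findings for one EHLO exchange; empty means it looks right."""
    findings = []
    if not tls_active and "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised")
    mechs = caps.get("AUTH", [])
    if not mechs:
        findings.append("AUTH not advertised")
    exposed = sorted(CLEARTEXT_MECHS & set(mechs))
    if exposed and not tls_active:
        findings.append("cleartext-capable mechanisms offered before TLS: " + ", ".join(exposed))
    return findings


def probe(host, port=587, timeout=10):
    """Live check (host is a placeholder): EHLO before and after STARTTLS."""
    results = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = {k.upper(): v.upper().split() for k, v in smtp.esmtp_features.items()}
        results["before_tls"] = assess(before, tls_active=False)
        if "STARTTLS" in before:
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # capabilities must be re-read on the protected channel
            after = {k.upper(): v.upper().split() for k, v in smtp.esmtp_features.items()}
            results["after_tls"] = assess(after, tls_active=True)
    return results


if __name__ == "__main__":
    for name, text, tls in (("after STARTTLS (from the post)", EHLO_NO_AUTH, True),
                            ("cleartext (constructed)", EHLO_CLEAR_AUTH, False)):
        print(name, "->", assess(parse_ehlo(text), tls) or ["ok"])
```

Run against the output quoted in the post, the only finding is "AUTH not advertised"; a server that lists AUTH LOGIN PLAIN on the pre-TLS EHLO is flagged instead, which is what the `p` option should rule out once AUTH is working.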
On 08.10.2013 23:50, Chris Boyd wrote:
> Hello folks,
> I have a CentOS 6.4 installation running Sendmail, and after some serious hair-tearing stare-and-compare I'm a bit stumped. When I connect to the server either with telnet or SSL, sendmail is not presenting the AUTH capability after an EHLO. Everything looks like it should be working, but no amount of tweaking is getting the AUTH capability advertised (and it doesn't work if you just try it anyway).
> Here are the config bits from sendmail.mc--
> define(`confAUTH_OPTIONS', `A p')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
General advice: only offer those mechanisms your SASL backend can provide. As you are using saslauthd, the shared-secret mechanisms do not work.
> Note: Also tried
> define(`confAUTH_OPTIONS', `A')dnl
> define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
> TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
> just to keep things simple.
> saslauthd is running and configured. /etc/sysconfig/saslauthd contains--
> SOCKETDIR=/var/run/saslauthd
> MECH=pam
> FLAGS=
> /etc/sasl2/Sendmail.conf contains--
> pwcheck_method:saslauthd
> /etc/pam.d/smtp contains--
> #%PAM-1.0
> auth       include      password-auth
> account    include      password-auth
> But when I do "openssl s_client -starttls smtp -connect localhost:587" I don't get any AUTH capability--
> ehlo localhost
> 250-pennzoil.gizmopartners.com Hello localhost [127.0.0.1], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-DELIVERBY
> 250 HELP
> quit
> All the certs are built, and if I connect via telnet, the server does advertise STARTTLS.
> So anyone able to point out the obvious or not so obvious config mistakes?
I see no mistake. Make sure you have the sendmail-cf package installed, else the .cf files can't be rebuilt based on modified .mc files. Also make sure that you have the necessary cyrus-* packages installed.
Regards
Alexander
>> So anyone able to point out the obvious or not so obvious config mistakes?
> I see no mistake. Make sure you have the sendmail-cf package installed, else the .cf files can't be rebuilt based on modified .mc files. Also make sure that you have the necessary cyrus-* packages installed.
> Regards
> Alexander
Sorry, I forgot to note that for your issue it is important to have the following two settings in your sendmail.mc as well:
FEATURE(`no_default_msa', `dnl')dnl
-> this is the default in the sendmail.mc shipped with CentOS
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
-> this is commented out with a leading dnl in the default sendmail.mc. The important part is the modifier "M=Ea": the "a" bit enforces the requirement for AUTH on the MSA (port 587).
Alexander
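A small checker for the two settings described above, as an added example and not code from the thread or from the Sendmail project: it reads sendmail.mc text, ignores statements disabled with a leading dnl, and reports whether the MSA DAEMON_OPTIONS is active with the `a` modifier, whether FEATURE(`no_default_msa') accompanies it, and whether confAUTH_OPTIONS carries `p`, the flag that keeps PLAIN and LOGIN off the EHLO list until TLS is up. The two sendmail.mc snippets are constructed: one mirrors the stock layout the reply describes, the other the corrected one.

```python
"""Added example (not from the thread or from Sendmail): sanity-check the
sendmail.mc settings the reply above calls out, before running the m4 rebuild.

check_msa_auth() works on file text, so the two snippets below are constructed
inputs rather than a real /etc/mail/sendmail.mc."""
import re

# Constructed: the stock layout as the reply describes it, with the MSA
# DAEMON_OPTIONS still disabled by a leading dnl and no 'p' in confAUTH_OPTIONS.
MC_STOCK = """\
define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
FEATURE(`no_default_msa', `dnl')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
"""

# Constructed: the corrected settings from the thread.
MC_FIXED = """\
define(`confAUTH_OPTIONS', `A p')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
FEATURE(`no_default_msa', `dnl')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
"""


def active_lines(mc_text):
    """Yield the statements m4 will act on: skip blank lines and lines
    commented out with a leading dnl."""
    for line in mc_text.splitlines():
        stmt = line.strip()
        if stmt and not stmt.startswith("dnl"):
            yield stmt


def m4_args(stmt):
    """Return the `quoted' arguments of one macro call, in order."""
    return re.findall(r"`([^']*)'", stmt)


def daemon_opts(arg):
    """Turn 'Port=submission, Name=MSA, M=Ea' into {'Port': ..., 'Name': ..., 'M': ...}."""
    opts = {}
    for part in arg.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def check_msa_auth(mc_text):
    """Return a list of findings; an empty list means the MSA will require AUTH
    and PLAIN/LOGIN will only be offered once TLS is active."""
    findings = []
    auth_options = None
    msa_modifiers = None
    no_default_msa = False
    for stmt in active_lines(mc_text):
        args = m4_args(stmt)
        if stmt.startswith("define(") and args[:1] == ["confAUTH_OPTIONS"]:
            auth_options = args[1] if len(args) > 1 else ""
        elif stmt.startswith("FEATURE(") and args[:1] == ["no_default_msa"]:
            no_default_msa = True
        elif stmt.startswith("DAEMON_OPTIONS(") and args:
            opts = daemon_opts(args[0])
            if opts.get("Port", "").lower() in ("submission", "587"):
                msa_modifiers = opts.get("M", "")
    if msa_modifiers is None:
        findings.append("no active DAEMON_OPTIONS for Port=submission: the MSA line "
                        "is missing or still disabled by a leading dnl")
    else:
        if "A" in msa_modifiers:
            findings.append("MSA modifier 'A' disables AUTH on the submission port")
        if "a" not in msa_modifiers:
            findings.append("MSA modifiers lack 'a', so AUTH is not required on the submission port")
        if not no_default_msa:
            findings.append("explicit MSA DAEMON_OPTIONS without FEATURE(`no_default_msa') "
                            "duplicates the built-in MSA entry")
    if auth_options is None:
        findings.append("confAUTH_OPTIONS is not set")
    elif "p" not in auth_options:
        findings.append("confAUTH_OPTIONS lacks 'p': PLAIN and LOGIN will be offered before TLS")
    return findings


if __name__ == "__main__":
    for name, text in (("stock", MC_STOCK), ("fixed", MC_FIXED)):
        print(name, "->", check_msa_auth(text) or ["ok"])
```

The stock snippet yields two findings (the dnl'd MSA line and the missing `p`); the corrected snippet yields none. The check only covers the settings named in this thread; it says nothing about whether the SASL plugins are installed, which is the other half of the problem.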
On Oct 9, 2013, at 3:33 AM, Alexander Dalloz wrote:
> Make sure you have the sendmail-cf package installed, else the .cf files can't be rebuilt based on modified .mc files. Also make sure that you have the necessary cyrus-* packages installed.
Yes, got those.
[root@pennzoil mail]# yum list installed | grep sendmail
sendmail.x86_64          8.14.4-8.el6    @base
sendmail-cf.noarch       8.14.4-8.el6    @base
sendmail-milter.x86_64   8.14.4-8.el6    @base
[root@pennzoil mail]# yum list installed | grep cyrus
cyrus-sasl.x86_64        2.1.23-13.el6_3.1    @updates
cyrus-sasl-lib.x86_64    2.1.23-13.el6_3.1    @updates
> FEATURE(`no_default_msa', `dnl')dnl
> -> this is the default in the sendmail.mc shipped with CentOS
> DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
> -> this is commented out with a leading dnl in the default sendmail.mc. The important part is the modifier "M=Ea": the "a" bit enforces the requirement for AUTH on the MSA (port 587).
Yes, I have those lines enabled as well. I can connect SSL to 587, but just not getting the AUTH capability.
--Chris
On 09.10.2013 16:17, Chris Boyd wrote:
> On Oct 9, 2013, at 3:33 AM, Alexander Dalloz wrote:
>> Make sure you have the sendmail-cf package installed, else the .cf files can't be rebuilt based on modified .mc files. Also make sure that you have the necessary cyrus-* packages installed.
> Yes, got those.
> [root@pennzoil mail]# yum list installed | grep sendmail
> sendmail.x86_64          8.14.4-8.el6    @base
> sendmail-cf.noarch       8.14.4-8.el6    @base
> sendmail-milter.x86_64   8.14.4-8.el6    @base
> [root@pennzoil mail]# yum list installed | grep cyrus
> cyrus-sasl.x86_64        2.1.23-13.el6_3.1    @updates
> cyrus-sasl-lib.x86_64    2.1.23-13.el6_3.1    @updates
You are missing at least cyrus-sasl-plain.
>> FEATURE(`no_default_msa', `dnl')dnl
>> -> this is the default in the sendmail.mc shipped with CentOS
>> DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
>> -> this is commented out with a leading dnl in the default sendmail.mc. The important part is the modifier "M=Ea": the "a" bit enforces the requirement for AUTH on the MSA (port 587).
> Yes, I have those lines enabled as well. I can connect SSL to 587, but just not getting the AUTH capability.
Is it really Sendmail listening on localhost port 587? I doubt it! It is Postfix. Sendmail would have a different greeting statement than
250-pennzoil.gizmopartners.com Hello localhost [127.0.0.1], pleased to meet you
On CentOS 6 the default MTA is Postfix. You can change that by using the alternatives mechanism, stopping the postfix service and starting the sendmail service. You haven't followed your /var/log/mail; otherwise you would have seen what's happening.
> --Chris
Alexander
On Oct 9, 2013, at 11:24 AM, Alexander Dalloz wrote:
> You are missing at least cyrus-sasl-plain.
Bingo! We have a winner! Installing that package and restarting saslauthd and sendmail fixed it.
> Is it really Sendmail listening on localhost port 587? I doubt it! It is Postfix. Sendmail would have a different greeting statement than
> 250-pennzoil.gizmopartners.com Hello localhost [127.0.0.1], pleased to meet you
Yes, I'm definitely talking to sendmail. I use greetpause and a custom greeting:
[root@pennzoil mail]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220-pennzoil.gizmopartners.com ESMTP
220-Authorized use only. Spammers who send email
220-using this system agree that they will pay Five Hundred
220-US Dollars per message. Please send small unmarked bills.
220-Thanks for paying attention.
220 Have a good day.
I have yet to collect from a spammer, but you never know.
Thanks much for your help.
--Chris