# SASL, Sendmail, SMTP AUTH, PAM doesn't want to play nice at all

## akakul

Hi Guys,

Hope you can help me with this problem I have been having for two days now:

Running Sendmail under Gentoo for delivery to local accounts, and forwarding mail on to other servers (it's also a backup MX). Using a number of Sendmail milters etc.; all has been fine for a while.

Now adding SMTP AUTH using cyrus-sasl via PAM for auth, except it doesn't work.

I've spent two days reading half the net on this and getting nowhere fast.

(sasl2 has not been used before on this server, so it's a virgin install.)

Checked SASL compiled into sendmail:

```
7 mail # sendmail -d0.20 -bv | grep -i sasl
                SASLv2 SCANF STARTTLS USERDB USE_LDAP_INIT XDEBUG
```

Also checked the USE flags in /etc/make.conf includes "SASL" & "SSL" etc.

I have created:

```
7 ~ # cat /etc/sasl2/Sendmail.conf
pwcheck_method: saslauthd
mech_list: login plain
```

Created a PEM file for Sendmail (not sure this is correct, and I'm using the default /etc/ssl/ca-cert.pem, which I hope is the correct file to use):

```
mkdir /etc/mail/certs
cd /etc/mail/certs
openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 365
```

Checked /etc/conf.d/saslauthd contains PAM options (defaults):

```
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam"
```

Added these bits to the sendmail.mc file (tried all sorts of combinations):

```
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confCACERT_PATH',`/etc/ssl/certs')dnl
define(`confCACERT',`/etc/ssl/certs/ca-cert.pem')dnl
define(`localCERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_CERT',`localCERT')dnl
define(`confCLIENT_KEY',`localCERT')dnl
define(`confSERVER_CERT',`localCERT')dnl
define(`confSERVER_KEY',`localCERT')dnl
```

Also added anal logging to assist with debugging:

```
define(`confLOG_LEVEL', `17')dnl
```

Rebuilt .cf and restarted services:

```
(cd /etc/mail;m4 sendmail.mc > sendmail.cf)
/etc/init.d/saslauthd restart
/etc/init.d/sendmail restart
```

The /var/log/mail.log tells me a number of things that I'm most unhappy with and can't seem to solve (or find any decent help on in Google & the Gentoo pages):

Extract from log:

```
NOQUEUE: connect from (my connection details)
AUTH warning: no mechanisms
jBU3wNdU019610: --- 220 (my server name) ESMTP Sendmail 8.13.4/8.13.4; Fri, 30 Dec 2005 03:58:23 GMT
jBU3wNdU019610: <-- EHLO (my NAT ip)
jBU3wNdU019610: --- 250-(my server name) Hello (my connection details), pleased to meet you
jBU3wNdU019610: --- 250-ENHANCEDSTATUSCODES
jBU3wNdU019610: --- 250-PIPELINING
jBU3wNdU019610: --- 250-8BITMIME
jBU3wNdU019610: --- 250-SIZE
jBU3wNdU019610: --- 250-DSN
jBU3wNdU019610: --- 250-ETRN
jBU3wNdU019610: --- 250-STARTTLS
jBU3wNdU019610: --- 250-DELIVERBY
jBU3wNdU019610: --- 250 HELP
jBU3wNdU019610: <-- STARTTLS
jBU3wNdU019610: --- 220 2.0.0 Ready to start TLS
STARTTLS=server, get_verify: 0 get_peer: 0x0
STARTTLS=server, relay=(my connection details), version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
AUTH: available mech=LOGIN PLAIN, allowed mech=LOGIN PLAIN
jBU3wNdU019610: <-- EHLO (my NAT ip)
jBU3wNdV019610: --- 250-(my server name) Hello (my connection details), pleased to meet you
jBU3wNdV019610: --- 250-ENHANCEDSTATUSCODES
jBU3wNdV019610: --- 250-PIPELINING
jBU3wNdV019610: --- 250-8BITMIME
jBU3wNdV019610: --- 250-SIZE
jBU3wNdV019610: --- 250-DSN
jBU3wNdV019610: --- 250-ETRN
jBU3wNdV019610: --- 250-AUTH LOGIN PLAIN
jBU3wNdV019610: --- 250-DELIVERBY
jBU3wNdV019610: --- 250 HELP
jBU3wNdV019610: <-- AUTH PLAIN AHRlc3QAdGVzdA==
jBU3wNdV019610: --- 535 5.7.0 authentication failed
jBU3wNdV019610: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed
jBU3wNdV019610: <-- AUTH LOGIN
jBU3wNdV019610: --- 334 VXNlcm5hbWU6
jBU3wNdV019610: --- 334 UGFzc3dvcmQ6
jBU3wNdV019610: --- 535 5.7.0 authentication failed
jBU3wNdV019610: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
jBU3wNdV019610: <-- AUTH PLAIN AHRlc3QAY2FtZWwz
jBU3wNdV019610: (my connection details): possible SMTP attack: command=AUTH, count=3
jBU3wNdV019610: --- 535 5.7.0 authentication failed
jBU3wNdV019610: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed
jBU3wNdV019610: <-- AUTH LOGIN
jBU3wNdV019610: --- 334 VXNlcm5hbWU6
jBU3wNdV019610: --- 334 UGFzc3dvcmQ6
jBU3wNdV019610: --- 535 5.7.0 authentication failed
jBU3wNdV019610: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
jBU3wNdV019610: --- 421 4.4.1 (my server name) Lost input channel from (my connection details)
jBU3wNdV019610: (my connection details) did not issue MAIL/EXPN/VRFY/ETRN during connection to (my server name)
```

What appears to happen is that I can't auth any user (I even set up a Unix user/pass test/test, which didn't work either). The key to this, I think, is the second line (AUTH warning: no mechanisms), but I can't find any decent info anywhere about checking this manually. Though I have checked that the .so files exist for plain & login (/usr/lib/sasl2/libplain.so* & liblogin.so*).

This appears to connect OK and displays the correct pem cert I created.

```
openssl s_client -starttls smtp -connect localhost:25
```

Have been testing remote SMTP AUTH with "Mozilla 1.7.12 - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915", with "TLS, if available" ticked, entering the username, and the password when prompted.

Ultimately I want TLS working for all connections that have a correct user/pass to present to sendmail in advance of allowing relaying, and to be able to prevent non-TLS/auth'd connections from relaying through this server.

Any help would be greatly appreciated, as this combination on Gentoo is driving me nuts. I have this working on a number of RHEL boxes (same software combos) without issues or two days of googling. I'd like to avoid reverting to RHEL on this box just to get SMTP AUTH working. - HELP!!
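An added example (mine, not from the post or from Sendmail/cyrus-sasl): a small Python reader for a log excerpt like the one above that decodes the PLAIN initial response and separates the three places this handshake can fail, TLS, mechanism negotiation, and the saslauthd/PAM password check. The sample lines are constructed to mirror the post's log (the PLAIN token is the test/test credential the poster mentions); the dictionary keys and verdict strings are my own.

```python
import base64
import re

# Constructed excerpt modelled on the mail.log in the post; the PLAIN token
# carries the test/test credential the poster says they created.
SAMPLE_LOG = """\
AUTH warning: no mechanisms
STARTTLS=server, relay=(client), version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
AUTH: available mech=LOGIN PLAIN, allowed mech=LOGIN PLAIN
jBU3wNdV019610: <-- AUTH PLAIN AHRlc3QAdGVzdA==
jBU3wNdV019610: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed
jBU3wNdV019610: <-- AUTH LOGIN
jBU3wNdV019610: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
"""

def decode_plain(token):
    """Split a SASL PLAIN initial response (RFC 4616: authzid NUL authcid NUL
    passwd, base64) into its three fields; authzid is normally empty."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    return tuple(p.decode("utf-8") for p in parts)

def analyse(log):
    # Record what the SMTP and SASL layers did, line by line.
    r = {"plain_mechs_before_tls": True, "tls_started": False, "allowed_after_tls": [], "attempts": []}
    for line in log.splitlines():
        if "AUTH warning: no mechanisms" in line:
            # Expected with confAUTH_OPTIONS `p`: plaintext mechs are withheld until TLS is up.
            r["plain_mechs_before_tls"] = False
        elif line.startswith("STARTTLS=server, relay="):
            r["tls_started"] = True
        elif (m := re.search(r"allowed mech=(.*)$", line)):
            r["allowed_after_tls"] = m.group(1).split()
        elif (m := re.search(r"<-- AUTH (PLAIN|LOGIN)(?: (\S+))?$", line)):
            # PLAIN sends the credentials in the initial response; LOGIN sends them later.
            user = decode_plain(m.group(2))[1] if m.group(1) == "PLAIN" else None
            r["attempts"].append({"mech": m.group(1), "user": user, "error": None})
        elif (m := re.search(r"AUTH failure \((\w+)\): .*: ([^:]+)$", line)):
            r["attempts"][-1]["error"] = m.group(2).strip()  # reason from the SASL backend
    return r

def diagnose(r):
    # Name the layer that failed: TLS, mechanism negotiation, or the password backend.
    if not r["tls_started"]:
        return "TLS never started; with confAUTH_OPTIONS `p` no plaintext mechanism is offered"
    if not r["allowed_after_tls"]:
        return "no mechanism allowed after TLS; check mech_list and the sasl2 plugin directory"
    errors = sorted({a["error"] for a in r["attempts"] if a["error"]})
    if errors:
        return "negotiation is fine; the password backend rejected the credentials: " + "; ".join(errors)
    return "no AUTH failure recorded"
```

On this log the verdict lands on the backend, so the next check is saslauthd itself rather than sendmail, e.g. `testsaslauthd -u test -p test -s smtp` (shipped with cyrus-sasl) against the running daemon.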

----------

## magic919

I don't do any Sendmail as I'm a Postfix guy, but I did find a page that may help you troubleshoot it: http://www.sendmail.org/~ca/email/auth.html  Worth a look.

----------

## akakul

Yeah, I've been to that page a few times already; it's of no help, unfortunately.

My gut feeling is this is likely to be a SASL problem (but I could be very wrong).

And with Gentoo (and followers) seemingly preferring Postfix, I've even read half the Gentoo Postfix SASL setup guides/notes on the net in an attempt to work out how to solve this.

Though I never did find a comprehensive install/testing guide for SASL under Gentoo; the only info I've found at all is mostly non-Gentoo, and that's been of little help as Gentoo puts pretty much every system file in its own special places.

----------

## magic919

Sorry to hear this is not going well. Are you sure it's Gentoo with the funny ideas about where to put files? Coming from RH (as I have)... Anyways...

We can see Sendmail with no auth mechanisms. Then the TLS server starts and hey presto, we have a mechanism. This all looks good, but the login fails.

Is there a way you can concentrate your troubleshooting on SASL? Can you run saslauthd on the command line and not daemonise, to get debug output?

Can you run the sample SASL server and client I see mentioned and get that to use saslauthd successfully?

----------

## akakul

Unfortunately, I know very little about SASL, and the man pages lend themselves more to setup than debugging. So I have few ideas on how to confirm the problem is SASL and exactly where the problem is.

----------

## Pete M

Perhaps one of my old posts may help

https://forums.gentoo.org/viewtopic-t-357913-highlight-.html

Pete

----------

## akakul

Yes, I've come across that post of yours a few times in the last 2-3 days of searching, and it's confirmed for me that a number of my config options were correct, but still I have a no-go :-\

----------

## sunckell

I realize just throwing links at you isn't the greatest help of all time, but I was able to get it working with:

http://info.ccone.at/INFO/RH-sendmail-HOWTO/c239.html#AEN242

and

http://www.falkotimme.com/howtos/sendmail_smtp_auth_tls/ (this one especially).

Of course there were some changes that needed to be done to compensate for the Gentoo distro. It's been a while since I did it. If I can find my notes I'll post them later.

Good luck,

SunCkell

----------

## Pete M

Have you added users to SASL?

```
# saslpasswd2 -c user
```

Pete

----------

## Robert S

I have spent several days on this and got it working.

I note that you have the options in sendmail in the wrong order. Here's what works for me:

*Quote:*

> dnl ### do SMTPAUTH
> 
> define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5 NTLM')dnl
> 
> TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5 NTLM')dnl
> ...


I think the order is important.

Also (see my recent post), some of the mechanisms (CRAM-MD5 etc) don't work in the latest version.  I downgraded to 2.1.19-r1 and finally got everything working properly.  See https://forums.gentoo.org/viewtopic-t-418879-highlight-.html

I found this exceptionally difficult to get to work in Gentoo. In comparison, I set it up on my Debian machine at work and it worked "out of the box".
