Sendmail SMTP Problem

Frederic Herman fherman at inferential.com
Sat Apr 10 23:01:40 UTC 2004


On Sat, 10.04.2004 at 13:02, Frederic Herman wrote:


>> After upgrading from RedHat 9 to Fedora core, I have a problem with 
>> smtp, due to sendmail now using sasl for authentication.  I have 
>> saslauthd running as:
>  
>

SASL(2) was used for authentication before too.


>> /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
>  
>

That is hopefully just the line you get by "ps axuw". Run the saslauthd
service through its init script. Therein the MECH is specified and by
default it's using shadow. You can overwrite that by setting the MECH in
/etc/sysconfig/saslauthd (create that file if not there). To start the
saslauthd run "service saslauthd start". To be sure it is automagically
running in the desired runlevels use "chkconfig --list saslauthd".

Yes-- that's what I was doing. 

>> which should use the /etc/shadow file for authentication.  However, what 
>> actually happens is that each user must have their username & password 
>> in the /etc/sasldb2 file.  As far as I can tell, the shadow password 
>> file isn't being used for authentication.  The only configuration file 
>> that I'm aware of the sasl should be using is 
>> /usr/lib/sasl2/Sendmail.conf which contains:
>> 
>> pwcheck_method: sasluathd
>  
>

saslauthd as pwcheck_method is correct. But it matters which client you
use to talk with the Sendmail daemon and which auth mech that one uses.
If your mail client is using i.e. CRAM-MD5 then this will not work with
saslauthd against shadow. That will always require authentication
against a sasldb2. Only PLAIN and LOGIN run with shadow.

You should check in your sendmail.mc configuration which authentication
mechanisms your Sendmail offers to clients. You can see that too if you
"telnet sendmail_IP 25" and, after the greeting, send an "EHLO foo".
Sendmail then shows you, along with other information, a line "250 AUTH
...".


>> I'd actually like to not use passwords for this since I already restrict 
>> smtp to a very limited number of IPs, because every time a user starts 
>> their browser, they have to reenter their password.
>  
>

If you do not require Sendmail authentication at all, because your
SMTP restriction is already for few very specific IPs (i.e. from private
address area, static IPs) - you can switch off SMTP AUTH in your
sendmail.mc and use "IP RELAY" in the access_db map. On the other hand
you could switch off SMTP AUTH too on a per IP basis.


>> Any help would be appreciated.
>> 
>> Fred
>  
>

Alexander

I tested sendmail via your suggestion and confirmed that it was only offering the auth methods that you said would not work with shadow passwords.  I changed sendmail.mc to use PLAIN and LOGIN, and now the server is using the shadow passwords.  

Rather than shutting off auth, I decided that using it would be a better idea even though I currently only service fixed and limited ip's.  The reason is that I will be going through this drill for another mail server that in the past restricted what a roaming client could do.  We will just instruct our mail clients to be prepared to enter a password, and have their browser remember it.

Thank you for your help.

Fred
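
An added example, not part of the original messages: the EHLO check suggested in this thread, scripted in Python so the advertised AUTH mechanisms are sorted by the password backend they can use. The sample replies are constructed; treating DIGEST-MD5 like CRAM-MD5 and the STARTTLS flag are additions here, not statements from the thread.

```python
import re

# Per the thread: saslauthd against shadow can only verify PLAIN and LOGIN.
SHADOW_CAPABLE = {"PLAIN", "LOGIN"}
# Shared-secret mechanisms need the stored secret, i.e. an entry in sasldb2.
# CRAM-MD5 is from the thread; DIGEST-MD5 is added here on the same grounds.
SASLDB_ONLY = {"CRAM-MD5", "DIGEST-MD5"}

# Constructed EHLO replies (not captured from a real server).
REPLY_BEFORE = """\
250-mail.example.com Hello foo [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP
"""
REPLY_AFTER = REPLY_BEFORE.replace("DIGEST-MD5 CRAM-MD5", "LOGIN PLAIN")


def parse_ehlo(reply):
    """Return (AUTH mechanisms, STARTTLS advertised) from an EHLO reply."""
    mechs, starttls = set(), False
    for line in reply.splitlines()[1:]:          # first line is the greeting
        m = re.match(r"250[- ](\S+)\s*(.*)$", line.strip())
        if not m:
            continue
        # Also accept the legacy "AUTH=LOGIN PLAIN" spelling some servers emit.
        keyword, _, first = m.group(1).upper().partition("=")
        if keyword == "AUTH":
            mechs.update(f"{first} {m.group(2)}".upper().split())
        elif keyword == "STARTTLS":
            starttls = True
    return mechs, starttls


def classify(reply):
    """Sort the advertised mechanisms by the password backend they can use."""
    mechs, starttls = parse_ehlo(reply)
    return {
        "shadow_ok": sorted(mechs & SHADOW_CAPABLE),
        "needs_sasldb2": sorted(mechs & SASLDB_ONLY),
        "other": sorted(mechs - SHADOW_CAPABLE - SASLDB_ONLY),
        # PLAIN/LOGIN carry the password merely base64-encoded, so flag a
        # server that offers them without also advertising STARTTLS.
        "cleartext_without_starttls": bool(mechs & SHADOW_CAPABLE) and not starttls,
    }


if __name__ == "__main__":
    for name, reply in (("before", REPLY_BEFORE), ("after", REPLY_AFTER)):
        print(name, classify(reply))
```

A server that reports `cleartext_without_starttls` as true accepts shadow passwords but exposes them to anyone on the path, so pair PLAIN/LOGIN with TLS before opening the server to roaming clients.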





