Sendmail SMTP Auth and cyrus-sasl-2.1.17 glitch

[dan28088]

Hi -
I seem to have generated a problem in my efforts to follow the "Sendmail-SMTP-AUTH-TLS-Howto" for I have no authentication ability.

The sendmail part of the equation seems to be working ok, but it looks like my problem is related to saslauthd failing.

As set out in the HOW-To, I downloaded and built the three indicated files
cd /tmp
wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz
wget --passive-ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-m...-2.1.17.tar.gz
wget --passive-ftp ftp://ftp.sendmail.org/pub/sendmail/...8.12.11.tar.gz

The build for sasl2 was exactly as indicated -
---------
3 Install Cyrus-sasl2

cd /tmp
tar xvfz cyrus-sasl-2.1.17.tar.gz
cd cyrus-sasl-2.1.17
./configure --enable-anon --enable-plain --enable-login --disable-krb4 --with-saslauthd=/var/run/saslauthd --with-pam --with-openssl=/usr/local/ssl --with-plugindir=/usr/local/lib/sasl2 --enable-cram --enable-digest --enable-otp (1 line!)
make
make install
---------

and the rests of the install seemed to progress without incident.

When I attempted to start both saslauthd and sendmail I didn't at first notice that there was no real indication that saslauthd was not running. What I did notice was that when I provided my password in the effort to send a message I got a failure.

To help localize the issue I edited my sendmail.cm to narrow the focus for the methods of authentication.
----------
[root@roadrunner cf]# cat sendmail.mc
dnl ### do SMTPAUTH
dnl ### define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
dnl ### define('confAUTH_OPTIONS', `A p y')dnl

dnl ### define('confAUTH_OPTIONS', `A')dnl
dnl ### define('confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl ### TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

dnl ### TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl

define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

define('confLOG_LEVEL', `14')dnl

dnl ### do STARTTLS
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl

dnl ###
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define(`confMAX_MESSAGE_SIZE', `15000000')dnl Denial of Service Attacks
define(`confMAX_DAEMON_CHILDREN', `30')dnl Denial of Service Attacks
define(`confCONNECTION_RATE_THROTTLE', `2')dnl Denial of Service Attacks
define(`confMAXRCPTSPERMESSAGE', `50')dnl Denial of service Attacks
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `20s')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `35m')dnl
define(`confTO_DATAFINAL', `35m')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
define(`confALIAS_WAIT', `0')dnl
define(`confMAX_HOP', `35')dnl
define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `12')dnl
define(`confSEPARATE_PROC', `False')dnl
define(`confCON_EXPENSIVE', `true')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,ne edmailhelo')dnl
OSTYPE(linux)dnl
FEATURE(`delay_checks')dnl
FEATURE(`generics_entire_domain')dnl
FEATURE(`local_procmail')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`nouucp',`reject')dnl
FEATURE(`redirect')dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`virtuser_entire_domain')dnl

FEATURE(dnsbl,`blackholes.mail-abuse.org',
` Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/lookup?$& {client_addr}')dnl
FEATURE(dnsbl,`dialups.mail-abuse.org',
` Mail from dial-up rejected; see http://mail-abuse.org/dul/enduser.htm')dnl

FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl
FEATURE(access_db)dnl
FEATURE(lookupdotdomain)dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
--------------

From this I then can make sendmail.cf and at least confirm the following:

[root@roadrunner mail]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 roadrunner.jlazyh.com ESMTP
EHLO localhost
250-roadrunner.jlazyh.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 15000000
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP

Converting a login and password to 64base and attempting to test the authentication I got an error -

From this I started to look for causes, and tested saslauthd.

I found that I had two versions on the system
/usr/sbin/saslauthd (dating from 2002)
/usr/local/sbin/saslauthd (Aug 3, 3006 - built yesterday)

The existance of different versions is more clearly seen here:
[root@roadrunner cf]# /usr/local/sbin/saslauthd -v
saslauthd 2.1.17
authentication mechanisms: getpwent pam rimap shadow

[root@roadrunner cf]# /usr/sbin/saslauthd -v
saslauthd 2.1.10
authentication mechanisms: getpwent kerberos5 pam rimap shadow

My /etc/init.d/saslauthd startup file initially referenced the /usr/sbin/saslauthd file - and when run would not indicate an error but
ps -ax | grep saslauthd didn't show anything.

Adjusting the path to the new file, and later copying the sasl* files into /usr/sbin/ directly, I find on startup I get an error - the same when I try to start it manually:

[root@roadrunner mail]# /usr/sbin/saslauthd -a shadow
saslauthd[24993] :detach_tty : Cannot start saslauthd
saslauthd[24993] :detach_tty : could not read from startup_pipe
[root@roadrunner mail]#

And now I am stuck - I can't find any paths to follow on this issue, and am at a loss as to what the issue is with the startup_pile and/or detach_tty.

I am sure there is more information that I can provide that would be helpful - but this note is long enough already.

Truly would appreciate some help and guidance in resolving this. Thanks in advance.

Cheers -

[falko]

Why don't you use the /etc/init.d/saslauthd file that'S provided in this tutorial? http://www.howtoforge.com/howto_sendmail_smtp_auth_tls

[dan28088]

That's a reprint of the tutorial that I did use -

The issue doesn't seem to be Sendmail itself - rather something with saslauthd

[root@roadrunner mail]# /usr/sbin/saslauthd -a shadow
saslauthd[24993] :detach_tty : Cannot start saslauthd
saslauthd[24993] :detach_tty : could not read from startup_pipe

I built it with the options presented in the how-to so as not to deviate from the example, but it seems that I should try again with fewer options. The thing is that I don't know is what options are truly necessary and what options I can try and leave out.

There may be someother thing to try as well as the build itself went fine - just the error above shows something not right.

I included the process that got me to this point as it seemed possible that I might have tripped up somewhere in route - so I thought it helpful to provide a summary of those steps.

I did strip it out and try again, but same result.

[falko]

The problem is that you already have another version of saslauthd installed on your system. That's why your version got installed to /usr/local/sbin/saslauthd instead of /usr/sbin/saslauthd. So in the saslauthd init script from the tutorial, replace

Code:

DAEMON="/usr/sbin/${NAME}"

with

Code:

DAEMON="/usr/local/sbin/${NAME}"

and try again.