<div dir="ltr"><div dir="ltr"><div><div><div>I have a working setup of Sendmail 8.14.5 +
Cyrus-SASL 2.1.25p2-ldap + cyrus-imapd-2.4.13p0. The users' passwords
are obtained from an LDAP server which authenticates users for other services.<br><br>Only one problem is still not solved:<br>
<br>How can I enable PLAIN LOGIN in the 250-AUTH advertisement by Sendmail just after the STARTTLS session is established?<br>
<br></div>Plain login has been enabled in Sendmail config.mc (sendmail was built with SASLv2 and STARTTLS support)<br>
<br></div><div>#cat /etc/imapd.conf<br>...<br>sasl_pwcheck_method: saslauthd<br>
tls_ca_file: /etc/mail/certs/ca.crt<br>tls_cert_file: /etc/mail/certs/client.crt<br>tls_key_file: /etc/mail/certs/client.pem<br></div><div><br></div>#sendmail -d0.1 -dv<br>Version 8.14.5<br> Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8<br>
MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS<br> PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS TCPWRAPPERS USERDB<br> USE_LDAP_INIT XDEBUG<br><br>============ SYSTEM IDENTITY (after readcf) ============<br>
<br></div># cat /usr/share/sendmail/cf/openbsd-proto.mc<br>...<br>dnl The option below is blocking PLAIN and LOGIN attempts on unsecured channels<br>
dnl (i.e. port 25 w/o STARTTLS command issued first)<br>
define('confAUTH_OPTIONS', 'A p y')dnl<br>define('confAUTH_MECHANISMS', 'LOGIN PLAIN')dnl<br>TRUST_AUTH_MECH('LOGIN PLAIN')dnl<br>dnl<br>dnl Tell sendmail not to bother to ask for client certificates<br>
dnl define('confTLS_SRV_OPTIONS', 'V')dnl<br>dnl<br>dnl STARTTLS support for SMTP-AUTH; uncomment and read starttls(8) to use<br>dnl<br>define(`CERT_DIR', `MAIL_SETTINGS_DIR/certs')dnl<br>define(`confCACERT_PATH', `CERT_DIR')dnl<br>
define(`confCACERT', `CERT_DIR/ca.crt')dnl<br>define(`confSERVER_CERT', `CERT_DIR/server.crt')dnl<br>define(`confSERVER_KEY', `CERT_DIR/private/server.pem')dnl<br>define(`confCLIENT_CERT', `CERT_DIR/client.crt')dnl<br>
define(`confCLIENT_KEY', `CERT_DIR/client.pem')dnl<br>...<br>dnl<br>MAILER(smtp)dnl<br>MAILER(local)dnl<br>dnl<br>define('confLOCAL_MAILER', 'cyrysv2')dnl<br>MAILER(cyrusv2)dnl<br>dnl<br>define('confLOG_LEVEL', '14')dnl<br>
<div><div><div><div>...<br><br>#openssl s_client -starttls smtp -crlf -connect you.server.tld:587<br>...<br>xpansion: NONE<br>SSL-Session:<br> Protocol : TLSv1<br> Cipher : DHE-RSA-AES256-SHA<br> Session-ID: 839845D8DB239212176A8BA0F2EDBEFCA66B33F52FD7CB2521DECF7A55077444<br>
Session-ID-ctx:<br> Master-Key: 1CA3EFC72A9E61DE10AF2A9E5B2DA7560529A6EAC826238E1A7D2389E6613DD35427DBAFAAF571D4DE7F8978DF0B3361<br> Key-Arg : None<br> PSK identity: None<br> PSK identity hint: None<br>
TLS session ticket:<br>
 Start Time: 1382081852<br> Timeout : 300 (sec)<br> Verify return code: 19 (self signed certificate in certificate chain)<br>
---<br>250 HELP<br>ehlo localhost<br>250-mail.server.org Hello root@50-0-1-5.static.sonic.net [50.0.1.5], pleased to meet you<br>
250-ENHANCEDSTATUSCODES<br>250-PIPELINING<br>250-8BITMIME<br>250-SIZE<br>250-DSN<br>250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5<br>but where is LOGIN PLAIN, which must be present according to Sendmail config.mc?<br>
250-DELIVERBY<br>250 HELP<br><br></div><div>The PLAIN LOGIN advertisement is also absent when connected:<br><br></div><div>#telnet localhost 587 or #telnet ext_ip_server's_address 587<br>Trying 127.0.0.1...<br>Connected to localhost.<br>
Escape character is '^]'.<br>220 mail.server.org ESMTP Sendmail 8.14.5/8.14.5; Fri, 18 Oct 2013 11:42:11 +0400 (MSK)<br>
ehlo localhost<br>250-mail.server.org Hello root@localhost [127.0.0.1], pleased to meet you<br>
250-ENHANCEDSTATUSCODES<br>250-PIPELINING<br>250-8BITMIME<br>250-SIZE<br>250-DSN<br>250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5<br>there is no PLAIN LOGIN advertisement here either<br>250-STARTTLS<br>250-DELIVERBY<br>250 HELP<br></div>
<div>
<br>TLS encryption of the connection is working properly, but Sendmail does not
issue 250-AUTH PLAIN LOGIN and still offers me some encrypted
mechanisms like GSSAPI, CRAM-MD5 and DIGEST-MD5, but I need PLAIN LOGIN.<br>
<br>What am I doing wrong? Or maybe I have to rebuild
Cyrus-SASL from ports and/or sources with the PLAIN LOGIN options enabled? Can it be a bug in Cyrus-SASL and/or Sendmail?<br>
<br>Please advise.<br></div></div></div></div></div>
</div>
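<div>A check of the kind the post performs by eye, as an added example that is not part of the original message: it compares the mechanisms set with confAUTH_MECHANISMS in an .mc file against the 250-AUTH line of an EHLO reply, and reports define() calls whose arguments are not wrapped in m4's own quote pair (backquote to open, apostrophe to close). The function names and the sample text are assumptions constructed from lines quoted in the post.</div>

```python
import re

# m4 quotes open with a backquote and close with an apostrophe: `text'
M4_DEFINE = re.compile(r"define\(\s*([`'])(conf\w+)'\s*,\s*([`'])(.*?)'\s*\)")

# Constructed sample input, modelled on lines quoted in the post.
SAMPLE_MC = """\
define('confAUTH_MECHANISMS', 'LOGIN PLAIN')dnl
define(`confCACERT', `CERT_DIR/ca.crt')dnl
dnl define('confTLS_SRV_OPTIONS', 'V')dnl
"""
SAMPLE_EHLO = "250-DSN\n250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5\n250 HELP\n"

def parse_mc(text):
    """Return {macro: (value, m4_quoted)} for define() lines not disabled by dnl."""
    out = {}
    for line in text.splitlines():
        if line.lstrip().startswith("dnl"):
            continue  # whole line is an m4 comment
        m = M4_DEFINE.search(line)
        if m:
            open_name, name, open_val, value = m.groups()
            out[name] = (value, open_name == "`" and open_val == "`")
    return out

def advertised_auth(ehlo_reply):
    """Collect the mechanisms listed on the AUTH line(s) of an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.I)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs

def audit(mc_text, ehlo_reply):
    """List configured-but-unadvertised mechanisms, then quoting findings."""
    defs = parse_mc(mc_text)
    findings = []
    value, _ = defs.get("confAUTH_MECHANISMS", ("", True))
    missing = sorted(set(value.upper().split()) - advertised_auth(ehlo_reply))
    if missing:
        findings.append("not advertised: " + " ".join(missing))
    for name, (_, quoted) in sorted(defs.items()):
        if not quoted:
            findings.append(name + ": not quoted with `...', so m4 does not set this macro")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MC, SAMPLE_EHLO)))
```

Run the comparison on the EHLO reply captured after STARTTLS as well, since with the `p` flag in confAUTH_OPTIONS the plaintext mechanisms are only expected once the channel is encrypted.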