saslauthd, sendmail, and AUTH

Alexander Dalloz ad+lists at uni-x.org
Wed Jul 12 20:05:31 EDT 2006


Eric Ewanco wrote:

> I am having a heck of a time getting Sendmail 8.13.1 to authenticate 
> using Cyrus saslauthd 2.1.13.  I need help isolating my problem to 
> either saslauthd or Sendmail.
>
Hopefully both Sendmail and Cyrus-SASL are patched to cover the security 
issues the plain upstream versions have.

> Saslauthd has worked fine with Cyrus imapd for years.  If I test it 
> using testsaslauthd, it authenticates fine with a service name of smtp 
> or imap.
> Sendmail, however, refuses to provide the AUTH command and complains
>
> Jul 12 14:11:49 polycarp sendmail[1322]: AUTH warning: no mechanisms
>
> I have followed several sets of instructions for configuring Sendmail 
> for saslauthd and none have worked.
> I am invoking saslauthd with the -a shadow option.
>
> Is there a way to determine which mechanisms are available?  I did this:

Check which Cyrus-SASL libraries are installed, either by using your 
package manager or just looking into the libraries directory. For 
instance, in your case /usr/lib/sasl2 has to contain liblogin.so and 
libplain.so.

> [root at polycarp eje]# /usr/local/sbin/saslauthd -v
> saslauthd 2.1.13
> authentication mechanisms: getpwent pam rimap shadow
>
> How come the "mechanisms" cited by the -v option don't match up with 
> the mech_list in the configuration file (below), but rather match the 
> "methods"?  Which type of mechanism is Sendmail complaining about?

"saslauthd -v" gives you a list of supported (compiled in) auth method 
backends, which is not the same as the mechanism used.

> /usr/lib/sasl2/Sendmail.conf says:
>
> #pwcheck_method: saslauthd
> pwcheck_method: shadow
> mech_list: PLAIN CRAM-MD5 DIGEST-MD5

2 faults: a) with SASLv2 you can't use pwcheck_method shadow! It has 
to be either saslauthd or auxprop. b) using saslauthd you can't use 
shared secret mechs (CRAM-MD5 / DIGEST-MD5).

>
> I tried running saslauthd in debug mode but it printed out nothing 
> when I invoked Sendmail.
>
> sendmail.mc contains:
> define(`confAUTH_MECHANISMS',`LOGIN PLAIN DIGEST-MD5')
> define(`confAUTH_OPTIONS',`y,p,a')

Do you know what these parameters mean? If not, please see Sendmail's 
op.me doc file. You specify "y", which means that LOGIN and PLAIN will 
only be offered when a trusted connection is established: STARTTLS or 
SMTPS. As said before, offering DIGEST-MD5 is useless if you run (or 
need to run) saslauthd, because your auth credentials are stored in the 
shadow file.

> TRUST_AUTH_MECH(`LOGIN DIGEST-MD5 PLAIN')

Your mech list in sendmail.mc does not match the list in Sendmail.conf; 
that is not good. Here it matters because Sendmail now offers LOGIN 
while the SASL setup in Sendmail.conf does not list LOGIN as a possible 
mech. An attempt to use LOGIN will fail.

> ...
> LOCAL_CONFIG
> ESASL_PATH=/usr/lib/sasl2
>
> Thanks!
>
> Eric Ewanco
>
Hope it helps.

Alexander
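
The three faults named in the reply above, expressed as a config check. This is an added example, not part of the original post and not code from Sendmail or Cyrus SASL; the function names and finding codes are hypothetical, and FIXED_CONF / FIXED_MC are constructed samples.

```python
import re

SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5"}  # shared-secret mechs named in the reply

def parse_sasl_conf(text):
    """Parse 'key: value' lines of a SASL application config, skipping # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def mc_mechs(mc_text, name="confAUTH_MECHANISMS"):
    """Mechanisms listed in define(`name',`...') in sendmail.mc, as a set."""
    m = re.search(r"define\(`" + re.escape(name) + r"'\s*,\s*`([^']*)'\)", mc_text)
    return set(m.group(1).upper().split()) if m else set()

def lint(sasl_conf_text, mc_text):
    """Return a list of (code, detail) findings for the faults described in the reply."""
    conf = parse_sasl_conf(sasl_conf_text)
    method = conf.get("pwcheck_method", "")
    sasl = set(conf.get("mech_list", "").upper().split())
    offered = mc_mechs(mc_text)
    findings = []
    # a) SASLv2: pwcheck_method has to be saslauthd or auxprop
    if method not in ("saslauthd", "auxprop"):
        findings.append(("PWCHECK_METHOD", method or "(unset)"))
    # b) saslauthd cannot serve shared-secret mechanisms
    if method == "saslauthd":
        for mech in sorted((sasl | offered) & SHARED_SECRET):
            findings.append(("SHARED_SECRET_WITH_SASLAUTHD", mech))
    # c) Sendmail offers a mechanism that mech_list does not allow
    if sasl:  # only compare when mech_list is set explicitly
        for mech in sorted(offered - sasl):
            findings.append(("OFFERED_NOT_IN_MECH_LIST", mech))
    return findings

# Settings as posted in the thread above.
POSTED_CONF = "#pwcheck_method: saslauthd\npwcheck_method: shadow\nmech_list: PLAIN CRAM-MD5 DIGEST-MD5\n"
POSTED_MC = "define(`confAUTH_MECHANISMS',`LOGIN PLAIN DIGEST-MD5')\ndefine(`confAUTH_OPTIONS',`y,p,a')\n"
# Constructed variant consistent with the reply: saslauthd backend, plaintext mechs only.
FIXED_CONF = "pwcheck_method: saslauthd\nmech_list: LOGIN PLAIN\n"
FIXED_MC = "define(`confAUTH_MECHANISMS',`LOGIN PLAIN')\n"

if __name__ == "__main__":
    for label, c, m in (("posted", POSTED_CONF, POSTED_MC), ("fixed", FIXED_CONF, FIXED_MC)):
        print(label, lint(c, m))
```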



