Sendmail, saslauthd, AUTH DIGEST-MD5 and /etc/shadow ?

Sebastian Hagedorn Hagedorn at uni-koeln.de
Fri Jan 11 14:12:48 EST 2013


You'll have to use sasldb if you want to use DIGEST-MD5. Challenge-response 
only works when both sides know the original password.

> Hello List
>
> I'm struggling (for many days!) to get sendmail AUTH DIGEST-MD5 to work in
> Fedora 17, Linux version 3.6.11-1.fc17.i686.PAE.
>
> I have AUTH PLAIN working, but DIGEST-AUTH refuses. (see Tests: below)
>
> Configuration:
> # yum list sendmail cyrus-sasl*
> Installed Packages
> cyrus-sasl.i686       2.1.23-31.fc17
> cyrus-sasl-lib.i686   2.1.23-31.fc17
> cyrus-sasl-md5.i686   2.1.23-31.fc17
> cyrus-sasl-plain.i686 2.1.23-31.fc17
>
> In /etc/sysconfig/saslauthd containing MECH=shadow and:
> # saslauthd -v
> saslauthd 2.1.23
> authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap httpform
> # ps wax | grep saslauthd
> .... /usr/bin/saslauthd -m /run/saslauthd -a shadow
> # testsaslauthd -u realuser -p realuserpwd -s smtp
> 0: OK "Success."
>
> in /etc/mail/sendmail.mc contains:
> define(`confAUTH_OPTIONS', `A')dnl
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 PLAIN')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL DIGEST-MD5 PLAIN')dnl
> FEATURE(`authinfo', `hash /etc/authinfo.db')dnl
>
> in /etc/sasl2/Sendmail.conf
> pwcheck_method:saslauthd
> mech_list:DIGEST-MD5 PLAIN
> log_level:5
>
> in /etc/mail/authinfo
> AuthInfo:mail......com "U:smmsp" "I:realuser" "P:smmsppwd"
>
> I did "makemap hash authinfo < authinfo" and "chown root:smmsp
> authinfo.db"
>
> and:
> # ls /usr/lib/sasl2/*.so
> /usr/lib/sasl2/libanonymous.so  /usr/lib/sasl2/liblogin.so
> /usr/lib/sasl2/libcrammd5.so    /usr/lib/sasl2/libplain.so
> /usr/lib/sasl2/libdigestmd5.so  /usr/lib/sasl2/libsasldb.so
>
>               ~ o ~
>
> Tests:
> # smtptest -v -p 587 -m DIGEST-MD5 -a realuser -u smmsp localhost
> ...
> C: EHLO smtptest
> ...
> C: AUTH DIGEST-MD5
> S: 334 bm9uY2U9Ik81Lytn...
> Please enter your password:
> C: dXNlcm5hbWU9ImJyYWQiLHJ...
> S: 535 5.7.0 authentication failed
> Authentication failed. generic failure
> Security strength factor: 128
>
> and a connection from Evolution gives Error:
> "The reported error was "AUTH command failed: authentication failed".
>
> /var/log/maillog says:
> AUTH: available mech=PLAIN DIGEST-MD5, allowed mech=EXTERNAL DIGEST-MD5
> PLAIN ...
> --- 535 5.7.0 authentication failed
> AUTH failure (DIGEST-MD5): user not found (-20) SASL(-13): user not
> found: no secret in database.
>
> My question is which database is saslauthd looking in?
> Or perhaps why is it not using shadow?
>
> Both realuser and smmsp are present in /etc/shadow
>
> I repeat AUTH PLAIN works for both smtptest and Evolution tests but not
> DIGEST-MD5.
>
> Have I missed something? Any help would be very much appreciated.
>
>



--
Sebastian Hagedorn - Weyertal 121, Zimmer 2.02
Regionales Rechenzentrum (RRZK)
Universität zu Köln / Cologne University - Tel. +49-221-470-89578
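
Added example, not part of either message above and not Cyrus SASL code: a minimal RFC 2831 response calculation showing why a server can check AUTH PLAIN against a one-way shadow-style hash but cannot check DIGEST-MD5 without the original password. The function names are hypothetical, the shadow-style entry is a constructed SHA-512 stand-in rather than real crypt(3) output, and the challenge values are the worked example from RFC 2831 section 4.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5_response(user, realm, secret, nonce, cnonce, nc, digest_uri, qop="auth"):
    """RFC 2831 response-value for qop=auth with no authzid."""
    # A1 begins with the raw MD5 of user:realm:password, so the password
    # (or that exact MD5) is a required input on both client and server.
    a1 = md5(f"{user}:{realm}:{secret}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}"
    return md5(kd.encode()).hex()

def server_verify(stored_secret, client_response, **params):
    """Server side: recompute the response from the stored secret and compare."""
    expected = digest_md5_response(secret=stored_secret, **params)
    return hmac.compare_digest(expected, client_response)

def shadow_style_entry(password, salt="ConstructedSalt"):
    # Stand-in for an /etc/shadow field: salted one-way hash (not real crypt(3)).
    return "$6$" + salt + "$" + hashlib.sha512((salt + password).encode()).hexdigest()

# Challenge values from the worked example in RFC 2831 section 4 (password "secret").
PARAMS = dict(user="chris", realm="elwood.innosoft.com", nonce="OA6MG9tEQGm2hh",
              cnonce="OA6MHXh6VqTrRk", nc="00000001",
              digest_uri="imap/elwood.innosoft.com")

def demo():
    stored_hash = shadow_style_entry("secret")          # all a shadow backend holds
    response = digest_md5_response(secret="secret", **PARAMS)  # what the client sends
    return {
        "response": response,
        # PLAIN: the password arrives in the clear, so the server can hash and compare.
        "plain_vs_shadow": hmac.compare_digest(shadow_style_entry("secret"), stored_hash),
        # DIGEST-MD5: only the response arrives; the hash cannot stand in for the password.
        "digest_vs_shadow": server_verify(stored_hash, response, **PARAMS),
        "digest_vs_plaintext": server_verify("secret", response, **PARAMS),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```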

