How to enable LOGIN PLAIN under TLS in Sendmail 250-AUTH advertisement (Sendmail 8.14.5 + Cyrys-SASL 2.1.25p2-ldap + cyrus-imapd-2.4.13p0)

Denis Lapshin deniza956 at gmail.com
Fri Oct 18 14:05:58 EDT 2013 

Have working setup Sendmail 8.14.5 + Cyrys-SASL 2.1.25p2-ldap +
cyrus-imapd-2.4.13p0. The user's password getting from LDAP server which
authenticate users for other services.

The only one problem still not solved:

How to enable PLAIN LOGIN in 250-AUTH advertisement by Sendmail just after
STARTTLS session?

Plain login has been enabled in Sendmail config.mc

(sendmail was built with SASLv2 and STARTTLS support)

#cat /etc/imapd.conf
...
sasl_pwcheck_method: saslauthd
tls_ca_file: /etc/mail/certs/ca.crt
tls_cert_file: /etc/mail/certs/client.crt
tls_key_file: /etc/mail/certs/client.pem

#sendmail -d0.1 -dv
Version 8.14.5
 Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8
                MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS TCPWRAPPERS
USERDB
                USE_LDAP_INIT XDEBUG

============ SYSTEM IDENTITY (after readcf) ============

# cat /usr/share/sendmail/cf/openbsd-proto.mc


...
dnl The option below is blocking PLAIN and LOGIN attempts on unsecured
channels
dnl (i.e. port 25 w/o STARTTLS command issued first)
define('confAUTH_OPTIONS', 'A p y')dnl
define('confAUTH_MECHANISMS', 'LOGIN PLAIN')dnl
TRUST_AUTH_MECH('LOGIN PLAIN')dnl
dnl
dnl Tell sendmail not to bother to ask for client sertificates
dnl define('confTLS_SRV_OPTIONS', 'V')dnl
dnl
dnl STARTTLS support for SMTP-AUTH; uncomment and read starttls(8) to use
dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/ca.crt')dnl
define(`confSERVER_CERT', `CERT_DIR/server.crt')dnl
define(`confSERVER_KEY', `CERT_DIR/private/server.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/client.crt')dnl
define(`confCLIENT_KEY', `CERT_DIR/client.pem')dnl
...
dnl
MAILER(smtp)dnl
MAILER(local)dnl
dnl
define('confLOCAL_MAILER', 'cyrysv2')dnl
MAILER(cyrusv2)dnl
dnl
define('confLOG_LEVEL', '14')dnl
...

#openssl s_client -starttls smtp -crlf -connect you.server.tld:587
...
xpansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
839845D8DB239212176A8BA0F2EDBEFCA66B33F52FD7CB2521DECF7A55077444
    Session-ID-ctx:
    Master-Key:
1CA3EFC72A9E61DE10AF2A9E5B2DA7560529A6EAC826238E1A7D2389E6613DD35427DBAFAAF571D4DE7F8978DF0B3361
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 20 50 61 41 7a b8 0b 07-ba 15 5b a7 1d 4d ca bd
PaAz.....[..M..
    0010 - 5e 6b 71 7a 61 22 76 d3-65 8b d4 3e 0f c2 96 e3
^kqza"v.e..>....
    0020 - 8f 03 10 3b ec 26 25 31-dc ee 4d 5e e0 71 21 6d
...;.&%1..M^.q!m
    0030 - cf 7e ff 9e 81 f6 3f a9-2a bf 99 a9 bf bf 7d ea
.~....?.*.....}.
    0040 - a5 f4 1d 50 a8 ef 62 7c-d3 12 45 2a 54 5a 24 de
...P..b|..E*TZ$.
    0050 - 96 c9 ba e5 2d 84 00 f7-0e d4 1d e9 70 d5 4a b6
....-.......p.J.
    0060 - 56 31 39 da 21 ef ce 3c-0e 6a 10 bb a3 c4 d2 cc
V19.!..<.j......
    0070 - 97 61 23 10 bf 93 92 dc-31 60 5b 9b c3 55 e7 96
.a#.....1`[..U..
    0080 - ff 4f e8 89 7e 72 8f c3-90 60 61 e3 ad 05 ca 59
.O..~r...`a....Y
    0090 - 3a b3 75 be 40 1e bc 91-38 24 84 aa 82 04 b9 7b   :.u.@
...8$.....{

    Start Time: 1382081852
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP
ehlo localhost
250-mail.server.org

Hello root at 50-0-1-5.static.sonic.net [50.0.1.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
but there is LOGIN PLAIN which mist be present according to Sendmail
config.mc

?
250-DELIVERBY
250 HELP

The same absence of advertisement of PLAIN LOGIN when connected

#telnet localhost 587 or #telnet ext_ip_server's_address 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.server.org

ESMTP Sendmail 8.14.5/8.14.5; Fri, 18 Oct 2013 11:42:11 +0400 (MSK)
ehlo localhost
250-mail.server.org

Hello root at localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
there is no PLAIN LOGIN advertisement also
250-STARTTLS
250-DELIVERBY
250 HELP

TLS encryption of an connection is working properly, but Sendmail have not
issue 250-AUTH PLAIN LOGIN and still offers me some encrypted mechanisms
like GSSAPI CRAM-MD5 DIGEST-MD5 but I need PLAIN LOGIN.

What I'm doing wrong or maybe I have to rebuild Cyrus-SASL from ports
and/or sources with enabling PLAIN LOGIN options? Can it be a bug in
Cyrus-SASL and/or Sendmail?

Please advise.
<deniza956 at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20131018/d351c591/attachment.html

More information about the Cyrus-sasl mailing list