How to enable LOGIN PLAIN under TLS in Sendmail 250-AUTH advertisement (Sendmail 8.14.5 + Cyrys-SASL 2.1.25p2-ldap + cyrus-imapd-2.4.13p0)
Dan White
dwhite at olp.net
Fri Oct 18 14:25:55 EDT 2013
On 10/18/13 22:05 +0400, Denis Lapshin wrote:
>Have working setup Sendmail 8.14.5 + Cyrys-SASL 2.1.25p2-ldap +
>cyrus-imapd-2.4.13p0. The user's password getting from LDAP server which
>authenticate users for other services.
>
>The only one problem still not solved:
>
>How to enable PLAIN LOGIN in 250-AUTH advertisement by Sendmail just after
>STARTTLS session?
>...
>dnl The option below is blocking PLAIN and LOGIN attempts on unsecured
>channels
>dnl (i.e. port 25 w/o STARTTLS command issued first)
>define('confAUTH_OPTIONS', 'A p y')dnl
>define('confAUTH_MECHANISMS', 'LOGIN PLAIN')dnl
>TRUST_AUTH_MECH('LOGIN PLAIN')dnl
>dnl
>dnl Tell sendmail not to bother to ask for client sertificates
>dnl define('confTLS_SRV_OPTIONS', 'V')dnl
>dnl
>dnl STARTTLS support for SMTP-AUTH; uncomment and read starttls(8) to use
>dnl
>define(`CERT_DIR', `MAIL_SETTINGS_DIR/certs')dnl
>define(`confCACERT_PATH', `CERT_DIR')dnl
>define(`confCACERT', `CERT_DIR/ca.crt')dnl
>define(`confSERVER_CERT', `CERT_DIR/server.crt')dnl
>define(`confSERVER_KEY', `CERT_DIR/private/server.pem')dnl
>define(`confCLIENT_CERT', `CERT_DIR/client.crt')dnl
>define(`confCLIENT_KEY', `CERT_DIR/client.pem')dnl
>...
>dnl
>MAILER(smtp)dnl
>MAILER(local)dnl
>dnl
>define('confLOCAL_MAILER', 'cyrysv2')dnl
>MAILER(cyrusv2)dnl
>dnl
>define('confLOG_LEVEL', '14')dnl
>...
Have you also created a SASL Sendmail.conf file? It should either contain
no 'pwcheck_method' entry, or explicitly include your desired mechanisms.
Use pluginviewer to verify the PLAIN and LOGIN mechanisms were properly
compiled and installed.
>#openssl s_client -starttls smtp -crlf -connect you.server.tld:587
>...
>---
>250 HELP
>ehlo localhost
>250-mail.server.org
>
>Hello root at 50-0-1-5.static.sonic.net [50.0.1.5], pleased to meet you
>250-ENHANCEDSTATUSCODES
>250-PIPELINING
>250-8BITMIME
>250-SIZE
>250-DSN
>250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
>but there is LOGIN PLAIN which mist be present according to Sendmail
>config.mc
>
>?
>250-DELIVERBY
>250 HELP
>
>The same absence of advertisement of PLAIN LOGIN when connected
(smtptest is another way to test this)
>TLS encryption of an connection is working properly, but Sendmail have not
>issue 250-AUTH PLAIN LOGIN and still offers me some encrypted mechanisms
>like GSSAPI CRAM-MD5 DIGEST-MD5 but I need PLAIN LOGIN.
>
>What I'm doing wrong or maybe I have to rebuild Cyrus-SASL from ports
>and/or sources with enabling PLAIN LOGIN options? Can it be a bug in
>Cyrus-SASL and/or Sendmail?
Sendmail may (or may not) have the equivalent of Cyrus IMAP's
'allowplaintext'. You may also need to adjust your 'minimum_ssf' and
'maximum_ssf' values if they are exposed within Sendmail's configuration.
See:
http://cyrusimap.org/docs/cyrus-sasl/2.1.25/sysadmin.php
http://www.sendmail.org/~ca/email/auth.html
--
Dan White
More information about the Cyrus-sasl
mailing list