From jobst at barrett.com.au Wed Sep 11 23:40:27 2019
From: jobst at barrett.com.au (Jobst Schmalenbach)
Date: Thu, 12 Sep 2019 13:40:27 +1000
Subject: Increase verbosity of logging of saslauth
Message-ID: <20190912034027.GB17654@pits.barrett.com.au>

Hi

CentOS 7.X, sendmail.x86_64 8.14.7-5.el7, cyrus-sasl.x86_64 2.1.26-23.el7

There are conflicting messages on how to increase the logging of saslauthd.

I know I can do this:

  /usr/sbin/saslauthd -d -m /var/run/saslauthd -a pam

but that still omits logging.

I have used

  openssl s_client -crlf -connect IP:PORT
  testsaslauthd -u USERNAME -p PASSWORD -s smtp

to test the authentication, but users supplying wrong credentials are difficult to see as the standard logging of saslauthd is not verbose.

How can I increase the verbosity of saslauthd debug output so I can see usernames etc. to see where it went wrong?

I have read somewhere there is a loglevel flag (postfix with ldap and saslauthd) but I do not know how to do this with sendmail and saslauthd.

-- 
Jobst Schmalenbach

"Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man." - Mohandas K. Gandhi

From cepheid at 3phase.com Thu Sep 12 02:04:19 2019
From: cepheid at 3phase.com (Amir Caspi)
Date: Thu, 12 Sep 2019 00:04:19 -0600
Subject: Increase verbosity of logging of saslauth
In-Reply-To: <20190912034027.GB17654@pits.barrett.com.au>
References: <20190912034027.GB17654@pits.barrett.com.au>
Message-ID: 

On Sep 11, 2019, at 9:40 PM, Jobst Schmalenbach wrote:
>
> I have read somewhere there is a loglevel flag (postfix with ldap and saslauthd) but I do not know how to do this with sendmail and saslauthd.

If it's just sendmail you care about, then set your sendmail log level to 10 or higher.
If you use sendmail.mc (and convert via m4), then insert the following:

  define(`confLOG_LEVEL', `10')dnl

If you use sendmail.cf directly, then:

  O LogLevel=10

You can use higher log levels, but 10 is the minimum required to get the SASL auth info. With level 10, you'll get lines like these in /var/log/maillog:

  Sep 8 04:22:06 hostname sendmail[30028]: x884M25w030028: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[193.169.255.137]

Correspondingly, you'll see lines like these in /var/log/secure:

  Sep 8 04:22:04 hostname saslauthd[30669]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
  Sep 8 04:23:40 hostname saslauthd[30666]: pam_unix(smtp:auth): check pass; user unknown

If the supplied username actually exists (and failed), you'll instead see something like:

  Sep 8 05:50:06 hostname unix_chkpwd[31192]: password check failed for user (someuser)
  Sep 8 05:50:06 hostname saslauthd[30667]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=someuser

Unfortunately, saslauthd does not properly log the rhost parameter when used by sendmail. There is a longstanding open bug for this, with a patch that was committed and then rolled back... I don't think this was ever resolved.

Hope this helps.

--- Amir

From jobst at barrett.com.au Thu Sep 12 03:44:11 2019
From: jobst at barrett.com.au (Jobst Schmalenbach)
Date: Thu, 12 Sep 2019 17:44:11 +1000
Subject: Increase verbosity of logging of saslauth
In-Reply-To: 
References: <20190912034027.GB17654@pits.barrett.com.au>
Message-ID: <20190912074411.GA24549@pits.barrett.com.au>

On Thu, Sep 12, 2019 at 12:04:19AM -0600, Amir Caspi (cepheid at 3phase.com) wrote:
> On Sep 11, 2019, at 9:40 PM, Jobst Schmalenbach wrote:
> >
> If it's just sendmail you care about, then set your sendmail log level to 10 or higher. If you use sendmail.mc (and convert via m4), then insert the following:
> O LogLevel=10
> You can use higher log levels, but 10 is the minimum required to get the SASL auth info. With level 10, you'll get lines like these in /var/log/maillog:

Thanks for the reply!

I have had this set to 14 for a long time due to some MILTERS I have running and I need to read the output of those milters.

>
> Sep 8 04:22:06 hostname sendmail[30028]: x884M25w030028: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[193.169.255.137]

These lines are my problem exactly ... I only sometimes get anything in /var/log/secure

Most of the time those lines look like

  Sep 8 11:42:21 sendmail[32726]: x881gCC5032726: AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: Unable to find a callback: 32775, relay=hosting-by.directwebhost.org [45.227.253.117] (may be forged)

but I never see anything in /var/log/secure

So my problem is I cannot see the username and/or whether it actually exists. I would like - at the very least - to see the names, so I can see whether the person trying has SOME clue or is far off the planet (just for my own sake).

I get some entries like so

  Aug 26 18:43:47 saslauthd[1291]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

but most of the time I see nothing. It would be helpful to at least see the usernames .... if they are far off I could not care less. But there are literally hundreds of those "user not found" messages in the maillog without corresponding entries in /var/log/secure.

-- 
Jobst Schmalenbach

A computer without Microsoft is like chocolate cake without ketchup!
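An added example, not from any poster in this thread, showing how a defender can correlate the two log formats quoted above: it parses the sendmail "AUTH failure" lines from /var/log/maillog and the saslauthd lines from /var/log/secure, counts failures per relay address and mechanism, and reports how many failures carry no username at all (the gap Jobst describes). The sample lines are constructed from the formats shown in the thread; the threshold and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not real logs), modelled on the formats quoted in
# this thread: sendmail AUTH failures in /var/log/maillog ...
MAILLOG = """\
Sep  8 04:22:06 hostname sendmail[30028]: x884M25w030028: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[193.169.255.137]
Sep  8 11:42:21 hostname sendmail[32726]: x881gCC5032726: AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: Unable to find a callback: 32775, relay=hosting-by.directwebhost.org [45.227.253.117] (may be forged)
Sep  8 11:42:25 hostname sendmail[32730]: x881gDD6032730: AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: Unable to find a callback: 32775, relay=hosting-by.directwebhost.org [45.227.253.117] (may be forged)
Sep  8 12:00:01 hostname sendmail[30100]: x88C01aa030100: from=<alice@example.org>, size=1234, class=0, nrcpts=1, relay=[192.0.2.10]
"""
# ... and saslauthd lines in /var/log/secure, only some of which name the user.
SECURELOG = """\
Sep  8 04:22:04 hostname saslauthd[30669]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep  8 04:23:40 hostname saslauthd[30666]: pam_unix(smtp:auth): check pass; user unknown
Sep  8 05:50:06 hostname saslauthd[30667]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=someuser
Aug 26 18:43:47 hostname saslauthd[1291]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""

# relay= is either "[ip]" or "hostname [ip]" (the latter often tagged "(may be forged)")
AUTH_FAIL_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\S+): AUTH failure \((?P<mech>[^)]+)\): "
    r"(?P<reason>[^(]+?) \((?P<code>-?\d+)\).*?relay=(?:\S+ )?\[(?P<ip>[0-9a-fA-F.:]+)\]"
)
# "user=NAME" (pam_unix) or "[user=NAME]" (do_auth); an empty "ruser= " never matches
SASL_USER_RE = re.compile(r"saslauthd\[\d+\]: .*?user=(?P<user>[^\s\]]+)")

def parse_maillog(text):
    """One dict per sendmail AUTH failure line; unrelated lines are skipped."""
    found = []
    for line in text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["forged"] = "(may be forged)" in line
            found.append(rec)
    return found

def parse_securelog(text):
    """Username per saslauthd failure line, '' where saslauthd logged none."""
    users = []
    for line in text.splitlines():
        if "saslauthd[" in line:
            m = SASL_USER_RE.search(line)
            users.append(m.group("user") if m else "")
    return users

def summarize(maillog, securelog, threshold=2):
    """Aggregate both logs; 'unattributed' counts failures with no username."""
    fails = parse_maillog(maillog)
    by_ip = Counter(f["ip"] for f in fails)
    users = parse_securelog(securelog)
    named = [u for u in users if u]
    return {
        "failures": len(fails),
        "by_ip": dict(by_ip),
        "by_mech": dict(Counter(f["mech"] for f in fails)),
        # relays worth a closer look (rate limiting, fail2ban, firewall rule)
        "noisy_relays": sorted(ip for ip, n in by_ip.items() if n >= threshold),
        "usernames_seen": sorted(set(named)),
        "unattributed": len(users) - len(named),
    }

if __name__ == "__main__":
    print(summarize(MAILLOG, SECURELOG))
```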
From cepheid at 3phase.com Thu Sep 12 05:00:47 2019
From: cepheid at 3phase.com (Amir Caspi)
Date: Thu, 12 Sep 2019 03:00:47 -0600
Subject: Increase verbosity of logging of saslauth
In-Reply-To: <20190912074411.GA24549@pits.barrett.com.au>
References: <20190912034027.GB17654@pits.barrett.com.au> <20190912074411.GA24549@pits.barrett.com.au>
Message-ID: 

On Sep 12, 2019, at 1:44 AM, Jobst Schmalenbach wrote:
>
> Most of the time those lines look like
>
> Sep 8 11:42:21 sendmail[32726]: x881gCC5032726: AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: Unable to find a callback: 32775, relay=hosting-by.directwebhost.org [45.227.253.117] (may be forged)
>
> but I never see anything in /var/log/secure

I may be wrong, but I believe that's because the CRAM-MD5 auth mechanism requires sasldb (at least according to the googling I just did). The "unable to find a callback" portion of the error suggests that this auth mechanism isn't configured properly so saslauthd isn't actually doing anything, hence not logging (though I may well be wrong -- I don't use MD5 logins).

Do you require this auth mechanism enabled? If not, you should consider just using PLAIN and LOGIN, making sure that TLS is enabled and required.

If you do require CRAM-MD5, then hopefully someone else can help...

Cheers.

--- Amir

From ca+sasl at esmtp.org Thu Sep 12 07:12:12 2019
From: ca+sasl at esmtp.org (Claus Assmann)
Date: Thu, 12 Sep 2019 04:12:12 -0700
Subject: Increase verbosity of logging of saslauth
In-Reply-To: <20190912074411.GA24549@pits.barrett.com.au>
References: <20190912034027.GB17654@pits.barrett.com.au> <20190912074411.GA24549@pits.barrett.com.au>
Message-ID: <20190912111212.GC20755@x2.esmtp.org>

On Thu, Sep 12, 2019, Jobst Schmalenbach wrote:
> On Thu, Sep 12, 2019 at 12:04:19AM -0600, Amir Caspi (cepheid at 3phase.com) wrote:
> > If it's just sendmail you care about, then set your sendmail log level to 10 or higher. If you use sendmail.mc (and convert via m4), then insert the following:
> > O LogLevel=10

Don't do that, use the mc macro. See cf/README.

> I would like - at the very least - see the names [[...]]

Get the latest sendmail snapshot and compile with -D_FFR_AUTH_FAIL_LOG_USER

From jobst at barrett.com.au Thu Sep 12 23:52:03 2019
From: jobst at barrett.com.au (Jobst Schmalenbach)
Date: Fri, 13 Sep 2019 13:52:03 +1000
Subject: Increase verbosity of logging of saslauth
In-Reply-To: <20190912111212.GC20755@x2.esmtp.org>
References: <20190912034027.GB17654@pits.barrett.com.au> <20190912074411.GA24549@pits.barrett.com.au> <20190912111212.GC20755@x2.esmtp.org>
Message-ID: <20190913035203.GA29343@pits.barrett.com.au>

On Thu, Sep 12, 2019 at 04:12:12AM -0700, Claus Assmann (ca+sasl at esmtp.org) wrote:
> On Thu, Sep 12, 2019, Jobst Schmalenbach wrote:
> > On Thu, Sep 12, 2019 at 12:04:19AM -0600, Amir Caspi (cepheid at 3phase.com) wrote:
>
> Don't do that, use the mc macro. See cf/README.

I won't ;-), been using sendmail for a loooooooooooooooooooong time.

> > I would like - at the very least - see the names [[...]]
>
> Get the latest sendmail snapshot and compile with -D_FFR_AUTH_FAIL_LOG_USER

Curious question: Why is this not a default setting in sendmail and could be turned on by a macro?
thanks

-- 
Jobst Schmalenbach

It took the power of 3 Commodore 64's to go to the moon, but it takes a 2GHz Pentium 4 to run XP... Something is desperately wrong here!

From ca+sasl at esmtp.org Fri Sep 13 05:33:48 2019
From: ca+sasl at esmtp.org (Claus Assmann)
Date: Fri, 13 Sep 2019 02:33:48 -0700
Subject: Increase verbosity of logging of saslauth
In-Reply-To: <20190913035203.GA29343@pits.barrett.com.au>
References: <20190912034027.GB17654@pits.barrett.com.au> <20190912074411.GA24549@pits.barrett.com.au> <20190912111212.GC20755@x2.esmtp.org> <20190913035203.GA29343@pits.barrett.com.au>
Message-ID: <20190913093348.GA22548@x2.esmtp.org>

On Fri, Sep 13, 2019, Jobst Schmalenbach wrote:
> On Thu, Sep 12, 2019 at 04:12:12AM -0700, Claus Assmann (ca+sasl at esmtp.org) wrote:
> > > I would like - at the very least - see the names [[...]]
> > Get the latest sendmail snapshot and compile with -D_FFR_AUTH_FAIL_LOG_USER

> Curious question: Why is this not a default setting in sendmail and could be turned on by a macro?

There aren't many people who want(ed) this feature, so why should it be turned on for everyone? Moreover, it only works for some AUTH methods, so it's not a complete solution.

What do you mean by "a macro"? It's a compile time option, not a run time option. I don't see how a (cf/mc?) "macro" could be involved here and what the purpose/benefit would be.
From jobst at barrett.com.au Sun Sep 15 21:10:25 2019
From: jobst at barrett.com.au (Jobst Schmalenbach)
Date: Mon, 16 Sep 2019 11:10:25 +1000
Subject: Increase verbosity of logging of saslauth
In-Reply-To: <20190913093348.GA22548@x2.esmtp.org>
References: <20190912034027.GB17654@pits.barrett.com.au> <20190912074411.GA24549@pits.barrett.com.au> <20190912111212.GC20755@x2.esmtp.org> <20190913035203.GA29343@pits.barrett.com.au> <20190913093348.GA22548@x2.esmtp.org>
Message-ID: <20190916011025.GA14864@pits.barrett.com.au>

On Fri, Sep 13, 2019 at 02:33:48AM -0700, Claus Assmann (ca+sasl at esmtp.org) wrote:
> On Fri, Sep 13, 2019, Jobst Schmalenbach wrote:
> > On Thu, Sep 12, 2019 at 04:12:12AM -0700, Claus Assmann (ca+sasl at esmtp.org) wrote:
> > > > I would like - at the very least - see the names [[...]]
> > > Get the latest sendmail snapshot and compile with -D_FFR_AUTH_FAIL_LOG_USER
> > Curious question: Why is this not a default setting in sendmail and could be turned on by a macro?
>
> What do you mean by "a macro"? It's a compile time option, not a
> run time option. I don't see how a (cf/mc?) "macro" could be involved
> here and what the purpose/benefit would be.

Don't worry about the second part of the question ... should not have asked that, double questions are never good!

-- 
Jobst Schmalenbach

* help! I've fallen over and I can't SIGHUP!

From dave at compata.com Fri Sep 20 01:42:37 2019
From: dave at compata.com (Dave Close)
Date: Thu, 19 Sep 2019 22:42:37 -0700
Subject: Installing on Fedora
Message-ID: <201909200542.x8K5gbKr017797@d7010.compata.com>

Trying to get Cyrus working on Fedora 30 by following instructions at

but having some trouble.

# dnf install cyrus-imapd cyrus-sasl cyrus-sasl-plain
# passwd cyrus
# systemctl start saslauthd
# systemctl enable saslauthd
Everything worked correctly.

# testsaslauthd -u cyrus -p YOUR-PASSWORD
0: OK "Success."

# systemctl start cyrus-imapd
# systemctl enable cyrus-imapd
Everything worked correctly.
# imtest -t "" -u cyrus -a cyrus localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=SCRAM-SHA-1 AUTH=SCRAM-SHA-256 AUTH=GSSAPI AUTH=GSS-SPNEGO AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=LOGIN AUTH=PLAIN SASL-IR] d7010.compata.com Cyrus IMAP 3.0.10-1.fc30 Fedora server ready
C: S01 STARTTLS
S: S01 NO Error initializing TLS
Please enter your password:
C: A01 AUTHENTICATE SCRAM-SHA-1 bixhPWN5cnVzLG49Y3lydXMscj1ES01aRmVyWlpaOFBoQ2NiK2lrQlQ5ZENnMXd5NDBw UQ==
S: A01 NO generic failure
Authentication failed. generic failure

What am I missing? The "generic failure" message does not give me any clue how to proceed. Searching for that message online also did not return any useful results.

-- 
Dave Close, Compata, Irvine CA +1 714 434 7359
dave at compata.com dhclose at alumni.caltech.edu

"I don't need bodyguards." -- Jimmy Hoffa, June 1975

From ad+lists at uni-x.org Fri Sep 20 08:34:19 2019
From: ad+lists at uni-x.org (Alexander Dalloz)
Date: Fri, 20 Sep 2019 14:34:19 +0200
Subject: Installing on Fedora
In-Reply-To: <201909200542.x8K5gbKr017797@d7010.compata.com>
References: <201909200542.x8K5gbKr017797@d7010.compata.com>
Message-ID: <2af6f2b1996d32e0d672076305e76a92@uni-x.org>

On 2019-09-20 07:42, Dave Close wrote:
> Trying to get Cyrus working on Fedora 30 by following instructions at
>
> but having some trouble.
>
> # dnf install cyrus-imapd cyrus-sasl cyrus-sasl-plain
> # passwd cyrus
> # systemctl start saslauthd
> # systemctl enable saslauthd
> Everything worked correctly.
>
> # testsaslauthd -u cyrus -p YOUR-PASSWORD
> 0: OK "Success."
>
> # systemctl start cyrus-imapd
> # systemctl enable cyrus-imapd
> Everything worked correctly.
>
> # imtest -t "" -u cyrus -a cyrus localhost
> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS
> AUTH=SCRAM-SHA-1 AUTH=SCRAM-SHA-256
> AUTH=GSSAPI AUTH=GSS-SPNEGO AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=LOGIN
> AUTH=PLAIN SASL-IR]
> d7010.compata.com Cyrus IMAP 3.0.10-1.fc30 Fedora server ready
> C: S01 STARTTLS
> S: S01 NO Error initializing TLS
> Please enter your password:
> C: A01 AUTHENTICATE SCRAM-SHA-1
> bixhPWN5cnVzLG49Y3lydXMscj1ES01aRmVyWlpaOFBoQ2NiK2lrQlQ5ZENnMXd5NDBw
> UQ==
> S: A01 NO generic failure
> Authentication failed. generic failure
>
> What am I missing? The "generic failure" message does not give me any
> clue how to proceed. Searching for that message online also did not
> return any useful results.

Check how cyrus-imapd is configured. Does it really use saslauthd as its credential backend?

Alexander

From dave at compata.com Fri Sep 20 15:19:21 2019
From: dave at compata.com (Dave Close)
Date: Fri, 20 Sep 2019 12:19:21 -0700
Subject: Installing on Fedora
In-Reply-To: Your message of "Fri, 20 Sep 2019 14:34:19 +0200." <2af6f2b1996d32e0d672076305e76a92@uni-x.org>
References: <201909200542.x8K5gbKr017797@d7010.compata.com> <2af6f2b1996d32e0d672076305e76a92@uni-x.org>
Message-ID: <201909201919.x8KJJLPk027053@d7010.compata.com>

I wrote:
> Trying to get Cyrus working on Fedora 30 by following instructions at
>
> but having some trouble.
>
> # dnf install cyrus-imapd cyrus-sasl cyrus-sasl-plain
> # passwd cyrus
> # systemctl start saslauthd
> # systemctl enable saslauthd
> Everything worked correctly.
>
> # testsaslauthd -u cyrus -p YOUR-PASSWORD
> 0: OK "Success."
>
> # systemctl start cyrus-imapd
> # systemctl enable cyrus-imapd
> Everything worked correctly.
>
> # imtest -t "" -u cyrus -a cyrus localhost
> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS
> AUTH=SCRAM-SHA-1 AUTH=SCRAM-SHA-256
> AUTH=GSSAPI AUTH=GSS-SPNEGO AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=LOGIN
> AUTH=PLAIN SASL-IR]
> d7010.compata.com Cyrus IMAP 3.0.10-1.fc30 Fedora server ready
> C: S01 STARTTLS
> S: S01 NO Error initializing TLS
> Please enter your password:
> C: A01 AUTHENTICATE SCRAM-SHA-1
> bixhPWN5cnVzLG49Y3lydXMscj1ES01aRmVyWlpaOFBoQ2NiK2lrQlQ5ZENnMXd5NDBw
> UQ==
> S: A01 NO generic failure
> Authentication failed. generic failure
>
> What am I missing? The "generic failure" message does not give me any
> clue how to proceed. Searching for that message online also did not
> return any useful results.

Alexander Dalloz answered:
> Check how cyrus-imapd is configured. Does it really use saslauthd as its
> credential backend?

/etc/imap.conf is the default from the Fedora RPM. It contains this line:

sasl_pwcheck_method: saslauthd

-- 
Dave Close, Compata, Irvine CA +1 714 434 7359
dave at compata.com dhclose at alumni.caltech.edu

Ralph Waldo Emerson: "A foolish consistency is the hobgoblin of little minds, adored by little statesmen and philosophers and divines. With consistency a great soul has simply nothing to do."

From dwhite at olp.net Fri Sep 20 16:47:29 2019
From: dwhite at olp.net (Dan White)
Date: Fri, 20 Sep 2019 15:47:29 -0500
Subject: Installing on Fedora
In-Reply-To: <201909201919.x8KJJLPk027053@d7010.compata.com>
References: <201909200542.x8K5gbKr017797@d7010.compata.com> <2af6f2b1996d32e0d672076305e76a92@uni-x.org> <201909201919.x8KJJLPk027053@d7010.compata.com>
Message-ID: <20190920204729.GA5641@zeno.bixbytelephone.com>

On 09/20/19 12:19 -0700, Dave Close wrote:
>> # testsaslauthd -u cyrus -p YOUR-PASSWORD
>> 0: OK "Success."
>>
>> # imtest -t "" -u cyrus -a cyrus localhost
>> AUTH=SCRAM-SHA-1 AUTH=SCRAM-SHA-256
>> AUTH=GSSAPI AUTH=GSS-SPNEGO AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=LOGIN
>> AUTH=PLAIN SASL-IR]
>> C: A01 AUTHENTICATE SCRAM-SHA-1
>>
>> S: A01 NO generic failure
>> Authentication failed. generic failure
>
>/etc/imap.conf is the default from the Fedora RPM. It contains this
>line:
>
>sasl_pwcheck_method: saslauthd

Hi Dave,

The sasl_pwcheck_method configuration directs libsasl how to authenticate plaintext mechanisms (plain/login). The scram-sha-1 mechanism does not use saslauthd and will instead make use of your configured auxprop plugin(s) to authenticate.

With default configuration, libsasl will reference your sasldb database, which is configured using the saslpasswd2 utility.

If you wish to only use saslauthd, to authenticate against pam for instance, then restrict the mechanisms offered by the server with:

sasl_mech_list: PLAIN LOGIN

From dave at compata.com Sat Sep 21 01:34:27 2019
From: dave at compata.com (Dave Close)
Date: Fri, 20 Sep 2019 22:34:27 -0700
Subject: Installing on Fedora
In-Reply-To: Your message of "Fri, 20 Sep 2019 15:47:29 -0500." <20190920204729.GA5641@zeno.bixbytelephone.com>
References: <201909200542.x8K5gbKr017797@d7010.compata.com> <2af6f2b1996d32e0d672076305e76a92@uni-x.org> <201909201919.x8KJJLPk027053@d7010.compata.com> <20190920204729.GA5641@zeno.bixbytelephone.com>
Message-ID: <201909210534.x8L5YRgS030589@d7010.compata.com>

Dan White wrote:
>With default configuration, libsasl will reference your sasldb database,
>which is configured using the saslpasswd2 utility.

I wondered about that, having noticed the saslpasswd2 command. So I used it to set the same password as I had set with straight passwd. There was no change; imtest still failed the same way.
>If you wish to only use saslauthd, to authenticate against pam for
>instance, then restrict the mechanisms offered by the server with:
>
>sasl_mech_list: PLAIN LOGIN

That line was not in the supplied imapd.conf. Now that I've added it, imtest succeeds. Thanks a bunch!

It seems to me that something about the default Fedora packages doesn't match the description offered at the cyrusimap.org help page (). Perhaps someone should make a few updates.

Now that I'm past this obstacle, I'll take the time to go back and try to understand the details better.

-- 
Dave Close, Compata, Irvine CA +1 714 434 7359
dave at compata.com dhclose at alumni.caltech.edu

"Email is the 'file system' for people that aren't geeks. IMAP is NFS for your mom." --Tom Limoncelli

From lists at localguru.de Tue Sep 24 03:11:42 2019
From: lists at localguru.de (Marcus Schopen)
Date: Tue, 24 Sep 2019 09:11:42 +0200
Subject: how to check if mailbox is empty?
Message-ID: 

Hi,

how can I test the status of a mailbox without having to login? Specifically, I want to test whether a mailbox is empty, i.e. whether all mails have been picked up via POP3. Since expunge delayed is activated, I can't work with a simple "find" at file system level.

Any ideas?

Ciao
Marcus

From gdmalet at uwaterloo.ca Tue Sep 24 10:36:27 2019
From: gdmalet at uwaterloo.ca (Giles Malet)
Date: Tue, 24 Sep 2019 10:36:27 -0400
Subject: how to check if mailbox is empty?
In-Reply-To: 
References: 
Message-ID: <902a5d3d-0882-09fd-539e-bd378e62d9e4@uwaterloo.ca>

On 2019-09-24 3:11 a.m., Marcus Schopen wrote:
> how can I test the status of a mailbox without having to login?
> [...] I can't work with a simple "find" at file system level.

If you can run system commands, there's always mbexamine, which seems like overkill, but there's a "Number of Messages" value in the output, as well as other info.
g

From lists at localguru.de Tue Sep 24 14:20:33 2019
From: lists at localguru.de (Marcus Schopen)
Date: Tue, 24 Sep 2019 20:20:33 +0200
Subject: how to check if mailbox is empty?
In-Reply-To: <902a5d3d-0882-09fd-539e-bd378e62d9e4@uwaterloo.ca>
References: <902a5d3d-0882-09fd-539e-bd378e62d9e4@uwaterloo.ca>
Message-ID: <731ee302935bcfd70e32008ba3db202469a36c08.camel@localguru.de>

On Tuesday, 24.09.2019, 10:36 -0400, Giles Malet wrote:
> On 2019-09-24 3:11 a.m., Marcus Schopen wrote:
> > how can I test the status of a mailbox without having to login?
> > [...] I can't work with a simple "find" at file system level.
>
> If you can run system commands, there's always mbexamine, which seems
> like overkill, but there's a "Number of Messages" value in the output,
> as well as other info.

hmmm ... I have to do that for about 200 inboxes.

I've found this nagios plugin, which works very well:

https://labs.consol.de/de/nagios/check_mailbox_health/index.html

But then I have to login into each account and have to save username/password on my monitoring server.

Ciao!
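An added example, not from Giles or Marcus, that applies Giles's mbexamine suggestion across many mailboxes without storing any account credentials on the monitoring host: it runs mbexamine once per mailbox on the Cyrus server and parses the "Number of Messages" field. The surrounding lines of the sample output, the exact field layout on your Cyrus version, whether the count already excludes delayed-expunge records, and that mbexamine must run as the Cyrus service user are all assumptions to verify locally.

```python
import re
import subprocess

# Constructed sample of mbexamine output for two mailboxes; only the
# "Number of Messages" field comes from the thread, the rest is assumed.
SAMPLE_OUTPUT = {
    "user.alice": (
        "Examining user.alice...\n"
        " Mailbox Header Info:\n"
        "  Path to mailbox: /var/spool/imap/user/alice\n"
        "  Number of Messages: 3  Mailbox Size: 8192 bytes\n"
    ),
    "user.bob": (
        "Examining user.bob...\n"
        " Mailbox Header Info:\n"
        "  Number of Messages: 0  Mailbox Size: 0 bytes\n"
    ),
}

COUNT_RE = re.compile(r"Number of Messages:\s*(\d+)")

def message_count(output):
    """Extract the message count from one mailbox's mbexamine output."""
    m = COUNT_RE.search(output)
    if m is None:
        raise ValueError("mbexamine output has no 'Number of Messages' field")
    return int(m.group(1))

def run_mbexamine(mailbox, runner=None):
    """Return mbexamine's stdout for a mailbox; `runner` substitutes sample data."""
    if runner is not None:
        return runner(mailbox)
    # Assumed invocation: mbexamine reads the spool directly, so this needs the
    # Cyrus service user's rights on the server, not any mailbox password.
    proc = subprocess.run(["mbexamine", mailbox], capture_output=True,
                          text=True, check=True)
    return proc.stdout

def nonempty_mailboxes(mailboxes, runner=None):
    """Map each mailbox that still holds messages to its count; empty ones are omitted."""
    result = {}
    for mbox in mailboxes:
        n = message_count(run_mbexamine(mbox, runner))
        if n > 0:
            result[mbox] = n
    return result

if __name__ == "__main__":
    # With the constructed samples this prints {'user.alice': 3}
    print(nonempty_mailboxes(SAMPLE_OUTPUT, runner=SAMPLE_OUTPUT.__getitem__))
```

For the real fleet, pass the 200 mailbox names (for example from `ctl_mboxlist -d` output or a static list) and omit `runner` so mbexamine is actually invoked.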