SASL Auth not working SMTP with STARTTLS/SSL

Scott Ellentuch tuctboh at gmail.com
Mon Sep 21 22:17:19 EDT 2020


Hi,

So with some more debugging, I'm learning that with my normal password, and
variations of it, it continues that RENEGOTIATION and it never sends the
actual data to sendmail. Same if I use it in the user field.
Example passwords that do this:
REFQQVNTV09SRA==
RE9XSm9uZXM=
RGl3YWxp

I'm also finding that some passwords (Trying for the heck of it) go
straight from "334 UGFzc3dvcmQ6" to "DONE". Just like that, nothing else.
Same for going from "334 VXNlcm5hbWU6" to "DONE".
Examples of passwords that do this:
Q2hlY2tpbmdBY2NvdW50
Q2hhbmdlLm9yZw==

Any ideas?

Tnx, Tuc

On Mon, Sep 21, 2020 at 1:40 PM Scott Ellentuch <tuctboh at gmail.com> wrote:

> Hi,
>
> I'm using sendmail 8.14.4 and Sasl 2.1.23. Config info:
>
> # more /etc/sasl2/Sendmail.conf
>
> pwcheck_method:saslauthd
>
>
> # egrep -v "^#" /etc/sysconfig/saslauthd
>
> SOCKETDIR=/var/run/saslauthd
>
> MECH=pam
>
> FLAGS=-d
>
>
> # cat /etc/pam.d/smtp
>
> #%PAM-1.0
>
> auth       include password-auth
>
> account    include password-auth
>
>
> I'm having an issue when using "AUTH LOGIN" but not in every case.
>
>
> *Port 25:
>
>   SENDMAIL -
>
>     235 2.0.0 OK Authenticated
>
>
>   SASLAUTHD -
>
> saslauthd[26872] :released accept lock
>
> saslauthd[26871] :acquired accept lock
>
> saslauthd[26872] :auth success: [user=USER] [service=smtp] [realm=]
> [mech=pam]
>
> saslauthd[26872] :response: OK
>
>
> ---
>
> *Port 587:
>
>   SENDMAIL -
>
>     235 2.0.0 OK Authenticated
>
>
>   SASLAUTHD -
>
> saslauthd[26871] :released accept lock
>
> saslauthd[26875] :acquired accept lock
>
> saslauthd[26871] :auth success: [user=USER] [service=smtp] [realm=]
> [mech=pam]
>
> saslauthd[26871] :response: OK
>
>
> ---
>
> *Port 25 STARTTLS:
>
>   SENDMAIL (Via openssl s_client -connect)
>
> RENEGOTIATING
>
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
>
> verify return:1
>
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>
> verify return:1
>
> depth=0 CN = MYSERVERNAME
>
> verify return:1
>
> (I HIT RETURN HERE)
>
> 535 5.7.0 authentication failed
>
>
>   SASLAUTHD-
>
> saslauthd[26875] :released accept lock
>
> saslauthd[26875] :NULL password received
>
> saslauthd[26875] :acquired accept lock
>
>
> ---
>
> *Port 465
>
>   SENDMAIL - (Via openssl s_client -connect)
>
> RENEGOTIATING
>
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
>
> verify return:1
>
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>
> verify return:1
>
> depth=0 CN = MYSERVERNAME
>
> verify return:1
>
> (I HIT RETURN HERE)
>
> 535 5.7.0 authentication failed
>
>
>   SASLAUTHD-
>
> saslauthd[26875] :released accept lock
>
> saslauthd[26874] :acquired accept lock
>
> saslauthd[26875] :NULL password received
>
>
> ---
>
> *testsaslauthd non existent service -
>
>   TESTSASLAUTHD -
>
>     0: NO "authentication failed"
>
>
>   SASLAUTHD-
>
> saslauthd[26873] :released accept lock
>
> saslauthd[26872] :acquired accept lock
>
> saslauthd[26873] :auth failure: [user=USER] [service=nonexistant] [realm=]
> [mech=pam] [reason=PAM auth error]
>
>
> ---
>
> *testsaslauthd smtp service
>
>   TESTSASLAUTHD -
>
>     0: OK "Success."
>
>
>   SASLAUTHD -
>
> saslauthd[26872] :released accept lock
>
> saslauthd[26871] :acquired accept lock
>
> saslauthd[26872] :auth success: [user=user] [service=smtp] [realm=]
> [mech=pam]
>
> saslauthd[26872] :response: OK
>
>
> ---
>
>
> I'm not sure why things work fine during plaintext, and then give ":NULL
> password received" when it's STARTTLS / SSL.
>
>
> Any pointers to look / tweak / etc?
>
>
> Tnx, Tuc
>
>
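
Added example, not part of the original post: when `openssl s_client` runs interactively (neither `-quiet` nor `-ign_eof` given), a typed line beginning with `R` requests a TLS renegotiation and one beginning with `Q` closes the connection. The line is not sent to the server, which matches the RENEGOTIATING and DONE output in the sessions above. The script below predicts which base64 AUTH LOGIN lines are affected; the credentials are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which AUTH LOGIN lines would an interactive
# `openssl s_client` session intercept instead of sending?

# Base64-encode a credential exactly as AUTH LOGIN expects
# (no trailing newline in the input, none in the output).
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Classify one typed line the way interactive s_client does:
# leading 'R' = renegotiate, leading 'Q' = quit, else sent as data.
s_client_effect() {
    case "$1" in
        R*) echo renegotiate ;;
        Q*) echo quit ;;
        *)  echo sent ;;
    esac
}

# Same prediction starting from the cleartext credential.
# The first base64 character depends only on the top six bits of the
# first byte, so cleartext starting with D-G encodes to 'R...' and
# cleartext starting with @ or A-C encodes to 'Q...'.
credential_effect() {
    s_client_effect "$(b64 "$1")"
}

# Constructed sample credentials (not taken from the thread).
for cred in 'Delta-sample-1' 'Charlie-sample-2' 'hunter-sample-3' 'alice'; do
    printf '%-18s %-26s %s\n' \
        "$cred" "$(b64 "$cred")" "$(credential_effect "$cred")"
done
```

Running the manual test with `openssl s_client -quiet` or `-ign_eof` turns this command handling off, so lines beginning with `R` or `Q` reach the server as data.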