lmtp authentication ignored with tls enabled

[Dan White]

On 07/20/15 03:21 +0200, Marcus Schopen wrote:
>sendmail.mc:
>--------------
>AuthInfo:imap.domain.de "I:lmtp-admin" "P:pass" "M:DIGEST-MD5"

>--------------
>Jul 20 02:19:01 mail sendmail[5368]: t6K0GIKP005234:
>to=<postmaster at domain.de>, delay=00:02:43, xdelay=00:00:03,
>mailer=cyrusv2, pri=211679, relay=imap.domain.de. [xx.xx.xx.xx],
>dsn=4.0.0, stat=Deferred: 430 Authentication required
>--------------
>
>This is correct. Adding AuthInfo to /etc/mail/access and add lmtp-admin
>to sasldb2 on cyrus side mails are delivered via lmtp to cyrus with
>proper authentication. Good.
>
>But after setting tls_cert_file und tls_key_file in imapd.conf to get an
>encrypted connection the lmtp authentication is completely ignored and
>mails are going through even without any AuthInfo in /etc/mail/access:

>Jul 20 03:08:06 imap cyrus/lmtp[3875]: received client certificate
>Jul 20 03:08:06 imap cyrus/lmtp[3875]: subject=/CN=server.domain.de
>Jul 20 03:08:06 imap cyrus/lmtp[3875]: starttls: TLSv1.2 with cipher
>DHE-RSA-AES256-SHA (256/256 bits new) authenticated as server.domain.de

It appears you may be performing sasl EXTERNAL authentication. Your
auth-facility syslog should confirm that.

Configuring a restricted mechanism list would prevent that from happening:

lmtp_sasl_mech_list: digestmd5

>/etc/imapd.conf:
>--------------
>lmtp_downcase_rcpt: yes
>admins: cyrus
>lmtp_admins: lmtp-admin
>allowplaintext: yes
>sasl_minimum_layer: 0
>sasl_pwcheck_method: auxprop
>sasl_auto_transition: no
>tls_cert_file: /etc/ssl/domain/imap.crt
>tls_key_file: /etc/ssl/domain/imap.key
>tls_ca_file: /etc/ssl/domain/cacert_org-class3.crt
>tls_ca_path: /etc/ssl/certs
>tls_session_timeout: 1440
>tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
>lmtpsocket: /var/run/cyrus/socket/lmtp

>cyrus.conf:
>lmtp		cmd="lmtpd" listen="2003" prefork=4 maxchild=20
>lmtpunix	cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0
>maxchild=20

-- 
Dan White