Re: sendmail + sasl == Broken?
On Fri, 14 Mar 2003, The Doctor What wrote:
> Here is my situation. Prior to the latest security update for
> sendmail in woody, I had SASL working using the sasldb for
> SMTP_AUTH. It worked fine with my woody version of Evolution, and I
> was happy.
>
> When I upgraded sendmail due to security problems, the
> sendmailconfig program asked me if I wanted to use PAM, it didn't
> say what for. I stupidly said "yes".
Eh? I beg to differ ... it's not the best, and I'll gladly take any
improvements :)
----------------
It is *strongly* recommended that you use PAM as the authentication
method for sendmail via SASL. Doing so will allow *all* your shell
users (those with an /etc/passwd entry) to automagically authenticate
themselves when using a MUA with SASL support turned on.
----------------
Make sure you're using the version currently in proposed-updates,
it corrects LDAP problems that may also affect SASL.
> Now, SMTP_AUTH no longer works from Evolution (every method says "bad
> password"). I tried switching the /etc/mail/sasl/Sendmail.conf to
> use sasldb again, but even that doesn't work.
* Did you stop/restart sendmail after that?
* What does /var/log/mail.log show for these attempts? and is there
any message during startup about SASL problems?
* What is the output of:
telnet <host> 25
ehlo localhost
I'm specifically looking for the AUTH line (here's mine):
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
* Does this help `chmod a+r /etc/mail/sasl/Sendmail.conf` ?
> I would really like to get this working again. Using PAM would be
> really keen, but I'd be happy to go back to using the sasldb.
PAM only works for PLAIN/LOGIN authentication, and should be used
with auto_transition: true so that CRAM-MD5 passwords are built and
stored in /etc/sasld for better security on later connections.
> Ideally, it would be set up so that:
> * It would only accept SMTP_AUTH if had STARTTLS'ed already.
Only ideal for PLAIN/LOGIN, where you need the extra security of
not sending plain or weakly encrypted pwds...
You can do this today - see /usr/share/doc/sendmail/doc/op.{txt,ps}.gz:
AuthOptions :
p don't permit mechanisms susceptible to simple
passive attack (e.g., PLAIN, LOGIN), unless a
security layer is active.
> * It would work with PAM, so that the login/passwds would match
> imap/pop.
Again, PAM only works for PLAIN/LOGIN - but the password is encrypted
into CRAM-MD5 or whatever and stored in /etc/sasld IFF auto_transition
is set.
--
Rick Nelson
Gates' Law: Every 18 months, the speed of software halves.
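An added audit helper, not code from this thread or from sendmail, that checks the EHLO output Rick asks for against the intent of AuthOptions=p: it reports any PLAIN/LOGIN mechanism a server advertises before STARTTLS. The sample banner and host names are constructed; the live probe assumes a reachable mail host.

```python
"""Parse an EHLO reply (pasted from `telnet <host> 25` / `ehlo localhost`,
or taken live via smtplib) and flag mechanisms susceptible to passive
attack that are offered with no security layer active."""
import smtplib

WEAK_MECHS = {"PLAIN", "LOGIN"}  # what AuthOptions=p withholds until TLS


def parse_ehlo(reply):
    """Map EHLO keywords to parameters. Accepts raw '250-AUTH ...' lines
    or the stripped 'AUTH ...' form that smtplib returns."""
    caps = {}
    for line in reply.splitlines():
        line = line.strip()
        if line[:3] == "250":          # drop '250-' / '250 ' prefix
            line = line[4:].strip()
        if not line:
            continue
        parts = line.split()
        caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def audit(reply_before_tls):
    """Weak mechanisms advertised before any STARTTLS negotiation."""
    caps = parse_ehlo(reply_before_tls)
    mechs = set(caps.get("AUTH", []))
    return {
        "starttls": "STARTTLS" in caps,
        "weak_before_tls": sorted(mechs & WEAK_MECHS),
    }


def probe(host, port=25):
    """Live check: EHLO, then STARTTLS and EHLO again; returns both banners
    so the pre- and post-TLS AUTH lines can be compared."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, before = s.ehlo("localhost")
        after = b""
        if s.has_extn("starttls"):
            s.starttls()
            _, after = s.ehlo("localhost")   # features reset after TLS
    return before.decode(errors="replace"), after.decode(errors="replace")


# Constructed sample mirroring the AUTH line quoted in the reply above.
SAMPLE_BEFORE_TLS = """250-mail.example.org Hello localhost, pleased to meet you
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250 HELP"""

if __name__ == "__main__":
    print(audit(SAMPLE_BEFORE_TLS))
```

A server running with AuthOptions=p should yield an empty `weak_before_tls` list from the first banner `probe()` returns, with PLAIN/LOGIN appearing only in the second.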