
Re: sendmail + sasl == Broken?



On Fri, 14 Mar 2003, The Doctor What wrote:

> Here is my situation.  Prior to the latest security update for
> sendmail in woody, I had SASL working using the sasldb for
> SMTP_AUTH.  It worked fine with my woody version of Evolution, and I
> was happy.
>
> When I upgraded sendmail due to security problems, the
> sendmailconfig program asked me if I wanted to use PAM, it didn't
> say what for.  I stupidly said "yes".

Eh? I beg to differ ... it's not the best, and I'll gladly take any
improvements :)
----------------
    It is *strongly* recommended that you use PAM as the authentication
    method for sendmail via SASL.  Doing so will allow *all* your shell
    users (those with an /etc/passwd entry) to automagically authenticate
    themselves when using a MUA with SASL support turned on.
----------------

Make sure you're using the version currently in proposed-updates,
it corrects LDAP problems that may also affect SASL.

> Now, SMTP_AUTH no longer works from Evolution (every method says "bad
> password").  I tried switching the /etc/mail/sasl/Sendmail.conf to
> use sasldb again, but even that doesn't work.

* Did you stop/restart sendmail after that?
* What does /var/log/mail.log show for these attempts? and is there
  any message during startup about SASL problems?
* What is the output of:
     telnet <host> 25
     ehlo localhost
  I'm specifically looking for the AUTH line (here's mine):
  250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
* Does this help `chmod a+r /etc/mail/sasl/Sendmail.conf` ?

> I would really like to get this working again.  Using PAM would be
> really keen, but I'd be happy to go back to using the sasldb.

PAM only works for PLAIN/LOGIN authentication, and should be used
with auto_transition: true so that CRAM-MD5 passwords are built and
stored in /etc/sasld for better security on later connections.

> Ideally, it would be set up so that:
>   * It would only accept SMTP_AUTH if had STARTTLS'ed already.

Only ideal for PLAIN/LOGIN, where you need the extra security of
not sending plain or weakly encrypted pwds...

You can do this today - see /usr/share/doc/sendmail/doc/op.{txt,ps}.gz:
 AuthOptions :
	p   don't permit mechanisms susceptible to simple
	    passive attack (e.g., PLAIN, LOGIN), unless a
	    security layer is active.

>   * It would work with PAM, so that the login/passwds would match
>   imap/pop.

Again, PAM only works for PLAIN/LOGIN - but the password is encrypted
into CRAM-MD5 or whatever and stored in /etc/sasld IFF auto_transition
is set.

-- 
Rick Nelson
Gates' Law: Every 18 months, the speed of software halves.
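An added example, not part of Rick's reply or of the sendmail package: a small Python audit that parses the EHLO reply he asks for and flags the case the thread is about, PLAIN/LOGIN being offered before STARTTLS has brought up a security layer (the AuthOptions=p setting). The host name, address and sample replies are constructed; check_live assumes you have a server of your own to point it at.

```python
import smtplib
from typing import Dict, List, Set

# Mechanisms sendmail's AuthOptions 'p' flag withholds until a security layer is up.
WEAK = {"PLAIN", "LOGIN"}

def auth_mechanisms(reply: str) -> Set[str]:
    """Extract the SASL mechanisms advertised in a raw multi-line EHLO reply."""
    mechs: Set[str] = set()
    for line in reply.splitlines():
        if line.startswith("250"):            # '250-' continuation or '250 ' final line
            keyword, _, args = line[4:].strip().partition(" ")
            if keyword.upper() == "AUTH":
                mechs.update(args.upper().split())
    return mechs

def audit_mechanisms(mechs: Set[str], tls_active: bool) -> List[str]:
    """Findings for one AUTH offering, seen either in the clear or after STARTTLS."""
    if not mechs:
        return ["no AUTH line: SASL not advertised (check mail.log and Sendmail.conf)"]
    findings: List[str] = []
    weak = sorted(mechs & WEAK)
    if weak and not tls_active:
        findings.append("weak mechanisms offered without a security layer: " + ", ".join(weak))
    if not mechs - WEAK:
        findings.append("only PLAIN/LOGIN offered: no challenge-response mechanism available")
    return findings

def audit_ehlo(reply: str, tls_active: bool) -> List[str]:
    return audit_mechanisms(auth_mechanisms(reply), tls_active)

def check_live(host: str, port: int = 25) -> Dict[str, List[str]]:
    """Audit a running server: EHLO in the clear, then again after STARTTLS if offered."""
    result: Dict[str, List[str]] = {}
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        result["cleartext"] = audit_mechanisms(set(smtp.esmtp_features.get("auth", "").upper().split()), False)
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()  # the feature list must be re-read after the TLS handshake
            result["after_starttls"] = audit_mechanisms(set(smtp.esmtp_features.get("auth", "").upper().split()), True)
    return result

# Constructed sample replies (not captured from a real host): the AUTH line quoted in the
# thread, seen in the clear, and the same server once AuthOptions=p hides PLAIN/LOGIN pre-TLS.
SAMPLE_CLEARTEXT = ("250-mail.example.test Hello [192.0.2.10], pleased to meet you\r\n"
                    "250-STARTTLS\r\n250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN\r\n250 HELP\r\n")
SAMPLE_HARDENED = ("250-mail.example.test Hello [192.0.2.10], pleased to meet you\r\n"
                   "250-STARTTLS\r\n250-AUTH DIGEST-MD5 CRAM-MD5\r\n250 HELP\r\n")
```

An empty finding list for the cleartext EHLO and a non-empty mechanism set after STARTTLS is the state the thread describes as ideal.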
