
Re: sendmail + sasl == Broken?



Sorry for the delay...

On Fri, 14 Mar 2003, The Doctor What wrote:

> I did not mean to disparage your text.  My apologies.

Heh, no problem. It is always hard to critique one's own text; if you
can make it clearer - please help!

> What happened is that I didn't remember what SASL was.  If it had
> mentioned SMTP_AUTH, I would have realized what it was.  Also, the
> script makes no attempt to detect (if it is possible) if the admin
> had already set something up.

Ah, if SASL is already in use, it should work fine - but I only use
SASL for sendmail - not IMAP/IPOP... if there's something I need to
account for, please let me know

> Perhaps you could show all the non-commented lines from
> /etc/mail/sasl/Sendmail.conf

To what end ?

> The log says:
> Mar 14 17:24:03 gerf sm-mta[15246]: STARTTLS=server, relay=rack.gnubian.org [209.61.188.219], version=TLSv1/SSLv3, verify=FAIL, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168
>
> I can only assume that the verify FAIL means that I failed to log
> in.  I couldn't find a better reference for what these lines mean.

No, what you're showing here is STARTTLS (TLS - OpenSSL) encrypted
communication, probably betwixt the msp and mta.  The verify=FAIL means
that sendmail encrypted the communication, but couldn't verify the
supplied certificate - most likely because it is self-signed (that's the
way I currently set up the sendmail package, am looking at providing a
dummy CA).

> method. This led me to track down that Evolution is storing the
> method in the email itself.  This meant that my changing the method
> in the configuration settings had no effect. :-(

Ah... interesting, I'll have to file that away :)

> Anyway, I have it working with all four options, though I will turn
> off DIGEST and CRAM, since I think using PLAIN or LOGIN via SSL is
> much saner and manageable.

If you do that, please make sure you require SSL before accepting
plain/login over the internet (or LAN if non-trusted machines are
about).

> I would like to thank you very much for helping me out.  I think
> what would help would be a client to test with (say a simple python
> script or something) that would report everything that it can.  If
> it was included with a howto and a description on how to set up
> super high logging (level 14), the combination would be powerful.

Yes, indeed that would be very nice - I'm Python illiterate, however :)

> Having suggested it, I might try to write such a python script, if
> modules exist for sending email. :-)

I'm sure they do, Perl has some, but it also has a general TCP/IP
method - and sendmail is simple enough...

-- 
Rick Nelson
<stu> Stupid nick highlighting
<stu> Whenever someone starts with "stupid" it highlights the nick.  Hmm.
	-- #Debian
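
Added example, not part of the original message or of the sendmail package: a small Python check for the point discussed above, that PLAIN/LOGIN should only be advertised once STARTTLS is active. The function names, the `probe` helper and the sample EHLO replies are constructed for illustration; `probe` skips certificate verification only because the server in the thread uses a self-signed certificate.

```python
import re
import smtplib
import ssl

CLEARTEXT = {"PLAIN", "LOGIN"}  # mechanisms that put the password on the wire

def extensions(ehlo_text):
    """Map each EHLO keyword to its parameters; raw '250-' prefixes are accepted."""
    ext = {}
    for line in ehlo_text.splitlines():
        line = re.sub(r"^\d{3}[- ]", "", line.strip())
        words = line.replace("=", " ").split()  # also handles legacy 'AUTH=LOGIN'
        if words:
            ext.setdefault(words[0].upper(), set()).update(w.upper() for w in words[1:])
    return ext

def audit(before_tls, after_tls=None):
    """Return findings for the EHLO reply seen before (and after) STARTTLS."""
    findings = []
    pre = extensions(before_tls)
    exposed = pre.get("AUTH", set()) & CLEARTEXT
    if exposed:
        findings.append("cleartext AUTH offered before STARTTLS: " + " ".join(sorted(exposed)))
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    elif after_tls is not None and not extensions(after_tls).get("AUTH"):
        findings.append("no AUTH offered after STARTTLS")
    return findings

def probe(host, port=25):
    """Audit a server you administer; reads capabilities only, sends no credentials."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before, after = s.ehlo_resp.decode("ascii", "replace"), None
        if s.has_extn("starttls"):
            ctx = ssl.create_default_context()
            ctx.check_hostname = False       # the thread's server uses a
            ctx.verify_mode = ssl.CERT_NONE  # self-signed certificate
            s.starttls(context=ctx)
            s.ehlo()
            after = s.ehlo_resp.decode("ascii", "replace")
    return audit(before, after)

# Constructed sample replies (not captured from a real server)
WEAK = "250-mail.example.org Hello\n250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN\n250-STARTTLS\n250 HELP"
PRE = "250-mail.example.org Hello\n250-STARTTLS\n250 HELP"
POST = "250-mail.example.org Hello\n250-AUTH LOGIN PLAIN\n250 HELP"

if __name__ == "__main__":
    print(audit(WEAK))       # one finding
    print(audit(PRE, POST))  # []
```

On the sendmail side, the `p` flag of the `AuthOptions` option (`confAUTH_OPTIONS` in the m4 configuration) is the setting that withholds PLAIN and LOGIN until a security layer is active.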


