
I have sendmail running on a RedHat 7.1 machine. I want to configure it to authenticate using either PLAIN or CRAM-MD5. I have it working with PLAIN (so I know the client works, I have the username/password correct, etc.) but CRAM-MD5 always returns "535 5.7.0 authentication failed". For testing I'm using a simple python script which uses the smtplib module; I'm assuming their implementation of CRAM-MD5 is correct.

It responds to EHLO with "AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN" and sends a challenge when I send "AUTH CRAM-MD5", so it does accept CRAM-MD5 requests but it refuses to authenticate them.

I know that CRAM-MD5 requires the server to have access to the plaintext passwords; is it possible that it doesn't? How can I tell and if not, how can I configure the machine so that it does?

I've added the username / password into /etc/mail/authinfo and run makemap hash /etc/mail/authinfo < /etc/mail/authinfo. There are no error messages in the /var/log/maillog file.

Graeme Perrow
  • How did you configure SASL? E.g. the Sendmail.conf for that, etc. – thrig Sep 03 '15 at 15:31
  • I didn't do anything other than make sure the saslauthd daemon is running. /etc/sasl2/Sendmail.conf contains one line: "pwcheck_method:saslauthd". – Graeme Perrow Sep 03 '15 at 15:44
  • Okay, but where are the plaintext passwords? `CRAM-MD5` requires that sasl have such a database to lookup passwords in. (`authinfo` is used by `sendmail` when `sendmail` is a *client* authenticating to a remote server, not by sasl.) – thrig Sep 03 '15 at 16:02
  • I guess that's my question. I know it _needs_ the plaintext passwords but I don't know where they are or should be. – Graeme Perrow Sep 03 '15 at 16:06
  • Then show us the content of your */etc/default/saslauthd*. If there're files matching glob */etc/default/saslauthd-\**, paste them too. – sam_pan_mariusz Sep 03 '15 at 16:47
  • /etc/default only contains 3 files: grub, nss, and useradd. – Graeme Perrow Sep 03 '15 at 17:18

2 Answers


According to the sasl sysadmin doc,

For simplicity sake, the Cyrus SASL library stores plaintext
passwords only in the /etc/sasldb2 database. These passwords
are then shared among all mechanisms which choose to use it.
...
The "saslpasswd" utility is provided to change the secrets in
sasldb. It does not affect PAM, /etc/passwd, or any other
standard system library; it only affects secrets stored
in sasldb.

However, some vendors may change the location of things at compile time, so strings on the sasl binaries or strace may be necessary to reveal where exactly saslauthd is looking.

thrig
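To make concrete why the server has to hold the plaintext secret (and why a CRAM-MD5 attempt fails with 535 even when the password is right if it only has a hash), here is an added example that is not part of the answer above or of Cyrus SASL: both sides of the RFC 2195 exchange in Python, using the same HMAC-MD5 computation smtplib performs for AUTH CRAM-MD5. The `SASLDB` dict is a constructed stand-in for /etc/sasldb2 (the real file is a Berkeley DB written by saslpasswd2), and `SHADOW_LIKE` is a constructed stand-in for a store that keeps only a one-way hash, as saslauthd/PAM would.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample "sasldb": username -> plaintext secret. This dict is an
# assumption standing in for /etc/sasldb2, not the library's real format.
SASLDB = {
    "graeme": "correct horse battery staple",
}

# Constructed stand-in for a hashed-only store (what PAM or /etc/shadow can
# give you): the server never sees the secret itself, only a digest of it.
SHADOW_LIKE = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in SASLDB.items()}


def make_challenge(hostname="mail.example.com"):
    """Server side: an RFC 2195 challenge of the form <nonce.timestamp@host>."""
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(username, password, challenge):
    """Client side: 'username hex(HMAC-MD5(key=password, msg=challenge))'.

    This is exactly what smtplib sends after decoding the 334 challenge.
    """
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def server_verify(response, challenge, db):
    """Server side: recompute the HMAC from the stored secret and compare.

    The recomputation needs the same key the client used, i.e. the plaintext
    password; a hash of the password yields a different HMAC and fails.
    """
    try:
        username, client_digest = response.decode().split(" ", 1)
    except ValueError:
        return False
    secret = db.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, client_digest)


def smtp_exchange(username, password, db):
    """The wire-level exchange as the base64 lines SMTP carries.

    Returns (server challenge line, client response line, final server reply).
    """
    challenge = make_challenge()
    wire_challenge = "334 " + base64.b64encode(challenge).decode()
    wire_response = base64.b64encode(
        cram_md5_response(username, password, challenge)).decode()
    # Server decodes the client's line and verifies it against its store.
    ok = server_verify(base64.b64decode(wire_response), challenge, db)
    reply = ("235 2.7.0 Authentication successful" if ok
             else "535 5.7.0 authentication failed")
    return wire_challenge, wire_response, reply


if __name__ == "__main__":
    for label, db in (("plaintext sasldb", SASLDB), ("hashed-only store", SHADOW_LIKE)):
        for line in smtp_exchange("graeme", "correct horse battery staple", db):
            print(f"[{label}] {line}")
```

Running it shows the same correct password succeeding against the plaintext store and failing with 535 against the hashed-only store, which is the symptom in the question: PLAIN works because saslauthd can hand the plaintext it receives to PAM, but CRAM-MD5 needs a secret the server can key an HMAC with, and only sasldb2 supplies that.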

This might help somebody...

When you run sendmailconfig it says... "Unfortunately, there is no automagic way to migrate to /etc/sasldb2"

Translated to me: something is wrong with it.

So I just deleted sasldb2 (figured it was messed up anyway.) Maybe that wasn't necessary, maybe I just needed to add my users to it?

In any case, I ran saslpasswd2 which I assume creates an empty database with no users. User authentication did not work until I ran...

saslpasswd2 -c username which prompts for a password.

And that works like a charm :-)

I'm using Debian 9 with sasl2-bin, which sendmailconfig recommends.

PJ Brunet