
I'm trying to configure my home server to relay e-mails from the family's iPhones. To this end I created a single "user" account in the server's SASL-database and configured sendmail to use CRAM-MD5 as the sole SASL-mechanism. In the log (at high verbosity level) sendmail says:

AUTH: available mech=CRAM-MD5, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5

When an iPhone connects, its attempt to authenticate seems to succeed (see exchange below). However, the e-mail is then rejected anyway, and this completely baffles me...

<-- EHLO [192.168.1.171]
--- 250-symbion.example.com Hello ... [...], pleased to meet you
--- 250-ENHANCEDSTATUSCODES
--- 250-PIPELINING
--- 250-8BITMIME
--- 250-SIZE
--- 250-DSN
--- 250-AUTH CRAM-MD5
--- 250-STARTTLS
--- 250-DELIVERBY
--- 250 HELP
<-- AUTH CRAM-MD5
--- 334 PDEzOT....dG1hbi5jb20+
--- 235 2.0.0 OK Authenticated
<-- MAIL FROM:<mi+m@aldan.example.net>
Authentication-Warning: symbion.example.com: Host ... [...] claimed to be [192.168.1.171]
--- 403 4.7.0 authentication required
ruleset=check_mail, arg1=<mi+m@aldan.example.net>, relay=... [...], reject=403 4.7.0 authentication required
<-- RCPT TO:<info@......>
--- 503 5.0.0 Need MAIL before RCPT
<-- DATA
--- 503 5.0.0 Need MAIL command
<-- QUIT
--- 221 2.0.0 symbion.example.com closing connection

My access database is not large:

CERTISSUER:/MY/OWN/Certificate/Authority   RELAY
TLS_Clt:127.0.0.1       OK
TLS_Clt:192.168.1       OK
TLS_Clt:        VERIFY:112
Try_TLS:127.0.0.1       NO
Try_TLS:192.168.1       NO
Connect:192.168.1       RELAY
Connect:127.0.0.1       RELAY
Srv_Features:127.0.0.1  S A V
Srv_Features:192.168.1  S A V
Srv_Features:   s a v

Same with the locally-invoked sendmail:

% sendmail -O LogLevel=14 -bs -Am
220 symbion.example.com ESMTP Sendmail 8.15.2/8.15.2; Fri, 27 Oct 2017 01:02:25 -0400 (EDT)
AUTH CRAM-MD5
334 PDEwM....vbT4=
cmlvc0BzeW1ia...JhYjU5
235 2.0.0 OK Authenticated
MAIL FROM: mi@meow
403 4.7.0 authentication required
Mikhail T.
  • That looks almost like you set up only the confAUTH_MECHANISMS to support authentication and not any confAUTH_OPTIONS in your sendmail.mc to instruct sendmail to allow relaying for authenticated users. - But with modern anti-spam requirements such as spf and DKIM signatures you probably should use the actual mailservers belonging to the email addresses your family uses as the outgoing mailserver and not relay through your own ... – HBruijn Oct 27 '17 at 05:57
  • So what should I add -- what `define` or `FEATURE` do I research? – Mikhail T. Oct 27 '17 at 12:24
  • I have this in my `.mc` file already: `TRUST_AUTH_MECH(\`CRAM-MD5')` -- do I need some special entry in the access-database? – Mikhail T. Oct 27 '17 at 12:32
  • Do you have `define(\`confAUTH_OPTIONS', \`A')` set? – bodgit Oct 27 '17 at 12:52
  • Yes, I do, and the `sendmail.cf` does contain the resulting `O AuthOptions=A`... Also, for whatever it is worth, the error does not cite _authorization_ ("you can't do this"), it claims an _authentication_ problem: "we don't know, who you are"... – Mikhail T. Oct 27 '17 at 15:08
  • That said, the login-name I created for CRAM-MD5 -- somename@my.server -- has nothing to do with the actual senders. I want all of the iPhones to use _the same_ shared account. Could that be the problem? But the `A`-option is relevant only when `sendmail` is acting as a client, is it not? And my problem is with the `sendmail`-server :( – Mikhail T. Oct 27 '17 at 15:22

1 Answer

Ok, this is the culprit:

TLS_Clt:        VERIFY:112

Not necessary and, indeed, harmful, because the stupid iPhones cannot be configured to present client certificates. Once I removed the above line, the authentication began to work both for peers that present satisfactory certificates and for those that supply pre-shared credentials over CRAM-MD5 instead.

(The AUTH_OPTIONS part proved irrelevant.)

Mikhail T.
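A small check for the pattern the answer identifies, as an added example that is not part of the original post: it parses an access map in the question's format, flags a catch-all `TLS_Clt:` entry whose value demands client-certificate verification, and produces the map with that line dropped. The sample map is constructed from the question; the function names are my own.

```python
"""Flag catch-all TLS_Clt VERIFY entries in a sendmail access map (added
example, not from the original post; function names are assumptions)."""
import re

# Constructed sample: the questioner's access map, including the culprit line.
ACCESS_MAP = """\
CERTISSUER:/MY/OWN/Certificate/Authority   RELAY
TLS_Clt:127.0.0.1       OK
TLS_Clt:192.168.1       OK
TLS_Clt:        VERIFY:112
Try_TLS:127.0.0.1       NO
Try_TLS:192.168.1       NO
Connect:192.168.1       RELAY
Connect:127.0.0.1       RELAY
Srv_Features:127.0.0.1  S A V
Srv_Features:192.168.1  S A V
Srv_Features:   s a v
"""

# tag:key<whitespace>value; key is empty for a catch-all entry such as "TLS_Clt:"
LINE_RE = re.compile(r"^(?P<tag>[A-Za-z_]+):(?P<key>\S*)\s+(?P<value>.+?)\s*$")


def parse_access_map(text):
    """Return (tag, key, value) tuples; blank and comment lines do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("tag"), m.group("key"), m.group("value")))
    return entries


def is_catch_all_client_verify(entry):
    """True for a bare 'TLS_Clt:' key whose value demands a client certificate.
    That key matches every client not covered by a more specific TLS_Clt entry,
    so clients without a certificate are rejected even after a successful AUTH."""
    tag, key, value = entry
    return tag == "TLS_Clt" and key == "" and value.upper().startswith("VERIFY")


def corrected_map(text):
    """The map with catch-all TLS_Clt VERIFY lines dropped (the fix in the answer)."""
    kept = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and is_catch_all_client_verify((m.group("tag"), m.group("key"), m.group("value"))):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"
```

Run `makemap hash access < access` on the corrected text afterwards, as the answer's fix does, so the rebuilt database no longer carries the catch-all entry.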