sendmail hangs on AUTH CRAM-MD5

on 09.10.2007 18:47:27 by pilsl

I've this sendmail-installation 8.12.11 running for quite a while now. It
authenticated remote smtp-clients with different mechs. Usually clients use the
CRAM-MD5-mech and everything is fine. Until today around noon.

Suddenly this cram-md5 thing stopped working. All kind of clients (but mostly
thunderbirds) had the "sending-mail"-window hanging on forever and myriads of
hanging sendmail-processes appeared on the system and stayed for hours.

sendmail: l99GNEps032767 [85.127.157.14]: AUTH

Nothing appeared in the maillogs until I raised LogLevel and then everything in
the maildialog was fine until the AUTH-command, which was always the last log
for authenticated mails. Other smtp-connection (needing no authentication) were
accepted and handled perfectly.

When I disable CRAM-MD5 in sendmail.mc then clients use the LOGIN-mech and
everything is working fine again. I'm lost with that one:

CRAM-MD5 stops working on a sudden and I don't have any clue how to debug this
down. It seems that the server just hangs on these connections and there is
nothing useful in the logs with LogLevel=45

any help appreciated,

thnx
peter



here the logs:


Oct 9 18:23:14 gkserv11 sendmail[32767]: NOQUEUE: connect from [85.127.157.14]
Oct 9 18:23:14 gkserv11 sendmail[32767]: AUTH: available mech=ANONYMOUS CRAM-MD5 DIGEST-MD5 LOGIN PLAIN OTP, allowed mech=GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 220 intranet2.xxxxxx.at ESMTP Sendmail 8.12.11/8.12.9; Tue, 9 Oct 2007 18:23:14 +0200
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: <-- EHLO [10.21.1.7]
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250-intranet2.xxxxxxx.at Hello [85.127.157.14], pleased to meet you
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250-ENHANCEDSTATUSCODES
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250-PIPELINING
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250-EXPN
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250-VERB
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250-8BITMIME
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250-SIZE
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250-DSN
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250-ETRN
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250-AUTH CRAM-MD5 DIGEST-MD5 LOGIN
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250-STARTTLS
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250-DELIVERBY
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 250 HELP
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: <-- STARTTLS
Oct 9 18:23:14 gkserv11 sendmail[32767]: l99GNEpr032767: --- 220 2.0.0 Ready to start TLS
Oct 9 18:23:16 gkserv11 sendmail[32767]: STARTTLS=server, get_verify: 0 get_peer: 0x0
Oct 9 18:23:16 gkserv11 sendmail[32767]: STARTTLS=server, relay=[85.127.157.14], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Oct 9 18:23:16 gkserv11 sendmail[32767]: STARTTLS=server, cert-subject=, cert-issuer=
Oct 9 18:23:16 gkserv11 sendmail[32767]: AUTH: available mech=ANONYMOUS CRAM-MD5 DIGEST-MD5 LOGIN PLAIN OTP, allowed mech=GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEpr032767: <-- EHLO [10.21.1.7]
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: --- 250-intranet2.xxxxxxxxxxxx.at Hello [85.127.157.14], pleased to meet you
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: --- 250-ENHANCEDSTATUSCODES
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: --- 250-PIPELINING
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: --- 250-EXPN
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: --- 250-VERB
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: --- 250-8BITMIME
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: --- 250-SIZE
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: --- 250-DSN
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: --- 250-ETRN
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: --- 250-AUTH CRAM-MD5 DIGEST-MD5 LOGIN
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: --- 250-DELIVERBY
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: --- 250 HELP
Oct 9 18:23:16 gkserv11 sendmail[32767]: l99GNEps032767: <-- AUTH CRAM-MD5


and here the sendmail.mc:


# cat sendmail.mc
######################
#
# peter 2003
#
# sendmailfile version gruen.v1
#
##################


VERSIONID(`peter.gruen v1.0')
OSTYPE(linux)


# aliasing
define(`ALIAS_FILE',`/etc/mail/aliases')

# usermasquerading

MASQUERADE_AS(xxxxxxxxxx.at)
FEATURE(masquerade_envelope)

# class{M}
#
# domains in this file will be masqueraded too !!
# (also all domains in class{w} unless `FEATURE(limited_masquerade)' is
# used.
# note that masquerading also affects relayed mails !!
MASQUERADE_DOMAIN_FILE(/etc/mail/masqueradedomain)


# class{G}
#
GENERICS_DOMAIN_FILE(/etc/mail/genericsdomain)

# alter sender name/domain that is in class{G}
# example : root@goldfisch.at sepp@jans.it
FEATURE(genericstable, hash /etc/mail/genericstable)

# mailertable allows handling of mails using different mailers on a per-domain-selection
FEATURE(`mailertable', hash /etc/mail/mailertable)

# allows different handling of mails based on email address
FEATURE(`virtusertable',hash -o /etc/mail/virtusertable)

# allows defining on permission on a per-net or per-host-base, mainly for relaying
FEATURE(access_db, hash -T /etc/mail/access)


# this makes sendmail use local-host-names which defines all domains that should be delivered locally
# (virtusertable is only for local delivered mails !!)
# this domains and all local ip's and its reversed local hostnames form class{w}
#
FEATURE(`use_cw_file')

FEATURE(local_procmail, /usr/bin/procmail)

FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Port=smtp, Name=MTA_lo, Address=127.0.0.1')
DAEMON_OPTIONS(`Port=smtp, Name=MTA_ext1, Address=161.110.126.6')
DAEMON_OPTIONS(`Port=smtp, Name=MTA_ext2, Address=161.110.126.3')
DAEMON_OPTIONS(`Port=587, Name=MSA_lo, M=E, Address=127.0.0.1')

FEATURE(accept_unresolvable_domains)

# this is for accepting relayed mails from shell

##FEATURE(`accept_unqualified_senders')


# this is for accepting relayed mails from shell

FEATURE(`accept_unqualified_senders')

TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5')
define(`confAUTH_MECHANISMS',`GSSAPI DIGEST-MD5 LOGIN')

define(`confCACERT_PATH', `/data/ssl')
define(`confCACERT', `/data/ssl/ca.crt')
define(`confSERVER_CERT', `/data/ssl/smtp.crt')
define(`confSERVER_KEY', `/data/ssl/smtp.key')


MAILER(smtp)
MAILER(cyrus)
MAILER(local)
MAILER(procmail)
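
A way to pick the hung sessions out of a log like the one above, as an added example that is not part of the original post: it keys on the sendmail pid, because the queue id changes after STARTTLS in the log above, and flags every session whose last logged dialogue line is a client AUTH command. The sample log lines, host name, pids, queue ids and the function names are constructed for the illustration.

```python
import re

# Constructed sample in the format of the log above (host, pids and queue ids
# are made up; wrapped lines are already joined).
SAMPLE_LOG = """\
Oct 9 18:23:16 mailhost sendmail[1001]: l99AAAAA001001: <-- EHLO [192.0.2.7]
Oct 9 18:23:16 mailhost sendmail[1001]: l99AAAAA001001: --- 250 HELP
Oct 9 18:23:16 mailhost sendmail[1001]: l99AAAAA001001: <-- AUTH CRAM-MD5
Oct 9 18:23:17 mailhost sendmail[1002]: l99BBBBB001002: <-- AUTH LOGIN
Oct 9 18:23:17 mailhost sendmail[1002]: l99BBBBB001002: --- 334 VXNlcm5hbWU6
Oct 9 18:23:18 mailhost sendmail[1003]: STARTTLS=server, cert-subject=, cert-issuer=
Oct 9 18:23:18 mailhost sendmail[1003]: l99CCCCC001003: <-- QUIT
Oct 9 18:23:18 mailhost sendmail[1004]: l99DDDDD001004: <-- auth cram-md5
"""

# "<--" marks a line received from the client, "---" a line sent by the server.
DIALOGUE = re.compile(r"sendmail\[(\d+)\]: \S+: (<--|---) (.*)")


def stalled_auth(log_text):
    """Return {pid: mechanism} for sessions whose last logged dialogue line is
    a client AUTH command, i.e. no server reply to it was ever logged."""
    last = {}
    for line in log_text.splitlines():
        m = DIALOGUE.search(line)
        if m:  # non-dialogue lines (NOQUEUE, STARTTLS=, AUTH: ...) are skipped
            pid, direction, text = m.groups()
            last[pid] = (direction, text)
    stalled = {}
    for pid, (direction, text) in last.items():
        words = text.split()
        if direction == "<--" and len(words) >= 2 and words[0].upper() == "AUTH":
            stalled[pid] = words[1].upper()
    return stalled


def by_mechanism(stalled):
    """Count stalled sessions per SASL mechanism."""
    counts = {}
    for mech in stalled.values():
        counts[mech] = counts.get(mech, 0) + 1
    return counts


if __name__ == "__main__":
    for pid, mech in sorted(stalled_auth(SAMPLE_LOG).items()):
        print(f"sendmail[{pid}]: no server reply logged after AUTH {mech}")
```

A session that was reused by a later connection with the same pid is judged by its most recent dialogue line only.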

Re: sendmail hangs on AUTH CRAM-MD5

on 11.10.2007 08:12:08 by Knute Johnson


Is saslauthd still running?

--

Knute Johnson
email s/nospam/knute/