sendmail suddenly stops using popauth.db in pop-before-smtp??

on 15.11.2007 21:26:29 by John Murtari

Folks,
Got hit with a rather strange problem this morning.
Our sendmail 8.13.1 normally runs in conjunction with POP before
SMTP using a popauth.db file (RHEL 4 Server). No changes have
been made in months to the sendmail.cf used by the server, nor
the handling of the popauth.db, nor to sendmail itself.

We had made a minor change to access.db and restarted
sendmail when it started rejecting external email with our standard
"Relaying denied" message. It didn't make any sense, we backed out
the access.db change, restarted, and that still didn't clear anything.
We then went to another server we had not touched at all and saw the
same problem after a restart.

In etc mail we have:
-rw-r--r-- 1 root root 12288 Nov 15 14:22 popauth.db

> makemap -u hash popauth
134.245.15.1 1195153832
166.84.1.3 1195154073

Tried connecting from the 166.84.1.3 address and got
relaying denied. Ran an address test (not sure on the warnings,
the FullAddr does appear twice with an identical def, the
Local_check_rcpt appears twice, different defs. My mc file is
also at the end. Any help in tracking this down would be
appreciated very much!

John

> (root-hammer)/etc/mail>sendmail -bt -d21.4
WARNING: Ruleset FullAddr has multiple definitions
WARNING: Ruleset Local_check_rcpt has multiple definitions
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>

> .D{client_addr}166.84.1.3
> check_rcpt
check_rcpt input: < joe @ smoe . com >
checkrcpt input: < joe @ smoe . com >
Local_check_rcpt input: < joe @ smoe . com >
rewritten as: < b > < joe @ smoe . com >
rewritten as: < joe @ smoe . com >
rewrite: RHS $&{client_addr} => "166.84.1.3"
rewritten as: < joe @ smoe . com > $| < 166 . 84 . 1 . 3 >
RelayTLS input:
rewrite: RHS $&{verify} => "(NULL)"
rewritten as: < ? >
rewritten as: NO
RelayTLS returns: NO
rewritten as: < joe @ smoe . com > $| NO
rewritten as: < joe @ smoe . com >
rewrite: RHS $&{auth_type} => "(NULL)"
rewritten as: < joe @ smoe . com > $|
rewritten as: < joe @ smoe . com >
CanonAddr input: < joe @ smoe . com >
canonify input: < joe @ smoe . com >
rewritten as: < joe @ smoe . com > < @ >
rewritten as: < joe @ smoe . com >
rewritten as: < < joe @ smoe . com > >
rewritten as: < joe @ smoe . com > >
rewritten as: < joe @ smoe . com >
rewritten as: joe @ smoe . com
rewritten as: joe < @ smoe . com >
Canonify2 input: joe < @ smoe . com >
rewrite: RHS $&{daemon_flags} => "(NULL)"
rewritten as: $| joe < @ smoe . com >
rewritten as: joe < @ smoe . com . >
Canonify2 returns: joe < @ smoe . com . >
rewritten as: joe < @ smoe . com . >
canonify returns: joe < @ smoe . com . >
Parse0 input: joe < @ smoe . com . >
rewritten as: < > joe < @ smoe . com . >
rewritten as: joe < @ smoe . com . >
Parse0 returns: joe < @ smoe . com . >
rewritten as: joe < @ smoe . com . >
CanonAddr returns: joe < @ smoe . com . >
FullAddr input: joe < @ smoe . com . >
rewritten as: joe < @ smoe . com >
rewritten as: joe < @ smoe . com >
FullAddr returns: joe < @ smoe . com >
rewritten as: < ? > joe < @ smoe . com >
rewritten as: < > joe < @ smoe . com > $| < F : joe @ smoe . com > < D : smoe . com >
SearchList input: < ! srcpt > $| < F : joe @ smoe . com > < D : smoe . com > < >
F input: < joe @ smoe . com > < ? > < ! srcpt > < >
rewritten as: < ? > < joe @ smoe . com > < ? > < ! srcpt > < >
rewritten as: < ? > < >
F returns: < ? > < >
rewritten as: < ! srcpt > $| < D : smoe . com > < > $| < ? > < >
SearchList input: < ! srcpt > $| < D : smoe . com > < >
D input: < smoe . com > < ? > < ! srcpt > < >
rewritten as: < ? > < smoe . com > < ? > < ! srcpt > < >
D input: < com > < ? > < ! srcpt > < >
rewritten as: < ? > < com > < ? > < ! srcpt > < >
rewritten as: < ? > < >
D returns: < ? > < >
rewritten as: < ? > < >
D returns: < ? > < >
rewritten as: < ! srcpt > $| < > $| < ? > < >
rewritten as: < ? >
SearchList returns: < ? >
rewritten as: < ? >
SearchList returns: < ? >
rewritten as: joe < @ smoe . com > $| < ? >
SearchList input: < ! srcpt > $| < E : * > < >
E input: < * > < ? > < ! srcpt > < >
rewritten as: < @ FRIEND > < * > < ? > < ! srcpt > < >
rewritten as: < @ FRIEND > < >
E returns: < @ FRIEND > < >
rewritten as: < ! srcpt > $| < > $| < @ FRIEND > < >
rewritten as: < @ FRIEND >
SearchList returns: < @ FRIEND >
rewritten as: joe < @ smoe . com > $| < @ FRIEND >
rewritten as: joe < @ smoe . com > $| < @ FRIEND >
rewritten as: joe < @ smoe . com >
rewrite: RHS $&{hc_switch} => "@FRIEND"
rewritten as: < @ FRIEND >
rewritten as: < @ FRIEND >
mult_rcpt_policy input: < SPAMFRIEND >
rewrite: RHS $&{mult_policy} => "(NULL)"
rewritten as: < >
rewrite: RHS $&{last_policy} => "(NULL)"
rewritten as: < >
rewrite: RHS $&{hc_switch} => "@FRIEND"
rewritten as:
mult_rcpt_policy returns:
rewritten as:
Local_check_rcpt returns:
rewritten as: < joe @ smoe . com > $|
Basic_check_rcpt input: < joe @ smoe . com >
rewrite: RHS $&{deliveryMode} => "i"
rewritten as: < i > < joe @ smoe . com >
rewritten as: < joe @ smoe . com >
Rcpt_ok input: < joe @ smoe . com >
ParseRecipient input: < joe @ smoe . com >
CanonAddr input: < joe @ smoe . com >
canonify input: < joe @ smoe . com >
rewritten as: < joe @ smoe . com > < @ >
rewritten as: < joe @ smoe . com >
rewritten as: < < joe @ smoe . com > >
rewritten as: < joe @ smoe . com > >
rewritten as: < joe @ smoe . com >
rewritten as: joe @ smoe . com
rewritten as: joe < @ smoe . com >
Canonify2 input: joe < @ smoe . com >
rewrite: RHS $&{daemon_flags} => "(NULL)"
rewritten as: $| joe < @ smoe . com >
rewritten as: joe < @ smoe . com . >
Canonify2 returns: joe < @ smoe . com . >
rewritten as: joe < @ smoe . com . >
canonify returns: joe < @ smoe . com . >
Parse0 input: joe < @ smoe . com . >
rewritten as: < > joe < @ smoe . com . >
rewritten as: joe < @ smoe . com . >
Parse0 returns: joe < @ smoe . com . >
rewritten as: joe < @ smoe . com . >
CanonAddr returns: joe < @ smoe . com . >
rewritten as: < ? > joe < @ smoe . com . >
rewritten as: < ? > joe < @ smoe . com >
rewritten as: < ? > joe < @ smoe . com >
rewritten as: joe < @ smoe . com >
ParseRecipient returns: joe < @ smoe . com >
rewritten as: joe < @ smoe . com >
RelayTLS input:
rewrite: RHS $&{verify} => "(NULL)"
rewritten as: < ? >
rewritten as: NO
RelayTLS returns: NO
rewritten as: joe < @ smoe . com > $| NO
rewritten as: joe < @ smoe . com >
rewrite: RHS $&{auth_type} => "(NULL)"
-----skip subr Local_Relay_Auth (168)
rewritten as: joe < @ smoe . com > $|
rewrite: RHS $&{auth_type} => "(NULL)"
rewritten as: joe < @ smoe . com > $|
rewritten as: joe < @ smoe . com >
D input: < smoe . com > < ? > < + To > < joe < @ smoe . com > >
rewritten as: < ? > < smoe . com > < ? > < + To > < joe < @ smoe . com > >
rewritten as: < ? > < smoe . com > < ? > < + To > < joe < @ smoe . com > >
D input: < com > < ? > < + To > < joe < @ smoe . com > >
rewritten as: < ? > < com > < ? > < + To > < joe < @ smoe . com > >
rewritten as: < ? > < com > < ? > < + To > < joe < @ smoe . com > >
rewritten as: < ? > < joe < @ smoe . com > >
D returns: < ? > < joe < @ smoe . com > >
rewritten as: < ? > < joe < @ smoe . com > >
D returns: < ? > < joe < @ smoe . com > >
rewritten as: < ? > < joe < @ smoe . com > >
rewritten as: joe < @ smoe . com >
rewritten as: < ? > joe < @ smoe . com >
rewritten as: < REMOTE > joe < @ smoe . com >
rewritten as: joe < @ smoe . com >
Rcpt_ok returns: joe < @ smoe . com >
rewritten as: < joe @ smoe . com > $| @ joe < @ smoe . com >
Relay_ok input: < joe @ smoe . com >
rewrite: RHS $&{client_addr} => "166.84.1.3"
rewritten as: 166 . 84 . 1 . 3
A input: < 166 . 84 . 1 . 3 > < ? > < + Connect > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 . 84 . 1 . 3 > < ? > < + Connect > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 . 84 . 1 . 3 > < ? > < + Connect > < 166 . 84 . 1 . 3 >
A input: < 166 . 84 . 1 > < ? > < + Connect > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 . 84 . 1 > < ? > < + Connect > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 . 84 . 1 > < ? > < + Connect > < 166 . 84 . 1 . 3 >
A input: < 166 . 84 > < ? > < + Connect > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 . 84 > < ? > < + Connect > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 . 84 > < ? > < + Connect > < 166 . 84 . 1 . 3 >
A input: < 166 > < ? > < + Connect > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 > < ? > < + Connect > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 > < ? > < + Connect > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 . 84 . 1 . 3 >
A returns: < ? > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 . 84 . 1 . 3 >
A returns: < ? > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 . 84 . 1 . 3 >
A returns: < ? > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 . 84 . 1 . 3 >
A returns: < ? > < 166 . 84 . 1 . 3 >
rewritten as: < ? > < 166 . 84 . 1 . 3 >
rewritten as: 166 . 84 . 1 . 3
rewritten as: [ 166 . 84 . 1 . 3 ]
rewrite: RHS $&{client_resolve} => "(NULL)"
rewritten as: < >
rewrite: RHS $&{client_name} => "(NULL)"
rewritten as: < @ >
Relay_ok returns: < @ >
rewritten as: O $| < @ >
rewrite: RHS $&{f} => "(NULL)"
rewritten as: $# error $@ 5 . 7 . 1 $: "550 Relaying denied without login - see http://www.bongo.com/domain-email. sender:"
Basic_check_rcpt returns: $# error $@ 5 . 7 . 1 $: "550 Relaying denied without login - see http://www.bongo.com/domain-email. sender:"
rewritten as: $# error $@ 5 . 7 . 1 $: "550 Relaying denied without login - see http://www.bongo.com/domain-email. sender:"
checkrcpt returns: $# error $@ 5 . 7 . 1 $: "550 Relaying denied without login - see http://www.bongo.com/domain-email. sender:"
rewritten as: < joe @ smoe . com > $| $# error $@ 5 . 7 . 1 $: "550 Relaying denied without login - see http://www.bongo.com/domain-email. sender:"
rewritten as: $# error $@ 5 . 7 . 1 $: "550 Relaying denied without login - see http://www.bongo.com/domain-email. sender:"
check_rcpt returns: $# error $@ 5 . 7 . 1 $: "550 Relaying denied without login - see http://www.bongo.com/domain-email. sender:"
>

--------------------- MC file
divert(-1)
include(`../m4/cf.m4')
VERSIONID(`hammer.bongo.com')dnl
OSTYPE(`linux')
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable')dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(nocanonify)dnl
FEATURE(`access_db',`hash -T /etc/mail/access')dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
FEATURE(local_procmail)dnl
FEATURE(nouucp, `reject')dnl
FEATURE(delay_checks)dnl
define(`ALIAS_FILE', `/etc/mail/aliases,/etc/mail/majordomo.aliases,/etc/mail/user.aliases,/etc/mail/mailman.aliases')dnl
define(`confRELAY_MSG',`"550 Relaying denied without login - see http://www.bongo.com/domain-email. sender:" $&f')dnl
define(`confREJECT_MSG',`"552 spam not accepted. In case of error contact the postmaster@bongo.com."')dnl
define(`confDONT_BLAME_SENDMAIL', `forwardfileinunsafedirpath, forwardfileinunsafedirpathsafe,groupwritabledirpathsafe')dnl
FEATURE(`greet_pause', `5000')dnl 5 seconds
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`60')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confMAX_DAEMON_CHILDREN', `150')dnl
define(`QUEUE_DIR',`/var/spool/mqueue/q*')dnl
QUEUE_GROUP(`queue0', `Path=/var/spool/mqueue/q0')
QUEUE_GROUP(`queue1', `Path=/var/spool/mqueue/q1')
QUEUE_GROUP(`queue2', `Path=/var/spool/mqueue/q2')
define(`confQUEUE_SORT_ORDER', `host')dnl
define(`confMIN_QUEUE_AGE', `30m')dnl
define(`confMAX_RUNNERS_PER_QUEUE', `50')dnl
define(`confNICE_QUEUE_RUN', `19')dnl
define(`confMAX_QUEUE_RUN_SIZE', `10000')dnl
define(`confMAX_QUEUE_CHILDREN', `150')dnl
define(`confCHECKPOINT_INTERVAL', `1')dnl
define(`confBIND_OPTS', `+AAONLY -DNSRCH')dnl
define(`confFAST_SPLIT',`1')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `6m')dnl
define(`confTO_ICONNECT', `6m')dnl
define(`confTO_HELO', `6m')dnl
define(`confTO_MAIL', `11m')dnl
define(`confTO_RCPT', `10m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `15m')dnl
define(`confTO_DATAFINAL', `2m')dnl
define(`confTO_RSET', `6m')dnl
define(`confTO_QUIT', `3m')dnl
define(`confTO_MISC', `3m')dnl
define(`confTO_COMMAND', `10m')dnl
define(`confTO_IDENT', `0s')dnl
define(`confTO_HOSTSTATUS', `25m')dnl
define(`confTO_QUEUERETURN', `2d')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `100')dnl
define(`confPID_FILE', `/var/run/sendmail.pid')dnl
define(`confME_TOO', `True')dnl
define(`confCW_FILE', `/etc/mail/sendmail.cw')dnl
define(`confMAX_MESSAGE_SIZE', `20000000')dnl
define(`confQUEUE_LA', `100')dnl
define(`confREFUSE_LA', `100')dnl
define(`confDELAY_LA', `100')dnl
define(`STATUS_FILE', `/var/log/sendmail.st')dnl
define(`_MD2NAME_')dnl
define(`_QUIET_FREEWARE_')dnl
dnl START check_local definition of headerchecks
HACK(`check_dnsbl', `bl.spamcop.net' , `"Rejected see: http://spamcop.net/w3m?action=checkblock&ip="$>1',`general', `SPAMCOP')dnl
HACK(check_dnsbl_end)dnl
HACK(check_header, `Received', `HRC', `', `parse_received', `+header', `!general',`',`',`')dnl
HACK(check_header, `From', `HFR', `', `parse_address', `+header', `+all', `', `', `', `"552 Mail from spammer rejected."')dnl
HACK(check_header, `To', `HFR', `', `parse_address', `+header', `+all', `', `', `', `"552 Mail from spammer rejected."')dnl
HACK(check_header, `Reply-To', `HFR', `', `parse_address', `+header', `+all', `', `', `', `"552 Mail from spammer rejected."')dnl
HACK(check_header, `Sender', `HFR', `', `parse_address', `+header', `+all', `', `', `', `"552 Mail from spammer rejected."')dnl
HACK(check_header, `Cc', `HFR', `', `parse_address', `+header', `+all', `', `', `', `"552 Mail from spammer rejected."')dnl
HACK(check_header_end, `')dnl
HACK(check_local_patterns)dnl
HACK(check_local, `CREL,CMD2N,CMFOK,CBASM,CDNSBL,CDREG,CRES', `XSPAM')dnl
dnl END check_local main macro
HACK(`popauth')dnl
define(`POP_B4_SMTP_TAG', `')dnl
MAILER(smtp)dnl
INPUT_MAIL_FILTER(`mimedefang',`S=unix:/var/spool/MIMEDefang/mimedefang.sock,F=T,T=S:15m;R:15m;E:15m')
LOCAL_CONFIG
Kspamsubjdb hash /etc/mail/spamsubjects
HSubject: $>check_subject

LOCAL_RULESETS
Scheck_subject
R $* $: $(spamsubjdb $&{currHeader} $: OK $) $1
R REJECT $* $#error $: "553 The subject line of your message indicates a possible virus and is being rejected by our mail filters. Please change the subject line and resend."
--
John
___________________________________________________________________
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/
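
The two WARNING lines in the address-test output above mean the generated sendmail.cf contains more than one `S` line for FullAddr and for Local_check_rcpt. The following is an added example, not part of the thread and not code from sendmail or the posters: a shell/awk helper that lists rulesets defined more than once and, for one ruleset, prints its rules in file order tagged with the definition each came from. The sample fragment and its rules (including the `popauth` map lookup) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find rulesets that a sendmail.cf defines more than once.

# dup_rulesets FILE
# One output line per ruleset that has more than one "S" line:
#   <name> <number of definitions> <line numbers, comma-separated>
dup_rulesets() {
    awk '
        /^S/ {
            name = substr($0, 2)
            sub(/=.*$/, "", name)        # handle the "Sname=number" form
            gsub(/[ \t]/, "", name)
            if (name == "") next
            if (name in count) {
                lines[name] = lines[name] "," NR
            } else {
                order[++n] = name        # remember first-seen order
                lines[name] = NR
            }
            count[name]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    print order[i], count[order[i]], lines[order[i]]
        }
    ' "$1"
}

# ruleset_rule_order FILE NAME
# Prints every R line that belongs to ruleset NAME, in file order, as:
#   <definition index> <line number> <rule text>
ruleset_rule_order() {
    awk -v target="$2" '
        /^S/ {
            cur = substr($0, 2)
            sub(/=.*$/, "", cur)
            gsub(/[ \t]/, "", cur)
            if (cur == target) def++
            next
        }
        /^R/ && cur == target { print def, NR, $0 }
    ' "$1"
}

# write_sample_cf PATH
# Writes a constructed fragment (spaces instead of tabs, so it is input for
# this parser only, not a loadable configuration).
write_sample_cf() {
    cat > "$1" <<'EOF'
# constructed fragment for illustration; not taken from the thread
SLocal_check_rcpt
R$*   $: < $&{hc_switch} > $1
R< @FRIEND > $*   $@ OK
SFullAddr
R$* < @ $+ . >   $1 < @ $2 >
SLocal_check_rcpt
R$*   $: $&{client_addr}
R$+   $: $(popauth $1 $: ? $)
SFullAddr
R$* < @ $+ . >   $1 < @ $2 >
Scheck_subject
R$*   $: $(spamsubjdb $&{currHeader} $: OK $) $1
EOF
}

# With a readable path argument, inspect that file; otherwise use the sample.
if [ "$#" -ge 1 ] && [ -r "$1" ]; then
    dup_rulesets "$1"
    ruleset_rule_order "$1" Local_check_rcpt
else
    demo_cf=$(mktemp)
    write_sample_cf "$demo_cf"
    dup_rulesets "$demo_cf"
    ruleset_rule_order "$demo_cf" Local_check_rcpt
    rm -f "$demo_cf"
fi
```

Run against the generated sendmail.cf, the second function shows which definition's rules come first for a ruleset that more than one HACK or LOCAL_RULESETS section contributes to.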

Re: sendmail suddenly stops using popauth.db in pop-before-smtp??

on 15.11.2007 21:54:41 by Andrzej Filip

John Murtari writes:

> Folks,
> Got hit with a rather strange problem this morning.
> Our sendmail 8.13.1 normally runs in conjunction with POP before
> SMTP using a popauth.db file (RHEL 4 Server). No changes have
> been made in months to the sendmail.cf used by the server, nor
> the handling of the popauth.db, nor to sendmail itself.

As I understand you use recipe from
http://www.sendmail.org/~ca/email/chk-89n.html

> We had made a minor change to access.db and restarted
> sendmail when it started rejecting external email with our standard
> "Relaying denied" message. It didn't make any sense, we backed out
> the access.db change, restarted, and that still didn't clear anything.
> We then went to another server we had not touched at all and saw the
> same problem after a restart.
>
> In etc mail we have:
> -rw-r--r-- 1 root root 12288 Nov 15 14:22 popauth.db
>
>> makemap -u hash popauth
> 134.245.15.1 1195153832
> 166.84.1.3 1195154073
>
> Tried connecting from the 166.84.1.3 address and got
> relaying denied. Ran an address test (not sure on the warnings,
> the FullAddr does appear twice with an identical def, the
> Local_check_rcpt appears twice, different defs. My mc file is
> also at the end. Any help in tracking this down would be
> appreciated very much!
>
> John
>
>> (root-hammer)/etc/mail>sendmail -bt -d21.4
> WARNING: Ruleset FullAddr has multiple definitions
> WARNING: Ruleset Local_check_rcpt has multiple definitions
> ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
> Enter <ruleset> <address>
>
>> .D{client_addr}166.84.1.3
>> check_rcpt
> [...]

Could you repeat the above test for IP listed in popauth with more
detailed debug flags?

( echo ".D{client_addr}166.84.1.3" ; echo "joe@smoe.com") | sendmail -bt -d21.12 -d60.5

> --------------------- MC file
> [...]
> HACK(`popauth')dnl
> define(`POP_B4_SMTP_TAG', `')dnl
> [...]

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/

Re: sendmail suddenly stops using popauth.db in pop-before-smtp??

on 15.11.2007 22:01:53 by Andrzej Filip

Andrzej Adam Filip writes:
> [..]
> Could you repeat the above test for IP listed in popauth with more
> detailed debug flags?
>
> ( echo ".D{client_addr}166.84.1.3" ; echo "joe@smoe.com") | sendmail -bt -d21.12 -d60.5

I have missed rule set name


#!/bin/sh
sendmail -bt -d21.12 -d60.5 <<END
.D{client_addr}166.84.1.3
Local_check_rcpt joe@smoe.com
END


--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/

Re: sendmail suddenly stops using popauth.db in pop-before-smtp??

on 16.11.2007 20:37:26 by John Murtari

Andrzej Adam Filip writes:


>> Got hit with a rather strange problem this morning.
>> Our sendmail 8.13.1 normally runs in conjunction with POP before
>> SMTP using a popauth.db file (RHEL 4 Server). No changes have
>> been made in months to the sendmail.cf used by the server, nor
>> the handling of the popauth.db, nor to sendmail itself.
>
> As I understand you use recipe from
> http://www.sendmail.org/~ca/email/chk-89n.html
>
>> We had made a minor change to access.db and restarted
>> sendmail when it started rejecting external email with our standard
>> "Relaying denied" message. It didn't make any sense, we backed out
>> the access.db change, restarted, and that still didn't clear anything.
>> We then went to another server we had not touched at all and saw the
>> same problem after a restart.
>>
>> In etc mail we have:
>> -rw-r--r-- 1 root root 12288 Nov 15 14:22 popauth.db
>>
>>> makemap -u hash popauth
>> 134.245.15.1 1195153832
>> 166.84.1.3 1195154073
>>
>> Tried connecting from the 166.84.1.3 address and got
>> relaying denied. Ran an address test (not sure on the warnings,
>> the FullAddr does appear twice with an identical def, the
>> Local_check_rcpt appears twice, different defs. My mc file is
>> also at the end. Any help in tracking this down would be
>> appreciated very much!
>>
>> John
>>
>>> (root-hammer)/etc/mail>sendmail -bt -d21.4
>> WARNING: Ruleset FullAddr has multiple definitions
>> WARNING: Ruleset Local_check_rcpt has multiple definitions
>> ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
>> Enter <ruleset> <address>
>>
>>> .D{client_addr}166.84.1.3
>>> check_rcpt
>> [...]
>
> Could you repeat the above test for IP listed in popauth with more
> detailed debug flags?
>
> ( echo ".D{client_addr}166.84.1.3" ; echo "joe@smoe.com") | sendmail -bt -d21.12 -d60.5
>
>> --------------------- MC file
>> [...]
>> HACK(`popauth')dnl
>> define(`POP_B4_SMTP_TAG', `')dnl
>> [...]

Thanks for the advice and we may follow through with further
testing in the future. What we finally did (which was overdue),
was remove all the check_local HACKs for the header and dns from our
.mc files -- worked like a champ after that.
--
John
___________________________________________________________________
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/

SMTP AUTH v. POP before SMTP [Was: sendmail suddenly stops using popauth.db in pop-before-smtp??]

on 16.11.2007 22:16:04 by Andrzej Filip

John Murtari writes:
> [...]
> Thanks for the advice and we may follow through with further
> testing in the future. What we finally did (which was overdue),
> was remove all the check_local HACKs for the header and dns from our
> .mc files -- worked like a champ after that.

BTW Why do you use POP before SMTP instead of SMTP AUTH?

AFAIR POP before SMTP has been always described as inferior to SMTP AUTH
*and* SMTP AUTH is no longer a "fresh" technology with limited support
by MUA (mail clients).

URL(s):
http://www.sendmail.org/tips/
-> http://www.sendmail.org/~ca/email/auth.html

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/

Re: SMTP AUTH v. POP before SMTP

on 17.11.2007 17:17:08 by John Murtari

Andrzej
>
> BTW Why do you use POP before SMTP instead of SMTP AUTH?
>
> AFAIR POP before SMTP has been always described as inferior to SMTP AUTH
> *and* SMTP AUTH is no longer a "fresh" technology with limited support
> by MUA (mail clients).
>
Well, I quite agree. But our reason for not moving is
an installed base of thousands (as a web host provider) with a lot
of 'non computer' people with existing email setups that 'work'.

About a year ago we actually prepared some test systems to
support SMTP AUTH and had things working. The 'gotcha' was we couldn't
get sendmail to do BOTH, i.e. if SMTP auth works, let them through --
if we have their IP address in POP-before-SMTP, let them through.

Email is the MOST sensitive thing for our customers, and since
switching to SMTP auth was going to be an all-or-nothing change, it
was decided to wait. We just knew that as much as we tried to prep
people for transition, many would not be ready.

Now, if someone has a potential mc or cf change for sendmail
that would allow it to support BOTH during a transition period, we'd
love to hear the details and we could get it done. As I was writing
this I did a quick Google and it seems that supporting both is possible,
but could not find an example of .mc or .cf changes. Anybody have it?

Best regards!
--
John
___________________________________________________________________
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/

Re: SMTP AUTH v. POP before SMTP

on 17.11.2007 18:42:57 by Andrzej Filip

John Murtari writes:

> Andrzej
>>
>> BTW Why do you use POP before SMTP instead of SMTP AUTH?
>>
>> AFAIR POP before SMTP has been always described as inferior to SMTP AUTH
>> *and* SMTP AUTH is no longer a "fresh" technology with limited support
>> by MUA (mail clients).
>>
> Well, I quite agree. But our reason for not moving is
> an installed base of thousands (as a web host provider) with a lot
> of 'non computer' people with existing email setups that 'work'.
>
> About a year ago we actually prepared some test systems to
> support SMTP AUTH and had things working. The 'gotcha' was we couldn't
> get sendmail to do BOTH, i.e. if SMTP auth works, let them through --
> if we have their IP address in POP-before-SMTP, let them through.
>
> Email is the MOST sensitive thing for our customers, and since
> switching to SMTP auth was going to be an all-or-nothing change, it
> was decided to wait. We just knew that as much as we tried to prep
> people for transition, many would not be ready.
>
> Now, if someone has a potential mc or cf change for sendmail
> that would allow it to support BOTH during a transition period, we'd
> love to hear the details and we could get it done. As I was writing
> this I did a quick Google and it seems that supporting both is possible,
> but could not find an example of .mc or .cf changes. Anybody have it?

I can see no reason prohibiting the two to work together but I would
bet you are unwilling to start new round of tests before January :-)
[It could be a strange interaction with yet another non standard element]

BTW I have another 'checkup' question:
Do you plan to migrate functionality provided by check_local in
sendmail.cf to milter?
AFAIK check_local has never been supported by sendmail.org and it is no
longer supported by the author(s).

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/

Re: SMTP AUTH v. POP before SMTP

on 20.11.2007 18:40:02 by John Murtari

Andrzej Adam Filip writes:

>>> BTW Why do you use POP before SMTP instead of SMTP AUTH?

>> Well, I quite agree. But our reason for not moving is
>> an installed base of thousands (as a web host provider) with a lot
>> of 'non computer' people with existing email setups that 'work'.
>>
>> About a year ago we actually prepared some test systems to
>> support SMTP AUTH and had things working. The 'gotcha' was we couldn't
>> get sendmail to do BOTH, i.e. if SMTP auth works, let them through --
>> if we have their IP address in POP-before-SMTP, let them through.
>>
>> Email is the MOST sensitive thing for our customers, and since
>> switching to SMTP auth was going to be an all-or-nothing change, it
>> was decided to wait. We just knew that as much as we tried to prep
>> people for transition, many would not be ready.
>>
>> Now, if someone has a potential mc or cf change for sendmail
>> that would allow it to support BOTH during a transition period, we'd
>> love to hear the details and we could get it done. As I was writing
>> this I did a quick Google and it seems that supporting both is possible,
>> but could not find an example of .mc or .cf changes. Anybody have it?
>
> I can see no reason prohibiting the two to work together but I would
> bet you are unwilling to start new round of tests before January :-)
> [It could be a strange interaction with yet another non standard element]
>
> BTW I have another 'checkup' question:
> Do you plan to migrate functionality provided by check_local in
> sendmail.cf to milter?
> AFAIK check_local has never been supported by sendmail.org and it is no
> longer supported by the author(s).

No, we realized the same thing about check_local -- we were using
it in the days when we were trying to manage our own SPAM filtering. A
few users ago we went to Canit (http://www.canit.ca/) and it has worked
great with sendmail and supported a fairly complex setup we had.

Best regards!
--
John
___________________________________________________________________
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/

Re: SMTP AUTH v. POP before SMTP

on 29.11.2007 10:47:25 by jnemeth

John Murtari (jmurtari@thebook.com) wrote:
: Andrzej
: >
: > BTW Why do you use POP before SMTP instead of SMTP AUTH?
: >
: > AFAIR POP before SMTP has been always described as inferior to SMTP AUTH
: > *and* SMTP AUTH is no longer a "fresh" technology with limited support
: > by MUA (mail clients).
: >
: Well, I quite agree. But our reason for not moving is
: an installed base of thousands (as a web host provider) with a lot
: of 'non computer' people with existing email setups that 'work'.

: About a year ago we actually prepared some test systems to
: support SMTP AUTH and had things working. The 'gotcha' was we couldn't
: get sendmail to do BOTH, i.e. if SMTP auth works, let them through --
: if we have their IP address in POP-before-SMTP, let them through.

This is easy.

: Email is the MOST sensitive thing for our customers, and since

I know this very well...

: switching to SMTP auth was going to be an all-or-nothing change, it
: was decided to wait. We just knew that as much as we tried to prep
: people for transition, many would not be ready.

: Now, if someone has a potential mc or cf change for sendmail
: that would allow it to support BOTH during a transition period, we'd
: love to hear the details and we could get it done. As I was writing
: this I did a quick Google and it seems that supporting both is possible,
: but could not find an example of .mc or .cf changes. Anybody have it?

Note that I use drac for POP before SMTP. See
http://mail.cc.umanitoba.ca/drac/index.html for more information.

LOCAL_CONFIG
# dynamic relay authorization control map
Kdrac btree /etc/mail/dracd
TRUST_AUTH_MECH(`LOGIN PLAIN')
...
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A,y')dnl
...
LOCAL_RULESETS
SLocal_check_rcpt
# allow recent POP/IMAP mail clients to relay
R$* $: $&{client_addr}
R$+ $: $(drac $1 $: ? $)
R? $@ ?
R$+ $@ $#OK

Re: SMTP AUTH v. POP before SMTP

on 29.11.2007 19:43:57 by John Murtari

jnemeth@vtn1.victoria.tc.ca (John Nemeth) writes:

> : Now, if someone has a potential mc or cf change for sendmail
> : that would allow it to support BOTH during a transition period, we'd
> : love to hear the details and we could get it done. As I was writing
> : this I did a quick Google and it seems that supporting both is possible,
> : but could not find an example of .mc or .cf changes. Anybody have it?


> Note that I use drac for POP before SMTP. See
> http://mail.cc.umanitoba.ca/drac/index.html for more information.
>
> LOCAL_CONFIG
> # dynamic relay authorization control map
> Kdrac btree /etc/mail/dracd
> TRUST_AUTH_MECH(`LOGIN PLAIN')
> ...
> define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
> define(`confAUTH_OPTIONS', `A,y')dnl
> ...
> LOCAL_RULESETS
> SLocal_check_rcpt
> # allow recent POP/IMAP mail clients to relay
> R$* $: $&{client_addr}
> R$+ $: $(drac $1 $: ? $)
> R? $@ ?
> R$+ $@ $#OK

Okay, thanks for the tip on how to setup an MC file
to do both. We'll try that out in the future.
Best regards!
--
John
___________________________________________________________________
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/