sendmail LMTP authenticate to cyrus-imap

on 16.01.2008 07:18:20 by singram

Is there any way to direct sendmail to authenticate over LMTP to cyrus-
imap running on another box? I've seen discussion of this in this
group as well as other groups, but no one seems to have successfully
accomplished this. Some say just to set "lmtpd -a" on the cyrus side
so as to eliminate the need for authentication. That seems to defeat
the whole purpose.

Cyrus-SASL is running on both sides to handle authentication. I've
created an authinfo database with authentication information for a
cyrus admin which should allow me to deliver mail to the server,
however, I receive the following from sendmail:

Jan 15 23:09:02 smtp1 sendmail[1396]: STARTTLS=client, relay=imap1.4test.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Jan 15 23:09:02 smtp1 sendmail[1396]: m0F7krM4016065: to=, delay=21:22:08, xdelay=00:00:00, mailer=cyrusv2, pri=2730660, relay=imap1.4test.net. [192.168.101.8], dsn=4.0.0, stat=Deferred: 430 Authentication required

And on the cyrus side:

Jan 15 23:09:02 imap1 lmtp[1398]: connection from smtp1.4test.net [192.168.101.7]
Jan 15 23:09:02 imap1 lmtp[1398]: mystore: starting txn 2147483683
Jan 15 23:09:02 imap1 lmtp[1398]: mystore: committing txn 2147483683
Jan 15 23:09:02 imap1 lmtp[1398]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication

I'm guessing from the "no authentication" that sendmail isn't even
sending any auth info to the cyrus server. Is sendmail only capable of
SMTP auth and not LMTP auth?

Re: sendmail LMTP authenticate to cyrus-imap

on 16.01.2008 16:37:18 by Andrzej Filip

singram writes:

> Is there any way to direct sendmail to authenticate over LMTP to cyrus-
> imap running on another box? I've seen discussion of this in this
> group as well as other groups, but no one seems to have successfully
> accomplished this. Some say just to set "lmtpd -a" on the cyrus side
> so as to eliminate the need for authentication. That seems to defeat
> the whole purpose.
>
> Cyrus-SASL is running on both sides to handle authentication. I've
> created an authinfo database with authentication information for a
> cyrus admin which should allow me to deliver mail to the server,
> however, I receive the following from sendmail:
>
> Jan 15 23:09:02 smtp1 sendmail[1396]: STARTTLS=client, relay=imap1.4test.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
> Jan 15 23:09:02 smtp1 sendmail[1396]: m0F7krM4016065: to=, delay=21:22:08, xdelay=00:00:00, mailer=cyrusv2, pri=2730660, relay=imap1.4test.net. [192.168.101.8], dsn=4.0.0, stat=Deferred: 430 Authentication required
>
> And on the cyrus side:
>
> Jan 15 23:09:02 imap1 lmtp[1398]: connection from smtp1.4test.net [192.168.101.7]
> Jan 15 23:09:02 imap1 lmtp[1398]: mystore: starting txn 2147483683
> Jan 15 23:09:02 imap1 lmtp[1398]: mystore: committing txn 2147483683
> Jan 15 23:09:02 imap1 lmtp[1398]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
>
> I'm guessing from the "no authentication" that sendmail isn't even
> sending any auth info to the cyrus server. Is sendmail only capable of
> SMTP auth and not LMTP auth?

Send a test message as root in verbose mode with tracking (authinfo) map
lookups. The most likely problems:
* cyrus offers authentication sendmail does not support
* sendmail looks for something different than you expect
  [ I once put the wrong key in the authinfo file myself :-) ]

Sample test script:

#!/bin/sh
# -Am: use sendmail.cf; -v: show the SMTP/LMTP dialogue; -d60.5: trace map lookups
RECIPIENT='test@example.com'

/usr/sbin/sendmail -Am -v -d60.5 -oi -- "$RECIPIENT" <<END
subject: test message

test message body
END

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/
"Give me enough medals, and I'll win any war."
-- Napoleon
----
http://groups.google.com/groups?selm=87ir1t93yp@shari.fsf.hobby-site.com

Re: sendmail LMTP authenticate to cyrus-imap

on 16.01.2008 20:36:59 by singram

On Jan 16, 7:37 am, Andrzej Adam Filip wrote:
>
> Send a test message as root in verbose mode with tracking (authinfo) map
> lookups. The most likely problems:
> * cyrus offers authentication sendmail does not support
> * sendmail looks for something different than you expect
>   [ I once put the wrong key in the authinfo file myself :-) ]
>
> sample test script:
>
> #!/bin/sh
> RECIPIENT='t...@example.com'
>
> /usr/sbin/sendmail -Am -v -d60.5 -oi -- $RECIPIENT <<END
> subject: test message
>
> test message body
> END

I ran your test script and got some info back indicating that sendmail
was looking to the access map for TLS info so I inserted the following
two lines:

TLS_Srv:imap1.4test.net ENCR:112
Try_TLS:imap1.4test.net ENCR:112

I'm not sure by the output whether or not that takes care of the TLS
part, however, I don't see anything in the output referring to the
passed authentication from the line in the authinfo map:

AuthInfo:imap1.4test.net "M:DIGEST-MD5 PLAIN" "U:lmtp" "I:lmtp" "P:secret" "R:imap1.4test.net"

as the output from sendmail is:

map_lookup(dequote, root, %0=root) => NOT FOUND (0)
map_lookup(host, 4test.net, %0=4test.net) => 4test.net. (0)
map_lookup(dequote, steve, %0=steve) => NOT FOUND (0)
map_lookup(virtuser, steve@4test.net, %0=steve@4test.net, %1=steve) => NOT FOUND (68)
map_lookup(virtuser, @4test.net, %0=@4test.net, %1=steve) => NOT FOUND (68)
steve@4test.net... Connecting to imap1.4test.net. port 24 via cyrusv2...
220 imap1.4test.net LMTP Cyrus v2.3.7-Invoca-RPM-2.3.7-1.1.el5 ready
>>> LHLO smtp1.4test.net
250-imap1.4test.net
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-SIZE
250-STARTTLS
250 IGNOREQUOTA
map_lookup(access, Try_TLS:imap1.4test.net, %0=Try_TLS:imap1.4test.net) => ENCR:112 (0)
>>> STARTTLS
220 Begin TLS negotiation now
map_lookup(macro, {TLS_Name}, %0={TLS_Name}, %1=imap1.4test.net) => (0)
map_lookup(access, TLS_Srv:imap1.4test.net, %0=TLS_Srv:imap1.4test.net) => ENCR:112 (0)
map_lookup(arith, l, %0=l, %1=256, %2=112) => FALSE (0)
>>> LHLO smtp1.4test.net
250-imap1.4test.net
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-SIZE
250 IGNOREQUOTA
>>> MAIL From: SIZE=41
430 Authentication required
steve@4test.net... Deferred: 430 Authentication required

Am I correct here, or have I missed something in the debug info?

Re: sendmail LMTP authenticate to cyrus-imap

on 16.01.2008 20:56:35 by Andrzej Filip

singram writes:

> On Jan 16, 7:37 am, Andrzej Adam Filip wrote:
>>
>> Send a test message as root in verbose mode with tracking (authinfo) map
>> lookups. The most likely problems:
>> * cyrus offers authentication sendmail does not support
>> * sendmail looks for something different than you expect
>>   [ I once put the wrong key in the authinfo file myself :-) ]
>>
>> sample test script:
>>
>> #!/bin/sh
>> RECIPIENT='t...@example.com'
>>
>> /usr/sbin/sendmail -Am -v -d60.5 -oi -- $RECIPIENT <<END
>> subject: test message
>>
>> test message body
>> END
>
> I ran your test script and got some info back indicating that sendmail
> was looking to the access map for TLS info so I inserted the following
> two lines:
>
> TLS_Srv:imap1.4test.net ENCR:112
> Try_TLS:imap1.4test.net ENCR:112
>
> I'm not sure by the output whether or not that takes care of the TLS
> part, however, I don't see anything in the output referring to the
> passed authentication from the line in the authinfo map:
>
> AuthInfo:imap1.4test.net "M:DIGEST-MD5 PLAIN" "U:lmtp"
> "I:lmtp" "P:secret" "R:imap1.4test.net"
>
> as the output from sendmail is:
>
> map_lookup(dequote, root, %0=root) => NOT FOUND (0)
> map_lookup(host, 4test.net, %0=4test.net) => 4test.net. (0)
> map_lookup(dequote, steve, %0=steve) => NOT FOUND (0)
> map_lookup(virtuser, steve@4test.net, %0=steve@4test.net, %1=steve) =>
> NOT FOUND (68)
> map_lookup(virtuser, @4test.net, %0=@4test.net, %1=steve) => NOT FOUND
> (68)
> steve@4test.net... Connecting to imap1.4test.net. port 24 via
> cyrusv2...
> 220 imap1.4test.net LMTP Cyrus v2.3.7-Invoca-RPM-2.3.7-1.1.el5 ready
> >>> LHLO smtp1.4test.net
> 250-imap1.4test.net
> 250-8BITMIME
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-SIZE
> 250-STARTTLS
> 250 IGNOREQUOTA
> map_lookup(access, Try_TLS:imap1.4test.net,
> %0=Try_TLS:imap1.4test.net) => ENCR:112 (0)
> >>> STARTTLS
> 220 Begin TLS negotiation now
> map_lookup(macro, {TLS_Name}, %0={TLS_Name}, %1=imap1.4test.net) =>
> (0)
> map_lookup(access, TLS_Srv:imap1.4test.net,
> %0=TLS_Srv:imap1.4test.net) => ENCR:112 (0)
> map_lookup(arith, l, %0=l, %1=256, %2=112) => FALSE (0)
> >>> LHLO smtp1.4test.net
> 250-imap1.4test.net
> 250-8BITMIME
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-SIZE
> 250 IGNOREQUOTA
> >>> MAIL From: SIZE=41
> 430 Authentication required
> steve@4test.net... Deferred: 430 Authentication required
>
> Am I correct here, or have I missed something in the debug info?

According to the above transcript your sendmail:
0) [OK] established IMAP connection to cyrus-imap-2.3.7
1) [OK] successfully issued STARTTLS.
2) [bad] have not seen any sign of AUTH support in LHLO reply.

AFAIK lack of declared AUTH support stops sendmail from attempting
authentication. For me it looks like a problem at cyrus-imap side.

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/
To be beautiful is enough! if a woman can do that well who should demand
more from her? You don't want a rose to sing.
-- Thackeray
----
http://groups.google.com/groups?selm=873asx7de4@thomas.fsf.hobby-site.com
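
The check made in the reply above, as an added example that is not part of the original thread: it reads the LHLO replies out of a "sendmail -v" transcript, takes the capabilities in force when MAIL is sent (the reply after STARTTLS), and compares any advertised AUTH mechanisms with the "M:" list of the authinfo entry. The function names and the FIXED transcript are constructed for illustration; the other sample data comes from the thread, with the capability list shortened.

```python
import re

# LMTP dialogue from the thread's "sendmail -v" output, capability list shortened.
THREAD = """\
>>> LHLO smtp1.4test.net
250-imap1.4test.net
250-STARTTLS
250 IGNOREQUOTA
>>> STARTTLS
220 Begin TLS negotiation now
>>> LHLO smtp1.4test.net
250-imap1.4test.net
250 IGNOREQUOTA
>>> MAIL From: SIZE=41
430 Authentication required
"""
# Constructed: the same dialogue with an AUTH line in the post-TLS reply.
FIXED = THREAD.replace("250 IGNOREQUOTA\n>>> MAIL",
                       "250-AUTH DIGEST-MD5 PLAIN\n250 IGNOREQUOTA\n>>> MAIL")
# authinfo entry from the thread, joined onto one line.
AUTHINFO = ('AuthInfo:imap1.4test.net "M:DIGEST-MD5 PLAIN" "U:lmtp" '
            '"I:lmtp" "P:secret" "R:imap1.4test.net"')


def lhlo_replies(transcript):
    """One dict per LHLO reply: keyword -> argument list (greeting host included)."""
    replies, current = [], None
    for line in transcript.splitlines():
        if line.startswith(">>> "):          # client command
            current = None
            if line[4:].upper().startswith("LHLO"):
                current = {}
                replies.append(current)
            continue
        m = re.match(r"250[- ](\S+)(.*)", line)
        if current is not None and m:
            current[m.group(1).upper()] = m.group(2).split()
    return replies


def authinfo_mechs(entry):
    """Mechanisms from the "M:" field of an authinfo map entry."""
    m = re.search(r'"M:([^"]*)"', entry)
    return m.group(1).split() if m else []


def diagnose(transcript, authinfo):
    offered = lhlo_replies(transcript)[-1].get("AUTH")  # reply in force at MAIL
    if offered is None:
        return "AUTH not advertised in final LHLO reply"
    usable = [m for m in authinfo_mechs(authinfo) if m in offered]
    return "usable mechanisms: " + " ".join(usable) if usable else "no common mechanism"
```

Calling diagnose(THREAD, AUTHINFO) reports the missing AUTH line seen in the thread; diagnose(FIXED, AUTHINFO) lists the mechanisms the client and server share.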

Re: sendmail LMTP authenticate to cyrus-imap

on 17.01.2008 07:54:42 by singram

On Jan 16, 11:56 am, Andrzej Adam Filip wrote:
> 2) [bad] have not seen any sign of AUTH support in LHLO reply.
>
> AFAIK lack of declared AUTH support stops sendmail from attempting
> authentication. For me it looks like a problem at cyrus-imap side.
>
Oh, yes and how it does. I feel really stupid now as this part was
working on the old box, but I somehow missed the auth mech rpms on
this box so of course it didn't advertise AUTH. OK, so rpms are
installed now and authentication sent and working properly.

Obviously having some experience with sendmail/cyrus integration, you
probably know the next stumbling block I ran into: sendmail not sending
the correct user info over to the cyrus box (I am using virtual
users). I thought I had that covered after changing the S=EnvFromSMTP/
HdrFromL, R=EnvToL/HdrToL in the cyrusv2.m4 mailer spec to
S=EnvFromSMTP/HdrFromL, R=EnvToSMTP, but, alas it is sending
steve@smtp1.4test.net instead of steve@4test.net.

I had already come across your wonderful RTCyrus3 project in my
research and figured I might need it at some point. I think I've now
reached that point. I haven't found any references yet, but I'm hoping
it will work with my 2 server tcp lmtp configuration. Since I'm not
using the lmtp socket configuration, can I replace your rtcyrus3.mc
line:

define(`CYRUS_LMTP_SOCKET',`/var/imap/socket/lmtp')dnl

with something that will accommodate my tcp lmtp?

I'm also using LDAP for my sendmail config lookups, so I'm hoping
I can replace your mc line:

C{VCyrusDomains} example.com example.net

with

F{VCyrusDomains}@LDAP

so I can move this domain info into LDAP with everything else. (Not
sure what the "C" is but I'm thinking I can use "F" like a class.)

Are there any other changes I would need to make?

Re: sendmail LMTP authenticate to cyrus-imap

on 20.01.2008 08:19:49 by singram

Andrzej-

I never managed to get your VCyrusDomains definition into LDAP as
mentioned in my last post, but I'm not sure it's even necessary.

Is it necessary to insert domains into mailertable and users into
aliases file and virtualusers table too? I've found various scraps of
info about Cyrus virtualusers and some of them make mention of this.

Well, I would love to now somehow adapt your RTCyrus3 macros in order
to accommodate larger mail installations. I think I have figured out
how to get the lmtp part of your RTCyrus3 working over TCP, and half
of the sendmail map part working. I have the smmap daemon listening on
a port, however, I'm not sure how to rewrite your anfi feature to
accommodate this. I tried modifying the following line in vcyrus.m4:

Kcyrus socket -T local:SMMAP_SOCKET,

but, with no success. Can this work?

Steven

Re: sendmail LMTP authenticate to cyrus-imap

on 22.01.2008 07:18:52 by singram

OK, I think I've got it! I changed the following line in
feature/anfi/vcyrus.m4:

Kcyrus socket -T local:SMMAP_SOCKET,

to be:

Kcyrus socket -T inet:26@imap1.4test.net

where 26 is the port smmap is listening on.

I also tried changing the VCyrusDomains to be looked up in LDAP and it
appears to be working. I'm not sure, however, if sendmail is trusting
the results or using class w instead. It's difficult to tell from the
myriad of LDAP queries.

Can you please tell me specifically what maps/classes need to be
filled in order for RTCyrus3 to work properly? I've read through
several postings here and there and I've even seen references to
mailertable and aliases so I'm really not sure.

Steven