how to configure sendmail (sasl) to use two different SMTP_AUTH methods

on 04.04.2008 13:22:55 by Ingo Freund

Hi

I'm still unsuccessfully working on this requirement:

authenticated users may use sendmail as a relay.
The users shall authenticate via STARTTLS/LOGIN(PLAIN) or
via DIGEST-/CRAM-MD5 and are locally listed in passwd/shadow.
The SMTP-AUTH using STARTTLS/LOGIN works fine with saslauthd/pam.
Any other authentication I try fails.
How do I have to configure sendmail (or the other authentication
partner processes on the machine) to authenticate via CRAM-MD5 ?

-Ingo

Re: how to configure sendmail (sasl) to use two different SMTP_AUTH methods

on 04.04.2008 17:45:13 by Tilman Schmidt

Ingo Freund wrote:
> The users shall authenticate via STARTTLS/LOGIN(PLAIN) or
> via DIGEST-/CRAM-MD5 and are locally listed in passwd/shadow.

DIGEST-MD5 or CRAM-MD5 cannot authenticate against a one way
encrypted password database like passwd/shadow. These algorithms
need access to the cleartext password.

> The SMTP-AUTH using STARTTLS/LOGIN works fine with saslauthd/pam.
> Any other authentication I try fails.

That's the way things are when authenticating against the regular
Unix user database.

> How do I have to configure sendmail (or the other authentication
> partner processes on the machine) to authenticate via CRAM-MD5 ?

Use SASLdb.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
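The reply's point (a challenge-response mechanism needs the cleartext secret on the server, so a shadow-style one-way hash cannot serve it) is easy to see in a worked CRAM-MD5 exchange. The following is an added example, not code posted in this thread; the user names, passwords and the "shadow-style" hash function are constructed stand-ins (real shadow entries use crypt(3) formats).

```python
"""Worked CRAM-MD5 exchange (added example, not code from the thread).

The CRAM-MD5 response is HMAC-MD5 keyed with the user's password. A server
can therefore only verify it if it holds the cleartext password; a one-way
hash such as a passwd/shadow entry cannot be used to recompute it.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets


def make_challenge(hostname: str) -> bytes:
    """Server side: RFC 2195 challenge of the form '<nonce@host>'."""
    return f"<{secrets.token_hex(8)}@{hostname}>".encode()


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username hex(HMAC-MD5(password, challenge))'.

    The password is only used as the HMAC key; it never crosses the wire.
    """
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def smtp_wire(challenge: bytes, response: bytes) -> tuple[str, str]:
    """What the two SMTP lines actually look like: both sides base64-encode,
    the server prefixing its challenge with the 334 reply code."""
    return ("334 " + base64.b64encode(challenge).decode(),
            base64.b64encode(response).decode())


def verify_with_cleartext(response: bytes, challenge: bytes,
                          cleartext_store: dict[str, str]) -> bool:
    """A sasldb-style backend: it holds the cleartext, so it can recompute
    the same HMAC and compare it in constant time."""
    user, _, digest = response.decode().partition(" ")
    password = cleartext_store.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def shadow_style_hash(password: str, salt: str) -> str:
    """Constructed stand-in for a crypt(3) shadow entry: salted one-way hash."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def verify_with_hash_only(response: bytes, challenge: bytes,
                          hashed_store: dict[str, tuple[str, str]]) -> bool:
    """A shadow-style backend. The only secret it has is the hash, so the
    best it can do is key the HMAC with that hash, which never matches what
    the client computed from the cleartext. CRAM-MD5 against shadow cannot
    succeed even for a legitimate user with the right password."""
    user, _, digest = response.decode().partition(" ")
    entry = hashed_store.get(user)
    if entry is None:
        return False
    salt, stored_hash = entry
    attempt = hmac.new(stored_hash.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(attempt, digest)


# Constructed sample data (not from the thread).
PASSWORD = "correct horse battery staple"
CLEARTEXT_STORE = {"ingo": PASSWORD}
HASHED_STORE = {"ingo": ("s4lt", shadow_style_hash(PASSWORD, "s4lt"))}


def demo() -> dict[str, bool]:
    """Run one exchange against both kinds of password store."""
    challenge = make_challenge("mail.example.org")
    good = client_response("ingo", PASSWORD, challenge)
    bad = client_response("ingo", "wrong password", challenge)
    return {
        "cleartext_store_accepts_good": verify_with_cleartext(good, challenge, CLEARTEXT_STORE),
        "cleartext_store_rejects_bad": verify_with_cleartext(bad, challenge, CLEARTEXT_STORE),
        "hash_only_store_accepts_good": verify_with_hash_only(good, challenge, HASHED_STORE),
    }


if __name__ == "__main__":
    ch = make_challenge("mail.example.org")
    print(*smtp_wire(ch, client_response("ingo", PASSWORD, ch)), sep="\n")
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The flip side of this is why the rest of the thread points at sasldb: a store that can serve CRAM-MD5 or DIGEST-MD5 necessarily holds cleartext-equivalent secrets, so the file permissions on that database deserve the same care as a private key.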

Re: how to configure sendmail (sasl) to use two different SMTP_AUTH methods

on 07.04.2008 07:31:38 by Ingo Freund

On 04.04.2008 17:45, Tilman Schmidt wrote (please find the answer below the original text):
> Ingo Freund wrote:
>> The users shall authenticate via STARTTLS/LOGIN(PLAIN) or
>> via DIGEST-/CRAM-MD5 and are locally listed in passwd/shadow.
>
> DIGEST-MD5 or CRAM-MD5 cannot authenticate against a one way
> encrypted password database like passwd/shadow. These algorithms
> need access to the cleartext password.
>
>> How do I have to configure sendmail (or the other authentication
>> partner processes on the machine) to authenticate via CRAM-MD5 ?
>
> Use SASLdb.
>

Thanks for your answer.
What I'd like to know now is how to configure sendmail
to use two (or more) methods parallel.

-Ingo.

Re: how to configure sendmail (sasl) to use two different SMTP_AUTH methods

on 08.04.2008 10:07:53 by Tilman Schmidt

Ingo Freund wrote:
> On 04.04.2008 17:45, Tilman Schmidt wrote (please find the answer below the original text):
>> Ingo Freund wrote:
>>> The users shall authenticate via STARTTLS/LOGIN(PLAIN) or
>>> via DIGEST-/CRAM-MD5 and are locally listed in passwd/shadow.
>>
>> DIGEST-MD5 or CRAM-MD5 cannot authenticate against a one way
>> encrypted password database like passwd/shadow. These algorithms
>> need access to the cleartext password.
>>
>>> How do I have to configure sendmail (or the other authentication
>>> partner processes on the machine) to authenticate via CRAM-MD5 ?
>>
>> Use SASLdb.
>
> Thanks for your answer.
> What I'd like to know now is how to configure sendmail
> to use two (or more) methods parallel.

Once you have your passwords in sasldb, it's as easy as putting

define(`confAUTH_OPTIONS', `Apy')
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')

in your sendmail.mc (you've probably done that already) and

pwcheck_method: auxprop
auxprop_plugin: sasldb

in /usr/lib/sasl2/Sendmail.conf. WFM, anyway.

If you *don't* have your passwords in sasldb, it's not possible. Period.

HTH
T.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...

Re: how to configure sendmail (sasl) to use two different SMTP_AUTH methods

on 08.04.2008 10:43:55 by Ingo Freund

On 08.04.2008 10:07, Tilman Schmidt wrote (please find the answer below the original text):
[...]
> Once you have your passwords in sasldb, it's as easy as putting
>
> define(`confAUTH_OPTIONS', `Apy')
> define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')
> TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')
>
> in your sendmail.mc (you've probably done that already) and
>
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
>
> in /usr/lib/sasl2/Sendmail.conf. WFM, anyway.
>
> If you *don't* have your passwords in sasldb, it's not possible. Period.
>

Again thank you for your answer.
Referring to the subject, there seems to be no way to implement
a parallel authentication of
- users who use passwd/shadow or ldap with STARTTLS/LOGIN
- users authenticating themselves by CRAM-/DIGEST-MD5 without STARTTLS
where in the worst case both users can be the same system user.

This is not really acceptable because it happens that a user
uses different mail clients, possibly speaking TLS or not.
In non-TLS cases there is no authentication, which results
in "RELAYING DENIED".

-Ingo.

Re: how to configure sendmail (sasl) to use two different SMTP_AUTH methods

on 09.04.2008 12:06:06 by Tilman Schmidt

Ingo Freund wrote:
> Referring to the subject, there seems to be no way to implement
> a parallel authentication of
> - users who use passwd/shadow or ldap with STARTTLS/LOGIN
> - users authenticating themselves by CRAM-/DIGEST-MD5 without STARTTLS
> where in the worst case both users can be the same system user.

I wouldn't put it quite like that. The only thing that's really impossible
is authenticating users with CRAM-MD5/DIGEST-MD5 against a password stored
in encrypted form, e.g. in the shadow password database.

For the sake of completeness, it *is* possible to configure Sendmail to
check both the shadow password file and SASLdb, so you can store some
users' passwords in one and some in the other. (It is even possible to
have users listed in both, but I'd recommend against it, as the results
can be rather difficult to explain to the average user. ;-) In that case,
those users who are listed in SASLdb can authenticate with all methods,
while those listed only in the shadow password file can only use the
cleartext methods (PLAIN and LOGIN). If that's what you want, just put
"pwcheck_method: auxprop saslauthd" in your Sendmail.conf file and make
sure the saslauthd daemon is running.

> This is not really acceptable

It's reality. It doesn't really care if we accept it. :-)

> because it happens that a user
> uses different mail clients possibly speaking TLS or not.

It's been a long time since I last saw a mail client without TLS support.
Anyway, the usual solution to that is keeping your mail users in SASLdb.
Is there a particular reason why you want to put them in passwd/shadow?
Most mailserver administrators are quite happy to have a separate mail
user database so that they needn't create a system user for every mail
user.

HTH
T.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
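The outcome the thread arrives at (which mechanisms a client is offered with and without TLS, and which password store can complete each mechanism under "pwcheck_method: auxprop saslauthd") can be laid out as a small model. This is an added example, not code from the thread or from sendmail/Cyrus SASL: the two backend classes are simplified stand-ins for sasldb and saslauthd/PAM, the user names and passwords are constructed, and the "shadow" hash is a placeholder for crypt(3). The meaning of the confAUTH_OPTIONS letters follows sendmail's cf/README ('p': withhold mechanisms susceptible to passive sniffing unless a security layer is active; 'y': no anonymous mechanisms; 'A': use the AUTH= parameter only after successful authentication). That a later pwcheck method is consulted when an earlier one does not accept the credentials is an assumption of the model; it reproduces the "confusing results" the reply warns about for users listed in both stores.

```python
"""Model of sendmail's SMTP AUTH offering and backend selection
(added example; constructed data, not code from the thread).

Mirrors the configuration discussed in the thread:
  confAUTH_MECHANISMS  DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
  confAUTH_OPTIONS     Apy   ('p': no plaintext mechanisms without TLS)
  pwcheck_method       auxprop saslauthd   (sasldb first, then saslauthd)
"""
from __future__ import annotations

import hashlib
import hmac

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}             # the password itself is sent
SHARED_SECRET_MECHS = {"DIGEST-MD5", "CRAM-MD5"}  # server needs the cleartext

AUTH_MECHANISMS = ["DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]
AUTH_OPTIONS = "Apy"


def advertised_mechanisms(configured: list[str], options: str,
                          tls_active: bool) -> list[str]:
    """Mechanisms on the EHLO 'AUTH ...' line. With the 'p' option, PLAIN and
    LOGIN are withheld until STARTTLS has been negotiated."""
    if "p" in options and not tls_active:
        return [m for m in configured if m not in PLAINTEXT_MECHS]
    return list(configured)


class SasldbBackend:
    """Stand-in for auxprop/sasldb: holds cleartext, so any mechanism works."""

    def __init__(self, users: dict[str, str]):
        self.users = users

    def verify(self, user: str, password: str, mech: str) -> bool | None:
        stored = self.users.get(user)
        if stored is None:
            return None  # unknown here; the next pwcheck method may know the user
        # A real server derives the mechanism-specific proof (e.g. the
        # CRAM-MD5 HMAC) from this cleartext; that is what makes it possible.
        return hmac.compare_digest(stored.encode(), password.encode())


class SaslauthdBackend:
    """Stand-in for saslauthd/PAM over passwd/shadow: it can only check a
    password handed to it in full, so CRAM-MD5/DIGEST-MD5 are out of reach."""

    def __init__(self, shadow: dict[str, tuple[str, str]]):
        self.shadow = shadow

    @staticmethod
    def hash_pw(password: str, salt: str) -> str:
        # Constructed placeholder for crypt(3); the point is that it is one-way.
        return hashlib.sha512((salt + password).encode()).hexdigest()

    def verify(self, user: str, password: str, mech: str) -> bool | None:
        if mech in SHARED_SECRET_MECHS:
            return None  # cannot take part in a challenge-response mechanism
        entry = self.shadow.get(user)
        if entry is None:
            return None
        salt, stored = entry
        return hmac.compare_digest(self.hash_pw(password, salt), stored)


# Constructed sample users: alice lives in sasldb, bob only in passwd/shadow.
BACKENDS = {
    "auxprop": SasldbBackend({"alice": "alice-secret"}),
    "saslauthd": SaslauthdBackend(
        {"bob": ("s4lt", SaslauthdBackend.hash_pw("bob-secret", "s4lt"))}),
}


def attempt_auth(user: str, password: str, mech: str, tls_active: bool,
                 pwcheck_method: str = "auxprop saslauthd") -> str:
    """Outcome of one AUTH attempt: 'not-offered', 'ok' or 'failed'.

    Backends are tried in the order given in pwcheck_method; the first one
    that accepts wins (model assumption, see lead-in)."""
    if mech not in advertised_mechanisms(AUTH_MECHANISMS, AUTH_OPTIONS, tls_active):
        return "not-offered"
    for name in pwcheck_method.split():
        if BACKENDS[name].verify(user, password, mech):
            return "ok"
    return "failed"  # no backend accepted: the client ends up with RELAYING DENIED


if __name__ == "__main__":
    for user, pw in (("alice", "alice-secret"), ("bob", "bob-secret")):
        for mech in AUTH_MECHANISMS:
            for tls in (False, True):
                print(f"{user:6} {mech:10} tls={tls!s:5} -> "
                      f"{attempt_auth(user, pw, mech, tls)}")
```

Running it shows the situation described in the thread: without TLS, bob (shadow only) is offered just the two MD5 mechanisms, neither of which his password store can complete, while alice (sasldb) authenticates with any mechanism on any connection. Dropping "saslauthd" from pwcheck_method locks bob out entirely, and dropping the 'p' option would offer PLAIN/LOGIN on unencrypted connections, which is the trade-off the 'p' flag exists to prevent.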