
problem with saslauthd
Hi. I have been using various clients to connect to my sendmail
server using port 587 and using starttls to encrypt the connections
and then using the plain mechanism to send the user name and password
to authenticate.

Last day or so this has stopped working -- I don't know that I changed
anything (famous last words), but I do see the following if I run
saslauthd -v
saslauthd 2.1.28
authentication mechanisms: sasldb getpwent pam rimap shadow
but I have in my Sendmail.conf file in /usr/lib64/sasl2
pwcheck_method: saslauthd
allowanonymouslogin: 0
allowplaintext: 1
mech_list: EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
log_level: 3
#
and this seems to be why if I run sendmail at a high enough loglevel
I get the message saying
authwarning: no mechanisms.

So, after all that, anyone have an idea as to how to fix?

Thanks.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
covici@ccs.covici.com
Re: problem with saslauthd
On 5/4/22 7:31 AM, John Covici wrote:
> Hi. I have been using various clients to connect to my sendmail
> server using port 587 and using starttls to encrypt the connections
> and then using the plain mechanism to send the user name and password
> to authenticate.
>
> Last day or so this has stopped working -- I don't know that I changed
> anything (famous last words),

Assume that your configuration is at least acceptable until you have a
reason to think otherwise.

> So, after all that, anyone have an idea as to how to fix?

Start with the simpler thing first.

Is the SASL authentication daemon running?

Did your (START)TLS certificate expire? Contemporary clients may
silently refuse to use expired certs.

> Thanks.

You're welcome.

Feel free to poke things and respond with more questions / details /
errors / etc.



--
Grant. . . .
unix || die
Re: problem with saslauthd
On Thu, 05 May 2022 12:22:55 -0400,
Grant Taylor wrote:
>
> On 5/4/22 7:31 AM, John Covici wrote:
> > Hi. I have been using various clients to connect to my sendmail
> > server using port 587 and using starttls to encrypt the connections
> > and then using the plain mechanism to send the user name and password
> > to authenticate.
> >
> > Last day or so this has stopped working -- I don't know that I changed
> > anything (famous last words),
>
> Assume that your configuration is at least acceptable until you
> have a reason to think otherwise.
>
> > So, after all that, anyone have an idea as to how to fix?
>
> Start with the simpler thing first.
>
> Is the SASL authentication daemon running?
>
> Did your (START)TLS certificate expire? Contemporary clients may
> silently refuse to use expired certs.
>
> > Thanks.
>
> You're welcome.
>
> Feel free to poke things and respond with more questions /
> details / errors / etc.
>

saslauthd is running, but it seems to ignore the Sendmail.conf. I
used openssl s_client to connect to my sendmail; it was happy with the
certs, but in response to the ehlo gives me no auth line at all. Very
strange.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
covici@ccs.covici.com
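The check John describes above (EHLO the server over openssl s_client and look for an AUTH line) can be automated against a saved transcript. The following is an added example written for this thread, not code from the original posts or from sendmail: it parses a multi-line EHLO reply, then reports the two things a submission server on port 587 should get right, namely that AUTH is advertised once STARTTLS has completed (the symptom in this thread is that it is not) and that PLAIN/LOGIN are not offered on the cleartext channel. The transcripts, hostname and addresses are constructed for the demo.

```python
"""Added example: parse an SMTP EHLO reply and audit what it advertises.

Not part of the original thread or of sendmail.  The transcripts below are
constructed; nothing here was captured from the author's server.
"""
import re
from typing import Dict, List

# Each EHLO reply line is "250-KEYWORD params" (continuation) or
# "250 KEYWORD params" (final line).  Keywords are case-insensitive (RFC 5321).
_EHLO_LINE = re.compile(r"^250([ -])(\S+)(?:\s+(.*))?$")


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Map every advertised EHLO keyword to its parameter list.

    The first line is the server's greeting text and is skipped.  A reply
    with no final "250 " line, or with data after it, is rejected so that a
    truncated capture is not mistaken for a server that offers nothing.
    """
    caps: Dict[str, List[str]] = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    complete = False
    for idx, line in enumerate(lines):
        m = _EHLO_LINE.match(line)
        if not m:
            raise ValueError(f"not an EHLO reply line: {line!r}")
        sep, keyword, params = m.groups()
        if idx > 0:  # line 0 is "250-hostname Hello ..." and carries no capability
            caps[keyword.upper()] = params.split() if params else []
        if sep == " ":
            if idx != len(lines) - 1:
                raise ValueError("data after the final '250 ' line")
            complete = True
    if not complete:
        raise ValueError("truncated EHLO reply: no final '250 ' line")
    return caps


def audit_submission(caps: Dict[str, List[str]], tls_active: bool) -> List[str]:
    """Return human-readable findings for a port-587 EHLO reply.

    tls_active says whether this EHLO was sent after STARTTLS completed.
    Before TLS, a missing AUTH line is expected (sendmail's confAUTH_OPTIONS
    'p' withholds cleartext mechanisms there); after TLS it means clients
    cannot authenticate at all, which is the failure discussed in the thread.
    """
    findings: List[str] = []
    auth = caps.get("AUTH")
    if auth is None:
        if tls_active:
            findings.append("no AUTH advertised after STARTTLS: clients cannot authenticate")
        elif "STARTTLS" not in caps:
            findings.append("neither STARTTLS nor AUTH advertised")
        return findings
    if not auth:
        findings.append("AUTH advertised with no mechanisms")
    cleartext = sorted({"PLAIN", "LOGIN"} & set(auth))
    if cleartext and not tls_active:
        findings.append(f"cleartext mechanisms {cleartext} offered before STARTTLS")
    return findings


# Constructed transcripts (not real captures).  CRLF as on the wire.
_GREETING = "250-mail.example.test Hello client [203.0.113.5], pleased to meet you\r\n"
_COMMON = "250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n"
PRE_TLS_REPLY = _GREETING + _COMMON + "250-STARTTLS\r\n250 HELP\r\n"
HEALTHY_POST_TLS_REPLY = _GREETING + _COMMON + "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN\r\n250 HELP\r\n"
BROKEN_POST_TLS_REPLY = _GREETING + _COMMON + "250 HELP\r\n"  # the thread's symptom


if __name__ == "__main__":
    for name, reply, tls in (("pre-TLS", PRE_TLS_REPLY, False),
                             ("healthy post-TLS", HEALTHY_POST_TLS_REPLY, True),
                             ("broken post-TLS", BROKEN_POST_TLS_REPLY, True)):
        print(name, "->", audit_submission(parse_ehlo(reply), tls) or "ok")
```

To run it against a live server, paste the EHLO reply that `openssl s_client -starttls smtp -connect host:587` prints into `parse_ehlo` with `tls_active=True`; the pre-TLS reply is what a plain `nc host 587` followed by `EHLO` returns.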
Re: problem with saslauthd
On 5/5/22 10:39 AM, John Covici wrote:
> saslauthd is running, but it seems to ignore the Sendmail.conf .

I think it's the other way around.

Sendmail is told to support authentication via one or more methods, one
of which can be SASL and co.

The actual SASL auth daemon just listens on a unix socket and / or TCP
port for clients to test authentication pairs, returning a pass fail
type message.

> I used openssl s_client to connect to my sendmail, it was happy with
> the certs, but in response to the ehlo gives me no auth line at all.

:-/

> Very strange.

Very annoying, definitely.

I don't know if it's strange yet or not. I think the strangeness will
be confirmed or refuted after finding out why Sendmail isn't offering
AUTH options.

My favorite thing to turn to when things that used to work and now don't
is to restore a backup of the configuration file and compare them. Can
you do that with your sendmail.cf or sendmail.mc file?

There's also a chance that it's your submit.cf or submit.mc file since
we're talking about the MSA on port 587. (Unless you aren't using the
separate MSA which has been standard for 15+ years.)



--
Grant. . . .
unix || die
Re: problem with saslauthd
On Thu, 05 May 2022 12:52:45 -0400,
Grant Taylor wrote:
>
> On 5/5/22 10:39 AM, John Covici wrote:
> > saslauthd is running, but it seems to ignore the Sendmail.conf .
>
> I think it's the other way around.
>
> Sendmail is told to support authentication via one or more
> methods, one of which can be SASL and co.
>
> The actual SASL auth daemon just listens on a unix socket and /
> or TCP port for clients to test authentication pairs, returning a
> pass fail type message.
>
> > I used openssl s_client to connect to my sendmail, it was happy
> > with the certs, but in response to the ehlo gives me no auth
> > line at all.
>
> :-/
>
> > Very strange.
>
> Very annoying, definitely.
>
> I don't know if it's strange yet or not. I think the strangeness
> will be confirmed or refuted after finding out why Sendmail isn't
> offering AUTH options.
>
> My favorite thing to turn to when things that used to work and
> now don't is to restore a backup of the configuration file and
> compare them. Can you do that with your sendmail.cf or
> sendmail.mc file?
>
> There's also a chance that it's your submit.cf or submit.mc file
> since we're talking about the MSA on port 587. (Unless you
> aren't using the separate MSA which has been standard for 15+
> years.)
I do have a submit.mc file, but I have not changed this at all. What
is strange to me is that if I do saslauthd -v shouldn't I get
everything that my Sendmail.conf has?

I can check an old backup and see if I have one for my sendmail.mc and
get back.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
covici@ccs.covici.com
Re: problem with saslauthd
On 5/5/22 1:24 PM, John Covici wrote:
> I do have a submit.mc file, but I have not changed this at all.
> What is strange to me is that if I do saslauthd -v should not I get
> everything that my Sendmail.conf has?

I would not assume so.

I say that based on my understanding of how SASL and Sendmail interact.

In many ways, Sendmail and SASL are two entirely separate sub-systems.
Sendmail (as I usually see it configured) wholesale outsources
testing authentication credentials. It does so by asking the
completely independent SASL authentication daemon to test the
credentials (nominally a username and password pair) to see if they are
valid. SASL returns a yes / no to Sendmail. Sendmail alters what it
does based on that answer.

Since Sendmail and SASL are independent entities there is no reason for
SASL to know anything about how Sendmail is configured.

> I can check an old backup and see if I have one for my sendmail.mc and
> get back.

ACK



--
Grant. . . .
unix || die
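The exchange Grant describes (the MTA hands a username/password pair to the daemon over a socket and gets back a pass/fail answer, with no knowledge of the MTA's configuration on the daemon side) is small enough to show both ends in code. The following is an added example written for this thread, not cyrus-sasl's own code. It assumes the saslauthd wire format that the stock testsaslauthd client uses: four fields (user, password, service, realm), each a 16-bit big-endian length followed by the bytes, answered by one length-prefixed field beginning with "OK" or "NO", one request per connection. The daemon end here verifies against a constructed in-memory table instead of PAM or shadow; the names and password are demo values.

```python
"""Added example: the MTA <-> saslauthd request/response exchange, both sides.

Written for this thread; not part of cyrus-sasl or sendmail.  Wire format is
an assumption based on the saslauthd mux protocol (length-prefixed fields,
OK/NO reply).  The credential table is constructed for the demo.
"""
import hmac
import socket
import struct
import threading
from typing import Callable, Tuple

# verify(userid, password, service, realm) -> bool, the daemon's back end.
Verifier = Callable[[str, str, str, str], bool]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; a short read would desync the framing."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before sending a full field")
        buf += chunk
    return bytes(buf)


def _read_field(sock: socket.socket) -> bytes:
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def encode_request(userid: str, password: str, service: str, realm: str = "") -> bytes:
    """Bytes an MTA sends for one credential check: 4 x (uint16 len, data)."""
    out = b""
    for field in (userid, password, service, realm):
        data = field.encode("utf-8")
        if len(data) > 0xFFFF:
            raise ValueError("field does not fit a 16-bit length prefix")
        out += struct.pack("!H", len(data)) + data
    return out


def saslauthd_check(sock: socket.socket, userid: str, password: str,
                    service: str = "smtp", realm: str = "") -> Tuple[bool, str]:
    """Client (MTA) side: send one request, return (accepted, reply_text)."""
    sock.sendall(encode_request(userid, password, service, realm))
    reply = _read_field(sock).decode("utf-8", errors="replace")
    return reply.startswith("OK"), reply


def serve_one(sock: socket.socket, verify: Verifier) -> None:
    """Daemon side: read the four fields, answer OK/NO, close the connection."""
    try:
        userid, password, service, realm = (
            _read_field(sock).decode("utf-8", errors="replace") for _ in range(4))
        reply = b"OK" if verify(userid, password, service, realm) else b"NO authentication failed"
        sock.sendall(struct.pack("!H", len(reply)) + reply)
    finally:
        sock.close()


# Constructed demo back end (not real accounts).  The daemon never sees
# anything about the MTA's configuration; it only answers this question.
_DEMO_USERS = {"alice": b"correct horse battery staple"}


def demo_verify(userid: str, password: str, service: str, realm: str) -> bool:
    expected = _DEMO_USERS.get(userid, b"")
    # Constant-time compare; unknown users still pay for one comparison.
    return bool(expected) and hmac.compare_digest(password.encode("utf-8"), expected)


def run_exchange(userid: str, password: str, service: str = "smtp") -> Tuple[bool, str]:
    """Run one complete exchange in-process over a socket pair."""
    client_end, daemon_end = socket.socketpair()
    daemon = threading.Thread(target=serve_one, args=(daemon_end, demo_verify))
    daemon.start()
    try:
        return saslauthd_check(client_end, userid, password, service)
    finally:
        client_end.close()
        daemon.join()


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse battery staple"))  # (True, 'OK')
    print(run_exchange("alice", "wrong password"))
```

Against a real daemon the client end connects to the mux socket (typically /var/run/saslauthd/mux) instead of a socket pair, and the stock way to do that check by hand is `testsaslauthd -u user -p password -s smtp`; if that answers OK while sendmail still advertises no AUTH, the problem is on the sendmail/libsasl side rather than in saslauthd, which is the split Grant is drawing.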
Re: problem with saslauthd
So, I restored all the files I could, like sendmail.mc and the
Sendmail.conf, but no joy; still no authentication mechanisms. I
restored them to about the first of April. This still leads me to saslauthd.

On Thu, 05 May 2022 12:52:45 -0400,
Grant Taylor wrote:
>
> On 5/5/22 10:39 AM, John Covici wrote:
> > saslauthd is running, but it seems to ignore the Sendmail.conf .
>
> I think it's the other way around.
>
> Sendmail is told to support authentication via one or more
> methods, one of which can be SASL and co.
>
> The actual SASL auth daemon just listens on a unix socket and /
> or TCP port for clients to test authentication pairs, returning a
> pass fail type message.
>
> > I used openssl s_client to connect to my sendmail, it was happy
> > with the certs, but in response to the ehlo gives me no auth
> > line at all.
>
> :-/
>
> > Very strange.
>
> Very annoying, definitely.
>
> I don't know if it's strange yet or not. I think the strangeness
> will be confirmed or refuted after finding out why Sendmail isn't
> offering AUTH options.
>
> My favorite thing to turn to when things that used to work and
> now don't is to restore a backup of the configuration file and
> compare them. Can you do that with your sendmail.cf or
> sendmail.mc file?
>
> There's also a chance that it's your submit.cf or submit.mc file
> since we're talking about the MSA on port 587. (Unless you
> aren't using the separate MSA which has been standard for 15+
> years.)
>
>
>
> --
> Grant. . . .
> unix || die
>

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
covici@ccs.covici.com
Re: problem with saslauthd
On 5/6/22 4:09 AM, John Covici wrote:
> So, I restored all the files, I could like sendmail.mc and the
> Sendmail.conf, but no joy, still no authentication mechanisms.
> I restored them to about first of April.

Well darn. :-/

> This still leads me to saslauthd.

I didn't mean to imply that it /wasn't/ SASL, just that the two are
separate.

Have you been maintaining your sendmail.cf via the sendmail.mc file? Or
are there unaccounted-for hand edits? -- I'll often test new things in
sendmail.cf directly and then promote them to sendmail.mc once I have
identified what I want.

Likewise with submit.cf / submit.mc.

Would you be willing to share your sendmail.mc and submit.mc files?
Feel free to "REDACT" things as necessary. (Please make sure it's easy
to tell what is redacted.)



--
Grant. . . .
unix || die
Re: problem with saslauthd
On Fri, 06 May 2022 10:47:15 -0400,
Grant Taylor wrote:
>
> On 5/6/22 4:09 AM, John Covici wrote:
> > So, I restored all the files, I could like sendmail.mc and the
> > Sendmail.conf, but no joy, still no authentication
> > mechanisms. I restored them to about first of April.
>
> Well darn. :-/
>
> > This still leads me to saslauthd.
>
> I didn't mean to imply that it /wasn't/ SASL, just that the two
> are separate.
>
> Have you been maintaining your sendmail.cf via the sendmail.mc
> file? Or are there unaccounted for hand edits? -- I'll often
> test new things in sendmail.cf directly and then promote them to
> sendmail.mc once I have identified what I want.
>
> Likewise with submit.cf / submit.mc.
>
> Would you be willing to share your sendmail.mc and submit.mc
> files? Feel free to "REDACT" things as necessary. (Please make
> sure it's easy to tell what is redacted.)
>
I do not usually modify my sendmail.cf; I would probably make a
mistake somewhere.

So, here is my sendmail.mc, no passwords or anything secret that I am
aware of.

divert(0)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc,v 1.2 2004/12/07 01:59:31 g2boojum Exp $')dnl

OSTYPE(mklinux)
define(`confDONT_BLAME_SENDMAIL', `IncludeFileInUnsafeDirPath,AssumeSafeChown, GroupWritableForwardFileSafe, ForwardFileInGroupWritableDirPath,groupreadablekeyfile groupreadableSASLdbfile')dnl
define(`LOCAL_MAILER_PATH', `/usr/sbin/mail.local')dnl
define(`LOCAL_MAILER_FLAGS', `Ermn9')dnl
define(`LOCAL_MAILER_ARGS', `mail $u')dnl
FEATURE(`access_db')dnl
FEATURE(`delay_checks', `friend')dnl

dnl # The greet_pause feature stops some automail bots - but check the
dnl # provided access db for details on excluding localhosts...
FEATURE(`greet_pause', `1000')dnl 1 seconds
dnl # Stop connections that overflow our concurrent and time connection rates
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
dnl #

FEATURE(`mailertable')dnl
FEATURE(`authinfo')dnl
LOCAL_DOMAIN(`covici.com')dnl
dnl #
dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
dnl # Remove `, Addr=' clauses to receive from any interface
dnl # If you want to support IPv6, switch the commented/uncommentd lines
FEATURE(`no_default_msa')dnl
dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp')dnl
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=587', `M=Ea')dnl
dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, Addr=::1')dnl
dnl DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, Addr=127.0.0.1')dnl
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')dnl
define(`confMAX_HEADERS_LENGTH', `65536')dnl
define(`confDELAY_LA', `20')dnl
define(`confQUEUE_LA', `30')dnl
define(`confREFUSE_LA', `20')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confTO_MAIL', `10m')dnl
define(`confTO_RCPT', `1h')dnl
define(`confTO_DATAINIT', `10m')dnl
define(`confTO_DATABLOCK', `1h')dnl
define(`confTO_DATAFINAL', `1h')dnl
define(`confTO_MISC', `5m')dnl
define(`confTO_AUTH', `20m')dnl
define(`confAUTH_OPTIONS', `A p y')dnl
define(`TRUST_AUTH_MECH', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
dnl # CRL not found... do not issue warnings on it!
undefine(`confCRL')dnl
define(`confCACERT_PATH', `/etc/letsencrypt/live/ccs.covici.com/')dnl
define(`confCACERT',`/etc/letsencrypt/live/ccs.covici.com/fullchain.pem')dnl
define(`confCLIENT_CERT', `/etc/letsencrypt/live/ccs.covici.com/cert.pem')dnl
define(`confCLIENT_KEY', `/etc/letsencrypt/live/ccs.covici.com/privkey.pem')dnl
define(`confSERVER_CERT', `/etc/letsencrypt/live/ccs.covici.com/cert.pem')dnl
define(`confSERVER_KEY', `/etc/letsencrypt/live/ccs.covici.com/privkey.pem')dnl

LOCAL_CONFIG
OA/etc/mail/bfg_list.txt
define(`SMTP_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
FEATURE(`local_lmtp')dnl
define(`LOCAL_MAILER_ARGS', `TCP $h 8024')dnl
MAILER(local)
MAILER(smtp)

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
covici@ccs.covici.com
Re: problem with saslauthd
So, I went on to the sasl mailing list and someone found a patch --
seems to be available for the freebsd port, and the patch was specific
to sendmail and dev-libs/cyrus-sasl 2.1.28. I modified it for gentoo
and it fixed everything up! I wonder if I should file this somewhere
-- funny no one else noticed this before -- I saw nothing on bgo.

On Fri, 06 May 2022 10:47:15 -0400,
Grant Taylor wrote:
>
> On 5/6/22 4:09 AM, John Covici wrote:
> > So, I restored all the files, I could like sendmail.mc and the
> > Sendmail.conf, but no joy, still no authentication
> > mechanisms. I restored them to about first of April.
>
> Well darn. :-/
>
> > This still leads me to saslauthd.
>
> I didn't mean to imply that it /wasn't/ SASL, just that the two
> are separate.
>
> Have you been maintaining your sendmail.cf via the sendmail.mc
> file? Or are there unaccounted for hand edits? -- I'll often
> test new things in sendmail.cf directly and then promote them to
> sendmail.mc once I have identified what I want.
>
> Likewise with submit.cf / submit.mc.
>
> Would you be willing to share your sendmail.mc and submit.mc
> files? Feel free to "REDACT" things as necessary. (Please make
> sure it's easy to tell what is redacted.)
>
>
>
> --
> Grant. . . .
> unix || die
>

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
covici@ccs.covici.com
Re: problem with saslauthd
On 5/12/22 8:42 AM, John Covici wrote:
> So, I went on to the sasl mailing list and someone found a patch --
> seems to be available for the freebsd port, and the patch was specific
> to sendmail and dev-libs/cyrus-sasl 2.1.28. I modified it for gentoo
> and it fixed everything up! I wonder if I should file this somewhere
> -- funny no one else noticed this before -- I saw nothing on bgo.

Hi John,

I'm glad that you found a solution.

I'm sorry that I've not responded to your detailed message yet. Life /
$WORK has been really busy this week. I was planning on giving your
message the attention it deserved this weekend.

Yes, I suspect that a patch or at least a bug report to Gentoo would be
good.

I'd suggest starting communications with the Gentoo package maintainer
if there is no better place. I expect that they will receive the patch
and / or redirect you somewhere better.



--
Grant. . . .
unix || die
Re: problem with saslauthd
On Thu, 12 May 2022 11:53:16 -0400,
Grant Taylor wrote:
>
> On 5/12/22 8:42 AM, John Covici wrote:
> > So, I went on to the sasl mailing list and someone found a
> > patch -- seems to be available for the freebsd port, and the
> > patch was specific to sendmail and dev-libs/cyrus-sasl 2.1.28.
> > I modified it for gentoo and it fixed everything up! I wonder
> > if I should file this somewhere -- funny no one else noticed
> > this before -- I saw nothing on bgo.
>
> Hi John,
>
> I'm glad that you found a solution.
>
> I'm sorry that I've not responded to your detailed message yet.
> Life / $WORK has been really busy this week. I was planing on
> giving your message the attention it deserved this weekend.
>
> Yes, I suspect that a patch or at least a bug report to Gentoo
> would be good.
>
> I'd suggest starting communications with the Gentoo package
> maintainer if there is no better place. I expect that they will
> receive the patch and / or redirect you somewhere better.
OK, I will see if I can find the maintainer. I saw lots of references
in the bug list to "maintainer wanted"; we shall see.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
covici@ccs.covici.com