Having problems with SMTP authentication

HI,

I've followed the instructions  
http://www.freebsd.org/doc/en_US.ISO8859
-1/books/handbook/smtp-auth.html, but 
am still having problems with the authentication process.

If I set my client to use either CRAM-MD5 or DIGEST-MD5, I
get an error return 
of authentication failure, "most likely the password is
wrong."  Now, to make 
sure that I'm understanding this correctly, this program
(saslauthd) takes 
the username and passwords given it and attempts to verify
them against what 
the system knows to be it's users, correct?

Working under this assumption, it would seem that the user
vmail (a user I 
created on the system) would be the user that I would want
to use in the 
e-mail client.  Well, I've done this and verified that the
password is, in 
fact, correct; I'm unable to authenticate to the SMTP
server.

Another point of interest, I added these lines (from the
handbook) to my 
freebsd.mc file (as per instructions):

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN')dnl

But when I ask my e-mail client to "check what the
server supports", the 
returned list is only, GSSAPI, DIGEST-MD5 and CRAM-MD5.  Why
is LOGIN not 
listed when it's included in this macro file?  Is there
anything missing from 
this section of the handbook that I've missed?

Andy
_______________________________________________
freebsd-questionsfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-que
stions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribefreebsd.org"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Andrew Falanga wrote:

> dnl set SASL options
> TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5
CRAM-MD5 LOGIN')dnl
> 
> But when I ask my e-mail client to "check what the
server supports", the 
> returned list is only, GSSAPI, DIGEST-MD5 and CRAM-MD5.
 Why is LOGIN not 
> listed when it's included in this macro file?  Is there
anything missing from 
> this section of the handbook that I've missed?

LOGIN will only be enabled over an encrypted connection. 
All you need
to do to enable the stock sendmail to support STARTTLS is
tell it to
use one or more SSL certs.  Adding something like this to
/etc/mail/`hostname`.mc is how to do that:

dnl
dnl TLS stuff
dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

Which means you'ld put the PEM encoded cacert, key and cert
into
/etc/mail/cacert.pem, /etc/mail/key.pem and
/etc/mail/key.cert
respectively.  To generate all of those, there are some
pithy
instructions here:

h
ttp://www.sendmail.org/~ca/email/other/cagreg.html

When submitting a new message, most mail clients will
automatically
do STARTTLS if it's available.

	Cheers,

	Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory
Courtyard
                                                  Flat 3
PGP: http://www.i
nfracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11
9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


iD8DBQFHdrM68Mjk52CukIwRCHdTAJ9oUv7PNaV41xopL9/uw1UMcx1gDACg
hT4Z
orlyowTjs5ZXPsv+7B/nebg=
=LWRP
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-questionsfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-que
stions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribefreebsd.org"

On Saturday 29 December 2007 13:51:06 Matthew Seaman wrote:
> Andrew Falanga wrote:
> > dnl set SASL options
> > TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN')dnl
> > define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5
CRAM-MD5 LOGIN')dnl
> >
> > But when I ask my e-mail client to "check
what the server supports", the
> > returned list is only, GSSAPI, DIGEST-MD5 and
CRAM-MD5.  Why is LOGIN not
> > listed when it's included in this macro file?  Is
there anything missing
> > from this section of the handbook that I've
missed?
>
> LOGIN will only be enabled over an encrypted
connection.  All you need
> to do to enable the stock sendmail to support STARTTLS
is tell it to
> use one or more SSL certs.  Adding something like this
to
> /etc/mail/`hostname`.mc is how to do that:

this seems to imply you want me to create a file named
<hostname>.mc.  The 
instructions I followed in the handbook also mentioned that,
"Many 
administrators choose to use the output from hostname(1) as
the .mc file for 
uniqueness."  Do I have to make this new file, paste
into it all the stuff 
in "freebsd.mc" and then add these lines too?

>
> dnl
> dnl TLS stuff
> dnl
> define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
> define(`confCACERT_PATH', `CERT_DIR')dnl
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
>
> Which means you'ld put the PEM encoded cacert, key and
cert into
> /etc/mail/cacert.pem, /etc/mail/key.pem and
/etc/mail/key.cert
> respectively.  To generate all of those, there are some
pithy
> instructions here:
>
> h
ttp://www.sendmail.org/~ca/email/other/cagreg.html

Thanks for all this.

Andy

>
> When submitting a new message, most mail clients will
automatically
> do STARTTLS if it's available.
>
> 	Cheers,
>
> 	Matthew


_______________________________________________
freebsd-questionsfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-que
stions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribefreebsd.org"

On Sat, 29 Dec 2007 15:24:42 -0700
Andrew Falanga <af300wsmgmail.com> wrote:

[snip]

> this seems to imply you want me to create a file named
> <hostname>.mc.  The instructions I followed in
the handbook also
> mentioned that, "Many administrators choose to use
the output from
> hostname(1) as the .mc file for uniqueness."  Do I
have to make this
> new file, paste into it all the stuff in
"freebsd.mc" and then add
> these lines too?

It has been ages since I worked with Sendmail; however, I
believe all
you have to do, after configuring the /etc/mail/*.mc files,
is
run:

	make all install restart

in the /etc/mail directory. Be sure to read the
documentation in each of
the *.mc files. If you have not all ready done so, check out
the
aliases file and modify as required. Be sure to run
'newaliases' when
finished. If I remember correctly, the new *.cf files will
be in the
form of "hostname.cf".

You could always use Postfix. It is a lot easier.

-- 

Gerard
gerardseibercom.net

O give me a home,
Where the buffalo roam,
Where the deer and the antelope play,
Where seldom is heard
A discouraging word,
'Cause what can an antelope say?

On Sat, Dec 29, 2007 at 03:24:42PM -0700, Andrew Falanga
wrote:
> On Saturday 29 December 2007 13:51:06 Matthew Seaman
wrote:
> > Andrew Falanga wrote:
> > > dnl set SASL options
> > > TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN')dnl
> > > define(`confAUTH_MECHANISMS', `GSSAPI
DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> > >
> > > But when I ask my e-mail client to
"check what the server supports", the
> > > returned list is only, GSSAPI, DIGEST-MD5 and
CRAM-MD5.  Why is LOGIN not
> > > listed when it's included in this macro file?
 Is there anything missing
> > > from this section of the handbook that I've
missed?
> >
> > LOGIN will only be enabled over an encrypted
connection.  All you need
> > to do to enable the stock sendmail to support
STARTTLS is tell it to
> > use one or more SSL certs.  Adding something like
this to
> > /etc/mail/`hostname`.mc is how to do that:
> 
> this seems to imply you want me to create a file named
<hostname>.mc.  The 
> instructions I followed in the handbook also mentioned
that, "Many 
> administrators choose to use the output from
hostname(1) as the .mc file for 
> uniqueness."  Do I have to make this new file,
paste into it all the stuff 
> in "freebsd.mc" and then add these lines
too?
> 

Just run `make` in /etc/mail, it will create `hostname`.mc
for you, edit
it, and run `make all install restart` (targets are
described in
/etc/mail/Makefile).

> >
> > dnl
> > dnl TLS stuff
> > dnl
> > define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
> > define(`confCACERT_PATH', `CERT_DIR')dnl
> > define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> > define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> > define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
> >
> > Which means you'ld put the PEM encoded cacert, key
and cert into
> > /etc/mail/cacert.pem, /etc/mail/key.pem and
/etc/mail/key.cert
> > respectively.  To generate all of those, there are
some pithy
> > instructions here:
> >
> > h
ttp://www.sendmail.org/~ca/email/other/cagreg.html
> 
> Thanks for all this.
> 
> Andy
> 
> >
> > When submitting a new message, most mail clients
will automatically
> > do STARTTLS if it's available.
> >
> > 	Cheers,
> >
> > 	Matthew

HTH,
Yuri
_______________________________________________
freebsd-questionsfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-que
stions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribefreebsd.org"