Package: sendmail
Version: 8.13.4-3sarge3
Severity: important
Tags: patch

If using libnss-ldap, and not using nscd, the libc will invoke libnss-ldap on every call to getpwnam and such.
libnss-ldap will initialize sasl as a client by calling sasl_client_init().

On its first invocation, sasl_client_init() stores a list of global callback functions for later usage. Since libnss-ldap is clever, it will not provide any global callback functions; instead it provides them later, on a per-session basis, when sasl_client_new() is called.

Later, sendmail wants to authenticate. It calls sasl_client_init() itself and tries to register global callback functions. Since sasl is already initialized, it ignores the callback function list and returns OK. When sendmail calls sasl_client_new(), it fails to provide the list of callback functions, assuming sasl will use the global ones.

This makes SMTP AUTH as client fail. Unfortunately the mail.log only says

  Nov 16 00:24:19 localhost sm-mta[9890]: kAEFnQqh004922: AUTH=client, available mechanisms do not fulfill requirements

which is very confusing.

This can be seen as a sasl bug, but there is a very simple fix for sendmail: Don't rely on the global callback function list, provide the list again at session initialization time. However, there is a ("fixed") bug for libsasl2 where I added a comment on this, too (#274087).

The simple patch is included.

Thanks.
Moritz

diff -u -r -N sendmail-8.13.4.orig/sendmail/usersmtp.c sendmail-8.13.4/sendmail/usersmtp.c --- sendmail-8.13.4.orig/sendmail/usersmtp.c 2006-11-16 10:26:06.003494000 +0100 +++ sendmail-8.13.4/sendmail/usersmtp.c 2006-11-16 10:34:24.744797703 +0100 @@ -553,6 +553,9 @@ if (sasl_clt_init) return SASL_OK; + /* Beware, callbacks are ignored if sasl_client_init() has + * been called before (by a library such as libnss_ldap) + */ result = sasl_client_init(callbacks); /* should we retry later again or just remember that it failed? */ 
@@ -1579,9 +1582,13 @@ /* make a new client sasl connection */ # if SASL >= 20000 + /* We provide the callbacks again because global callbacks in + * sasl_client_init() are ignored if sasl has been initialized + * before, for example, by a library such as libnss-ldap. + */ saslresult = sasl_client_new(bitnset(M_LMTP, m->m_flags) ? "lmtp" : "smtp", - CurHostName, NULL, NULL, NULL, 0, + CurHostName, NULL, NULL, callbacks, 0, &mci->mci_conn); # else /* SASL >= 20000 */ saslresult = sasl_client_new(bitnset(M_LMTP, m->m_flags) ? "lmtp"

-- Package-specific info:
Output of /usr/share/bug/sendmail/script:

ls -alR /etc/mail:

sendmail.conf:
DAEMON_NETMODE="Static";
DAEMON_NETIF="lo";
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="No";
DAEMON_MAILSTATS="No";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="10m";
QUEUE_PARMS="";
MSP_MODE="Cron";
MSP_INTERVAL="20m";
MSP_PARMS="";
MSP_MAILSTATS="${DAEMON_MAILSTATS}";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
LOG_CMDS="No";
HANDS_OFF="No";
AGE_DATA="";
DAEMON_RUNASUSER="No";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";

sendmail.mc:
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.13.4-3 2005-06-03 16:49:22 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS=
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, Addr=127.0.0.1')dnl
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
FEATURE(`access_db', , `skip')dnl
FEATURE(`greet_pause', `1000')dnl 1 seconds
FEATURE(`delay_checks', `friend', `n')dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
LOCAL_CONFIG
MASQUERADE_AS(`aldebaran.de')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`smrsh')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/authinfo')dnl
FEATURE(`mailertable')dnl
include(`/etc/mail/m4/dialup.m4')dnl
include(`/etc/mail/m4/provider.m4')dnl
MAILER_DEFINITIONS
MAILER(local)dnl
MAILER(smtp)dnl
LOCAL_CONFIG
include(`/etc/mail/sasl/sasl.m4')dnl

submit.mc...
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: submit.mc, v 8.13.4-3 2005-06-03 16:49:22 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-msp')dnl
FEATURE(`msp', `[127.0.0.1]', `MSA')dnl
include(`/etc/mail/sasl/sasl.m4')dnl

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-3-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages sendmail depends on:
ii  rmail                  8.13.4-3sarge3       MTA->UUCP remote mail handler
ii  sendmail-base          8.13.4-3sarge3       powerful, efficient, and scalable
ii  sendmail-bin           8.13.4-3sarge3       powerful, efficient, and scalable
ii  sendmail-cf            8.13.4-3sarge3       powerful, efficient, and scalable
ii  sensible-mda           8.13.4-3sarge3       Mail Delivery Agent wrapper

Versions of packages sensible-mda depends on:
ii  libc6                  2.3.2.ds1-22sarge4   GNU C Library: Shared libraries an
ii  procmail               3.22-11              Versatile e-mail processor
ii  sendmail-bin [mail-tr  8.13.4-3sarge3       powerful, efficient, and scalable

Versions of packages rmail depends on:
ii  libc6                  2.3.2.ds1-22sarge4   GNU C Library: Shared libraries an
ii  libldap2               2.1.30-8             OpenLDAP libraries
ii  sendmail-bin [mail-tr  8.13.4-3sarge3       powerful, efficient, and scalable

-- no debconf information
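
Review bot: In the first hunk of usersmtp.c (@@ -553), the new comment above `result = sasl_client_init(callbacks);` states the hazard but not what the code does about it, so a later reader sees a call whose argument may be silently dropped and no pointer to the remedy. Suggest adding that the same list is therefore passed again to sasl_client_new(), and spelling the library name the same way in both comments (this hunk writes libnss_ldap, the second hunk libnss-ldap).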
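
Review bot: In the second hunk of usersmtp.c (@@ -1579), `callbacks` is now passed to sasl_client_new() roughly a thousand lines after the sasl_client_init(callbacks) call from the first hunk, and neither hunk shows where it is declared; please confirm it is a file-scope object that stays valid for as long as mci->mci_conn is in use. The `# else` branch for older SASL begins in the trailing context with its own sasl_client_new() call whose arguments are cut off here, so the patch description should say whether that branch needs the same change or is unaffected.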
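
The initialization-order problem described in the report, reduced to a small self-contained C model (an added example, not sendmail or libsasl2 code). `lib_client_init`, `lib_client_new`, `lib_get` and the callback table are hypothetical stand-ins for the behaviour the report describes, and the credential string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a library that keeps init-once global callbacks
 * (hypothetical names; not the libsasl2 API). */
typedef struct { const char *id; const char *(*get)(void); } cb_t;
typedef struct { const cb_t *session_cbs; } conn_t;

static int initialized;
static const cb_t *global_cbs;

/* Only the first caller's list is stored; later calls return OK (0)
 * and silently drop their argument. */
int lib_client_init(const cb_t *cbs) {
    if (initialized) return 0;
    initialized = 1;
    global_cbs = cbs;
    return 0;
}

void lib_client_new(conn_t *c, const cb_t *cbs) { c->session_cbs = cbs; }

/* Lookup order: per-session list first, then the global list. */
const char *lib_get(const conn_t *c, const char *id) {
    const cb_t *lists[2] = { c->session_cbs, global_cbs };
    for (int i = 0; i < 2; i++)
        for (const cb_t *p = lists[i]; p && p->id; p++)
            if (strcmp(p->id, id) == 0) return p->get();
    return NULL;
}

static const char *mta_user(void) { return "relay-user"; } /* constructed */
static const cb_t mta_cbs[] = { { "authname", mta_user }, { NULL, NULL } };

/* nss_first:   a name-service module initialised the library earlier
 *              without global callbacks.
 * per_session: the mail program also passes its list per connection. */
const char *mta_authname(int nss_first, int per_session) {
    conn_t c;
    initialized = 0; global_cbs = NULL;          /* model a fresh process */
    if (nss_first) lib_client_init(NULL);
    lib_client_init(mta_cbs);                    /* returns OK either way */
    lib_client_new(&c, per_session ? mta_cbs : NULL);
    return lib_get(&c, "authname");
}

int main(void) {
    for (int fix = 0; fix <= 1; fix++) {
        const char *r = mta_authname(1, fix);
        printf("per-session list=%d -> %s\n", fix, r ? r : "(none)");
    }
    return 0;
}
```

In the model, the second `lib_client_init` call reports success in every case, so the only observable symptom is the later lookup coming back empty.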