After EHLO, it sends 3 lines:

250-PIPELINING
250-AUTH LOGIN PLAIN
250 8BITMIME

the only one that wasn't present was 250-DATAZ

-- Jason
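The EHLO capability check Tomas walks through with telnet in the quoted messages below, followed by the AUTH PLAIN step itself, modelled offline as an added example (it is not code from the thread or from qmail-ldap). Both sides run in one process: FakeQmailSmtpd stands in for qmail-smtpd, with a constructed user table in place of the LDAP userPassword lookup, a capability list copied from the thread, and reply texts that are illustrative rather than qmail-ldap's own; try_smtp_auth is the client. The hostnames, the user table and the reply wording are assumptions.

```python
import base64

# Constructed user table standing in for the LDAP userPassword lookup.
USERS = {"jason@mydomain.com": "correct-horse"}


class FakeQmailSmtpd:
    """Stand-in for qmail-ldap's qmail-smtpd. `smtpauth` mirrors the SMTPAUTH
    variable tcpserver exports: None (unset) hides AUTH from EHLO, "" offers it,
    "TLSREQUIRED" offers it but refuses it outside TLS (this model has no TLS).
    Reply texts are illustrative, not qmail-ldap's exact strings."""

    def __init__(self, hostname="your.smtp.server", smtpauth=None):
        self.hostname = hostname
        self.smtpauth = smtpauth
        self.authenticated = None

    def greeting(self):
        return f"220 {self.hostname} ESMTP"

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            caps = [f"250-{self.hostname}", "250-PIPELINING", "250-DATAZ"]
            if self.smtpauth is not None:  # only with SMTPAUTH in the tcpserver rules
                caps.append("250-AUTH LOGIN PLAIN")
            caps.append("250 8BITMIME")
            return "\r\n".join(caps)
        if verb == "AUTH":
            if self.smtpauth is None:
                return "503 auth not available"
            if self.smtpauth == "TLSREQUIRED":
                return "538 auth not available without TLS"
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 auth type unimplemented"
            try:  # SASL PLAIN: authzid NUL authcid NUL password, base64-encoded
                _authzid, authcid, passwd = base64.b64decode(blob).decode().split("\0")
            except ValueError:
                return "501 malformed auth input"
            if USERS.get(authcid) == passwd:
                self.authenticated = authcid
                return "235 ok, go ahead"
            return "535 authorization failed"
        if verb == "QUIT":
            return f"221 {self.hostname} Goodbye."
        return "502 unimplemented"


def parse_ehlo(reply):
    """Turn the multi-line 250 reply into {KEYWORD: [params]}; anything else raises."""
    caps = {}
    for i, line in enumerate(reply.split("\r\n")):
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError(f"unexpected EHLO reply: {line!r}")
        if i:  # the first line carries the hostname, not a capability
            keyword, _, params = line[4:].partition(" ")
            caps[keyword.upper()] = params.upper().split()
    return caps


def auth_plain_blob(user, password, authzid=""):
    """Encode the credential the way AUTH PLAIN expects it on the wire."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def try_smtp_auth(server, user, password):
    """One session: EHLO, check that AUTH PLAIN is advertised, then AUTH PLAIN.
    Returns (outcome, transcript) where outcome is one of
    'no-auth-advertised', 'authenticated' or 'rejected'."""
    transcript = [("S", server.greeting())]

    def send(cmd):
        transcript.append(("C", cmd))
        reply = server.handle(cmd)
        transcript.append(("S", reply))
        return reply

    caps = parse_ehlo(send("EHLO client.example"))
    if "PLAIN" not in caps.get("AUTH", []):
        send("QUIT")  # do not hand a credential to a server that never offered AUTH
        return "no-auth-advertised", transcript
    reply = send(f"AUTH PLAIN {auth_plain_blob(user, password)}")
    send("QUIT")
    return ("authenticated" if reply.startswith("235") else "rejected"), transcript


if __name__ == "__main__":
    for smtpauth in (None, "", "TLSREQUIRED"):
        outcome, lines = try_smtp_auth(FakeQmailSmtpd(smtpauth=smtpauth),
                                       "jason@mydomain.com", "correct-horse")
        print(f"SMTPAUTH={smtpauth!r}: {outcome}")
        for side, text in lines:
            print(f"  {side}: {text.replace(chr(13) + chr(10), ' | ')}")
```

Run it directly to print the three transcripts. The distinction Tomas's checks draw is visible in the outcomes: with SMTPAUTH unset the server never lists AUTH and the client stops before sending a credential, while a rejection after the AUTH command is a different problem (credentials, file permissions or LDAP access) that the EHLO output alone cannot diagnose.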

----- Original Message ----- From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, July 22, 2005 5:04 AM
Subject: Re: smtp auth



telnet your.smtp.server 25
 Trying 1.2.3.4...
 Connected to your.smtp.server.
 Escape character is '^]'.
 220 your.smtp.server ESMTP
ehlo
 250-your.smtp.server
 250-PIPELINING
 250-DATAZ
 250-AUTH LOGIN PLAIN
 250 8BITMIME
quit
 221 your.smtp.server Goodbye.
 Connection closed by foreign host.

Check if AUTH LOGIN PLAIN is present.

In some cases (not RHEL3) making the file world writable only makes things
worse. Security libraries might block access to the file.

Thomas,


I'm running RHEL3...  I downloaded and installed djbdns-1.05 before
installing qmail, then downloaded qmail-1.03, and patched it with
qmail-ldap-1.03-20050401a.patch...  then I modified 3 lines in the
makefile (uncommented the MDIRMAKE, HDIRMAKE, and SHADOWLIBS lines) and
did a "make setup check"

ucspi-tcp-0.88 and daemontools-0.76 were also installed.

Here is the output from your commands:


# ls -l /var/qmail/control/ldappassword
-rw-r-----    1 root     nofiles        14 Jul 19 12:55
/var/qmail/control/ldappassword


Just to make sure I'm not crazy, I temporarily set it to -rw-rw-rw-    1
root     nofiles        14 Jul 19 12:55 /var/qmail/control/ldappassword


but in either scenario, it still doesn't pass any ldap requests across
loopback when I do the SMTP auth, and the smtp auth subsequently fails.

# cat /var/qmail/control/ldaprebind
cat: /var/qmail/control/ldaprebind: No such file or directory


# cat /etc/tcp.smtp
:allow,SMTPAUTH=""


I set it that way so I could test out SMTP auth exclusively...    I'll
exclude my LAN once I know it works. Additionally, every time I change that
file, I do a

# qmailctl cdb


so it's running those rules right now as we speak.   qmailctl is almost a
direct cut/paste from the one on the Life with qmail website except I added
some extra lines to take care of pop3.

Any Ideas?



----- Original Message -----
From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, July 21, 2005 2:07 PM
Subject: Re: smtp auth



Your qmail-ldap version? If you use a patch older than 20050401 and it is
compiled with TLS support and you have already configured TLS support in
qmail-ldap, require TLS for SMTP AUTH: SMTPAUTH="TLSREQUIRED"

ls -l /var/qmail/control/ldappassword

cat /var/qmail/control/ldaprebind

do you allow anonymous ldap lookups?

Have you added the SMTPAUTH variable to the tcpserver environment for smtp?

Qmail LDAP provides daemontools startup scripts and you don't have to
write custom startup scripts in most cases.

--
Tomas


Thanks, both Thomas and HyperAxe, for bringing that to my attention.
I'm still confused though.


I've made the permissions changes that you suggested, Thomas.



When I do an ethereal packet capture between the SMTP and LDAP
servers (actually capturing on loopback) I don't get any connections to
LDAP unless I'm doing pop3 requests...    the SMTP server denies the
incoming relay attempt without even checking the password with the
LDAP server.

If pop3 can connect (using the same files in the control directory
for credentials as SMTP), then there has got to be another problem
going on.

Is there any way to trace what files are being accessed within a
given timeframe...  kinda like the Linux equivalent of Winternals
Filemon? Just to verify that indeed there isn't a file permissions
issue here?

Moreover, whenever I attempt to smtpauth, it logs something like this
in /var/log/qmail/smtpd/current:



@4000000042dfba2a0e9832cc tcpserver: status: 1/20
@4000000042dfba2a0f62d5cc tcpserver: pid 12398 from <my-ip>
@4000000042dfba2a0fa3befc tcpserver: ok 12398 mail.mydomain.com:<servers-ip>:25 :<clients-ip>::48418
@4000000042dfba2f14df19fc tcpserver: end 12398 status 256
@4000000042dfba2f14df5494 tcpserver: status: 0/20



is there a way that I can change my qmail-smtpd/run/log or
qmail-smtpd/run script to log more helpful information?

Thanks again.  You guys have been ever so helpful!



-- Jason

----- Original Message -----
From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, July 21, 2005 10:57 AM
Subject: Re: smtp auth




Thanks, HyperAxe.  That fixed my immediate problem...  Now it
actually tries to authenticate when I roam...  which is exactly
what I wanted. :-)

The new problem is with authentication.  It rejects whatever
username/password combo I put in...   I'm guessing that
relates to my failure to configure my qmail-smtpd/run script
correctly.

The Life with qmail-ldap book is outdated. The current version of
Qmail-LDAP does not need extra arguments to qmail-smtpd. Check
/var/qmail/boot/qmail-smtpd/run



Check mailing list history. I think information about setting smtp
auth in qmail-ldap was posted several times.

-----------------
Since the 20031001 patch QmailLDAP supports the SMTP authentication protocol
(RFC 2554). Use of the 20050401 patch or later is recommended. Only the PLAIN
authentication scheme is supported. The CRAM-MD5 and DIGEST-MD5
authentication schemes are not implemented. CRAM-MD5 requires
features that are not enabled in qmail-ldap by default. DIGEST-MD5
requires a specific user name layout (I think).

SMTP authentication is enabled by adding the SMTPAUTH variable to
tcpserver's environment. If you use daemontools
(http://cr.yp.to/daemontools.html)
startup scripts supplied by qmail-ldap 20031101 or later, you can do
that by adding

<pre>
:allow,SMTPAUTH=""
</pre>



to /var/qmail/control/qmail-smtpd.rules and running command 'make'
in /var/qmail/control directory.



If you set SMTPAUTH value to TLSREQUIRED (SMTPAUTH="TLSREQUIRED"),
then authentication will work only in TLS encrypted sessions. See
information about compiling and installing qmail ldap with TLS
support.

In order to authenticate users, smtp server's user (normally
qmaild) must be able to validate password entered by user with
information stored in LDAP userPassword field. Access to this field
is usually restricted and qmaild user does not have enough
privileges to access ldap connection information.

There are two possible solutions to this problem.



First solution is to give read access rights to qmaild user or
nofiles group on /var/qmail/control/ldappassword configuration file.


<pre>
# chgrp nofiles /var/qmail/control/ldappassword
# chmod 640 /var/qmail/control/ldappassword
</pre>



or

<pre>
# chmod 400 /var/qmail/control/ldappassword
# chown qmaild /var/qmail/control/ldappassword
</pre>



Second solution is to enable ldaprebind in
/var/qmail/control/ldaprebind.



<pre>
# echo 1 > /var/qmail/control/ldaprebind
</pre>



If ldap rebind is used, qmaild user must be able to retrieve user's
dn in anonymous LDAP connection and authenticate to LDAP server with
 retrieved user's dn and password provided by user. Password schema
used in userPassword field must be supported by LDAP server's
authentication system.

--
Tomas
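The permission and configuration checks Tomas lists (an ldappassword readable by the smtp server's user but by nobody else, ldaprebind as the alternative, and SMTPAUTH in the tcpserver rules) gathered into one script, as an added example rather than anything from the thread or from qmail-ldap. It assumes GNU stat(1), as on RHEL; the qmaild user and nofiles group are the names used in the thread and can be overridden through the environment; the verdict wording is the script's own.

```shell
#!/bin/sh
# Added example (not from the thread or qmail-ldap): audit the SMTP AUTH
# prerequisites for qmail-ldap. Assumes GNU stat(1). Names below are the
# thread's defaults and may be overridden: QMAILD_USER=... NOFILES_GROUP=...
QMAILD_USER=${QMAILD_USER:-qmaild}
NOFILES_GROUP=${NOFILES_GROUP:-nofiles}

# Can $QMAILD_USER read $1/ldappassword, and is it kept from everyone else?
check_ldappassword() {
    f="$1/ldappassword"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    set -- $(stat -c '%a %U %G' "$f")
    perm=${1#"${1%???}"}            # last three octal digits (drop setuid/setgid/sticky)
    u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}
    owner=$2; group=$3
    if [ "$o" != 0 ]; then           # any world bit exposes the LDAP bind password
        echo "bad: world-accessible ($perm); the LDAP bind password is exposed"
        return 1
    fi
    if [ "$owner" = "$QMAILD_USER" ] && [ "$u" -ge 4 ]; then
        echo "ok: $owner owns it, mode $perm"; return 0
    fi
    if [ "$group" = "$NOFILES_GROUP" ] && [ "$g" -ge 4 ]; then
        echo "ok: group $group may read it, mode $perm"; return 0
    fi
    echo "bad: $QMAILD_USER cannot read it ($owner:$group $perm), so AUTH fails before any LDAP query"
    return 1
}

# ldaprebind=1 makes qmail-smtpd bind to LDAP as the user's own dn instead of
# reading ldappassword, which needs anonymous dn lookups to be allowed.
check_ldaprebind() {
    f="$1/ldaprebind"
    if [ -f "$f" ] && [ "$(head -c1 "$f")" = 1 ]; then
        echo "rebind: binds to LDAP as the user's dn; anonymous dn lookup must work"
    else
        echo "direct: binds with ldappassword; that file must be readable by $QMAILD_USER"
    fi
}

# AUTH is only advertised when tcpserver exports SMTPAUTH for the connection;
# $1 is the rules file (tcp.smtp or qmail-smtpd.rules), and the cdb must be
# rebuilt after every edit.
check_smtpauth_rule() {
    r="$1"
    if grep -q 'SMTPAUTH="TLSREQUIRED"' "$r" 2>/dev/null; then
        echo "smtpauth: offered only inside TLS"
    elif grep -q 'SMTPAUTH=' "$r" 2>/dev/null; then
        echo "smtpauth: offered (remember to rebuild the cdb after editing)"
    else
        echo "smtpauth: not set in $r; EHLO will not list AUTH"
    fi
}

# Run all three against a control directory and a rules file.
audit_smtpauth() {
    check_ldappassword "$1"
    check_ldaprebind "$1"
    check_smtpauth_rule "$2"
}

# e.g.  sh audit.sh /var/qmail/control /etc/tcp.smtp
[ $# -eq 0 ] || audit_smtpauth "$1" "${2:-/etc/tcp.smtp}"
```

On Jason's box the first check should say "ok" for a 640 root:nofiles file, which is why a world-writable 666 mode would be reported as bad rather than as a fix: it changes nothing about whether qmaild can read the file and hands the bind password to every local account.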















