Re: cyrus-sasl2 setup failing

2003-06-06 Thread Grzegorz Czaplinski
On Wed, Jun 04, 2003 at 08:35:50PM -0800, admin wrote:
> Wait, I figured this out.  I changed the saslauthd flags to 
> 
> if [ -z "${sasl_saslauthd_flags}" ]; then
> sasl_saslauthd_flags="-a getpwent"
> fi
> 
> got the daemon running and things are fine now.
> 
> Are there any security issues here?  Looks like I cannot send mail unless I
> have SSL enabled on the client side.  So I think I have things running properly.

No security issues here...

Cheers,
gregory
--
Grzegorz Czaplinski 
"The Power to Serve, Right for the Power Users!" - http://www.FreeBSD.org/
 Fingerprint: EB77 E19D CFA2 5736 810F  847C A70F A275 2489 469F




Re: cyrus-sasl2 setup failing

2003-06-05 Thread admin
On Thu, 05 Jun 2003 05:54:45 +0200, Dirk Meyer wrote
> > Sendmail 8.12.9-sasl2 (compiled from /usr/ports/mail/sendmail-sasl)
> > cyrus-sasl-2.1.13 (compiled from /usr/ports/security/cyrus-sasl2-saslauthd)
> > 
> > A client is still not able to authenticate via SASL - looks like it is not
> > happy but I am not sure how to fix it.  Anybody got a clue what I am doing
> > wrong here?
> 
> > --- from the logs when some attempts to authenticate 
> > Jun  4 20:09:46 typhoon sm-mta[78399]: AUTH: available mech=NTLM LOGIN PLAIN
> > OTP DIGEST-MD5 CRAM-MD5, allowed mech=LOGIN PLAIN
> 
> > Jun  4 20:09:46 typhoon sm-mta[78399]: h5539jJQ078399: AUTH failure (LOGIN):
> > no mechanism available (-4) SASL(-4): no mechanism available: checkpass failed
> 
> > define(`confAUTH_OPTIONS', `A p y')dnl
> > define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
> > TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
> 
> checkpass failed, is the saslauthd started?
> do you need the "A" Option?



Wait, I figured this out.  I changed the saslauthd flags to 

if [ -z "${sasl_saslauthd_flags}" ]; then
sasl_saslauthd_flags="-a getpwent"
fi

got the daemon running and things are fine now.

Are there any security issues here?  Looks like I cannot send mail unless I
have SSL enabled on the client side.  So I think I have things running properly.

- Noah


> 
> from: /usr/local/share/sendmail/cf/README
> confAUTH_OPTIONS   AuthOptions   [undefined] If this option
> is 'A' then the AUTH= parameter for the MAIL FROM
> command is only issued when
> authentication succeeded. [...] See doc/op/op.me
> for details.
> 
> from: /usr/local/share/doc/sendmail/op.txt
> [no short name] List of options for SMTP
> AUTH consisting of single characters with
> intervening white space or commas.
> 
> A   Use the AUTH= parameter for the MAIL FROM
>     command only when authentication succeeded.
>     This can be used as a workaround for broken
>     MTAs that do not implement RFC 2554
>     correctly.
> a   protection from active (non-dictionary)
>     attacks during authentication exchange.
> c   require mechanisms which pass client
>     credentials, and allow mechanisms which can
>     pass credentials to do so.
> d   don't permit mechanisms susceptible to passive
>     dictionary attack.
> f   require forward secrecy between sessions
>     (breaking one won't help break next).
> p   don't permit mechanisms susceptible to simple
>     passive attack (e.g., PLAIN, LOGIN), unless a
>     security layer is active.
> y   don't permit mechanisms that allow anonymous login.
> 
> The first option applies to  sendmail  as  a
> client, the others to a server.  Example:
> 
> O AuthOptions=p,y
> 
> more links:
> http://www.sendmail.org/~gshapiro/
> http://www.sendmail.org/~ca/email/auth.html
> http://www.asp.ogi.edu/people/paja/linux/sendmail/
> http://blue-labs.org/clue/sendmail.php
> http://www.digitalanswers.org/sendmail/
> 
>  
> kind regards Dirk
> 
> - Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
> - [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
> ___
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"


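As an added example (not code from the thread, from sendmail or from cyrus-sasl): a small Python checker that reads the .mc defines quoted above, reports whether PLAIN/LOGIN could be offered without the 'p' option that ties them to an active security layer (TLS), and pulls the queue id, mechanism and reason out of sm-mta AUTH failure lines like the one Noah posted. The regex shapes and helper names are this example's own assumptions; the sample .mc and log text are the lines quoted in the thread.

```python
"""Check sendmail AUTH settings and log lines from the thread above.
Added example, not sendmail or cyrus-sasl code; parsing rules are
this example's own assumptions about the quoted .mc and log format."""
import re

# Mechanisms op.txt lists as susceptible to simple passive attack.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Matches m4 defines such as: define(`confAUTH_OPTIONS', `A p y')dnl
DEFINE_RE = re.compile(r"define\(`(conf\w+)',\s*`([^']*)'\)")

def parse_mc(mc_text):
    """Return {option: value} for the define(...) lines in a .mc file."""
    return dict(DEFINE_RE.findall(mc_text))

def auth_options(opts):
    """Split 'A p y' or 'p,y' into a set of single-character options."""
    return set(re.split(r"[\s,]+", opts.strip())) - {""}

def plaintext_exposed(mc_text):
    """True if a plaintext mechanism is allowed and 'p' is not set,
    i.e. PLAIN/LOGIN could be used with no security layer active."""
    conf = parse_mc(mc_text)
    mechs = set(conf.get("confAUTH_MECHANISMS", "").split())
    opts = auth_options(conf.get("confAUTH_OPTIONS", ""))
    return bool(mechs & PLAINTEXT_MECHS) and "p" not in opts

# Matches the sm-mta AUTH failure line quoted in the thread.
FAILURE_RE = re.compile(r"sm-mta\[\d+\]: (\S+): AUTH failure \((\w+)\): (.*)")

def auth_failures(log_text):
    """Return (queue_id, mechanism, reason) for each AUTH failure line."""
    found = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            found.append(m.groups())
    return found

# Sample input: the .mc defines and the (rejoined) log line from the thread.
THREAD_MC = """define(`confAUTH_OPTIONS', `A p y')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
"""
THREAD_LOG = ("Jun  4 20:09:46 typhoon sm-mta[78399]: h5539jJQ078399: AUTH failure (LOGIN): "
              "no mechanism available (-4) SASL(-4): no mechanism available: checkpass failed")

if __name__ == "__main__":
    print("plaintext exposed without TLS:", plaintext_exposed(THREAD_MC))  # False: 'p' is set
    for qid, mech, reason in auth_failures(THREAD_LOG):
        print(qid, mech, "->", reason)
```

A "checkpass failed" reason points at saslauthd rather than at sendmail, which is the direction Dirk's question took; a True from plaintext_exposed() means the .mc would let PLAIN/LOGIN be used over a cleartext session.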


Re: cyrus-sasl2 setup failing

2003-06-05 Thread admin
On Thu, 05 Jun 2003 05:54:45 +0200, Dirk Meyer wrote
> > Sendmail 8.12.9-sasl2 (compiled from /usr/ports/mail/sendmail-sasl)
> > cyrus-sasl-2.1.13 (compiled from /usr/ports/security/cyrus-sasl2-saslauthd)
> > 
> > A client is still not able to authenticate via SASL - looks like it is not
> > happy but I am not sure how to fix it.  Anybody got a clue what I am doing
> > wrong here?
> 
> > --- from the logs when some attempts to authenticate 
> > Jun  4 20:09:46 typhoon sm-mta[78399]: AUTH: available mech=NTLM LOGIN PLAIN
> > OTP DIGEST-MD5 CRAM-MD5, allowed mech=LOGIN PLAIN
> 
> > Jun  4 20:09:46 typhoon sm-mta[78399]: h5539jJQ078399: AUTH failure (LOGIN):
> > no mechanism available (-4) SASL(-4): no mechanism available: checkpass failed
> 
> > define(`confAUTH_OPTIONS', `A p y')dnl
> > define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
> > TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
> 
> checkpass failed, is the saslauthd started?


Thanks for the quick response.

No, what should my saslauthd flags be, since in the sendmail configuration I am
asking for LOGIN PLAIN in my sendmail .mc - is this correct?

if [ -z "${sasl_saslauthd_flags}" ]; then
sasl_saslauthd_flags="-a pam"
fi




> do you need the "A" Option?
> 
> from: /usr/local/share/sendmail/cf/README
> confAUTH_OPTIONS   AuthOptions   [undefined] If this option
> is 'A' then the AUTH= parameter for the MAIL FROM
> command is only issued when
> authentication succeeded. [...] See doc/op/op.me
> for details.
> 
> from: /usr/local/share/doc/sendmail/op.txt
> [no short name] List of options for SMTP
> AUTH consisting of single characters with
> intervening white space or commas.
> 
> A   Use the AUTH= parameter for the MAIL FROM
>     command only when authentication succeeded.
>     This can be used as a workaround for broken
>     MTAs that do not implement RFC 2554
>     correctly.
> a   protection from active (non-dictionary)
>     attacks during authentication exchange.
> c   require mechanisms which pass client
>     credentials, and allow mechanisms which can
>     pass credentials to do so.
> d   don't permit mechanisms susceptible to passive
>     dictionary attack.
> f   require forward secrecy between sessions
>     (breaking one won't help break next).
> p   don't permit mechanisms susceptible to simple
>     passive attack (e.g., PLAIN, LOGIN), unless a
>     security layer is active.
> y   don't permit mechanisms that allow anonymous login.
> 
> The first option applies to  sendmail  as  a
> client, the others to a server.  Example:
> 
> O AuthOptions=p,y
> 
> more links:
> http://www.sendmail.org/~gshapiro/
> http://www.sendmail.org/~ca/email/auth.html
> http://www.asp.ogi.edu/people/paja/linux/sendmail/
> http://blue-labs.org/clue/sendmail.php
> http://www.digitalanswers.org/sendmail/
> 
>  
> kind regards Dirk
> 
> - Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
> - [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]

