Re: question about SMTP-authentication (3rd )

2012-03-12 Thread Paul Macdonald

On 12/03/2012 15:47, kamolpat wrote:

> Dear Matthew,
>
> Ok, I got sendmail compiled. Thanks.
> But it seems like ...
> POP3 is still working with clear-text usr/pwd sent to the server (but it
> works, I can get mail from the server normally). When I set the option in
> Thunderbird to another mode, it doesn't work (except "connection
> security: none", "authentication method: password transmitted
> insecurely"; this is the option that TB detected while setting up the
> mail account)
>
> SMTP doesn't work; it declares
> from Thunderbird:
>
> Send Message Error
> The Kerberos/GSSAPI ticket was not accepted by the SMTP server
> mail.dmaccess.co.th Please check that you are logged in to the
> Kerberos/GSSAPI realm.
> (even if I change "authentication method: Kerberos/GSSAPI", it still
> shows this message)
>
> from /var/log/maillog
> Mar 12 22:38:04 ns1 sendmail[93331]: q2CMc4jF093331:
> ppp-58-8-130-33.revip2.asianet.co.th [58.8.130.33] did not issue
> MAIL/EXPN/VRFY/ETRN during connection to MSA




what are you using as the authentication method for sasl?

there are multiple authentication mechanisms available for sasl(2), 
simplest is probably saslauthd


In /etc/rc.conf:
saslauthd_enable=yes

In /usr/local/lib/sasl2/Sendmail.conf have:

pwcheck_method: saslauthd

make sure it's running
/usr/local/etc/rc.d/saslauthd start

add a user with saslpasswd2

Test your u/p locally with testsaslauthd
testsaslauthd -u  -p 

(if that's not working it won't work over the network either)

have TB set conn security to STARTTLS and password security set to 
"normal password", (for non encrypted password obv)


Paul.



--
-
Paul Macdonald
IFDNRG Ltd
Web and video hosting
-
t: 0131 5548070
m: 07970339546
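
Added example, not part of the original thread or written by any of its participants: a Python check over the EHLO reply kamolpat posted in this thread, which advertises AUTH including LOGIN but no STARTTLS. It flags plaintext mechanisms offered on an unencrypted session, the condition the STARTTLS advice above addresses; `parse_ehlo`, `audit` and `PLAINTEXT_MECHS` are names introduced here.

```python
import re

# Mechanisms that put the password itself on the wire (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Sample input: the EHLO reply from this thread, wrapped greeting line rejoined.
EHLO_REPLY = """\
250-ns1.dmaccess.co.th Hello ns1.dmaccess.co.th [202.170.122.33], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250-DELIVERBY
250 HELP
"""

def parse_ehlo(reply):
    """Map each ESMTP keyword in a multi-line 250 reply to its parameters."""
    exts = {}
    lines = [ln.rstrip() for ln in reply.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([- ])(.*)", line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        words = m.group(2).upper().split()
        if i > 0 and words:  # line 0 is the greeting, not an extension
            # Some servers also advertise the legacy "AUTH=LOGIN ..." form.
            kw, _, first = words[0].partition("=")
            exts.setdefault(kw, []).extend(([first] if first else []) + words[1:])
        if m.group(1) == " ":  # "250 " (space) marks the last line
            break
    return exts

def audit(reply, tls_active=False):
    """Return findings for an EHLO reply seen before (or after) STARTTLS."""
    exts = parse_ehlo(reply)
    mechs = exts.get("AUTH", [])
    findings = []
    if not mechs:
        findings.append("no AUTH mechanisms advertised")
    if not tls_active:
        if "STARTTLS" not in exts:
            findings.append("STARTTLS not offered")
        exposed = sorted(PLAINTEXT_MECHS.intersection(mechs))
        if exposed:
            findings.append("plaintext AUTH offered without TLS: " + " ".join(exposed))
    return findings

if __name__ == "__main__":
    for finding in audit(EHLO_REPLY):
        print("WARN:", finding)
```

Run the same check on the EHLO reply received after STARTTLS with `tls_active=True`; a clean result there means password mechanisms are only reachable inside the encrypted session.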

Re: question about SMTP-authentication (3rd )

2012-03-12 Thread kamolpat

Dear Matthew,

Ok, I got sendmail compiled. Thanks.
But it seems like ...
POP3 is still working with clear-text usr/pwd sent to the server (but it works, 
I can get mail from the server normally). When I set the option in Thunderbird 
to another mode, it doesn't work (except "connection security: none", 
"authentication method: password transmitted insecurely"; this is the 
option that TB detected while setting up the mail account)



SMTP doesn't work; it declares
from Thunderbird:

Send Message Error
The Kerberos/GSSAPI ticket was not accepted by the SMTP server 
mail.dmaccess.co.th Please check that you are logged in to the 
Kerberos/GSSAPI realm.
(even if I change "authentication method: Kerberos/GSSAPI", it still 
shows this message)


from /var/log/maillog
Mar 12 22:38:04 ns1 sendmail[93331]: q2CMc4jF093331: 
ppp-58-8-130-33.revip2.asianet.co.th [58.8.130.33] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to MSA



this is my test on server
=
ns1:kamolpat:/etc>telnet dmaccess.co.th 25
Trying 202.170.122.33...
Connected to dmaccess.co.th.
Escape character is '^]'.
220 ns1.dmaccess.co.th ESMTP Sendmail 8.14.4/8.14.4; Mon, 12 Mar 2012 
22:23:14 GMT

ehlo dmaccess.co.th
250-ns1.dmaccess.co.th Hello ns1.dmaccess.co.th [202.170.122.33], 
pleased to meet you

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 ns1.dmaccess.co.th closing connection
Connection closed by foreign host.


this is my /etc/mail/freebsd.mc
=
dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

define(`confBIND_OPTS', `WorkAroundBroken')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')

GENERICS_DOMAIN_FILE(`/etc/mail/genericdomains');

Re: question about SMTP-authentication (2nd )

2012-03-12 Thread Matthew Seaman
On 12/03/2012 13:26, kamolpat wrote:
> According to your recommendation (as follows). When I run make in
> /usr/src/usr.sbin/sendmail it shows the following.
> ns1:kamolpat:/usr/src/usr.sbin/sendmail>make clean
> rm -f sm_os.h sendmail alias.o arpadate.o bf.o collect.o conf.o
> control.o convtime.o daemon.o deliver.o domain.o envelope.o err.o
> headers.o macro.o main.o map.o mci.o milter.o mime.o parseaddr.o queue.o
> ratectrl.o readcf.o recipient.o savemail.o sasl.o sfsasl.o shmticklib.o
> sm_resolve.o srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o
> udb.o usersmtp.o util.o version.o mailq.1.gz newaliases.1.gz
> aliases.5.gz sendmail.8.gz mailq.1.cat.gz newaliases.1.cat.gz
> aliases.5.cat.gz sendmail.8.cat.gz
> ns1:kamolpat:/usr/src/usr.sbin/sendmail>make
> ln -sf
> /usr/src/usr.sbin/sendmail/../../contrib/sendmail/include/sm/os/sm_os_freebsd.h
> sm_os.h
> cc -O2 -pipe  -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src
> -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include -I. -DNEWDB
> -DNIS -DTCPWRAPPERS -DMAP_REGEX -DDNSMAP -DNETINET6 -DSTARTTLS
> -D_FFR_TLS_1 -I/usr/local/include/sasl -DSASL=2 -std=gnu99
> -fstack-protector  -c
> /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c
> In file included from
> /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c:14:
> /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:135:25:
> error: sasl/sasl.h: No such file or directory
> /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:136:29:
> error: sasl/saslutil.h: No such file or directory
> In file included from
> /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c:14:
> /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:607:
> error: expected '=', ',', ';', 'asm' or '__attribute__' before ':' token
> /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:691:
> error: expected specifier-qualifier-list before 'sasl_conn_t'
> *** Error code 1
> 
> Stop in /usr/src/usr.sbin/sendmail.
> 
> 
> then I try to find where is sasl.h
> 
> ns1:kamolpat:/usr>find . -name "sasl.h"
> ./local/include/sasl/sasl.h
> ./ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.25/include/sasl.h
> ./ports/security/cyrus-sasl2-saslauthd/work/cyrus-sasl-2.1.25/include/sasl.h
> 
> 
> What should I do next? Should I just copy the sasl.h to
> /usr/src/contrib/sendmail/src/sendmail   ?

No.  Don't do that.  It won't help anything.

You need to follow my instructions correctly.  Specifically this line
needs to be in /etc/make.conf in order to pick up the SASL header files:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2

Where, you will note, this does *not* say /usr/local/include/sasl, which
is what appears in your compiler output.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey






Re: question about SMTP-authentication (2nd )

2012-03-12 Thread kamolpat

Dear Matthew,

According to your recommendation (as follows). When I run make in 
/usr/src/usr.sbin/sendmail it shows the following.

ns1:kamolpat:/usr/src/usr.sbin/sendmail>make clean
rm -f sm_os.h sendmail alias.o arpadate.o bf.o collect.o conf.o 
control.o convtime.o daemon.o deliver.o domain.o envelope.o err.o 
headers.o macro.o main.o map.o mci.o milter.o mime.o parseaddr.o queue.o 
ratectrl.o readcf.o recipient.o savemail.o sasl.o sfsasl.o shmticklib.o 
sm_resolve.o srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o 
udb.o usersmtp.o util.o version.o mailq.1.gz newaliases.1.gz 
aliases.5.gz sendmail.8.gz mailq.1.cat.gz newaliases.1.cat.gz 
aliases.5.cat.gz sendmail.8.cat.gz

ns1:kamolpat:/usr/src/usr.sbin/sendmail>make
ln -sf 
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include/sm/os/sm_os_freebsd.h 
sm_os.h
cc -O2 -pipe  -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src 
-I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include -I. -DNEWDB 
-DNIS -DTCPWRAPPERS -DMAP_REGEX -DDNSMAP -DNETINET6 -DSTARTTLS 
-D_FFR_TLS_1 -I/usr/local/include/sasl -DSASL=2 -std=gnu99 
-fstack-protector  -c 
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c
In file included from 
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c:14:
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:135:25: 
error: sasl/sasl.h: No such file or directory
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:136:29: 
error: sasl/saslutil.h: No such file or directory
In file included from 
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/alias.c:14:
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:607: 
error: expected '=', ',', ';', 'asm' or '__attribute__' before ':' token
/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/sendmail.h:691: 
error: expected specifier-qualifier-list before 'sasl_conn_t'

*** Error code 1

Stop in /usr/src/usr.sbin/sendmail.


then I try to find where is sasl.h

ns1:kamolpat:/usr>find . -name "sasl.h"
./local/include/sasl/sasl.h
./ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.25/include/sasl.h
./ports/security/cyrus-sasl2-saslauthd/work/cyrus-sasl-2.1.25/include/sasl.h

What should I do next? Should I just copy the sasl.h to 
/usr/src/contrib/sendmail/src/sendmail   ?


Thanks
Kamolpat

On 3/9/2012 12:34 AM, Matthew Seaman wrote:

On 08/03/2012 15:55, kamolpat wrote:

Setup Reference
==
1. I read the how to setup from  FreeBSD Handbook (online)->  Chapter 29
Electronic Mail ->  29.10 SMTP Authentication  from freebsd.org
2. setup for cyrus-sasl2 was fine (setup via
usr/ports/security/cyrus-sasl2)
3. setup for openssl was 90% fine (setup via port) reference to FreeBSD
Handbook (online)->Chapter 15 Security ->  15.8 OpenSSL
 except the "STARTTLS" line doesn't appear as mentioned in the last
part of the article.


Did you rebuild sendmail with the right flags so that it would enable
all the SASL bits?  Apart from that you seem to have done all the right
stuff that I can see.

You need to add this to /etc/make.conf:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

and then rebuild sendmail -- assuming you have system sources installed:

# cd /usr/src/usr.sbin/sendmail
# make clean
# make
# make install

If you haven't got the system sources installed, then you can get them
easily enough with csup(1) or freebsd-update(8) or several other ways.
Or you could just install sendmail from ports -- obviously, make sure to
choose the option to enable SASL in the config dialogue.  If you use the
ports sendmail, so long as you set up mailer.conf(5) to point to the
ports version -- like so:

lucid-nonsense:/etc/mail:% cat mailer.conf
# $FreeBSD: stable/8/etc/mail/mailer.conf 93858 2002-04-05 04:25:14Z gshapiro $
#
# Execute the "real" sendmail program, named /usr/local/sbin/sendmail
#
sendmail    /usr/local/sbin/sendmail
send-mail   /usr/local/sbin/sendmail
mailq       /usr/local/sbin/sendmail
newaliases  /usr/local/sbin/sendmail
hoststat    /usr/local/sbin/sendmail
purgestat   /usr/local/sbin/sendmail

and put the following in /etc/make.conf so it uses the latest
configuration file bits:

SENDMAIL_CF_DIR=/usr/local/share/sendmail/cf
MAKEMAP=/usr/local/sbin/makemap

then the ports sendmail is pretty much a drop-in replacement for the
system one, and you can use all the config bits in /etc/mail in exactly
the same way as normal.

Cheers,

Matthew







___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: question about SMTP-authentication

2012-03-08 Thread Julian H. Stacey
kamolpat wrote:
> To whom it may concern:

I hope you get a more useful reply than mine later, & no time here, sorry
but I've had SASL-1 running fine for years FreeBSD both ends.
Documented here, 
http://www.berklix.com/~jhs/txt/sasl.html 
There's various URLs there to SASL-2

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below not above, cumulative like a play script, & indent with "> ".
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
Mail from @yahoo dumped @berklix.  http://berklix.org/yahoo/


Re: question about SMTP-authentication

2012-03-08 Thread Matthew Seaman
On 08/03/2012 15:55, kamolpat wrote:
> Setup Reference
> ==
> 1. I read the how to setup from  FreeBSD Handbook (online)-> Chapter 29
> Electronic Mail -> 29.10 SMTP Authentication  from freebsd.org
> 2. setup for cyrus-sasl2 was fine (setup via
> usr/ports/security/cyrus-sasl2)
> 3. setup for openssl was 90% fine (setup via port) reference to FreeBSD
> Handbook (online)->Chapter 15 Security -> 15.8 OpenSSL
> except the "STARTTLS" line doesn't appear as mentioned in the last
> part of the article.
> 

Did you rebuild sendmail with the right flags so that it would enable
all the SASL bits?  Apart from that you seem to have done all the right
stuff that I can see.

You need to add this to /etc/make.conf:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

and then rebuild sendmail -- assuming you have system sources installed:

# cd /usr/src/usr.sbin/sendmail
# make clean
# make
# make install

If you haven't got the system sources installed, then you can get them
easily enough with csup(1) or freebsd-update(8) or several other ways.
Or you could just install sendmail from ports -- obviously, make sure to
choose the option to enable SASL in the config dialogue.  If you use the
ports sendmail, so long as you set up mailer.conf(5) to point to the
ports version -- like so:

lucid-nonsense:/etc/mail:% cat mailer.conf
# $FreeBSD: stable/8/etc/mail/mailer.conf 93858 2002-04-05 04:25:14Z gshapiro $
#
# Execute the "real" sendmail program, named /usr/local/sbin/sendmail
#
sendmail    /usr/local/sbin/sendmail
send-mail   /usr/local/sbin/sendmail
mailq       /usr/local/sbin/sendmail
newaliases  /usr/local/sbin/sendmail
hoststat    /usr/local/sbin/sendmail
purgestat   /usr/local/sbin/sendmail

and put the following in /etc/make.conf so it uses the latest
configuration file bits:

SENDMAIL_CF_DIR=/usr/local/share/sendmail/cf
MAKEMAP=/usr/local/sbin/makemap

then the ports sendmail is pretty much a drop-in replacement for the
system one, and you can use all the config bits in /etc/mail in exactly
the same way as normal.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey






question about SMTP-authentication

2012-03-08 Thread kamolpat

To whom it may concern:

Hello, may I ask for your help with SMTP authentication?

Problems:
=
SMTP-auth doesn't function: when I use Thunderbird and try to set the 
authentication method to Kerberos/GSSAPI or Encrypted password, it 
doesn't work.


Background:
===
I'm an intermediate FreeBSD sysadmin. I used to run only a normal mail 
service in my company, which uses POP3 on my server and SMTP from the ISP. Now 
my ISP always has problems, so I prefer to set up the SMTP service on my server 
and provide it to staff in the company. However, setting up pure SMTP is not safe, 
so I prefer to use SMTP authentication.


Setup Reference
==
1. I read the how to setup from  FreeBSD Handbook (online)-> Chapter 29 
Electronic Mail -> 29.10 SMTP Authentication  from freebsd.org

2. setup for cyrus-sasl2 was fine (setup via usr/ports/security/cyrus-sasl2)
3. setup for openssl was 90% fine (setup via port) reference to FreeBSD 
Handbook (online)->Chapter 15 Security -> 15.8 OpenSSL
except the "STARTTLS" line doesn't appear as mentioned in the last 
part of the article.


Raw info for consideration

from /var/log/maillog
---
revip2.asianet.co.th is my provider , the dmaccess.co.th is my server

Mar  8 22:35:35 ns1 sendmail[18640]: q28MZZ4l018640: 
ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to IPv4
Mar  8 22:37:29 ns1 sendmail[18644]: q28MbSv3018644: ruleset=check_rcpt, 
arg1=, 
relay=ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248], reject=550 
5.7.1
Mar  8 22:37:34 ns1 sendmail[18644]: q28MbSv3018644: 
from=, size=778, class=0, nrcpts=0, 
proto=ESMTP, daemon=IPv4, relay=ppp-58-8-163-248.revip2.asianet.co.th [58.
Mar  8 22:38:31 ns1 sendmail[18646]: q28McVl2018646: 
ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to IPv4
Mar  8 22:39:55 ns1 sendmail[18650]: q28MdsOC018650: 
ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to IPv4
Mar  8 22:40:57 ns1 sendmail[18688]: q28MevLw018688: 
ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to IPv4
Mar  8 22:42:05 ns1 sendmail[18689]: q28Mffbd018689: 
ppp-58-8-163-248.revip2.asianet.co.th [58.8.163.248] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to IPv4


from /etc/mail/freebsd.mc
--
dnl set SASL options
TRUST_AUTH_MECH (`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS',`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

dnl SSL Options
define(`confCACERT_PATH',`/etc/ssl')dnl
define(`confCACERT',`/etc/ssl/dm_new.crt')dnl
define(`confSERVER_CERT',`/etc/ssl/dm_new.crt')dnl
define(`confSERVER_KEY',`/etc/ssl/dm_ca.key')dnl
define(`confTLS_SRV_OPTIONS',`V')dnl

MAILER(local)
MAILER(smtp)


Thanks in advance

Kamolpat







