Re: Sendmail with relay (SMART_HOST), STARTTLS and AUTH
Hello,

On Tue, Oct 05, 2021 at 12:26:30PM -0400, Jason Mitchell wrote:
> On 10/5/21 12:12 PM, Manuel Bouyer wrote:
> > On Tue, Oct 05, 2021 at 04:27:27PM +0200, tlaro...@polynum.com wrote:
> > > Hello,
> > >
> > > I'm trying to set up a node with sendmail(8).
> > >
> > > In order to not be blocked, eventually, by some firewall rule on port
> > > 25, I'm relaying mail to a smart host, listening on port 587 for
> > > STARTTLS, and I need to authenticate using LOGIN or PLAIN mechanism.
> > >
> > > For relaying, forwarding to port 587 and starting TLS with sendmail, no
> > > problem after adding the needed options for the compilation of the
> > > package.
> > >
> > > But whatever I'm trying to do, having added a
> > > /usr/pkg/etc/sasl2/Sendmail.conf configuration and having installed
> > > cyrus-sasl2 and cyrus-saslauthd, and launching the saslauthd daemon,
> > > sendmail, without dialoguing with the server (for this; STARTTLS
> > > is OK) always answers:
> > >
> > >     no worthy mechs found
> > >
> > > So the blocking comes from sendmail. I have verified by telnet, that
> > > doing authentication by hand works.
> > >
> > > From a search on the Web, when this kind of message is issued with
> > > Postfix, on Linux based distribution, the problem is solved either
> > > by adding sasl modules or by specifying a configuration variable
> > > for Postfix allowing plaintext authentications (that is not allowed
> > > by default).
> > >
> > > But as far as I understand, pkgsrc cyrus-sasl2 and cyrus-saslauthd
> > > are sufficient and there is no such thing as this sasl-security
> > > conf variable for sendmail.
> >
> > For sasl support (as a server, not as a client though) I have to build
> > sendmail with
> > PKG_OPTIONS.sendmail+=sasl tls
>
> It doesn't look like you installed the cy2_login and cy2_plain packages. I
> don't quite understand how it all fits together, but you need to install the
> cy2_ package for whatever mech you want to support. I guess these are where
> the modules live on NetBSD?

You are very probably right since this matches what other installations
(postfix on linuces) require: the modules. It's a bit unfortunate that
in pkgsrc the library and the saslauthd are prefixed "cyrus" while the
modules are prefixed "cy2". I brutally grep'ed for "cyrus*" and found
nothing more.

I will send a message for archive for other users if this is indeed the
solution, but it seems very likely---I gather that saslauthd is for
dialoguing with a user trying to connect to the sendmail server on the
node, but that sendmail, as a client, uses with authinfo the library and
hence the mechanisms provided and, at the moment, there is indeed
none...

Thanks a lot!
--
Thierry Laronde
http://www.kergis.com/
http://kertex.kergis.com/
http://www.sbfa.fr/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89 250D 52B1 AE95 6006 F40C
Re: Sendmail with relay (SMART_HOST), STARTTLS and AUTH
On Tue, Oct 05, 2021 at 06:12:18PM +0200, Manuel Bouyer wrote:
> On Tue, Oct 05, 2021 at 04:27:27PM +0200, tlaro...@polynum.com wrote:
> > Hello,
> >
> > I'm trying to set up a node with sendmail(8).
> >
> > In order to not be blocked, eventually, by some firewall rule on port
> > 25, I'm relaying mail to a smart host, listening on port 587 for
> > STARTTLS, and I need to authenticate using LOGIN or PLAIN mechanism.
> >
> > For relaying, forwarding to port 587 and starting TLS with sendmail, no
> > problem after adding the needed options for the compilation of the
> > package.
> >
> > But whatever I'm trying to do, having added a
> > /usr/pkg/etc/sasl2/Sendmail.conf configuration and having installed
> > cyrus-sasl2 and cyrus-saslauthd, and launching the saslauthd daemon,
> > sendmail, without dialoguing with the server (for this; STARTTLS
> > is OK) always answers:
> >
> >     no worthy mechs found
> >
> > So the blocking comes from sendmail. I have verified by telnet, that
> > doing authentication by hand works.
> >
> > From a search on the Web, when this kind of message is issued with
> > Postfix, on Linux based distribution, the problem is solved either
> > by adding sasl modules or by specifying a configuration variable
> > for Postfix allowing plaintext authentications (that is not allowed
> > by default).
> >
> > But as far as I understand, pkgsrc cyrus-sasl2 and cyrus-saslauthd
> > are sufficient and there is no such thing as this sasl-security
> > conf variable for sendmail.
>
> For sasl support (as a server, not as a client though) I have to build sendmail
> with
> PKG_OPTIONS.sendmail+=sasl tls

This was done and testing sendmail the support is here. But I think that
Jason Mitchell has answered: I need to add the support for the
mechanisms with cyrus modules but I grep'ed for "cyrus*" and the modules
are prefixed "cy2*"...
--
Thierry Laronde
http://www.kergis.com/
http://kertex.kergis.com/
http://www.sbfa.fr/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89 250D 52B1 AE95 6006 F40C
Re: Sendmail with relay (SMART_HOST), STARTTLS and AUTH
On Tue, Oct 05, 2021 at 04:27:27PM +0200, tlaro...@polynum.com wrote:
> Hello,
>
> I'm trying to set up a node with sendmail(8).
>
> In order to not be blocked, eventually, by some firewall rule on port
> 25, I'm relaying mail to a smart host, listening on port 587 for
> STARTTLS, and I need to authenticate using LOGIN or PLAIN mechanism.
>
> For relaying, forwarding to port 587 and starting TLS with sendmail, no
> problem after adding the needed options for the compilation of the
> package.
>
> But whatever I'm trying to do, having added a
> /usr/pkg/etc/sasl2/Sendmail.conf configuration and having installed
> cyrus-sasl2 and cyrus-saslauthd, and launching the saslauthd daemon,
> sendmail, without dialoguing with the server (for this; STARTTLS
> is OK) always answers:
>
>     no worthy mechs found
>
> So the blocking comes from sendmail. I have verified by telnet, that
> doing authentication by hand works.
>
> From a search on the Web, when this kind of message is issued with
> Postfix, on Linux based distribution, the problem is solved either
> by adding sasl modules or by specifying a configuration variable
> for Postfix allowing plaintext authentications (that is not allowed
> by default).
>
> But as far as I understand, pkgsrc cyrus-sasl2 and cyrus-saslauthd
> are sufficient and there is no such thing as this sasl-security
> conf variable for sendmail.
>
> FWIW, here is the relevant part of my .mc file:
>
> define(`SMART_HOST',`mail.example.com')dnl
> dnl # Do I really need this since I'm not doing local authentication?
> define(`TRUST_AUTH_MECH', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_OPTIONS', `A p')dnl
> FEATURE(`authinfo')dnl
> FEATURE(`no_default_msa')dnl turn off default entry for MSA
> DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')dnl
>
> If someone has any clue, I would be very grateful!

The solution was given by Jason Mitchell: one needs to add the sasl
modules, i.e., for pkgsrc, the security/cy2-* packages corresponding to
the mechanisms to use. Once installed, it works.

Thank you to Jason for the helpful answer!
--
Thierry Laronde
http://www.kergis.com/
http://kertex.kergis.com/
http://www.sbfa.fr/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89 250D 52B1 AE95 6006 F40C
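
Added example (not part of the thread, and not sendmail or Cyrus SASL code): a sketch of the selection that ends in "no worthy mechs found". A mechanism is usable by the client only if the server offers it, sendmail is configured for it, and its Cyrus SASL plugin file is installed. The function names, the sample server list and the scratch plugin directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Models which SASL mechanisms a client
# such as sendmail can actually use against a smart host.

# Map a mechanism name to the stem of its Cyrus SASL plugin file (lib<stem>.so*).
plugin_stem() {
    case "$1" in
        PLAIN)      echo plain ;;
        LOGIN)      echo login ;;
        CRAM-MD5)   echo crammd5 ;;
        DIGEST-MD5) echo digestmd5 ;;
        GSSAPI)     echo gssapiv2 ;;
        *)          return 1 ;;     # unknown to this sketch
    esac
}

# usable_mechs SERVER_MECHS CLIENT_MECHS PLUGIN_DIR
# Prints the client mechanisms that the server offers and that have a plugin.
# An empty result is the situation reported as "no worthy mechs found".
usable_mechs() {
    out=""
    for m in $2; do
        case " $1 " in *" $m "*) ;; *) continue ;; esac   # server must offer it
        if [ "$m" != EXTERNAL ]; then          # EXTERNAL is built into the library
            stem=$(plugin_stem "$m") || continue
            ls "$3"/lib"$stem".so* >/dev/null 2>&1 || continue
        fi
        out="${out:+$out }$m"
    done
    echo "$out"
}

# Constructed demonstration: a scratch directory stands in for the plugin
# directory (on pkgsrc this is normally /usr/pkg/lib/sasl2; assumption).
demo() {
    dir=$(mktemp -d)
    server="LOGIN PLAIN"    # constructed: mechanisms on the smart host's AUTH line
    client="EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"  # confAUTH_MECHANISMS in the .mc
    echo "library only:       [$(usable_mechs "$server" "$client" "$dir")]"
    touch "$dir/libplain.so.3" "$dir/liblogin.so.3"   # files the cy2-* modules provide
    echo "with cy2-* modules: [$(usable_mechs "$server" "$client" "$dir")]"
    rm -rf "$dir"
}
demo
```

Against a real installation, pass the actual plugin directory as the third argument and the mechanisms from the smart host's EHLO response as the first.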
Re: Sendmail with relay (SMART_HOST), STARTTLS and AUTH
On 10/5/21 12:12 PM, Manuel Bouyer wrote:
> On Tue, Oct 05, 2021 at 04:27:27PM +0200, tlaro...@polynum.com wrote:
> > Hello,
> >
> > I'm trying to set up a node with sendmail(8).
> >
> > In order to not be blocked, eventually, by some firewall rule on port
> > 25, I'm relaying mail to a smart host, listening on port 587 for
> > STARTTLS, and I need to authenticate using LOGIN or PLAIN mechanism.
> >
> > For relaying, forwarding to port 587 and starting TLS with sendmail, no
> > problem after adding the needed options for the compilation of the
> > package.
> >
> > But whatever I'm trying to do, having added a
> > /usr/pkg/etc/sasl2/Sendmail.conf configuration and having installed
> > cyrus-sasl2 and cyrus-saslauthd, and launching the saslauthd daemon,
> > sendmail, without dialoguing with the server (for this; STARTTLS
> > is OK) always answers:
> >
> >     no worthy mechs found
> >
> > So the blocking comes from sendmail. I have verified by telnet, that
> > doing authentication by hand works.
> >
> > From a search on the Web, when this kind of message is issued with
> > Postfix, on Linux based distribution, the problem is solved either
> > by adding sasl modules or by specifying a configuration variable
> > for Postfix allowing plaintext authentications (that is not allowed
> > by default).
> >
> > But as far as I understand, pkgsrc cyrus-sasl2 and cyrus-saslauthd
> > are sufficient and there is no such thing as this sasl-security
> > conf variable for sendmail.
>
> For sasl support (as a server, not as a client though) I have to build
> sendmail with
> PKG_OPTIONS.sendmail+=sasl tls

It doesn't look like you installed the cy2_login and cy2_plain packages.
I don't quite understand how it all fits together, but you need to
install the cy2_ package for whatever mech you want to support. I guess
these are where the modules live on NetBSD?

HTH,

Jason M.
Re: Sendmail with relay (SMART_HOST), STARTTLS and AUTH
On Tue, Oct 05, 2021 at 04:27:27PM +0200, tlaro...@polynum.com wrote:
> Hello,
>
> I'm trying to set up a node with sendmail(8).
>
> In order to not be blocked, eventually, by some firewall rule on port
> 25, I'm relaying mail to a smart host, listening on port 587 for
> STARTTLS, and I need to authenticate using LOGIN or PLAIN mechanism.
>
> For relaying, forwarding to port 587 and starting TLS with sendmail, no
> problem after adding the needed options for the compilation of the
> package.
>
> But whatever I'm trying to do, having added a
> /usr/pkg/etc/sasl2/Sendmail.conf configuration and having installed
> cyrus-sasl2 and cyrus-saslauthd, and launching the saslauthd daemon,
> sendmail, without dialoguing with the server (for this; STARTTLS
> is OK) always answers:
>
>     no worthy mechs found
>
> So the blocking comes from sendmail. I have verified by telnet, that
> doing authentication by hand works.
>
> From a search on the Web, when this kind of message is issued with
> Postfix, on Linux based distribution, the problem is solved either
> by adding sasl modules or by specifying a configuration variable
> for Postfix allowing plaintext authentications (that is not allowed
> by default).
>
> But as far as I understand, pkgsrc cyrus-sasl2 and cyrus-saslauthd
> are sufficient and there is no such thing as this sasl-security
> conf variable for sendmail.

For sasl support (as a server, not as a client though) I have to build sendmail
with
PKG_OPTIONS.sendmail+=sasl tls

--
Manuel Bouyer
NetBSD: 26 years of experience will always make the difference
--
Sendmail with relay (SMART_HOST), STARTTLS and AUTH
Hello,

I'm trying to set up a node with sendmail(8).

In order to not be blocked, eventually, by some firewall rule on port
25, I'm relaying mail to a smart host, listening on port 587 for
STARTTLS, and I need to authenticate using LOGIN or PLAIN mechanism.

For relaying, forwarding to port 587 and starting TLS with sendmail, no
problem after adding the needed options for the compilation of the
package.

But whatever I'm trying to do, having added a
/usr/pkg/etc/sasl2/Sendmail.conf configuration and having installed
cyrus-sasl2 and cyrus-saslauthd, and launching the saslauthd daemon,
sendmail, without dialoguing with the server (for this; STARTTLS
is OK) always answers:

    no worthy mechs found

So the blocking comes from sendmail. I have verified by telnet, that
doing authentication by hand works.

From a search on the Web, when this kind of message is issued with
Postfix, on Linux based distribution, the problem is solved either
by adding sasl modules or by specifying a configuration variable
for Postfix allowing plaintext authentications (that is not allowed
by default).

But as far as I understand, pkgsrc cyrus-sasl2 and cyrus-saslauthd
are sufficient and there is no such thing as this sasl-security
conf variable for sendmail.

FWIW, here is the relevant part of my .mc file:

define(`SMART_HOST',`mail.example.com')dnl
dnl # Do I really need this since I'm not doing local authentication?
define(`TRUST_AUTH_MECH', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A p')dnl
FEATURE(`authinfo')dnl
FEATURE(`no_default_msa')dnl turn off default entry for MSA
DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')dnl

If someone has any clue, I would be very grateful!

TIA,
--
Thierry Laronde
http://www.kergis.com/
http://kertex.kergis.com/
http://www.sbfa.fr/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89 250D 52B1 AE95 6006 F40C