NetBSD-Users archive


Re: Sendmail SMTP AUTH no longer works



On Tue, 26 Apr 2022, Stephen Borrill wrote:
On Thu, 21 Apr 2022, Stephen Borrill wrote:
I've upgraded to pkgsrc-2022Q1 and now SMTP AUTH no longer works. This upgrades all the cyrus stuff to 2.1.28 from 2.1.27 as well as revbumping sendmail 8.16.1. The configuration files have not changed and yes, I'm installing the cy2-plain, etc. plugins.

I've found that if I revert to my previous pkg set and then upgrade just the cyrus components to 2.1.28, then it still works. If I upgrade sendmail from 8.16.1 to 8.16.1nb1 (which also requires me to force upgrade openldap-client) then this stops AUTH working (whichever version of the cyrus components are in place).

I've tried to use ktrace to work out what's happening, but sendmail seems to be successfully opening the various sasl files and I don't see any obvious differences between the good and bad traces. Any ideas on how to debug this?

I've done further testing. If I have cyrus-sasl 2.1.28 installed when I build sendmail, SMTP AUTH does not work. If I have 2.1.27 installed when building (but all other packages from pkgsrc-2022Q1), it does work. After building sendmail, I can upgrade sasl from 2.1.27 to 2.1.28 though and it continues to work.

By not work, I mean:
a) No 250-AUTH LOGIN PLAIN line in response to EHLO over TLS
b) "AUTH warning: no mechanisms" in maillog

I rebuilt the cyrus 2.1.28 packages just in case, which made no difference.

Both the 2.1.27 and 2.1.28 packages show the full list of plugins using the pluginviewer command. The only difference is that the order of the PLAIN and LOGIN mechanisms is swapped, i.e.
 Installed and properly configured SASL (server side) mechanisms are:
-  EXTERNAL NTLM PLAIN LOGIN
+  EXTERNAL NTLM LOGIN PLAIN
 Available SASL (server side) mechanisms matching your criteria are:
-  NTLM PLAIN LOGIN
+  NTLM LOGIN PLAIN

Here's the output with 2.1.27:

Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 8
        supports store: yes

Installed and properly configured SASL (server side) mechanisms are:
  EXTERNAL NTLM PLAIN LOGIN
Available SASL (server side) mechanisms matching your criteria are:
  NTLM PLAIN LOGIN
List of server plugins follows
Plugin "ntlm" [loaded],         API version: 4
        SASL mechanism: NTLM, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features:
Installed and properly configured SASL (client side) mechanisms are:
  EXTERNAL NTLM PLAIN LOGIN
Available SASL (client side) mechanisms matching your criteria are:
  EXTERNAL NTLM PLAIN LOGIN
List of client plugins follows
Plugin "EXTERNAL" [loaded],     API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "ntlm" [loaded],         API version: 4
        SASL mechanism: NTLM, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: SERVER_FIRST

I'm confused a bit about the sendmail+sasl build process. sendmail is built with -DSASL=2 but the source suggests that this should be 20127 for 2.1.27, etc. Building with anything != 2 doesn't work though.

# if SASL >= 20000
        result = sasl_server_new("smtp", hostname, NULL, NULL, NULL,
                                 NULL, 0, conn);
# elif SASL > 10505
        /* use empty realm: only works in SASL > 1.5.5 */
        result = sasl_server_new("smtp", hostname, "", NULL, 0, conn);
# else /* SASL >= 20000 */
        /* use no realm -> realm is set to hostname by SASL lib */
        result = sasl_server_new("smtp", hostname, NULL, NULL, 0,
                                 conn);
# endif /* SASL >= 20000 */

--
Stephen
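
Added example, not part of the original post or of sendmail/cyrus-sasl: a small check that compares the server-side mechanisms pluginviewer reports with the AUTH line in an EHLO reply, which separates "plugin missing" from the symptom described above (libsasl has the mechanism, sendmail does not advertise it). The sample inputs are constructed, the expected set LOGIN/PLAIN is taken from the EHLO line quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed sample in the pluginviewer format quoted in the post.
PLUGINVIEWER = """\
Installed and properly configured SASL (server side) mechanisms are:
  EXTERNAL NTLM PLAIN LOGIN
Available SASL (server side) mechanisms matching your criteria are:
  NTLM PLAIN LOGIN
List of server plugins follows
"""
# Constructed EHLO replies; mail.example.org is a placeholder host.
EHLO_GOOD = ("250-mail.example.org Hello\r\n250-ENHANCEDSTATUSCODES\r\n"
             "250-AUTH LOGIN PLAIN\r\n250 HELP\r\n")
EHLO_BAD = "250-mail.example.org Hello\r\n250-ENHANCEDSTATUSCODES\r\n250 HELP\r\n"

def sasl_server_mechs(pluginviewer_text):
    """Mechanisms listed under 'Available SASL (server side) mechanisms'."""
    lines = pluginviewer_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Available SASL (server side) mechanisms"):
            return set(lines[i + 1].split()) if i + 1 < len(lines) else set()
    return set()

def ehlo_auth_mechs(ehlo_reply):
    """Mechanisms on 250 AUTH lines, including the legacy 'AUTH=' form."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def diagnose(expected, pluginviewer_text, ehlo_reply):
    """Classify each expected mechanism by where it stops being visible."""
    have = sasl_server_mechs(pluginviewer_text)
    offered = ehlo_auth_mechs(ehlo_reply)
    report = {}
    for mech in sorted(expected):
        if mech in offered:
            report[mech] = "advertised"
        elif mech in have:
            report[mech] = "in libsasl but not advertised"
        else:
            report[mech] = "no libsasl plugin"
    return report

if __name__ == "__main__":
    for name, reply in (("good", EHLO_GOOD), ("bad", EHLO_BAD)):
        print(name, diagnose({"LOGIN", "PLAIN"}, PLUGINVIEWER, reply))
```

Feed it the real pluginviewer output and the EHLO reply captured after STARTTLS; "in libsasl but not advertised" points at the MTA build or configuration rather than at the installed plugins.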

