• How does Sendmail get authentication?

    From Charles Wangersky@21:1/5 to All on Mon Sep 6 11:50:10 2021
    If you are one of the 20 or so people who saw this query elsewhere, my apologies for repeating this, but I got no responses there at all.

    For reasons I can't get into at the moment, I'm authenticating to an SMB domain (using Samba 4.9.5 on a Debian host as the DC, if it matters) with a Mint Linux server in the domain with Samba 4.11.6 using Sendmail 8.15.2. I have Thunderbird on a third,
    Windows machine. The mail server also has Dovecot 2.3.7.2 installed. From Thunderbird, I can view, open and manipulate mailboxes with domain credentials. However, I cannot send mail, the same credentials that work to open the mailbox via Dovecot fail
    password validation when trying to send to port 587 on Sendmail. I do have a local account for the domain user, I'm told Dovecot needs that in order to keep its data. It seems to me that I somehow have to tell Sendmail to use the domain credentials
    rather than the local ones, but while I can see how to tell it how to accept credentials from the mail client, I don't see how to tell it how to authenticate them. Am I missing something?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrzej Adam Filip@21:1/5 to Charles Wangersky on Mon Sep 6 19:08:22 2021
    Charles Wangersky <charles@manna.bc.ca> wrote:
    If you are one of the 20 or so people who saw this query elsewhere, my apologies for repeating this, but I got no responses there at all.

    For reasons I can't get into at the moment, I'm authenticating to an
    SMB domain (using Samba 4.9.5 on a Debian host as the DC, if it
    matters) with a Mint Linux server in the domain with Samba 4.11.6
    using Sendmail 8.15.2. I have Thunderbird on a third, Windows
    machine. The mail server also has Dovecot 2.3.7.2 installed. From Thunderbird, I can view, open and manipulate mailboxes with domain credentials. However, I cannot send mail, the same credentials that
    work to open the mailbox via Dovecot fail password validation when
    trying to send to port 587 on Sendmail. I do have a local account for
    the domain user, I'm told Dovecot needs that in order to keep its
    data. It seems to me that I somehow have to tell Sendmail to use the
    domain credentials rather than the local ones, but while I can see how
    to tell it how to accept credentials from the mail client, I don't see
    how to tell it how to authenticate them. Am I missing something?

    Have you considered using MSA (port 587 server) provided by dovecot?
    It may fix authentication problems.

    --
    [Andrew] Andrzej A. Filip

  • From Claus Aßmann@21:1/5 to All on Mon Sep 6 15:58:39 2021
    Charles Wangersky wrote:

    "How does Sendmail get authentication?"
    sendmail uses Cyrus-SASL - so that's where you have to look.

    Thunderbird, I can view, open and manipulate mailboxes with domain credentials. However, I cannot send mail, the

    What's the error? What's in the sendmail log?

    same credentials that work to open the mailbox via Dovecot fail password validation when trying to send to port
    587 on Sendmail. I do have a local account for the domain user, I'm told Dovecot needs that in order to keep its

    You need to tell Cyrus-SASL2 which "backend" to use (for authentication).
    Check whether there is any documentation for it specific to your
    system, otherwise you have to look into the generic info.


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

  • From Grant Taylor@21:1/5 to Charles Wangersky on Mon Sep 6 13:20:23 2021
    On 9/6/21 12:50 PM, Charles Wangersky wrote:
    For reasons I can't get into at the moment, I'm authenticating to
    an SMB domain (using Samba 4.9.5 on a Debian host as the DC, if it
    matters) with a Mint Linux server in the domain with Samba 4.11.6 using Sendmail 8.15.2. I have Thunderbird on a third, Windows machine. The
    mail server also has Dovecot 2.3.7.2 installed. From Thunderbird, I can
    view, open and manipulate mailboxes with domain credentials. However,
    I cannot send mail, the same credentials that work to open the mailbox
    via Dovecot fail password validation when trying to send to port 587
    on Sendmail. I do have a local account for the domain user, I'm told
    Dovecot needs that in order to keep its data. It seems to me that I
    somehow have to tell Sendmail to use the domain credentials rather
    than the local ones, but while I can see how to tell it how to accept credentials from the mail client, I don't see how to tell it how to authenticate them. Am I missing something?

    I would expect that the two accounts for a user; local Unix, and remote
    domain, to have two different names. E.g. "user" and "user@domain".

    With this in mind, I would expect Sendmail to outsource the credential
    checking to SASL, and that SASL would rely on its own and / or the
    system wide configuration for where unix vs domain accounts live and how
    they are interfaced with.

    Is the domain account integration complete enough that you can run "id"
    on "user@domain" and get back similar information as when run against
    the "user" unix account?



    --
    Grant. . . .
    unix || die

  • From Charles Wangersky@21:1/5 to Grant Taylor on Mon Sep 6 12:35:46 2021
    On Monday, September 6, 2021 at 12:20:22 PM UTC-7, Grant Taylor wrote:
    Is the domain account integration complete enough that you can run "id"
    on "user@domain" and get back similar information as when run against
    the "user" unix account?

    Yes; I get the same response back for both "id user" and "id user@domain" except that the groups are listed in a slightly different order. The user "user" has GID "user", group named after the user; the user "user@domain" does not include that group but
    shows GID "Domain Users".

    Andrzej Adam Filip wrote:
    Have you considered using MSA (port 587 server) provided by dovecot?

    I was unaware that Dovecot provided an MSA port. I'll look into that.

  • From Grant Taylor@21:1/5 to Charles Wangersky on Mon Sep 6 15:09:09 2021
    On 9/6/21 1:35 PM, Charles Wangersky wrote:
    Yes; I get the same response back for both "id user" and "id
    user@domain" except that the groups are listed in a slightly different
    order. The user "user" has GID "user", group named after the user;
    the user "user@domain" does not include that group but shows GID
    "Domain Users".

    Okay. That sounds to me like the domain integration is sufficient that
    normal Unix account / permission interfaces should work. As such I
    would expect that (Cyrus) SASL should also work with it similar to how
    it works with traditional Unix accounts.

    I ask because I've seen applications do a lateral / sideways
    communications to the DC and bypass the lower Unix account / permission sub-system. In these cases, you will almost definitely require more configuration than when the underlying Unix account sub-system sees the
    network accounts.



    --
    Grant. . . .
    unix || die

  • From Grant Taylor@21:1/5 to All on Mon Sep 6 15:18:05 2021
    On 9/6/21 1:58 PM, Claus Aßmann wrote:
    sendmail uses Cyrus-SASL - so that's where you have to look.

    Cyrus-SASL is definitely a good place to start looking. Though chances
    seem to be good that there are other places to look.

    You need to tell Cyrus-SASL2 which "backend" to use (for
    authentication).

    This is one of the places that I was talking about where Cyrus-SASL can
    be configured to look sideways to the DC and bypass the underlying Unix
    account sub-system.

    Aside: I last dealt with Unix and DCs about 8 years ago, so my memory
    may be having some bit rot.

    I'm fairly certain that it's possible to configure Cyrus-SASL to rely on
    PAM for everything /and/ configure PAM to look in different places for different account types. E.g. local files for local accounts and DC(s)
    for domain accounts.

    Thus you could have the following layers involved in this process:

    - Sendmail
    - Cyrus-SASL (acting as Sendmail's authentication proxy)
    - PAM (acting as the systems authentication switch)
    - Samba (acting as the systems interface to the domain / DC)

    IMHO all three; Cyrus-SASL, PAM, and Samba, can have configurations that significantly alter what is done, including which protocols are used to communicate with what.

    Check whether there is any documentation for it specific to your
    system, otherwise you have to look into the generic info.

    I'd start with a fundamental understanding of the authentication
    architecture that you're trying to use and how the various pieces
    interact with each other. Then figure out how to diagnose individual
    pieces. I remember that winbind had ways to test credentials from the
    Samba point of view independent of everything else. I believe that PAM
    and Courier can test things below them.

    You may want to consider sniffing the network and / or looking at logs
    on other systems like the domain's DC.



    --
    Grant. . . .
    unix || die

  • From Grant Taylor@21:1/5 to Charles Wangersky on Mon Sep 6 16:58:49 2021
    On 9/6/21 4:38 PM, Charles Wangersky wrote:
    So I'm not going to quote all that went before because it's beginning
    to look like I'm barking up a stump here.

    Sep 6 13:06:37 xxmail sm-mta[94855]: 186K6b0F094855: Milter (greylist): local socket name /var/run/milter-greylist/milter-greylist.sock unsafe
    Sep 6 13:06:37 xxmail sm-mta[94855]: 186K6b0F094855: Milter (greylist): to error state
    Sep 6 13:06:42 xxmail sm-mta[94855]: 186K6b0F094855: [10.2.0.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP

    *FacePalm*

    Been there.
    Done that.

    From this it would appear that the milter is getting the connection
    before Sendmail is, and it's not getting through the greylist
    milter.

    Point of order: The log lines are from sm-mta, which is how I've seen
    Sendmail log for a while. These log lines support the milter is
    actually downstream of Sendmail. As in Sendmail handles the TCP
    connection and divvies out various tests to various milters as part of
    how they operate. ;-)

    Gives me a whole new place to investigate. I've had problems with
    the milter failing this way on another system years ago, and now I
    have to try and recall how I dealt with it.

    I migrated away from grey listing to no-listing more than a decade ago
    and I am exceedingly happy with the results. I'd encourage every
    postmaster to check out no-listing, especially those that like grey
    listing. At least enough to have a conceptual understanding how it
    works and how it might or might not fit with needed services.



    --
    Grant. . . .
    unix || die

  • From Charles Wangersky@21:1/5 to All on Mon Sep 6 15:38:03 2021
    So I'm not going to quote all that went before because it's beginning to look like I'm barking up a stump here.

    Sep 6 13:06:37 xxmail sm-mta[94855]: 186K6b0F094855: Milter (greylist): local socket name /var/run/milter-greylist/milter-greylist.sock unsafe
    Sep 6 13:06:37 xxmail sm-mta[94855]: 186K6b0F094855: Milter (greylist): to error state
    Sep 6 13:06:42 xxmail sm-mta[94855]: 186K6b0F094855: [10.2.0.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP

    From this it would appear that the milter is getting the connection before Sendmail is, and it's not getting through the greylist milter. Gives me a whole new place to investigate. I've had problems with the milter failing this way on another system
    years ago, and now I have to try and recall how I dealt with it.

  • From Claus Aßmann@21:1/5 to Charles Wangersky on Tue Sep 7 01:31:49 2021
    Charles Wangersky wrote:

    name /var/run/milter-greylist/milter-greylist.sock unsafe

    See the fine documentation
    | DIRECTORY PERMISSIONS |

    From this it would appear that the milter is getting the connection before Sendmail

    That is impossible because sendmail provides the information to the milter.

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

  • From Charles Wangersky@21:1/5 to All on Mon Sep 6 23:16:10 2021
    On Monday, September 6, 2021 at 10:31:50 PM UTC-7, Claus Aßmann wrote:
    Charles Wangersky wrote:

    From this it would appear that the milter is getting the connection before Sendmail
    That is impossible because sendmail provides the information to the milter.

    Then I don't know what is going on. Thunderbird reports bad password, and asks for a new one. Sendmail, on the other hand, reports the milter is unhappy, and that Thunderbird has gone away without doing anything. I will try to find the fine documentation
    - all I've found so far is the man pages - and will correct that... but the longer I look at this the loster I seem to get.

  • From Claus Aßmann@21:1/5 to Charles Wangersky on Tue Sep 7 03:22:57 2021
    Charles Wangersky wrote:

    Then I don't know what is going on. Thunderbird reports bad password, and asks for a

    Does the program have a "verbose" mode to see the SMTP session?

    new one. Sendmail, on the other hand, reports the milter is unhappy, and that Thunderbird has gone away without doing anything. I will try to find the fine documentation - all I've found so far is the man pages - and will correct that... but

    Download the source distribution if your OS doesn't ship the documentation. BTW: you probably shouldn't run a greylist milter on the submission port
    -- if a client authenticates it shouldn't be told "come back later".
    See doc/op.* about setting milters per daemon:
    DaemonPortOptions=options
    ...
    InputMailFilters List of input mail filters for the daemon


    +-----------------------+
    | DIRECTORY PERMISSIONS |
    +-----------------------+

    Sendmail often gets blamed for many problems that are actually the
    result of other problems, such as overly permissive modes on directories.
    For this reason, sendmail checks the modes on system directories and
    files to determine if they can be trusted. For sendmail to run without complaining, you MUST execute the following command:

    chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
    chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue

    You will probably have to tweak this for your environment (for example,
    some systems put the spool directory into /usr/spool instead of
    /var/spool). If you set the RunAsUser option in your sendmail.cf, the /var/spool/mqueue directory will have to be owned by the RunAsUser user.
    As a general rule, after you have compiled sendmail, run the command

    sendmail -v -bi

    to initialize the alias database. If it gives messages such as

    WARNING: writable directory /etc
    WARNING: writable directory /var/spool/mqueue

    then the directories listed have inappropriate write permissions and
    should be secured to avoid various possible security attacks.

    [[... and so on ... ]]


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

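    The "local socket name ... unsafe" log line comes from the directory safety checks that the quoted DIRECTORY PERMISSIONS section describes. As an added example (not from the thread and not sendmail's own code), the following Python approximates that check: it walks the socket path's parent directories and reports any component that is group- or world-writable or not owned by root or the invoking user. The trusted-owner rule, the stop directory, and the constructed demo tree are assumptions; sticky-bit directories are not modelled.

```python
# Added example: approximate sendmail's "unsafe" directory check for a
# milter socket path. Not sendmail's code; rules below are assumptions.
import os
import stat
import tempfile

def unsafe_components(path, trusted_uids=None, stop_at="/"):
    """Walk from the socket's directory up to stop_at (inclusive) and
    return (directory, reason) pairs for every component these rules
    reject. An empty list means the path passes."""
    if trusted_uids is None:
        trusted_uids = (0, os.getuid())  # root, or the user running the check
    problems = []
    d = os.path.dirname(os.path.abspath(path))
    stop_at = os.path.abspath(stop_at)
    while True:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            problems.append((d, "missing"))
            break
        if st.st_mode & stat.S_IWGRP:
            problems.append((d, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            problems.append((d, "world-writable"))
        if st.st_uid not in trusted_uids:
            problems.append((d, "owned by uid %d, not trusted" % st.st_uid))
        if d == stop_at or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return problems

def fix_commands(problems):
    """Render chmod/chown commands in the shape of the documentation's
    'chmod go-w' / 'chown root' advice; returned as text, never executed."""
    cmds = []
    for d, reason in problems:
        if reason.endswith("writable"):
            cmds.append("chmod go-w " + d)
        elif reason.startswith("owned by"):
            cmds.append("chown root " + d)
    return sorted(set(cmds))

def make_demo_tree():
    """Constructed, deliberately misconfigured tree under a temp dir:
    run/ is 0755 but run/milter-greylist/ is 0775 (group-writable)."""
    base = tempfile.mkdtemp()
    sock_dir = os.path.join(base, "run", "milter-greylist")
    os.makedirs(sock_dir)
    os.chmod(os.path.join(base, "run"), 0o755)
    os.chmod(sock_dir, 0o775)
    return base, os.path.join(sock_dir, "milter-greylist.sock")

if __name__ == "__main__":
    base, sock = make_demo_tree()
    for d, why in unsafe_components(sock, stop_at=base):
        print("unsafe:", d, "-", why)
    print("\n".join(fix_commands(unsafe_components(sock, stop_at=base))))
```

    Run against a real socket path with stop_at="/" to audit the full chain the way the documentation's chmod/chown list does.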
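    Claus's second point, keeping the greylist milter off the authenticated submission daemon via a per-daemon InputMailFilters setting, can be checked from the sendmail.cf itself. Added example, not from the thread: a small parser for the O DaemonPortOptions= and O InputMailFilters= lines run over a constructed config; matching option keys by their first letter is an assumption about sendmail's parsing, and the MSA/M=Ea values are constructed.

```python
# Added example: find which sendmail daemons (DaemonPortOptions) would
# run a given milter. Constructed config; not the thread's configuration.
import re

# Assumption: DaemonPortOptions keys are recognised by first letter,
# case-insensitively (Name, Port, Modifiers/M, InputMailFilters/I).
KEYS = {"n": "Name", "p": "Port", "m": "Modifiers", "i": "InputMailFilters"}

def parse_daemon_options(value):
    """'Port=587, Name=MSA, M=Ea' -> {'Port': '587', 'Name': 'MSA', ...}"""
    opts = {}
    for item in value.split(","):
        if "=" not in item:
            continue
        k, v = item.split("=", 1)
        key = KEYS.get(k.strip()[:1].lower(), k.strip())
        opts[key] = v.strip()
    return opts

def parse_cf(text):
    """Return (list of daemon dicts, global milter list) from sendmail.cf text."""
    daemons, global_milters = [], []
    for line in text.splitlines():
        m = re.match(r"^O\s*(\w+)\s*=\s*(.*)$", line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "DaemonPortOptions":
            daemons.append(parse_daemon_options(value))
        elif name == "InputMailFilters":
            global_milters = [x.strip() for x in value.split(",") if x.strip()]
    return daemons, global_milters

def daemons_using_milter(text, milter):
    """Names of daemons whose effective milter list contains `milter`.
    A daemon's own InputMailFilters= overrides the global option."""
    daemons, global_milters = parse_cf(text)
    hits = []
    for d in daemons:
        own = d.get("InputMailFilters")
        effective = [x.strip() for x in own.split(",")] if own is not None else global_milters
        if milter in effective:
            hits.append(d.get("Name", "port " + d.get("Port", "?")))
    return hits

# Constructed sample: the global greylist milter applies to the MTA on port
# 25 and, since the MSA daemon does not override it, also to authenticated
# submission on 587, which is the situation Claus warns against.
SAMPLE_CF = "O InputMailFilters=greylist\nO DaemonPortOptions=Port=25, Name=MTA\nO DaemonPortOptions=Port=587, Name=MSA, M=Ea\n"
# Corrected form: the milter is attached to the MTA daemon only.
FIXED_CF = "O DaemonPortOptions=Port=25, Name=MTA, InputMailFilters=greylist\nO DaemonPortOptions=Port=587, Name=MSA, M=Ea\n"

if __name__ == "__main__":
    print(daemons_using_milter(SAMPLE_CF, "greylist"))  # ['MTA', 'MSA']
    print(daemons_using_milter(FIXED_CF, "greylist"))   # ['MTA']
```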
  • From The Doctor@21:1/5 to charles@manna.bc.ca on Tue Sep 7 14:27:56 2021
    In article <841ae66f-3620-4825-a9d6-61f3c7f2b355n@googlegroups.com>,
    Charles Wangersky <charles@manna.bc.ca> wrote:
    On Monday, September 6, 2021 at 10:31:50 PM UTC-7, Claus Aßmann wrote:
    Charles Wangersky wrote:

    From this it would appear that the milter is getting the connection before Sendmail
    That is impossible because sendmail provides the information to the milter.

    Then I don't know what is going on. Thunderbird reports bad password,
    and asks for a new one. Sendmail, on the other hand, reports the milter
    is unhappy, and that Thunderbird has gone away without doing anything. I
    will try to find the fine documentation - all I've found so far is the
    man pages - and will correct that... but the longer I look at this the
    loster I seem to get.

    You need to plug into something like cyrus-sasl for that to work.
    --
    Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
    Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
    Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b Canada on 20 Sept 2021 vote ! Beware https://mindspring.com

  • From Alex Haut@21:1/5 to All on Mon Oct 11 07:07:29 2021
    Not sure which greylist milter you are using, but I replaced my local instance by other tools with much better results. OpenDKIM, OpenDMARC and OpenARC (all available from github) combined with SPF (part of the OpenDMARC for one less thread/socket to
    be run), with the Enhanced DNSBL and the now included DANE+MTA-STS features of sendmail 8.17, grey listing has not been necessary at all. Yes, three separate processes and 7 verifications in total, but it all depends on how paranoid you want to be.
