• [gentoo-user] problem with saslauthd

    From John Covici@21:1/5 to All on Wed May 4 15:40:01 2022
    Hi. I have been using various clients to connect to my sendmail
    server using port 587 and using starttls to encrypt the connections
    and then using the plain mechanism to send the user name and password
    to authenticate.

    Last day or so this has stopped working -- I don't know that I changed
    anything (famous last words), but I do see the following if I run
    saslauthd -v:

    saslauthd 2.1.28
    authentication mechanisms: sasldb getpwent pam rimap shadow

    but I have in my Sendmail.conf file in /usr/lib64/sasl2:

    pwcheck_method: saslauthd
    allowanonymouslogin: 0
    allowplaintext: 1
    mech_list: EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
    log_level: 3
    #

    and this seems to be why if I run sendmail at a high enough loglevel
    I get the message saying
    authwarning: no mechanisms.

    So, after all that, anyone have an idea as to how to fix?

    Thanks.

    --
    Your life is like a penny. You're going to lose it. The question is:
    How do you spend it?

    John Covici wb2una
    covici@ccs.covici.com

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to John Covici on Thu May 5 18:30:01 2022
    On 5/4/22 7:31 AM, John Covici wrote:
    > Hi. I have been using various clients to connect to my sendmail
    > server using port 587 and using starttls to encrypt the connections
    > and then using the plain mechanism to send the user name and password
    > to authenticate.
    >
    > Last day or so this has stopped working -- I don't know that I changed
    > anything (famous last words),

    Assume that your configuration is at least acceptable until you have a
    reason to think otherwise.

    > So, after all that, anyone have an idea as to how to fix?

    Start with the simpler thing first.

    Is the SASL authentication daemon running?

    Did your (START)TLS certificate expire? Contemporary clients may
    silently refuse to use expired certs.

    > Thanks.

    You're welcome.

    Feel free to poke things and respond with more questions / details /
    errors / etc.



    --
    Grant. . . .
    unix || die

  • From Grant Taylor@21:1/5 to John Covici on Thu May 5 19:00:01 2022
    On 5/5/22 10:39 AM, John Covici wrote:
    > saslauthd is running, but it seems to ignore the Sendmail.conf.

    I think it's the other way around.

    Sendmail is told to support authentication via one or more methods, one
    of which can be SASL and co.

    The actual SASL auth daemon just listens on a unix socket and / or TCP
    port for clients to test authentication pairs, returning a pass / fail
    type message.

    > I used openssl s_client to connect to my sendmail, it was happy with
    > the certs, but in response to the ehlo gives me no auth line at all.

    :-/

    > Very strange.

    Very annoying, definitely.

    I don't know if it's strange yet or not. I think the strangeness will
    be confirmed or refuted after finding out why Sendmail isn't offering
    AUTH options.

    My favorite thing to turn to when things that used to work and now don't
    is to restore a backup of the configuration file and compare them. Can
    you do that with your sendmail.cf or sendmail.mc file?

    There's also a chance that it's your submit.cf or submit.mc file since
    we're talking about the MSA on port 587. (Unless you aren't using the
    separate MSA which has been standard for 15+ years.)



  • From John Covici@21:1/5 to Grant Taylor on Thu May 5 18:50:01 2022
    On Thu, 05 May 2022 12:22:55 -0400,
    Grant Taylor wrote:

    > On 5/4/22 7:31 AM, John Covici wrote:
    >> Hi. I have been using various clients to connect to my sendmail
    >> server using port 587 and using starttls to encrypt the connections
    >> and then using the plain mechanism to send the user name and password
    >> to authenticate.
    >>
    >> Last day or so this has stopped working -- I don't know that I changed
    >> anything (famous last words),
    >
    > Assume that your configuration is at least acceptable until you
    > have a reason to think otherwise.
    >
    >> So, after all that, anyone have an idea as to how to fix?
    >
    > Start with the simpler thing first.
    >
    > Is the SASL authentication daemon running?
    >
    > Did your (START)TLS certificate expire? Contemporary clients may
    > silently refuse to use expired certs.
    >
    >> Thanks.
    >
    > You're welcome.
    >
    > Feel free to poke things and respond with more questions /
    > details / errors / etc.

    saslauthd is running, but it seems to ignore the Sendmail.conf. I
    used openssl s_client to connect to my sendmail, it was happy with the
    certs, but in response to the ehlo gives me no auth line at all. Very
    strange.

  • From Grant Taylor@21:1/5 to John Covici on Thu May 5 21:50:02 2022
    On 5/5/22 1:24 PM, John Covici wrote:
    > I do have a submit.mc file, but I have not changed this at all.
    > What is strange to me is that if I do saslauthd -v should not I get
    > everything that my Sendmail.conf has?

    I would not assume so.

    I say that based on my understanding of how SASL and Sendmail interact.

    In many ways, Sendmail and SASL are two entirely separate sub-systems.
    Sendmail (as I usually see it configured) wholesale outsources testing
    authentication credentials. It does so by asking the completely
    independent SASL authentication daemon to test the credentials
    (nominally a username and password pair) to see if they are valid.
    SASL returns a yes / no to Sendmail. Sendmail alters what it does
    based on that answer.

    Since Sendmail and SASL are independent entities there is no reason for
    SASL to know anything about how Sendmail is configured.

    > I can check an old backup and see if I have one for my sendmail.mc and
    > get back.

    ACK



  • From John Covici@21:1/5 to Grant Taylor on Thu May 5 21:30:01 2022
    On Thu, 05 May 2022 12:52:45 -0400,
    Grant Taylor wrote:

    > On 5/5/22 10:39 AM, John Covici wrote:
    >> saslauthd is running, but it seems to ignore the Sendmail.conf.
    >
    > I think it's the other way around.
    >
    > Sendmail is told to support authentication via one or more
    > methods, one of which can be SASL and co.
    >
    > The actual SASL auth daemon just listens on a unix socket and /
    > or TCP port for clients to test authentication pairs, returning a
    > pass / fail type message.
    >
    >> I used openssl s_client to connect to my sendmail, it was happy
    >> with the certs, but in response to the ehlo gives me no auth
    >> line at all.
    >
    > :-/
    >
    >> Very strange.
    >
    > Very annoying, definitely.
    >
    > I don't know if it's strange yet or not. I think the strangeness
    > will be confirmed or refuted after finding out why Sendmail isn't
    > offering AUTH options.
    >
    > My favorite thing to turn to when things that used to work and
    > now don't is to restore a backup of the configuration file and
    > compare them. Can you do that with your sendmail.cf or
    > sendmail.mc file?
    >
    > There's also a chance that it's your submit.cf or submit.mc file
    > since we're talking about the MSA on port 587. (Unless you
    > aren't using the separate MSA which has been standard for 15+
    > years.)

    I do have a submit.mc file, but I have not changed this at all. What
    is strange to me is that if I do saslauthd -v should not I get
    everything that my Sendmail.conf has?

    I can check an old backup and see if I have one for my sendmail.mc and
    get back.

  • From John Covici@21:1/5 to Grant Taylor on Fri May 6 12:20:01 2022
    So, I restored all the files I could, like sendmail.mc and the
    Sendmail.conf, but no joy, still no authentication mechanisms. I
    restored them to about the first of April. This still leads me to
    saslauthd.

    On Thu, 05 May 2022 12:52:45 -0400,
    Grant Taylor wrote:

    > On 5/5/22 10:39 AM, John Covici wrote:
    >> saslauthd is running, but it seems to ignore the Sendmail.conf.
    >
    > I think it's the other way around.
    >
    > Sendmail is told to support authentication via one or more
    > methods, one of which can be SASL and co.
    >
    > The actual SASL auth daemon just listens on a unix socket and /
    > or TCP port for clients to test authentication pairs, returning a
    > pass / fail type message.
    >
    >> I used openssl s_client to connect to my sendmail, it was happy
    >> with the certs, but in response to the ehlo gives me no auth
    >> line at all.
    >
    > :-/
    >
    >> Very strange.
    >
    > Very annoying, definitely.
    >
    > I don't know if it's strange yet or not. I think the strangeness
    > will be confirmed or refuted after finding out why Sendmail isn't
    > offering AUTH options.
    >
    > My favorite thing to turn to when things that used to work and
    > now don't is to restore a backup of the configuration file and
    > compare them. Can you do that with your sendmail.cf or
    > sendmail.mc file?
    >
    > There's also a chance that it's your submit.cf or submit.mc file
    > since we're talking about the MSA on port 587. (Unless you
    > aren't using the separate MSA which has been standard for 15+
    > years.)



  • From John Covici@21:1/5 to Grant Taylor on Fri May 6 17:00:01 2022
    On Fri, 06 May 2022 10:47:15 -0400,
    Grant Taylor wrote:

    > On 5/6/22 4:09 AM, John Covici wrote:
    >> So, I restored all the files I could, like sendmail.mc and the
    >> Sendmail.conf, but no joy, still no authentication mechanisms.
    >> I restored them to about the first of April.
    >
    > Well darn. :-/
    >
    >> This still leads me to saslauthd.
    >
    > I didn't mean to imply that it /wasn't/ SASL, just that the two
    > are separate.
    >
    > Have you been maintaining your sendmail.cf via the sendmail.mc
    > file? Or are there unaccounted for hand edits? -- I'll often
    > test new things in sendmail.cf directly and then promote them to
    > sendmail.mc once I have identified what I want.
    >
    > Likewise with submit.cf / submit.mc.
    >
    > Would you be willing to share your sendmail.mc and submit.mc
    > files? Feel free to "REDACT" things as necessary. (Please make
    > sure it's easy to tell what is redacted.)

    I do not usually modify my sendmail.cf, I probably would make a
    mistake somewhere.

    So, here is my sendmail.mc, no passwords or anything secret that I am
    aware of.

    divert(0)dnl
    include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
    VERSIONID(`$Id: sendmail.mc,v 1.2 2004/12/07 01:59:31 g2boojum Exp $')dnl

    OSTYPE(mklinux)
    define(`confDONT_BLAME_SENDMAIL', `IncludeFileInUnsafeDirPath,AssumeSafeChown, GroupWritableForwardFileSafe, ForwardFileInGroupWritableDirPath,groupreadablekeyfile groupreadableSASLdbfile')dnl
    define(`LOCAL_MAILER_PATH', `/usr/sbin/mail.local')dnl
    define(`LOCAL_MAILER_FLAGS', `Ermn9')dnl
    define(`LOCAL_MAILER_ARGS', `mail $u')dnl
    FEATURE(`access_db')dnl
    FEATURE(`delay_checks', `friend')dnl

    dnl # The greet_pause feature stops some automail bots - but check the
    dnl # provided access db for details on excluding localhosts...
    FEATURE(`greet_pause', `1000')dnl 1 seconds
    dnl # Stop connections that overflow our concurrent and time connection rates
    FEATURE(`conncontrol', `nodelay', `terminate')dnl
    FEATURE(`ratecontrol', `nodelay', `terminate')dnl
    dnl #

    FEATURE(`mailertable')dnl
    FEATURE(`authinfo')dnl
    LOCAL_DOMAIN(`covici.com')dnl
    dnl #
    dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
    dnl # Remove `, Addr=' clauses to receive from any interface
    dnl # If you want to support IPv6, switch the commented/uncommented lines
    FEATURE(`no_default_msa')dnl
    dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
    DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp')dnl
    DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=587', `M=Ea')dnl
    dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, Addr=::1')dnl
    dnl DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, Addr=127.0.0.1')dnl
    define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')dnl
    define(`confMAX_HEADERS_LENGTH', `65536')dnl
    define(`confDELAY_LA', `20')dnl
    define(`confQUEUE_LA', `30')dnl
    define(`confREFUSE_LA', `20')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confTO_MAIL', `10m')dnl
    define(`confTO_RCPT', `1h')dnl
    define(`confTO_DATAINIT', `10m')dnl
    define(`confTO_DATABLOCK', `1h')dnl
    define(`confTO_DATAFINAL', `1h')dnl
    define(`confTO_MISC', `5m')dnl
    define(`confTO_AUTH', `20m')dnl
    define(`confAUTH_OPTIONS', `A p y')dnl
    define(`TRUST_AUTH_MECH', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confTLS_SRV_OPTIONS', `V')dnl
    dnl # CRL not found... do not issue warnings on it!
    undefine(`confCRL')dnl
    define(`confCACERT_PATH', `/etc/letsencrypt/live/ccs.covici.com/')dnl
    define(`confCACERT',`/etc/letsencrypt/live/ccs.covici.com/fullchain.pem')dnl
    define(`confCLIENT_CERT', `/etc/letsencrypt/live/ccs.covici.com/cert.pem')dnl
    define(`confCLIENT_KEY', `/etc/letsencrypt/live/ccs.covici.com/privkey.pem')dnl
    define(`confSERVER_CERT', `/etc/letsencrypt/live/ccs.covici.com/cert.pem')dnl
    define(`confSERVER_KEY', `/etc/letsencrypt/live/ccs.covici.com/privkey.pem')dnl

    LOCAL_CONFIG
    OA/etc/mail/bfg_list.txt
    define(`SMTP_MAILER_ARGS', `TCP $h 587')dnl
    define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
    FEATURE(`local_lmtp')dnl
    define(`LOCAL_MAILER_ARGS', `TCP $h 8024')dnl
    MAILER(local)
    MAILER(smtp)

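As an added example (not code from the thread or from Sendmail/Cyrus SASL), the following Python check compares the three places that must agree before a Sendmail MSA advertises AUTH: confAUTH_MECHANISMS and confAUTH_OPTIONS in sendmail.mc, mech_list in Sendmail.conf, and the 250-AUTH line of an EHLO reply such as one captured with openssl s_client -starttls smtp. It also accounts for the "p" AUTH option, which withholds PLAIN and LOGIN until STARTTLS is active, so a missing AUTH line on a plaintext connection is not mistaken for the "no mechanisms" failure discussed above. The config snippets and EHLO replies are constructed samples; the function names are this example's own.

```python
import re

# Constructed samples (not captured from the server in the thread): the
# mechanism settings mirror the thread's configs; the EHLO replies are the
# shape "openssl s_client -starttls smtp" prints after sending EHLO.
SASL_CONF = """pwcheck_method: saslauthd
mech_list: EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
"""
SENDMAIL_MC = """define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A p y')dnl
"""
EHLO_OK = "250-mail.example.test\r\n250-STARTTLS\r\n250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN\r\n250 HELP\r\n"
EHLO_NO_AUTH = "250-mail.example.test\r\n250-STARTTLS\r\n250 HELP\r\n"

# Mechanisms that carry the password in clear; Sendmail's 'p' AUTH option
# withholds them until a security layer (STARTTLS) is active.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def mc_define(mc_text, name):
    """Value of define(`name', `value') in sendmail.mc, or '' if absent."""
    m = re.search(r"define\(`%s',\s*`([^']*)'\)" % re.escape(name), mc_text)
    return m.group(1) if m else ""


def sasl_option(conf_text, key):
    """Value of 'key: value' in a Cyrus SASL application conf, or ''."""
    for line in conf_text.splitlines():
        k, sep, v = line.partition(":")
        if sep and k.strip().lower() == key:
            return v.strip()
    return ""


def ehlo_auth(ehlo_text):
    """Mechanisms advertised on 250-AUTH (or 250 AUTH / AUTH=) EHLO lines."""
    mechs = set()
    for line in ehlo_text.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.+)$", line.strip())
        if m:
            mechs.update(m.group(1).split())
    return mechs


def expected_auth(mc_text, conf_text, tls_active):
    """Mechanisms Sendmail should advertise given both configs."""
    mechs = set(mc_define(mc_text, "confAUTH_MECHANISMS").split())
    mechs &= set(sasl_option(conf_text, "mech_list").upper().split())
    if "p" in mc_define(mc_text, "confAUTH_OPTIONS").split() and not tls_active:
        mechs -= PLAINTEXT_MECHS
    return mechs


def diagnose(mc_text, conf_text, ehlo_text, tls_active):
    """Compare expected and advertised mechanisms; return a short verdict."""
    want = expected_auth(mc_text, conf_text, tls_active)
    got = ehlo_auth(ehlo_text)
    if not want:
        return "config: no mechanism is in both confAUTH_MECHANISMS and mech_list"
    if not got:
        return "no AUTH advertised: the SASL library gave Sendmail no usable mechanism"
    if got - want:
        return "unexpected mechanisms offered: " + " ".join(sorted(got - want))
    if want - got:
        return "missing mechanisms: " + " ".join(sorted(want - got))
    return "ok: " + " ".join(sorted(got))
```

Run diagnose() with tls_active set to whether the EHLO was captured after STARTTLS; the "no AUTH advertised" verdict with TLS active is the state the thread describes, whereas only PLAIN/LOGIN missing before STARTTLS is the "p" option working as intended.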
  • From Grant Taylor@21:1/5 to John Covici on Fri May 6 16:50:01 2022
    On 5/6/22 4:09 AM, John Covici wrote:
    > So, I restored all the files I could, like sendmail.mc and the
    > Sendmail.conf, but no joy, still no authentication mechanisms.
    > I restored them to about the first of April.

    Well darn. :-/

    > This still leads me to saslauthd.

    I didn't mean to imply that it /wasn't/ SASL, just that the two are
    separate.

    Have you been maintaining your sendmail.cf via the sendmail.mc file? Or
    are there unaccounted for hand edits? -- I'll often test new things in
    sendmail.cf directly and then promote them to sendmail.mc once I have
    identified what I want.

    Likewise with submit.cf / submit.mc.

    Would you be willing to share your sendmail.mc and submit.mc files?
    Feel free to "REDACT" things as necessary. (Please make sure it's easy
    to tell what is redacted.)



  • From John Covici@21:1/5 to Grant Taylor on Thu May 12 16:50:01 2022
    So, I went on to the sasl mailing list and someone found a patch --
    seems to be available for the freebsd port, and the patch was specific
    to sendmail and dev-libs/cyrus-sasl 2.1.28. I modified it for gentoo
    and it fixed everything up! I wonder if I should file this somewhere
    -- funny no one else noticed this before -- I saw nothing on bgo.

    On Fri, 06 May 2022 10:47:15 -0400,
    Grant Taylor wrote:

    > On 5/6/22 4:09 AM, John Covici wrote:
    >> So, I restored all the files I could, like sendmail.mc and the
    >> Sendmail.conf, but no joy, still no authentication mechanisms.
    >> I restored them to about the first of April.
    >
    > Well darn. :-/
    >
    >> This still leads me to saslauthd.
    >
    > I didn't mean to imply that it /wasn't/ SASL, just that the two
    > are separate.
    >
    > Have you been maintaining your sendmail.cf via the sendmail.mc
    > file? Or are there unaccounted for hand edits? -- I'll often
    > test new things in sendmail.cf directly and then promote them to
    > sendmail.mc once I have identified what I want.
    >
    > Likewise with submit.cf / submit.mc.
    >
    > Would you be willing to share your sendmail.mc and submit.mc
    > files? Feel free to "REDACT" things as necessary. (Please make
    > sure it's easy to tell what is redacted.)



  • From Grant Taylor@21:1/5 to John Covici on Thu May 12 18:00:01 2022
    On 5/12/22 8:42 AM, John Covici wrote:
    > So, I went on to the sasl mailing list and someone found a patch --
    > seems to be available for the freebsd port, and the patch was specific
    > to sendmail and dev-libs/cyrus-sasl 2.1.28. I modified it for gentoo
    > and it fixed everything up! I wonder if I should file this somewhere
    > -- funny no one else noticed this before -- I saw nothing on bgo.

    Hi John,

    I'm glad that you found a solution.

    I'm sorry that I've not responded to your detailed message yet. Life /
    $WORK has been really busy this week. I was planning on giving your
    message the attention it deserved this weekend.

    Yes, I suspect that a patch or at least a bug report to Gentoo would be
    good.

    I'd suggest starting communications with the Gentoo package maintainer
    if there is no better place. I expect that they will receive the patch
    and / or redirect you somewhere better.



  • From John Covici@21:1/5 to Grant Taylor on Thu May 12 19:40:01 2022
    On Thu, 12 May 2022 11:53:16 -0400,
    Grant Taylor wrote:

    > On 5/12/22 8:42 AM, John Covici wrote:
    >> So, I went on to the sasl mailing list and someone found a
    >> patch -- seems to be available for the freebsd port, and the
    >> patch was specific to sendmail and dev-libs/cyrus-sasl 2.1.28.
    >> I modified it for gentoo and it fixed everything up! I wonder
    >> if I should file this somewhere -- funny no one else noticed
    >> this before -- I saw nothing on bgo.
    >
    > Hi John,
    >
    > I'm glad that you found a solution.
    >
    > I'm sorry that I've not responded to your detailed message yet.
    > Life / $WORK has been really busy this week. I was planning on
    > giving your message the attention it deserved this weekend.
    >
    > Yes, I suspect that a patch or at least a bug report to Gentoo
    > would be good.
    >
    > I'd suggest starting communications with the Gentoo package
    > maintainer if there is no better place. I expect that they will
    > receive the patch and / or redirect you somewhere better.

    OK, I will see if I can find the maintainer, I saw lots of references
    in the bug list to maintainer wanted, we shall see.
