0

For reasons I can't get into at the moment, I'm authenticating to an SMB domain (using Samba 4.9.5 on a Debian host as the DC, if it matters) with a Mint Linux server in the domain with Samba 4.11.6 using Sendmail 8.15.2. I have Thunderbird on a third, Windows machine. The mail server also has Dovecot 2.3.7.2 installed. From Thunderbird, I can view, open and manipulate mailboxes with domain credentials. However, I cannot send mail: the same credentials that work to open the mailbox via Dovecot fail password validation when trying to send to port 587 on Sendmail. I do have a local account for the domain user; I'm told Dovecot needs that in order to keep its data. It seems to me that I somehow have to tell Sendmail to use the domain credentials rather than the local ones, but while I can see how to tell it how to accept credentials, I don't see how to tell it how to authenticate them. Am I missing something?

tsc_chazz

1 Answer

0

So I found an answer, but I've hit a wall. I'll post what I know, for the sake of future visitors, and may expand on this later if it turns out that there is information that I've missed.

The specific answer is, SMTP AUTH authenticates users by querying sasl. A standard install of Debian Linux may include parts of sasl but not all of it; it appears that you have to retrieve and install sasl-bin as well, in order to get saslauthd, and then edit its config file in order to enable and start the daemon. Of course pretty much all of the documentation an internet search returns is about sasl and what's available is sasl2, but recent versions of sendmail, despite things I've seen that say otherwise, do support sasl2.

Edit: As mentioned in the comments below, the last two pieces were eventually found.

First, I had forgotten that passwords expire by default.

Second, the SASL DB has to be group accessible, and Sendmail has to be told that's OK. The way you do that is, in the Sendmail MC file, you include

```
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
```
tsc_chazz
  • Did you ever get this resolved? Could you share links to the docs that helped you please? I'm having a similar problem. – Doug McLean Jul 22 '22 at 08:49
  • I did, and it makes me feel a bit stupid... I had forgotten that by default passwords expire. Once I reset the passwords for my test users, all was fine. I'll note that it is also important to keep `samba` up to date if you're using that for authentication. – tsc_chazz Jul 22 '22 at 20:11
  • Oh, another thing: you have to let Sendmail accept that the SASL DB is group accessible. In the Sendmail MC file, that's ``define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl`` – tsc_chazz Jul 24 '22 at 22:04
  • Great, thanks! In my case I was just a bit new to sasl and not getting the config quite right. That last nugget was a big help, thanks again – Doug McLean Jul 25 '22 at 18:40
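
A check for the permission and configuration mismatch described in the answer and its comments, as an added example that is not part of the original posts: it reads the mode of a SASL DB file and reports whether the `.mc` file carries the matching `GroupReadableSASLDBFile` define. Both paths are supplied by the caller, and the verdict names, along with the choice to flag world access or an unneeded define, are this example's own policy.

```shell
#!/bin/sh
# Added example, not from the original posts. Paths come from the caller;
# nothing here assumes where the .mc file or the SASL DB live on a host.

# True if the MC file has an active (not dnl-commented) confDONT_BLAME_SENDMAIL
# define that lists GroupReadableSASLDBFile.
has_group_readable_define() {
    grep -v '^[[:space:]]*dnl' "$1" |
        grep 'confDONT_BLAME_SENDMAIL' |
        grep -q 'GroupReadableSASLDBFile'
}

# audit_sasldb MC_FILE SASLDB_FILE
# Prints one verdict word and returns 0 only for "ok".
audit_sasldb() {
    mc=$1; db=$2
    if [ ! -f "$mc" ] || [ ! -f "$db" ]; then
        echo missing-input; return 2
    fi
    perms=$(ls -ld -- "$db" | cut -c1-10)       # e.g. -rw-r-----
    group_r=$(printf '%s' "$perms" | cut -c5)   # "r" if group can read
    other=$(printf '%s' "$perms" | cut -c8-10)  # "---" if no world access

    # Any permission for "other" is treated as a finding by this example.
    if [ "$other" != "---" ]; then
        echo world-accessible; return 1
    fi
    if [ "$group_r" = "r" ]; then
        # Group-readable DB: the define from the answer must be present.
        if has_group_readable_define "$mc"; then echo ok; return 0; fi
        echo missing-define; return 1
    fi
    # Owner-only DB: the relaxation is not needed, so report it if set.
    if has_group_readable_define "$mc"; then
        echo define-unneeded; return 1
    fi
    echo ok
}

# Stand-alone use: sh audit.sh /path/to/sendmail.mc /path/to/sasldb
if [ "$#" -eq 2 ]; then
    audit_sasldb "$1" "$2"
fi
```
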