
I'm struggling to create the satisfactory set of records in sasldb2.db. If I use the regular

saslpasswd2 -c user

I get exactly one record, according to sasldblistusers2:

user@my.example.com:    userPassword

whereas this page leads me to believe there ought to be a line for each mechanism (DIGEST-MD5, CRAM-MD5, and so on).

If I add -n to avoid storing the plain-text (I only really need the CRAM-MD5):

saslpasswd2 -n -c user

then sasldblistusers2 finds no records to list at all. My saslpasswd.conf consists of two lines:

mech_list:      cram-md5 digest-md5 ntlm plain
log_level:      9

I tried this on FreeBSD using cyrus-sasl-2.1.26_12 and Ubuntu with 2.1.25... What am I doing wrong?


I need CRAM-MD5 because, without further reconfiguring, my sendmail only lists that and DIGEST-MD5 as the acceptable AUTH-mechanisms. And the iPhones, apparently, do not support DIGEST-MD5. And I'm only doing all of this for the sake of a couple of iPhones -- the normal computers already authenticate themselves with the client SSL-certificates issued by my own authority.


OK, apparently, the CRAM-MD5 authentication has been succeeding all along -- despite not being listed by sasldblistusers2. I created a new question -- why does sendmail refuse relaying despite the authentication's success.

Mikhail T.
  • I updated my question to answer yours. Now, can we, please, go back to the subject matter? Why is `saslpasswd2` not creating all of the records expected? – Mikhail T. Oct 08 '17 at 21:24
  • iPhones might work with `PLAIN`, but my sendmail does not offer it. Either way, `saslpasswd2` has to work and it does not. Can we talk about _that_, perhaps? – Mikhail T. Oct 09 '17 at 00:17
  • Maybe it’s a -u realm problem? – eckes Oct 22 '17 at 20:19
  • @eckes, at this point I'm willing to believe anything -- if _you_ manage to create a SASL db with a CRAM-MD5 entry for a user on your machine, do post the command line and, if I can reproduce it, I'll award you the bounty :) – Mikhail T. Oct 23 '17 at 14:30
  • The page you've linked to says right at the bottom in a highlighted section "In Cyrus-SASL-2.x users in sasldb2 are listed with sasldblistusers2 and the output will only produce one single line.", i.e. without the realms and mechanisms. Have you added `pwcheck_method: auxprop` and `auxprop_plugin: sasldb` to your SASL/Sendmail configuration? – bodgit Oct 23 '17 at 16:39
  • @bodgit, I tried various settings but could not get the desired result. If you manage to do it -- and post the relevant config-file(s) and command-line, the bounty is yours... – Mikhail T. Oct 24 '17 at 02:44


I've managed to get it working with the following:

/etc/mail/sendmail.mc has the following set:

define(`confLOG_LEVEL', `13')dnl
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5')dnl

/etc/sasl2/Sendmail.conf contains the following:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list:      cram-md5 digest-md5
log_level:      9

Add a user to /etc/sasldb2 with:

# saslpasswd2 -c -u mail.example.com -a Sendmail test
<password>
<password>

Then test with:

# sendmail -O LogLevel=14 -bs -Am
220 server.example.com ESMTP Sendmail 8.14.7/8.14.7; Tue, 24 Oct 2017 09:24:44 +0100
ehlo localhost
250-server.example.com Hello root@localhost, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
AUTH CRAM-MD5
334 <challenge>
<generate response using test@mail.example.com, password and the above challenge text>
235 2.0.0 OK Authenticated

You can probably pare the settings down to the absolute minimum, but the above worked for me. This was on a RHEL 7 host.

bodgit
  • Nope, not working... `sasldblistusers2` still only lists one entry and sendmail still rejects the iPhone with `403 4.7.0 not authenticated`. BTW, _how_ do you "generate response" to a `CRAM-MD5` challenge? – Mikhail T. Oct 27 '17 at 03:02
  • I used http://busylog.net/cram-md5-online-generator/ to generate the response. With the logging in Sendmail increased as I did, you should see some sort of SASL messages indicating if the authentication was successful or not. – bodgit Oct 27 '17 at 07:23