Post by Stephen Borrill
I've upgraded to pkgsrc-2022Q1 and now SMTP AUTH no longer works. This
upgrades all the cyrus stuff to 2.1.28 from 2.1.27 as well as revbumping
sendmail 8.16.1. The configuration files have not changed and yes, I'm
installing the cy2-plain, etc. plugins.
I've found that if I revert to my previous pkg set and then upgrade just
the cyrus components to 2.1.28, then it still works. If I upgrade sendmail
from 8.16.1 to 8.16.1nb1 (which also requires me to force upgrade
openldap-client) then this stops AUTH working (whichever version of the
cyrus components are in place).
I've tried to use ktrace to work out what's happening, but sendmail seems
to be successfully opening the various sasl files and I don't see any
obvious differences between the good and bad traces. Any ideas on how to
debug this?
I've done further testing. If I have cyrus-sasl 2.1.28 installed when I build
sendmail, SMTP AUTH does not work. If I have 2.1.27 installed when building
(but all other packages from pkgsrc-2022Q1), it does work. After building
sendmail, I can upgrade sasl from 2.1.27 to 2.1.28 though and it
continues to work.
a) No 250-AUTH LOGIN PLAIN line in response to EHLO over TLS
b) "AUTH warning: no mechanisms" in maillog
I rebuilt the cyrus 2.1.28 packages just in case, which makes no
difference.
Both the 2.1.27 and 2.1.28 packages show the full list of plugins using
the pluginviewer command. The only difference is that the order of the PLAIN
and LOGIN mechanisms is swapped, i.e.
Installed and properly configured SASL (server side) mechanisms are:
- EXTERNAL NTLM PLAIN LOGIN
+ EXTERNAL NTLM LOGIN PLAIN
Available SASL (server side) mechanisms matching your criteria are:
- NTLM PLAIN LOGIN
+ NTLM LOGIN PLAIN
Here's the output with 2.1.27:
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 8
supports store: yes
Installed and properly configured SASL (server side) mechanisms are:
EXTERNAL NTLM PLAIN LOGIN
Available SASL (server side) mechanisms matching your criteria are:
NTLM PLAIN LOGIN
List of server plugins follows
Plugin "ntlm" [loaded], API version: 4
SASL mechanism: NTLM, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "login" [loaded], API version: 4
SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features:
Installed and properly configured SASL (client side) mechanisms are:
EXTERNAL NTLM PLAIN LOGIN
Available SASL (client side) mechanisms matching your criteria are:
EXTERNAL NTLM PLAIN LOGIN
List of client plugins follows
Plugin "EXTERNAL" [loaded], API version: 4
SASL mechanism: EXTERNAL, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "ntlm" [loaded], API version: 4
SASL mechanism: NTLM, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "login" [loaded], API version: 4
SASL mechanism: LOGIN, best SSF: 0
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: SERVER_FIRST
I'm confused a bit about the sendmail+sasl build process. sendmail is
built with -DSASL=2 but the source suggests that this should be 20127
for 2.1.27, etc. Building with anything != 2 doesn't work though.
# if SASL >= 20000
        result = sasl_server_new("smtp", hostname, NULL, NULL, NULL,
                                 NULL, 0, conn);
# elif SASL > 10505
        /* use empty realm: only works in SASL > 1.5.5 */
        result = sasl_server_new("smtp", hostname, "", NULL, 0, conn);
# else /* SASL >= 20000 */
        /* use no realm -> realm is set to hostname by SASL lib */
        result = sasl_server_new("smtp", hostname, NULL, NULL, 0,
                                 conn);
# endif /* SASL >= 20000 */
--
Stephen
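
The check below is an added example, not part of the original post: it compares the server-side mechanisms pluginviewer reports with what the MTA advertises in its EHLO reply, which separates "the SASL library finds no plugins" from "the MTA offers none of them" (the situation described above). The EHLO replies are constructed sample data and the function names are hypothetical.

```python
import re

# Excerpt of the pluginviewer output quoted in the post (2.1.27 run).
PLUGINVIEWER = """\
Installed and properly configured SASL (server side) mechanisms are:
EXTERNAL NTLM PLAIN LOGIN
Available SASL (server side) mechanisms matching your criteria are:
NTLM PLAIN LOGIN
List of server plugins follows
"""

# Constructed EHLO replies (hostnames and extension list are made up).
EHLO_GOOD = """\
250-mail.example.org Hello client.example.org, pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-AUTH LOGIN PLAIN
250 HELP
"""
EHLO_BAD = EHLO_GOOD.replace("250-AUTH LOGIN PLAIN\n", "")


def library_mechs(pluginviewer_output):
    """Mechanisms on the line after the 'Available SASL (server side)' header."""
    lines = pluginviewer_output.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.startswith("Available SASL (server side) mechanisms"):
            return set(lines[i + 1].split())
    return set()


def advertised_mechs(ehlo_reply):
    """Mechanisms on '250-AUTH ...' lines (also accepts the old 'AUTH=' form)."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.+)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs


def diagnose(pluginviewer_output, ehlo_reply):
    """Summarise where the mechanism list is lost: library side or MTA side."""
    lib = library_mechs(pluginviewer_output)
    adv = advertised_mechs(ehlo_reply)
    if not lib:
        return "library lists no server mechanisms"
    if not adv:
        return "library lists %s but the MTA advertises no AUTH" % sorted(lib)
    return "advertised: %s; library-only: %s" % (sorted(adv), sorted(lib - adv))
```

A mechanism that is library-only in the good case is not itself a fault, since the MTA configuration can restrict which mechanisms it offers.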