help diagnosing smtp auth problem

I'm running into a problem with Sendmail trying to implement SMTP-auth. I'm running 8.14.5 and have saslauthd running. I don't believe I have starttls enabled - just looking for basic auth, but am wondering if my configuration is not compatible with modern mail clients? I don't think I have any certs set up.

It seems an older version of Microsoft Outlook Express works fine with SMTP-auth with no problems, but Outlook 2010 won't work, and neither will Eudora (basic settings to not use encryption and use same uid/pw as pop3 account name).

When trying to send mail the server reports:
Code:
550 571 Relaying Denied. Proper authentication required.

Is there some config that I am missing? Why does it work with Outlook Express but not other e-mail clients?

My site.config.m4 has:
Code:
APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
dnl APPENDDEF(`confLIBDIRS', `-L/usr/local/lib/sasl2')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib')
APPENDDEF(`confINCDIRS', `-I/usr/local/include')

Code:
# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 xxxt ESMTP Sendmail 8.14.5/8.14.5; Fri, 15 Jun 2012 18:28:03 -0500 (CDT)
ehlo localhost
250-xxxx Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250-DELIVERBY
250 HELP

Anyone have any ideas?
 
I have this in my sendmail.mc

Code:
define(`ConfAUTH_OPTIONS',`A')
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`ConfAUTH_MECHANISMS',`LOGIN PLAIN')dnl

Still no luck. Anyone have any ideas?
 
I'm also wondering if enabling STARTTLS will help but I am not sure how to define certs since the instructions I see assume there's an /etc/mail/ssl directory with a sendmail.pem in it and there isn't. Do I need to find the cert paths in sendmail.mc before 250-STARTTLS will be an option?
 
The version with the ports/pkg system is 8.14.2 - I tried that, no luck. I have been using the source version I compiled manually and no luck with that either.

I have been wrestling with this for days, scouring the net and cannot find anything that helps. It could be something as simple as a configuration glitch, I just don't know. If anybody can help it would be so much appreciated. It's been troubling me for the last six months.
 
Here's what's weird. I can test the auth this way:

Code:
# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 xxxx ESMTP Sendmail 8.14.5/8.14.5; Sat, 16 Jun 2012 14:58:59 -0500 (CDT)
ehlo localhost
250-xx Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250-DELIVERBY
250 HELP

AUTH LOGIN (base64uid)
334 xxxxx
(base64 password)
235 2.0.0 OK Authenticated
quit
221 2.0.0 xx closing connection
Connection closed by foreign host.
 
I cleared things out and went to /usr/ports/mail/sendmail-sasl and installed that version. I'm still getting auth errors. Anyone have any ideas? Here's loglevel 14 messages:

Code:
Jun 17 00:27:35 x sm-mta[59290]: NOQUEUE: connect from x [x]
Jun 17 00:27:35 x sm-mta[59290]: AUTH: available mech=SCRAM-SHA-1 GSSAPI DIGEST-MD5 OTP CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS, allowed mech=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Jun 17 00:27:35 x sm-mta[59290]: q5H5RZd4059290: Milter: no active filter
Jun 17 00:27:35 x sm-mta[59290]: q5H5RZd4059290: AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: user: x@myhost.com property: cmusaslsecretCRAM-MD5 not found in sasldb, relay=x [x]
Jun 17 00:27:36 x sm-mta[59290]: q5H5RZd5059290: ruleset=check_rcpt, arg1=<x@gmail.com>, relay=x [x], reject=550 5.7.1 <x@gmail.com>... Relaying denied. Proper authentication required.
Jun 17 00:27:36 x sm-mta[59290]: q5H5RZd5059290: from=<x>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MSA, relay=x [x]

For user it lists username@hostname - I do not know if it's expecting usernames in /etc/password to be @hostname or that's just the log format, or there's an auth mechanism that is not properly working? I take it programs like Eudora default to CRAM-MD5?


What's odd is, I managed to get auth to work by using this in sendmail.mc:

Code:
TRUST_AUTH_MECH(`DIGEST-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 LOGIN PLAIN')dnl

If I took out CRAM-MD5 as auth method it worked. Anyone know why? Does Sendmail mess up the user id format for that mechanism? Or is there an incompatibility with FreeBSD?
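
An added example, not part of the original posts: a small Python checker that reads an EHLO reply and sendmail AUTH log lines like the ones quoted in this thread. It flags shared-secret mechanisms (such as CRAM-MD5) that failed because the server has no stored secret in sasldb, which saslauthd cannot substitute for since it only verifies plaintext passwords, and it flags PLAIN/LOGIN being offered without STARTTLS. The function names and finding codes are invented for this example, and it assumes saslauthd is the only password backend, as described in the first post.

```python
import re

# Shared-secret mechanisms: the server must hold the secret itself (sasldb).
# saslauthd can only check a plaintext password, i.e. PLAIN and LOGIN.
SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5", "SCRAM-SHA-1"}
PLAINTEXT = {"PLAIN", "LOGIN"}
FAIL_RE = re.compile(r"AUTH failure \((?P<mech>[\w-]+)\): (?P<reason>.+?) \(-?\d+\)")
PROP_RE = re.compile(r"property: (?P<prop>\S+) not found in sasldb")

def parse_ehlo(lines):
    """Return (advertised AUTH mechanisms, whether STARTTLS is offered)."""
    mechs, starttls = set(), False
    for line in lines:
        keyword = line[4:].strip().upper()  # drop the "250-" / "250 " prefix
        if keyword.startswith("AUTH"):      # "AUTH ..." or legacy "AUTH=..."
            mechs.update(keyword[4:].lstrip("= ").split())
        elif keyword == "STARTTLS":
            starttls = True
    return mechs, starttls

def parse_auth_failures(log_lines):
    """Return (mechanism, reason, missing sasldb property or None) per failure."""
    failures = []
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            p = PROP_RE.search(line)
            failures.append((m["mech"], m["reason"], p["prop"] if p else None))
    return failures

def diagnose(ehlo_lines, log_lines):
    """Return a list of (finding code, detail) tuples."""
    mechs, starttls = parse_ehlo(ehlo_lines)
    findings = []
    for mech, reason, prop in parse_auth_failures(log_lines):
        if mech in SHARED_SECRET and prop:
            findings.append(("NO_SASLDB_SECRET", f"{mech}: {prop} missing ({reason})"))
    if mechs & PLAINTEXT and not starttls:
        detail = f"{sorted(mechs & PLAINTEXT)} offered, no STARTTLS"
        findings.append(("PLAINTEXT_WITHOUT_TLS", detail))
    return findings

# Sample input copied from the redacted output quoted in the thread.
EHLO = ["250-xxxx Hello localhost [127.0.0.1], pleased to meet you",
        "250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN", "250-DELIVERBY", "250 HELP"]
LOG = ["Jun 17 00:27:35 x sm-mta[59290]: q5H5RZd4059290: AUTH failure (CRAM-MD5): "
       "user not found (-20) SASL(-13): user not found: user: x@myhost.com "
       "property: cmusaslsecretCRAM-MD5 not found in sasldb, relay=x [x]"]
if __name__ == "__main__":
    print(diagnose(EHLO, LOG))
```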
 