From: Caspar Clemens Mierau (ccm at damokles dot de)
Date: Sun Nov 14 2004 - 08:37:48 EST
Hello all,
I'm having trouble setting up SASL2 with Sendmail and MySQL to auth against
LOGIN.
Sendmail works fine together with sasl2, auxprop and mysql when clients
like Mozilla or Opera Mail use CRAM-MD5. LOGIN is not accepted, though it is
enabled and trusted in Sendmail, as seen here:
Nov 14 14:21:05 chaos sm-mta[742]: AUTH: available mech=PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS, allowed mech=EXTERNAL LOGIN PLAIN DIGEST-MD5 CRAM-MD5 GSSAPI KERBEROS_V4
But when trying LOGIN I get the following error:
Nov 14 14:27:48 chaos sm-mta[2752]: iAEDRlSP002752: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
The corresponding SQL queries are correct (they only return the password in plain
text).
I hope you have some hints,
thanks in advance - configuration follows:
###system setup:
OpenBSD 3.6
cyrus-sasl-2.1.19-sql
Sendmail 8.13.0
mysql-server-4.0.20
###sendmail.mc:
(Tried with "define(`confAUTH_OPTIONS', `A')dnl" and without it.)
--------snip---------
divert(0)dnl
VERSIONID(`@(#)openbsd-auth.mc $Revision: 1.6 $')
OSTYPE(openbsd)
FEATURE(nouucp, `reject')
FEATURE(`no_default_msa')
FEATURE(`accept_unresolvable_domains')
FEATURE(`accept_unqualified_senders')
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')
DOMAIN(gangway.de)dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
define(`confLOG_LEVEL',`100')
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
MAILER(local)
MAILER(smtp)
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`EXTERNAL LOGIN PLAIN DIGEST-MD5 CRAM-MD5 GSSAPI KERBEROS_V4')dnl
define(`confAUTH_MECHANISMS',`EXTERNAL LOGIN PLAIN DIGEST-MD5 CRAM-MD5 GSSAPI KERBEROS_V4')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth/auth-info')dnl
DAEMON_OPTIONS(`Family=inet, address=0.0.0.0, Name=MTA')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
INPUT_MAIL_FILTER(`avmilter',`S=inet:3333@localhost,F=T,T=S:10m;R:10m;E:5m')
dnl
dnl Some broken nameservers will return SERVFAIL (a temporary failure)
dnl on T_AAAA (IPv6) lookups.
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
dnl
dnl Enforce valid Message-Id to help stop spammers
dnl
LOCAL_RULESETS
HMessage-Id: $>CheckMessageId
SCheckMessageId
R< $+ @ $+ > $@ OK
R$* $#error $: 553 Header Error
--------snap---------
###Sendmail.conf:
(Tried with setting mechs manually and without)
--------snip---------
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: localhost
sql_user: <USER>
sql_passwd: <PASSWORD>
sql_database: mail
sql_select: SELECT userPassword FROM users WHERE user = '%u' AND realm = '%r' AND valid = '1'
--------snap---------
###cyrus sasl libs
--------snip---------
libanonymous.a
libanonymous.la
libanonymous.so.2.19
libcrammd5.a
libcrammd5.la
libcrammd5.so.2.19
libdigestmd5.a
libdigestmd5.la
libdigestmd5.so.2.19
libgssapiv2.a
libgssapiv2.la
libgssapiv2.so.2.19
liblogin.a
liblogin.la
liblogin.so.2.19
libotp.a
libotp.la
libotp.so.2.19
libplain.a
libplain.la
libplain.so.2.19
libsasldb.a
libsasldb.la
libsasldb.so.2.19
libsql.a
libsql.la
libsql.so.2.19
--------snap---------