Исходное сообщение
"Sendmail SASL2 пароли из /etc/passwd" Отправлено lavr, 27-Фев-07 13:17
>>>>Если у вас фсЁ исть, дык у чем дело?! >>>>https://www.opennet.ru/search.shtml?words=freebsd+sendmail+au... >>> >>>Дык ХЗ!!! Уже на рученки косо посматриваю((( >>>Пойду учить матчасть. >>> >>>Спасибо за помощь! >> >>что мешает проверить LOGIN и AUTH используя telnet - это самая точная >>проверка. > >Пробовал, не проходит! > >a testauthd проходит > >Что характерно: >saslauthd -a getpwent >saslauthd -a sasldb >saslauthd незапущен вообще > >а ошибка одна и таже!!!! > >Я тут на права доступа грешить думаю, бо уже не знаю на >что еще. Какие права доступа?! Там все step-by-step расписано, делов на 5 МИНУТ: берем свежую машину с 6.2-RELEASE и портами от нее же, - sendmail не настроен и не стартован - cyrus+sasl2 - не установлен - cyrus+sasl2+saslauthd - не установлен - пользователей нет ставим сразу cyrus-sasl2-saslauthd - собственно этот порт БОЛВАНКА для базового порта cyrus-sasl2, который соберется автоматом с большинством МЕТОДОВ AUTH, при сборке можно самостоятельно задать, например: # make WITH_LOGIN=yes WITHOUT_PLAIN=yes и тд и тп ниже все by default, итак собираем saslauthd, комментарии по ходу: [test-1!ttyp6]~ > uname -irsm FreeBSD 6.2-RELEASE i386 HOME62 [test-1!ttyp6]~ > cd /usr/ports/security/cyrus-sasl2-saslauthd [test-1!ttyp6]/usr/ports/security/cyrus-sasl2-saslauthd > make ... устанавливается как зависимость: cyrus-sasl2 на другом экране смотрим: [test-1!ttyp9]~ > ls -la /var/db/pkg/ | grep sasl drwxr-xr-x   2 root  wheel   512 Feb 26 22:15 cyrus-sasl-2.1.22 [test-1!ttyp9]~ > после установки которого было выдано сообщение: You can use sasldb2 for authentication, to add users use:         saslpasswd2 -c username If you want to enable SMTP AUTH with the system Sendmail, read Sendmail.README NOTE: This port has been compiled with a default pwcheck_method of       auxprop.  If you want to authenticate your user by /etc/passwd,       PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and       set sasl_pwcheck_method to saslauthd after installing the       Cyrus-IMAPd 2.X port.  You should also check the       /usr/local/lib/sasl2/*.conf files for the correct       pwcheck_method. прокручиваем лог сборки дальше и видим: ... checking CRAM-MD5... enabled ... checking DIGEST-MD5... enabled checking OTP... enabled ... checking for OPIE... yes checking SRP... disabled checking KERBEROS_V4... disabled ... checking GSSAPI... with implementation heimdal checking for res_search in -lresolv... (cached) no checking for gsskrb5_register_acceptor_identity... yes checking to use mutexes aroung GSS calls... no checking PLAIN... enabled checking ANONYMOUS... enabled checking LOGIN... enabled checking NTLM... disabled checking PASSDSS... disabled checking SQL... disabled checking LDAPDB... disabled ... cc  -O2 -fno-strict-aliasing -pipe  -rpath=/usr/lib:/usr/local/lib -o saslcache saslcache.o   cd /usr/ports/security/cyrus-sasl2-saslauthd/work/cyrus-sasl-2.1.22/saslauthd && make testsaslauthd `testsaslauthd' is up to date. [test-1!ttyp6]/usr/ports/security/cyrus-sasl2-saslauthd > saslauthd собран, посмотрим интересующее нас как минимум: PLAIN и LOGIN: [test-1!ttyp6]/usr/ports/security/cyrus-sasl2-saslauthd > grep SASLAUTHD work/cyrus-sasl-2.1.22/config.h #define HAVE_SASLAUTHD #define PATH_SASLAUTHD_RUNDIR "/var/run/saslauthd" [test-1!ttyp6]/usr/ports/security/cyrus-sasl2-saslauthd > grep LOGIN work/cyrus-sasl-2.1.22/config.h /* Link LOGIN Staticly */ #define STATIC_LOGIN [test-1!ttyp6]/usr/ports/security/cyrus-sasl2-saslauthd > grep PLAIN work/cyrus-sasl-2.1.22/config.h /* Link PLAIN Staticly */ #define STATIC_PLAIN [test-1!ttyp6]/usr/ports/security/cyrus-sasl2-saslauthd > grep MD5 work/cyrus-sasl-2.1.22/config.h /* Link CRAM-MD5 Staticly */ #define STATIC_CRAMMD5 /* Link DIGEST-MD5 Staticly */ #define STATIC_DIGESTMD5 [test-1!ttyp6]/usr/ports/security/cyrus-sasl2-saslauthd > grep GSS work/cyrus-sasl-2.1.22/config.h /* should we mutex-wrap calls into the GSS library? */ /* #undef GSS_USE_MUTEXES */ #define HAVE_GSSAPI_H #define HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY 1 /* Define if your GSSAPI implimentation defines GSS_C_NT_HOSTBASED_SERVICE */ #define HAVE_GSS_C_NT_HOSTBASED_SERVICE /* Define if your GSSAPI implimentation defines GSS_C_NT_USER_NAME */ #define HAVE_GSS_C_NT_USER_NAME /* Link GSSAPI Staticly */ #define STATIC_GSSAPIV2 [test-1!ttyp6]/usr/ports/security/cyrus-sasl2-saslauthd > делаем install: [test-1!ttyp6]/usr/ports/security/cyrus-sasl2-saslauthd > make install ... **************************************************************************** To run saslauthd from startup, add saslauthd_enable="YES" in your /etc/rc.conf. **************************************************************************** ... мы используем универсальный метод - демон saslauthd, вот и проверяем: [test-1!ttyp9]~ > cat /usr/local/lib/sasl2/Sendmail.conf pwcheck_method: saslauthd [test-1!ttyp9]~ > grep saslauth /etc/rc.conf #--saslauthd saslauthd_enable="YES" saslauthd_flags="-a getpwent" [test-1!ttyp9]~ > [test-1!ttyp9]~ > /usr/local/etc/rc.d/saslauthd start Starting saslauthd. [test-1!ttyp9]~ > ps axuww | grep saslauth root   67344  0,0  0,1  2864  1544  ??  Ss   10:38PM   0:00,00 /usr/local/sbin/saslauthd -a getpwent root   67345  0,0  0,1  2864  1544  ??  S    10:38PM   0:00,00 /usr/local/sbin/saslauthd -a getpwent root   67346  0,0  0,1  2864  1544  ??  S    10:38PM   0:00,00 /usr/local/sbin/saslauthd -a getpwent root   67347  0,0  0,1  2864  1544  ??  S    10:38PM   0:00,00 /usr/local/sbin/saslauthd -a getpwent root   67348  0,0  0,1  2864  1544  ??  S    10:38PM   0:00,00 /usr/local/sbin/saslauthd -a getpwent [test-1!ttyp9]~ > задаем флаги для сборки sendmail в /etc/make.conf: [test-1!ttyp6]~ > cat /etc/make.conf # added by use.perl 2007-02-20 12:50:14 PERL_VER=5.8.8 PERL_VERSION=5.8.8 USE_LINUX=rh OVERRIDE_LINUX_BASE_PORT=rh #MODULES_OVERRIDE=      sound #Sendmail with SASLv2: SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2 SENDMAIL_LDFLAGS=-L/usr/local/lib SENDMAIL_LDADD=-lsasl2 [test-1!ttyp6]~ > останавливаем saendmail, ибо будем делать позже install: [test-1!ttyp6]~ > cd /etc/mail [test-1!ttyp6]/etc/mail > make stop Stopping: sendmail sendmail-clientmqueue. [test-1!ttyp6]/etc/mail > ps axuww | grep sendmail root   71570  0,0  0,1  1600   992  p6  S+   11:57AM   0:00,00 grep sendmail [test-1!ttyp6]/etc/mail > собираем СИСТЕМНЫЙ sendmail c SASL2 поддержкой: [test-1!ttyp6]~ > rm -rf /usr/obj/usr [test-1!ttyp6]~ > cd /usr/src/lib/libsmutil/ [test-1!ttyp6]/usr/src/lib/libsmutil > make clean && make obj && make depend && make [test-1!ttyp6]/usr/src/lib/libsmutil > cd /usr/src/lib/libsm/ [test-1!ttyp6]/usr/src/lib/libsm > make clean && make obj && make depend && make [test-1!ttyp6]/usr/src/lib/libsm > cd /usr/src/usr.sbin/sendmail/ [test-1!ttyp6]/usr/src/usr.sbin/sendmail > make clean && make obj && make depend && make && make install [test-1!ttyp6]/usr/src/usr.sbin/sendmail > проверяем как собрался: [test-1!ttyp6]~ > echo \n | /usr/sbin/sendmail -bt -d0.1 | grep SASL                 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 [test-1!ttyp6]~ > создаем sendmail/submit.mc для ПРОВЕРКИ, я лично создаю для проверки, остальные под себя! [test-1!ttyp6]/etc/mail > less test.mc ----------------------------- test.mc ------------------------------------- divert(-1) # # Copyright (c) 1983 Eric P. Allman # Copyright (c) 1988, 1993 #       The Regents of the University of California.  All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright #    notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright #    notice, this list of conditions and the following disclaimer in the #    documentation and/or other materials provided with the distribution. # 3. All advertising materials mentioning features or use of this software #    must display the following acknowledgement: #       This product includes software developed by the University of #       California, Berkeley and its contributors. # 4. Neither the name of the University nor the names of its contributors #    may be used to endorse or promote products derived from this software #    without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # #  This is a generic configuration file for FreeBSD 5.X and later systems. #  If you want to customize it, copy it to a name appropriate for your #  environment and do the modifications there. # #  The best documentation for this .mc file is: #  /usr/share/sendmail/cf/README or #  /usr/src/contrib/sendmail/cf/README # divert(0) VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.30.2.2 2006/08/23 03:31:00 gshapiro Exp $') OSTYPE(freebsd6) DOMAIN(generic) FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access') FEATURE(blacklist_recipients) FEATURE(local_lmtp) FEATURE(mailertable, `hash -o /etc/mail/mailertable') FEATURE(virtusertable, `hash -o /etc/mail/virtusertable') dnl Only Host Relay FEATURE(relay_hosts_only) dnl Lavr - don't allow user@host.dubna.ru dnl        all outgoing mail should be user@dubna.ru dnl        converting ALL OLDER cntc.dubna.su to dubna.ru dnl MASQUERADE_AS(`dubna.ru')dnl MASQUERADE_DOMAIN(`dubna.ru')dnl FEATURE(`masquerade_entire_domain')dnl dnl Lavr - do envelope e-mail address for has chance to see it FEATURE(`masquerade_envelope')dnl dnl Dialup users should uncomment and define this appropriately define(`SMART_HOST', `mail.dubna.ru') dnl Uncomment the first line to change the location of the default dnl /etc/mail/local-host-names and comment out the second line. dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw') define(`confCW_FILE', `-o /etc/mail/local-host-names') dnl Enable for both IPv4 and IPv6 (optional) DAEMON_OPTIONS(`Name=IPv4, Family=inet') dnl DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O') define(`confBIND_OPTS', `WorkAroundBrokenAAAA') define(`confNO_RCPT_ACTION', `add-to-undisclosed') define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy') dnl set SASL options TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN') define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN') MAILER(local) MAILER(smtp) ------------------------------- end of test.mc --------------------------- submit.mc: ------------------------------- submit.mc -------------------------------- divert(-1) # # Copyright (c) 2001-2003 Sendmail, Inc. and its suppliers. #       All rights reserved. # # By using this file, you agree to the terms and conditions set # forth in the LICENSE file which can be found at the top level of # the sendmail distribution. # # # #  This is the FreeBSD configuration for a set-group-ID sm-msp sendmail #  that acts as a initial mail submission program. # # divert(0)dnl VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.submit.mc,v 1.1.12.2 2006/08/23 03 :31:00 gshapiro Exp $') define(`confCF_VERSION', `Submit')dnl define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet define(`confTIME_ZONE', `USE_TZ')dnl define(`confDONT_INIT_GROUPS', `True')dnl define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl dnl dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1] FEATURE(`msp', `[127.0.0.1]')dnl dnl disable SMTP AUTH for loopback interface dnl отрубить smtp-auth для почты через localhost DAEMON_OPTIONS(`Name=NoMTA, Addr=127.0.0.1, M=EA') ----------------------------- end of submit.mc --------------------------- добавляем в /etc/make.conf переменные SENDMAIL_MC и SENDMAIL_SUBMIT_MC [test-1!ttyp6]/etc/mail > cat /etc/make.conf # added by use.perl 2007-02-20 12:50:14 PERL_VER=5.8.8 PERL_VERSION=5.8.8 USE_LINUX=rh OVERRIDE_LINUX_BASE_PORT=rh #MODULES_OVERRIDE=      sound #Sendmail with SASLv2: SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2 SENDMAIL_LDFLAGS=-L/usr/local/lib SENDMAIL_LDADD=-lsasl2 #- my mc SENDMAIL_MC=/etc/mail/test.mc SENDMAIL_SUBMIT_MC=/etc/mail/submit.mc [test-1!ttyp6]/etc/mail > собираем test[submit].cf: [test-1!ttyp6]/etc/mail > make cf /usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/   /usr/share/sendmail/cf/m4/cf.m4 /etc/mail/test.mc > /etc/mail/test.cf /usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/   /usr/share/sendmail/cf/m4/cf.m4 /etc/mail/submit.mc > /etc/mail/submit.cf [test-1!ttyp6]/etc/mail > копируем test.cf -> sendmail.cf: [test-1!ttyp6]/etc/mail > cp test.cf sendmail.cf определяем в /etc/rc.conf ПОЛНЫЙ запуск sendmail'а: [test-1!ttyp6]/etc/mail > grep sendmail /etc/rc.conf #--sendmail sendmail_enable="YES" [test-1!ttyp6]/etc/mail > стартуем sendmail: [test-1!ttyp6]/etc/mail > make start Starting: sendmail sendmail-clientmqueue. [test-1!ttyp6]/etc/mail > начинаем тестировать: [test-1!ttyp6]/etc/mail > telnet `hostname` 25 Trying 62.84.100.208... Connected to test-1. Escape character is '^]'. 220 test-1.dubna.ru ESMTP Sendmail 8.13.8/8.13.8; Tue, 27 Feb 2007 12:32:40 +030 0 (MSK) ehlo test-1 250-test-1.dubna.ru Hello test-1 [62.84.100.208], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 250-DELIVERBY 250 HELP quit 221 2.0.0 test-1.dubna.ru closing connection Connection closed by foreign host. [test-1!ttyp6]/etc/mail > Все как дохтур прописал! Заводим пользователя: [test-1!ttyp6]/etc/mail > pw useradd -n lavr -u 3000 -c "Andrey Lavrentyev" -d / home/lavr -g operator -m -s /usr/local/bin/bash [test-1!ttyp6]/etc/mail > [test-1!ttyp6]/etc/mail > pw useradd -n lavr -u 3000 -c "Andrey Lavrentyev" -d / home/lavr -g operator -m -s /usr/local/bin/bash [test-1!ttyp6]/etc/mail > passwd lavr Changing local password for lavr New Password: kukare Retype New Password: kukare [test-1!ttyp6]/etc/mail > уходим на другую машину в локальной сети: alone.dubna.ru для проверки: ниже конвертируем username и password в base64 для проверки метода LOGIN в SMTP-AUTH: [alone]~ > printf "lavr" | mmencode bGF2cg== [alone]~ > printf "kukare" | mmencode a3VrYXJl [alone]~ > произвдоим соединение по порту 25/tcp (SMTP порт): [alone]~ > telnet test-1.dubna.ru 25 Trying 62.84.100.208... Connected to test-1.dubna.ru. Escape character is '^]'. 220 test-1.dubna.ru ESMTP Sendmail 8.13.8/8.13.8; Tue, 27 Feb 2007 12:41:31 +030 0 (MSK) helo alone.dubna.ru 250 test-1.dubna.ru Hello alone.dubna.ru [62.84.100.160], pleased to meet you ehlo alone 250-test-1.dubna.ru Hello alone.dubna.ru [62.84.100.160], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN 250-DELIVERBY 250 HELP --- пробуем отправить письмо БЕЗ авторизации ---- mail from: lavr@alone.dubna.ru 250 2.1.0 lavr@alone.dubna.ru... Sender ok rcpt to: lavr@unix1.jinr.ru 550 5.7.1 lavr@unix1.jinr.ru... Relaying denied. Proper authentication required. --------------------------------^^^^^^^^^^^^^^^--^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ пшел нафик без аутентикации сбрасываем текущую mail транзакцию: rset 250 2.0.0 Reset state теперь пытаемся отправить письмо, но прежде производим аутентикацию: AUTH LOGIN 334 VXNlcm5hbWU6 bGF2cg== 334 UGFzc3dvcmQ6 a3VrYXJl 235 2.0.0 OK Authenticated mail from: lavr@alone.dubna.ru 250 2.1.0 lavr@alone.dubna.ru... Sender ok rcpt to: lavr@unix1.jinr.ru 250 2.1.5 lavr@unix1.jinr.ru... Recipient ok data 354 Enter mail, end with "." on a line by itself hello lavr . 250 2.0.0 l1R9fV78071920 Message accepted for delivery quit 221 2.0.0 test-1.dubna.ru closing connection Connection closed by foreign host. [alone]~ > PLAIN даже проверять не буду, ибо все STEP-BY-STEP по старинному руководству в котором все это step-by-step расписано и подходит как для 4.x, так и для 5.x и 6.x FreeBSD Выше метод использующий NATIVE AUTHENTIFICATION (родную - то бишь системную), никаких sasldb/saslpasswd - НИГДЕ и НИКАКИЕ ПРАВА я не трогал, верхнее step-by-step, НО И НЕ ИЗМЕНЯЛ ничего для sendmail & etc. Сборка sendmail-sasl из портов ЕЩЕ ПРОЩЕ, ну а настройка и проверки делаются аналогично Ну о-ч-е-н-ь сложно.