
auth methods MD5 not available

Status
Not open for further replies.

rouse01

IS-IT--Management
Sep 10, 2001
143
US
I recently regenerated my sendmail.cf and now my roaming users cannot relay. It seems the only auth methods available now are LOGIN & PLAIN. I used to have DIGEST-MD5 & CRAM-MD5, but these do not show up when I telnet localhost 25:
ehlo localhost
250-mail1.domain.net Hello localhost.localdomain[127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP

my sendmail.mc:
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

my pwcheck_method has always been shadow

Any ideas what else to check? I've chased a lot of threads on the internet without success. Thanks - Keith
 
I see this in the maillog:
AUTH: available mech=PLAIN LOGIN ANONYMOUS, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
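
The maillog line and the EHLO reply quoted in this thread can be checked against each other. The following is an added example, not part of the original posts; it assumes sendmail advertises only mechanisms that appear in both the "available" list (what the SASL library reports) and the "allowed" list (what the sendmail configuration permits), which matches the output shown above. The function names are hypothetical.

```python
import re

# Mechanisms that send the password itself (only base64-encoded) to the server.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

AUTH_LOG_RE = re.compile(
    r"AUTH: available mech=(?P<available>[^,]*), allowed mech=(?P<allowed>.*)$"
)


def parse_auth_log(line):
    """Return (available, allowed) mechanism sets from a sendmail AUTH log line."""
    m = AUTH_LOG_RE.search(line.strip())
    if not m:
        raise ValueError("not an 'AUTH: available mech=' line")
    return (set(m.group("available").upper().split()),
            set(m.group("allowed").upper().split()))


def parse_ehlo_auth(response):
    """Return the mechanisms advertised on the 250-AUTH line of an EHLO reply."""
    for line in response.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            return set(m.group(1).upper().split())
    return set()


def diagnose(log_line, ehlo_response):
    """Compare what SASL offers, what sendmail allows, and what EHLO shows."""
    available, allowed = parse_auth_log(log_line)
    offered = available & allowed  # assumption: advertised set is the overlap
    return {
        "offered": offered,
        "missing_from_sasl": allowed - available,   # allowed but no plugin loaded
        "blocked_by_config": available - allowed,   # plugin loaded but not allowed
        "matches_ehlo": offered == parse_ehlo_auth(ehlo_response),
        "plaintext_only": bool(offered) and offered <= PLAINTEXT_MECHS,
    }


# Both samples are copied from the thread above (EHLO reply shortened).
LOG = ("AUTH: available mech=PLAIN LOGIN ANONYMOUS, "
       "allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN")
EHLO = "250-PIPELINING\n250-AUTH LOGIN PLAIN\n250-DELIVERBY\n250 HELP"

if __name__ == "__main__":
    for key, value in diagnose(LOG, EHLO).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

On the thread's data, `missing_from_sasl` contains DIGEST-MD5 and CRAM-MD5, meaning the sendmail configuration allows them but the SASL library did not report them, and `plaintext_only` is true.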
 
The problem has crept to the point where my users cannot reply to emails outside my domain. For now, I've disabled the authentication in sendmail and am reverting to the access filter. All ok inside the lan.
I'm looking at two possibles; A) Cisco pix firewall was installed in timeframe of problems arising or B) sasl libraries corrupt. I'm going to first try to deactivate the cisco SMTP fixup on my pix. I've read postings that seem to be relevant. I'm not sure how to fix the sasl problem and not sure why that would suddenly break after so many years of no prob op. I'm currently on rh9, but the ultimate resolution may be an upgrade to FC5.
I'll post back if I have success. Any input appreciated.

Keith
 
Disabling SMTP fixup on the firewall had no effect.

I'll try the fc upgrade route.

Note to sysop: Kill this thread, as nothing was solved.
 
Is saslauthd running? Sendmail itself doesn't do the authentication.
 
saslauthd is running. Do you think the problem might be with the cyrus-sasl I'm using: Version 2.1.10? Build was Feb 2005 and all ran fine up till a few weeks ago.
I've yum'd sasl & it reports I'm running the latest.
Thanks - Keith
 
I used to run cyrus-imapd for a while. I switched to dovecot and all my headaches went away. This would not be an option for you if you have a lot of users since cyrus keeps its own user database. I hate to see anybody resort to the "access" method since this could allow spammers to spoof the return address and your system becomes an open relay. My system is very simple because there isn't a lot of configuring to do. All I have to do is add a standard unix user to my system and we're good to go. When I create a 'mail-only' user, they won't be logging into the system so their shell is /sbin/nologin. They also won't need a home directory so I make it /dev/null. Sendmail is my mta with saslauthd authenticating smtp. I use dovecot as my pop3/imap server because it needs no configuration hence no headaches. I have procmail send everything through spamassassin and the world is a beautiful place to be again.
 
I got my auth working again, but not sure what actually mended it. On a whim, I opened my sendmail m4 configuration using webmin. It revealed a bogus line which did not show up in my normal editor (pico). Deleted the line & rebuilt sendmail config.

Meanwhile, I also changed my
usr/lib/sasl2/Sendmail.conf to:
pwcheck_method: shadow
mech_list: plain login CRAM-MD5 digest-md5 shadow

I think this last is not quite right, but my roamers are relaying again. I'll try to find the minimal and post back if anyone cares.

Thanks RythmAce for the replies.
 