computers / comp.mail.sendmail / Re: How does Sendmail get authentication? [dovecot accepts authentication]

Subject (Author)
* How does Sendmail get authentication? (Charles Wangersky)
+- Re: How does Sendmail get authentication? [dovecot accepts authentication] (Andrzej Adam Filip)
+* Re: How does Sendmail get authentication? (Grant Taylor)
|`* Re: How does Sendmail get authentication? (Charles Wangersky)
| `- Re: How does Sendmail get authentication? (Grant Taylor)
`* Re: How does Sendmail get authentication? (Claus Aßmann)
 `* Re: How does Sendmail get authentication? (Grant Taylor)
  `* Re: How does Sendmail get authentication? (Charles Wangersky)
   +- Re: How does Sendmail get authentication? (Grant Taylor)
   `* Re: How does Sendmail get authentication? (Claus Aßmann)
    `* Re: How does Sendmail get authentication? (Charles Wangersky)
     +- Re: How does Sendmail get authentication? (Claus Aßmann)
     `* Re: How does Sendmail get authentication? (The Doctor)
      `- Re: How does Sendmail get authentication? (Alex Haut)

How does Sendmail get authentication?

<f8c41e06-b610-44ee-88ec-8b24a4108668n@googlegroups.com>

 by: Charles Wangersky - Mon, 6 Sep 2021 18:50 UTC

If you are one of the 20 or so people who saw this query elsewhere, my apologies for repeating this, but I got no responses there at all.

For reasons I can't get into at the moment, I'm authenticating to an SMB domain (using Samba 4.9.5 on a Debian host as the DC, if it matters) with a Mint Linux server in the domain with Samba 4.11.6 using Sendmail 8.15.2. I have Thunderbird on a third, Windows machine. The mail server also has Dovecot 2.3.7.2 installed. From Thunderbird, I can view, open and manipulate mailboxes with domain credentials. However, I cannot send mail, the same credentials that work to open the mailbox via Dovecot fail password validation when trying to send to port 587 on Sendmail. I do have a local account for the domain user, I'm told Dovecot needs that in order to keep its data. It seems to me that I somehow have to tell Sendmail to use the domain credentials rather than the local ones, but while I can see how to tell it how to accept credentials from the mail client, I don't see how to tell it how to authenticate them. Am I missing something?

Re: How does Sendmail get authentication? [dovecot accepts authentication]

<anfi+yacr09s0ff-l961@wp.eu>

 by: Andrzej Adam Filip - Mon, 6 Sep 2021 19:08 UTC

Charles Wangersky <charles@manna.bc.ca> wrote:
> If you are one of the 20 or so people who saw this query elsewhere, my apologies for repeating this, but I got no responses there at all.
>
> For reasons I can't get into at the moment, I'm authenticating to an
> SMB domain (using Samba 4.9.5 on a Debian host as the DC, if it
> matters) with a Mint Linux server in the domain with Samba 4.11.6
> using Sendmail 8.15.2. I have Thunderbird on a third, Windows
> machine. The mail server also has Dovecot 2.3.7.2 installed. From
> Thunderbird, I can view, open and manipulate mailboxes with domain
> credentials. However, I cannot send mail, the same credentials that
> work to open the mailbox via Dovecot fail password validation when
> trying to send to port 587 on Sendmail. I do have a local account for
> the domain user, I'm told Dovecot needs that in order to keep its
> data. It seems to me that I somehow have to tell Sendmail to use the
> domain credentials rather than the local ones, but while I can see how
> to tell it how to accept credentials from the mail client, I don't see
> how to tell it how to authenticate them. Am I missing something?

Have you considered using MSA (port 587 server) provided by dovecot?
It may fix authentication problems.

--
[Andrew] Andrzej A. Filip

Re: How does Sendmail get authentication?

<sh5ps4$los$1@tncsrv09.home.tnetconsulting.net>

 by: Grant Taylor - Mon, 6 Sep 2021 19:20 UTC

On 9/6/21 12:50 PM, Charles Wangersky wrote:
> For reasons I can't get into at the moment, I'm authenticating to
> an SMB domain (using Samba 4.9.5 on a Debian host as the DC, if it
> matters) with a Mint Linux server in the domain with Samba 4.11.6 using
> Sendmail 8.15.2. I have Thunderbird on a third, Windows machine. The
> mail server also has Dovecot 2.3.7.2 installed. From Thunderbird, I can
> view, open and manipulate mailboxes with domain credentials. However,
> I cannot send mail, the same credentials that work to open the mailbox
> via Dovecot fail password validation when trying to send to port 587
> on Sendmail. I do have a local account for the domain user, I'm told
> Dovecot needs that in order to keep its data. It seems to me that I
> somehow have to tell Sendmail to use the domain credentials rather
> than the local ones, but while I can see how to tell it how to accept
> credentials from the mail client, I don't see how to tell it how to
> authenticate them. Am I missing something?

I would expect that the two accounts for a user; local Unix, and remote
domain, to have two different names. E.g. "user" and "user@domain".

With this in mind, I would expect Sendmail to outsource the credential
checking to SASL, and that SASL would rely on its own and / or the
system wide configuration for where unix vs domain accounts live and how
they are interfaced with.

Is the domain account integration complete enough that you can run "id"
on "user@domain" and get back similar information as when run against
the "user" unix account?

--
Grant. . . .
unix || die

Re: How does Sendmail get authentication?

<9ef9047a-7dae-456a-a656-faeb48fea34bn@googlegroups.com>

 by: Charles Wangersky - Mon, 6 Sep 2021 19:35 UTC

On Monday, September 6, 2021 at 12:20:22 PM UTC-7, Grant Taylor wrote:
> Is the domain account integration complete enough that you can run "id"
> on "user@domain" and get back similar information as when run against
> the "user" unix account?

Yes; I get the same response back for both "id user" and "id user@domain" except that the groups are listed in a slightly different order. The user "user" has GID "user", group named after the user; the user "user@domain" does not include that group but shows GID "Domain Users".

Andrzej Adam Filip wrote:
> Have you considered using MSA (port 587 server) provided by dovecot?

I was unaware that Dovecot provided an MSA port. I'll look into that.

Re: How does Sendmail get authentication?

<sh5rtf$nbu$1@news.misty.com>

 by: Claus Aßmann - Mon, 6 Sep 2021 19:58 UTC

Charles Wangersky wrote:

"How does Sendmail get authentication?"
sendmail uses Cyrus-SASL - so that's where you have to look.

> Thunderbird, I can view, open and manipulate mailboxes with domain credentials. However, I cannot send mail, the

What's the error? What's in the sendmail log?

> same credentials that work to open the mailbox via Dovecot fail password validation when trying to send to port
> 587 on Sendmail. I do have a local account for the domain user, I'm told Dovecot needs that in order to keep its

You need to tell Cyrus-SASL2 which "backend" to use (for authentication).
Check whether there is any documentation for it specific to your
system, otherwise you have to look into the generic info.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Re: How does Sendmail get authentication?

<sh6082$e36$1@tncsrv09.home.tnetconsulting.net>

 by: Grant Taylor - Mon, 6 Sep 2021 21:09 UTC

On 9/6/21 1:35 PM, Charles Wangersky wrote:
> Yes; I get the same response back for both "id user" and "id
> user@domain" except that the groups are listed in a slightly different
> order. The user "user" has GID "user", group named after the user;
> the user "user@domain" does not include that group but shows GID
> "Domain Users".

Okay. That sounds to me like the domain integration is sufficient that
normal Unix account / permission interfaces should work. As such I
would expect that (Cyrus) SASL should also work with it similar to how
it works with traditional Unix accounts.

I ask because I've seen applications do a lateral / sideways
communications to the DC and bypass the lower Unix account / permission
sub-system. In these cases, you will almost definitely require more
configuration than when the underlying Unix account sub-system sees the
network accounts.

--
Grant. . . .
unix || die

Re: How does Sendmail get authentication?

<sh60oq$37e$1@tncsrv09.home.tnetconsulting.net>

 by: Grant Taylor - Mon, 6 Sep 2021 21:18 UTC

On 9/6/21 1:58 PM, Claus Aßmann wrote:
> sendmail uses Cyrus-SASL - so that's where you have to look.

Cyrus-SASL is definitely a good place to start looking. Though chances
seem to be good that there are other places to look.

> You need to tell Cyrus-SASL2 which "backend" to use (for
> authentication).

This is one of the places that I was talking about where Cyrus-SASL can
be configured to look sideways to the DC and bypass the underlying Unix
account sub-system.

Aside: I last dealt with Unix and DCs about 8 years ago, so my memory
may be having some bit rot.

I'm fairly certain that it's possible to configure Cyrus-SASL to rely on
PAM for everything /and/ configure PAM to look in different places for
different account types. E.g. local files for local accounts and DC(s)
for domain accounts.

Thus you could have the following layers involved in this process:

- Sendmail
- Cyrus-SASL (acting as Sendmail's authentication proxy)
- PAM (acting as the system's authentication switch)
- Samba (acting as the system's interface to the domain / DC)

IMHO all three; Cyrus-SASL, PAM, and Samba, can have configurations that
significantly alter what is done, including which protocols are used to
communicate with what.

> Check whether there is any documentation for it specific to your
> system, otherwise you have to look into the generic info.

I'd start with a fundamental understanding of the authentication
architecture that you're trying to use and how the various pieces
interact with each other. Then figure out how to diagnose individual
pieces. I remember that winbind had ways to test credentials from the
Samba point of view independent of everything else. I believe that PAM
and Courier can test things below them.

You may want to consider sniffing the network and / or looking at logs
on other systems like the domain's DC.

--
Grant. . . .
unix || die

Re: How does Sendmail get authentication?

<0b09255a-64c6-437e-9e2a-1ca0ad8c2821n@googlegroups.com>

 by: Charles Wangersky - Mon, 6 Sep 2021 22:38 UTC

So I'm not going to quote all that went before because it's beginning to look like I'm barking up a stump here.

Sep 6 13:06:37 xxmail sm-mta[94855]: 186K6b0F094855: Milter (greylist): local socket name /var/run/milter-greylist/milter-greylist.sock unsafe
Sep 6 13:06:37 xxmail sm-mta[94855]: 186K6b0F094855: Milter (greylist): to error state
Sep 6 13:06:42 xxmail sm-mta[94855]: 186K6b0F094855: [10.2.0.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP

From this it would appear that the milter is getting the connection before Sendmail is, and it's not getting through the greylist milter. Gives me a whole new place to investigate. I've had problems with the milter failing this way on another system years ago, and now I have to try and recall how I dealt with it.

Re: How does Sendmail get authentication?

<sh66ln$r1$1@tncsrv09.home.tnetconsulting.net>

 by: Grant Taylor - Mon, 6 Sep 2021 22:58 UTC

On 9/6/21 4:38 PM, Charles Wangersky wrote:
> So I'm not going to quote all that went before because it's beginning
> to look like I'm barking up a stump here.
>
> Sep 6 13:06:37 xxmail sm-mta[94855]: 186K6b0F094855: Milter (greylist): local socket name /var/run/milter-greylist/milter-greylist.sock unsafe
> Sep 6 13:06:37 xxmail sm-mta[94855]: 186K6b0F094855: Milter (greylist): to error state
> Sep 6 13:06:42 xxmail sm-mta[94855]: 186K6b0F094855: [10.2.0.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP

*FacePalm*

Been there.
Done that.

> From this it would appear that the milter is getting the connection
> before Sendmail is, and it's not getting through the greylist
> milter.

Point of order: The log lines are from sm-mta, which is how I've seen
Sendmail log for a while. These log lines support that the milter is
actually downstream of Sendmail. As in Sendmail handles the TCP
connection and divvies out various tests to various milters as part of
how they operate. ;-)

> Gives me a whole new place to investigate. I've had problems with
> the milter failing this way on another system years ago, and now I
> have to try and recall how I dealt with it.

I migrated away from grey listing to no-listing more than a decade ago
and I am exceedingly happy with the results. I'd encourage every
postmaster to check out no-listing, especially those that like grey
listing. At least enough to have a conceptual understanding how it
works and how it might or might not fit with needed services.

--
Grant. . . .
unix || die
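
The three log lines quoted above share one queue ID, so they describe a single SMTP session handled by sm-mta. As an added example (not part of the thread or of sendmail), this shell/awk sketch groups such lines by queue ID and summarises the milter socket failure and the client that left without a mail transaction; the function names and the output format are made up here.

```shell
#!/bin/sh
# Added example: correlate sendmail (sm-mta) syslog lines by queue ID.

# The three log lines quoted in the thread, embedded so this runs offline.
sample_log() {
    cat <<'EOF'
Sep 6 13:06:37 xxmail sm-mta[94855]: 186K6b0F094855: Milter (greylist): local socket name /var/run/milter-greylist/milter-greylist.sock unsafe
Sep 6 13:06:37 xxmail sm-mta[94855]: 186K6b0F094855: Milter (greylist): to error state
Sep 6 13:06:42 xxmail sm-mta[94855]: 186K6b0F094855: [10.2.0.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP
EOF
}

# Reads syslog lines on stdin and prints one summary line per queue ID:
#   <qid> milter=<name> socket=<path> error_state=<yes|no> no_transaction_from=<client>
# Fields that never appeared for a queue ID are printed as "-".
triage_milter_log() {
    awk '
    {
        # The queue ID is the token that follows "sm-mta[pid]:".
        qid = ""
        for (i = 1; i < NF; i++)
            if ($i ~ /^sm-mta\[[0-9]+\]:$/) {
                qid = $(i + 1)
                sub(/:$/, "", qid)
                break
            }
        if (qid == "") next
        if (!(qid in seen)) { seen[qid] = 1; order[++n] = qid }
    }
    # "Milter (name): " -> remember which milter this session complained about.
    match($0, /Milter \([^)]*\): /) {
        milter[qid] = substr($0, RSTART + 8, RLENGTH - 11)
    }
    # "local socket name PATH unsafe" -> the path that failed the safety check.
    match($0, /local socket name [^ ]+ unsafe/) {
        sock[qid] = substr($0, RSTART + 18, RLENGTH - 25)
    }
    /Milter \([^)]*\): to error state/ { err[qid] = 1 }
    # Client that connected and left without starting a mail transaction.
    / did not issue MAIL\/EXPN\/VRFY\/ETRN / {
        rest = substr($0, index($0, qid ": ") + length(qid) + 2)
        sub(/ did not issue .*/, "", rest)
        client[qid] = rest
    }
    END {
        for (j = 1; j <= n; j++) {
            q = order[j]
            printf "%s milter=%s socket=%s error_state=%s no_transaction_from=%s\n",
                q, (q in milter) ? milter[q] : "-", (q in sock) ? sock[q] : "-",
                (q in err) ? "yes" : "no", (q in client) ? client[q] : "-"
        }
    }'
}

# Stand-alone run: summarise the embedded sample.
sample_log | triage_milter_log
```

To run it on a live system, feed the mail log on stdin instead of the sample, for example `triage_milter_log < /var/log/mail.log` (the log path varies by system).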

Re: How does Sendmail get authentication?

<sh6tg5$lq$1@news.misty.com>

 by: Claus Aßmann - Tue, 7 Sep 2021 05:31 UTC

Charles Wangersky wrote:

> name /var/run/milter-greylist/milter-greylist.sock unsafe

See the fine documentation
| DIRECTORY PERMISSIONS |

> From this it would appear that the milter is getting the connection before Sendmail

That is impossible because sendmail provides the information to the milter.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Re: How does Sendmail get authentication?

<841ae66f-3620-4825-a9d6-61f3c7f2b355n@googlegroups.com>

 by: Charles Wangersky - Tue, 7 Sep 2021 06:16 UTC

On Monday, September 6, 2021 at 10:31:50 PM UTC-7, Claus Aßmann wrote:
> Charles Wangersky wrote:
>
> > From this it would appear that the milter is getting the connection before Sendmail
> That is impossible because sendmail provides the information to the milter.
> --

Then I don't know what is going on. Thunderbird reports bad password, and asks for a new one. Sendmail, on the other hand, reports the milter is unhappy, and that Thunderbird has gone away without doing anything. I will try to find the fine documentation - all I've found so far is the man pages - and will correct that... but the longer I look at this the loster I seem to get.

Re: How does Sendmail get authentication?

<sh740h$8v8$1@news.misty.com>

 by: Claus Aßmann - Tue, 7 Sep 2021 07:22 UTC

Charles Wangersky wrote:

> Then I don't know what is going on. Thunderbird reports bad password, and asks for a

Does the program have a "verbose" mode to see the SMTP session?

> new one. Sendmail, on the other hand, reports the milter is unhappy, and that
> Thunderbird has gone away without doing anything. I will try to find the fine
> documentation - all I've found so far is the man pages - and will correct that... but

Download the source distribution if your OS doesn't ship the documentation.
BTW: you probably shouldn't run a greylist milter on the submission port
-- if a client authenticates it shouldn't be told "come back later".
See doc/op.* about setting milters per daemon:
    DaemonPortOptions=options
    ....
        InputMailFilters  List of input mail filters for the daemon

+-----------------------+
| DIRECTORY PERMISSIONS |
+-----------------------+

Sendmail often gets blamed for many problems that are actually the
result of other problems, such as overly permissive modes on directories.
For this reason, sendmail checks the modes on system directories and
files to determine if they can be trusted. For sendmail to run without
complaining, you MUST execute the following command:

    chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
    chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue

You will probably have to tweak this for your environment (for example,
some systems put the spool directory into /usr/spool instead of
/var/spool). If you set the RunAsUser option in your sendmail.cf, the
/var/spool/mqueue directory will have to be owned by the RunAsUser user.
As a general rule, after you have compiled sendmail, run the command

    sendmail -v -bi

to initialize the alias database. If it gives messages such as

    WARNING: writable directory /etc
    WARNING: writable directory /var/spool/mqueue

then the directories listed have inappropriate write permissions and
should be secured to avoid various possible security attacks.

[[... and so on ... ]]

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
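
The "unsafe" socket message and the DIRECTORY PERMISSIONS excerpt above both come down to write bits on the components of a path. As an added example (not from the thread or the sendmail distribution), this POSIX shell function lists every group- or other-writable component of a path; it approximates that one rule and is not sendmail's own safety check. `audit_path`, its optional STOP argument and its output format are made up here.

```shell
#!/bin/sh
# Added example: find group- or other-writable components of a path, the
# condition the quoted README tells you to remove with "chmod go-w".
#
# audit_path PATH [STOP]
#   Walks from PATH up to STOP (default /) and prints one line per component
#   whose mode has the group or other write bit set:
#       WRITABLE <mode> <owner> <path>
#   Returns 0 if nothing was flagged, 1 if something was flagged or PATH does
#   not exist, 2 if PATH's parent directory cannot be resolved.
audit_path() {
    target=$1
    stop=${2:-/}

    # Resolve symlinks in the directory part first (/var/run is often a
    # symlink to /run), so a link's own lrwxrwxrwx mode is never reported.
    dir=$(cd -P -- "$(dirname -- "$target")" 2>/dev/null && pwd -P) || return 2
    p=${dir%/}/$(basename -- "$target")
    bad=0

    # A milter that is not running leaves no socket; audit its directory.
    if [ ! -e "$p" ]; then
        printf 'MISSING %s\n' "$p"
        bad=1
        p=$dir
    fi

    while :; do
        # ls -ld fields: mode, link count, owner, group, ...
        set -- $(ls -ld -- "$p")
        mode=$(printf '%s' "$1" | cut -c1-10)
        owner=$3
        case $mode in
            # Character 6 is group write, character 9 is other write.
            ?????w????|????????w?)
                printf 'WRITABLE %s %s %s\n' "$mode" "$owner" "$p"
                bad=1
                ;;
        esac
        if [ "$p" = "$stop" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname -- "$p")
    done
    return "$bad"
}

# Stand-alone use: sh audit_path.sh /var/run/milter-greylist/milter-greylist.sock
if [ "$#" -gt 0 ]; then
    audit_path "$@"
fi
```

The owner column is printed for context only; whether a given owner is acceptable depends on which user sendmail and the milter run as.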

Re: How does Sendmail get authentication?

<sh7stc$1952$89@gallifrey.nk.ca>

 by: The Doctor - Tue, 7 Sep 2021 14:27 UTC

In article <841ae66f-3620-4825-a9d6-61f3c7f2b355n@googlegroups.com>,
Charles Wangersky <charles@manna.bc.ca> wrote:
>On Monday, September 6, 2021 at 10:31:50 PM UTC-7, Claus Aßmann wrote:
>> Charles Wangersky wrote:
>>
>> > From this it would appear that the milter is getting the connection before Sendmail
>> That is impossible because sendmail provides the information to the milter.
>> --
>
>Then I don't know what is going on. Thunderbird reports bad password,
>and asks for a new one. Sendmail, on the other hand, reports the milter
>is unhappy, and that Thunderbird has gone away without doing anything. I
>will try to find the fine documentation - all I've found so far is the
>man pages - and will correct that... but the longer I look at this the
>loster I seem to get.

You need to plug into something like cyrus-sasl for that to work.
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
Canada on 20 Sept 2021 vote ! Beware https://mindspring.com

Re: How does Sendmail get authentication?

<43e9f52e-4f06-4a21-bcae-2e8ab4ff6851n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=308&group=comp.mail.sendmail#308

X-Received: by 2002:a0c:c24c:: with SMTP id w12mr19055412qvh.48.1633961249953;
Mon, 11 Oct 2021 07:07:29 -0700 (PDT)
X-Received: by 2002:a25:5545:: with SMTP id j66mr20722421ybb.288.1633961249711;
Mon, 11 Oct 2021 07:07:29 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!border1.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.mail.sendmail
Date: Mon, 11 Oct 2021 07:07:29 -0700 (PDT)
In-Reply-To: <sh7stc$1952$89@gallifrey.nk.ca>
Injection-Info: google-groups.googlegroups.com; posting-host=74.103.45.242; posting-account=Ql-QGQoAAAAKArkTQ9b8iVcz0j7SpopW
NNTP-Posting-Host: 74.103.45.242
References: <f8c41e06-b610-44ee-88ec-8b24a4108668n@googlegroups.com>
<0b09255a-64c6-437e-9e2a-1ca0ad8c2821n@googlegroups.com> <sh6tg5$lq$1@news.misty.com>
<841ae66f-3620-4825-a9d6-61f3c7f2b355n@googlegroups.com> <sh7stc$1952$89@gallifrey.nk.ca>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <43e9f52e-4f06-4a21-bcae-2e8ab4ff6851n@googlegroups.com>
Subject: Re: How does Sendmail get authentication?
From: hqu...@gmail.com (Alex Haut)
Injection-Date: Mon, 11 Oct 2021 14:07:29 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Lines: 6
 by: Alex Haut - Mon, 11 Oct 2021 14:07 UTC

Not sure which greylist milter you are using, but I replaced my local instance with other tools, with much better results. With OpenDKIM, OpenDMARC and OpenARC (all available from github) combined with SPF (part of OpenDMARC, for one less thread/socket to be run), with the Enhanced DNSBL and the now included DANE+MTA-STS features of sendmail 8.17, grey listing has not been necessary at all. Yes, three separate processes and 7 verifications in total, but it all depends on how paranoid you want to be.
