Security :: ConfAUTH_OPTIONS Fails With 'p' Running Sendmail 8.14.4 And Saslauthd 2.1.23?
May 3, 2011
I'm building a new machine with slackware 13.37 64bit and so far all has gone well except for secure smtp. My previous setup was with slackware 13.1 32bit which worked fine. If I run with (`confAUTH_OPTIONS', `A p y') in my sendmail config it shows "AUTH warning: no mechanisms" in my maillog and obviously fails to authenticate. When I take the 'p' out and run with (`confAUTH_OPTIONS', `A y') then it does list the defined confAUTH_MECHANISMS and works. I would prefer to run with the 'p' option and require the security layer.
Most of my setup guidance has come from the "Sendmail SMTP AUTH Howto":
http://www.linuxquestions.org/questi...-howto-224543/
The Sendmail "TLS SASL SMTP-AUTH" page on slackwiki:
http://www.slackwiki.org/Sendmail_TLS_SASL_SMTP-AUTH
And this page for debugging "How to test Sendmail SASL Authentication":
http://networking.ringofsaturn.com/P...entication.php
[Code]...
My hope is that I'm just missing something simple. Does anyone have insight into why adding the 'p' to confAUTH_OPTIONS is causing this behavior?
I'm building a new machine with slackware 13.37 64bit and so far all has gone well except for secure smtp. My previous setup was with slackware 13.1 32bit which worked fine.
If I run with (`confAUTH_OPTIONS', `A p y') in my sendmail config it shows "AUTH warning: no mechanisms" in my maillog and obviously fails to authenticate.
When I take the 'p' out and run with (`confAUTH_OPTIONS', `A y') then it does list the defined confAUTH_MECHANISMS and works.
I would prefer to run with the 'p' option and require the security layer.
Most of my setup guidance has come from the "Sendmail SMTP AUTH Howto":
My goal is to be able to send mail remotely with secure authentication. If the way I'm trying to go about it is old and there is some newer/better way I'm happy to go with that - but sendmail/saslauthd has worked for me in the past.
Sendmail is version 8.14.4 and looks like it has the necessary options compiled in:
Code:
saslauthd is version 2.1.23 and supports shadow:
Code:
I did discover the need to link /etc/sasl2 to /usr/lib64/sasl2 and created the Sendmail.conf file there:
Code:
Here's the sendmail configuration script I'm using. Its really just the vanilla /usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc file with my cert file names:
Code:
When I try to connect with (`confAUTH_OPTIONS', `A p y') in the config here is the output I get in maillog (none of the other logs seem to show anything and I dont see any errors/warnings when I restart sendmail):
Code:
If I change the option so its just (`confAUTH_OPTIONS', `A y') then it does work and this is the log output I get:
Code:
My client is configured to use SSL and when I go through the setup, it does appear to authenticate against the smtp server and it validates. The fail comes in when trying to actually send mail.
Does anyone have insight into why adding the 'p' to confAUTH_OPTIONS is causing this behavior?
I have an init script running as a special build user which performs an automated build that fails with (Too many open files).I updated /etc/security/limits to allow the special user more open files, but that didn't work - the init script still isn't allowed more open files.Here's a demonstration of the problem;
I have installed postfix and dovecot on my server and thought postfix will not only take SMTP connection from my e-mail client like Outlook, but also handles "mailx" commands from the server. However, it looks like sendmail is still responsible for sending mails from "mailx". I tested this by turning it on/off using "service sendmail stop" and "service sendmail start". Mails sent using "mailx" will only be sent when sendmail is up. When I did "yum info sendmail", it lists sendmail as an installed package. Is is safe to remove sendmail by running "yum erase sendmail", and let postfix handles "mailx" also?
I am facing a problem that sendmail gets failed during startup and the server could not get forward after that server gets hanged.I triedr several times and finally i have to resetup the os.A few days back i also faced same problem with Squid gets failed after rebooting the server and the server cant get to login screens.How to get rid of this problem
I have a setup with Centos 5.5, Nagios 3.2.3, sendmail 8.13.8. When a insident is happening Nagios notify-by-mail is triggered and Nagios sends via sendmail. Unfortunately there is a trailing $-sign added to the $CONTACTEMAIL. Sendmail cannot mail to xxx@mail.address$
A hack is to insert mailaddress in misccommands.cfg but I would like to have a more clean way.
I am new to Slackware and sendmail. 1) I want to make sendmail more resist from spammers. Can You suggest some lines in sendmail.mc (My server is iauto.lv) Can I do, that my server recieves mails, but users cannot send mails with SMTP through my server?
2) Many mailservers returned mails, because I have no reverse DNS. What I must to do?
Checking the process table for the running sendmail, I would like to know the full path to the sendmail binary a la the ps -ef on a Sun or other servers. How do I get ps to give me the actual path, or should I use a different tool on my Linux servers?
I want to block a domain name in sendmail server. I added the domain name and "REJECT"in /etc/mail/access file. What has to be done for the changes to take effect? when i run make command in /etc/mail dir i get following error : make: Nothing to be done for `all'.
I'm migrating from a system that has sasldb enabled as a mechanism for saslauthd. For CentOS, this feature is commented out (disabled) in the *.spec file for the RPM, and the default mech in /etc/sysconfig/saslauthd is MECH=pam. I would prefer the authentication passwords be separate from the system login (in my case, /etc/passwd).
I tried rebuilding the SRPM with rpmbuild, but ran into errors after adding the switch --enable-auth-sasldb. Is there some clever way around this, where I can get the /etc/sasldb2 used under PAM? Or am I just approaching this incorrectly.
I am using postfix as spam Mailscanner to protect my mail server running sendmail. The problem is that when I forward an email from MailScanner mail me back with the following error:
<postmaster@localhost.@mydomain.com.>... Real domain name required for sender address (in reply to MAIL FROM command)) Jul 27 13:15:59 smtp postfix/local[28465]: C68AC1000001: to=<root@smtp.mydomain.com>,
1. Issue booting from grub The Xen kernel option in grub starts then the screen goes black and after a few seconds white starts to creep in from the edges.
2. When I run Virtual Machine Manager I get this message.
A hupervisor is not running. For Kvm, load the kvm kernel modules. If you want to run xen, reboot and load the xen kernel. The last options causes the error mentioned under issue 1.
I am using webmin for my daily tasks. I have fedora 13, whenever I click on ''Sendmail M4 Configuration'' or Outgoing Addresses (generics)'' I get the following error message
Quote:
The Sendmail M4 configuration base directory /usr/share/sendmail-cf was not found on your system, or is not the correct directory. Maybe it has not been installed (common for packaged installs of Sendmail), or the module config is incorrect. I read documentation at sendmail.org, it seems that structure of directories for send mail has been changed in version sendmail-8.1.4 shipped with FC13. In webmin config module we have
Quote:
Sendmail M4 base directory = /usr/share/sendmail-cf
which is not there. I did a locate / sendmail-cf on the command line, it finds nothing
I have been trying to set up ssmtp so I can send email using Gmail's ssmtp servers. However, when I try to send mail (using mailx), I get the following message:
Code:
Can't send mail: sendmail process failed
Here's the last line from dmesg (the only one applicable, according to the timestamps and message content):
Code:
[484114.608378] sendmail[17975]: segfault at 0 ip b7dbbbf3 sp bfb0dc4c error 4 in libc-2.11.2.so[b7d44000+14e000]
Here's my ssmtp.conf:
Code:
# # /etc/ssmtp.conf -- a config file for sSMTP sendmail. #
I was wondering about the security implications of running a GUI in a VM. I know that a GUI adversely affects security, but don't know how this works when visualization is thrown into the mix.
1. Is the security of the host OS affected by the presence of a guest OS with a GUI, or is it just the guest OS that would take the hit?
2. If the host OS does not have a GUI, and the guest OS does have a GUI, would it be possible to see the GUI of the guest OS?
I'm an Oracle DBA and started working for my current employer about 4 months ago. This past weekend an alert re: FS space brought my attention to /var/spool/clientmqueue (full of mail re: cron jobs) and the fact that sendmail is not running on our Linux servers.I'm told that the IT security team deemed sendmail too vulnerable so we don't run it.Aside from FS filling up and missing notification of issues with crontab entries, I'm concerned that we may be missing notification of potential issues. In other Unix/Linux environments I've seen emails from the print daemon when it experienced problems with specific jobs.
Are there other Linux facilities aside from cron and lpd that use email to advise the users of possible issues? Are there ways to secure sendmail or secure alternatives to sendmail? My primary need/desire is to make sure that emails regarding issues on the server get to the appropriate users. Secondary goal would be to have the ability to use mailx to send mail out. There is No need/desire to receive mail from outside.
I recently modified sendmail.cf to use a third party SMTP server to send emails. It works great. But when I run sendmail from the command line, I have to specify the -C flag and force feed it the location of my sendmail.cf, or else it doesn't work.
So in other words, the following works great:
However, if I don't specify the -C flag, sendmail doesn't consider what's in the sendmail.cf and barfs:
I don't run sendmail as a daemon. I'm only using it to send emails. I know my modifications of sendmail.cf are correct because it works perfectly when I use the -C flag. I searched my disk to see if I could find another sendmail.cf on the machine and only the one in /etc/mail came up.
Why sendmail is not reading my sendmail.cf?
I'm running Sendmail version 8.14.2 on Fedora Core 8.
Brand new to Linux. Sort of got thrown in front of the bus if you know what I mean. The company I work for has a Linux server running CentOS 5.4 Company uses Linux for their Email, FTP and Web Server. Have been here a few years dabbling in and out of Linux and now that the old Admin has left the company.....I need to learn it ASAP. The server has run pretty solid until today.
The email server runs SendMail and SpamAssasin. Received lots of complaints today regarding extra SPAM. Noticed that SpamAssassin was not running. Tried to restart it through the WebMin tools and got the following error: Starting spamd: child process [3956] exited or timed out without signaling production of a PID file: exit 255 at /usr/bin/spamd line 2588.
I've added my public key to the remote machine's authorized_keys file, and I can ssh over without password. But when I try to mount the remote share using sshfs it -always- asks for my user's password. I have set sshd_config|PasswordAuthentication no ... and when I mount the share as root it says, "read: Connection reset by peer". My mount is being done as user, so it shouldn't be a root authentication problem: sshfs#bill@droog://media/droogfuseuser,noauto,gid=6,umask=007,cache=no,ServerAliveInterval=15,reconnect,allow_other,comment=sshfs 0 0 I can't mount as user because /dev/fuse is not suid, and I'd rather not set it such.
I recently made a custom spin of fedora on 29th August 2009. It initially failed to go past the slash screen but a solution was found here on fedora forum. It included adding the following to kernel line in grub.
enforcing=0
I later checked SElinux and found the option to do a filesystem relabel at next boot was enabled. I rebooted the system without adding the above words "enforcing=o" and it got stuck after the the splash screen (the blue screen with a fedora bubble). I then did some more research on SElinux and filesystem relabelling. There were several comments that said that a notice is given in the event of a filesystem relabel. I went to the konsole and as root I wrote the following commands:
touch /.autorelabel reboot
I gave my pc 20Hrs 48min and nothing happened. My HDD is 80GB but it only had 7.5GB of data. There were no messages that indicated that the filesystem relabel was in progress or even if it had started. I also tried the following command but failed:
make relabel
I have now had to edit grub.conf and added the words "enforcing=0" as it is the only way the system will go passed the splash screen.
I have a CGI script that when called runs another script as a different user. Yet when the script does run I keep getting a permission denied in the logs and the script fails
In the sudoers file- Defaults env_reset www-data ALL=(charly) NOPASSWD=ALL
For the full question- When looking at /etc/sudoers there is the defaults line that you can add things to. When doing a sudo -L so that I can see what I can put on that defaults line. Can an individual user have specific defaults? Ones that don't effect the rest of the people in /etc/sudoers?
I'm running eeebuntu on a Toshiba Satellite R10, I installed the Netbook Remix Package which was apparently a horrible idea. I cant click properly. I tried to open synaptic package manager to uninstall it but it tells me my password is wrong, which i know it is not. Is there anyway to fix this, i can open terminal.
What the most harmful thing can malware program started as separate limited user account do if it has access to the X server? Network and filesystem things are already considered by chroot and netfilter.
It obviously can lock the screen and I will need to switch to other vt and kill it manually. Can it for example disrupt other GUI programs on the same X server (access a root terminal in nearby window)?
I know that it is safer to run it in separate X server, for example, in Xtightvnc or even some virtual machine, but how dangerous is to just run it like other programs?
I was wondering how one could set up tcpdump to run in the background, dumping all output to a file until I terminate the process.Here is the dilema... I SSH into the box that will be listening (using tcpdump)...
ssh> sudo tcpdump -i eth0 > dump_file yadda yadda...
then if I exit my ssh session, tcpdump closes.
If I do a... ssh> sudo tcpdump -i eth0 > dump_file & [1] 12938 yadda yadda.
