Sendmail [was OpenSSL]

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Thu Jul 15 23:53:09 UTC 2004 

Am Do, den 15.07.2004 schrieb James Kosin um 22:45:

> | Maybe a little misunderstanding: the default entry in Sendmail.conf is
> | "pwcheck_method:saslauthd". Then the saslauthd must be running (service
> | saslauthd status). The saslauthd is by default configured to auth
> | against the shadow file. If you want to change that you will have to
> | create a file /etc/sysconfig/saslauthd with content i.e. "MECH=pam",
> | this will override the setting in the init script.
> 
> There is a file /etc/sysconfig/saslauthd that I did not create.  It
> contains the following:
> # To read about how postfix uses saslauthd read this:
> # /usr/share/doc/postfix-*/README-Postfix-SASL-RedHat.txt
> #
> # To see a list of authentication mechanisms supported by saslauthd
> execute this command
> # /usr/sbin/saslauthd -v
> #
> # Default to pam
> MECH=pam
> 
> Maybe this is another postfix change....  When I installed FC1, I
> usually install everything.  It saves having to find something when I
> need it.

Ok, I did not know that the Postfix package comes with that file and
that it has a different default setup for AUTH than Sendmail.

> Should I set the entry in Sendmail.conf to pwcheck_method:saslauthd.
> Then change the /etc/sysconfig/saslauthd to use shadow?  Maybe, I'm a
> little confused how this is suppose to work properly.....

You can leave your setup as it is now. But I think the SASL developers
have a reason why the version 2 of SASL has the saslauthd daemon service
running for authentification and not letting the application directly
communicate with the AUTH MECHs. Decide yourself what you like. The
default would be to set /usr/lib/sasl2/Sendmail.conf to
pwcheck_method:saslauthd and the saslauthd either use MECH=pam or
MECH=shadow (first seems Postfix package setup, second is Sendmail
package setup). Be sure the saslauthd is enabled by running "chkconfig
saslauthd on".

> | I don't know what you did, but it sounds not proper. The cacert is
> | something very different then the client certificates as ipop3d.pem.
> | Maybe should post you a brief description of the necessary steps.
> |
> 
> The ipop3d.pem is needed for the server to authenticate with the client
> when connecting.  The client then imports this certificate into its
> database of accepted certs.  The ipop3d.pem is a server cert that
> identifies (in my case the server: beta.support.intcomgrp.com on IP
> 192.168.10.20).

Of course that is right. I just wondered about the steps you did as that
sounded to me like something wrong. See the reply by Mike to your mail.
His first posted link describes creating self-signed certificates not
using the CA.sh|CA.pl scripts but directly calling the OpenSSH
functions, but that is not so important. Important is the fact, that it
very clearly shows you what which part of the files created is! Handling
the serial is in that description necessary because it does not create a
demo_CA hierarchy. The serial is important of you would work with
revocations.

> | One last note: The default setting in sendmail.mc is not to force
> | STARTTLS being active for PLAIN and LOGIN AUTH. If you did not already
> | change that, then change that to allow LOGIN and PLAIN only after
> | STARTTLS has been done:
> |
> | define(`confAUTH_OPTIONS', `A p')dnl
> |
> | Else it matters how the user configured his client, if he did activate
> | SSL/TLS in his mail client. And you know, never trust the user.
> 
> Already done...  although I've even seen one setup on the web that
> suggests `A p y'.

Yes, the "y" parameter means not allowing anonymous logins. I too use

define(`confAUTH_OPTIONS', `A p y')dnl

> James

Hope I did not confuse you more :)

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) Athlon CPU kernel 2.6.6-1.435.2.3.uml
Serendipity 01:20:21 up 2 days, 23:02, load average: 0.78, 0.33, 0.15 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20040716/fe2ec66e/attachment-0001.sig>

More information about the fedora-list mailing list