I'm moving a mail server from one CentOS 6 to another. I use sendmail with sasl pam authentication. When I try to send mail it fails because the user is not authenticated and the mail client does not require password. All the configurations files are the same on both new and old servers. I tested this with telnet (new server):
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 new.mldb.org ESMTP Sendmail 8.14.4/8.14.4; Wed, 4 Feb 2015 14:05:18 +0100
ehlo localhost
250-new.mldb.org Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
old server:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mldb.org ESMTP Sendmail 8.14.4/8.14.4; Wed, 4 Feb 2015 16:07:23 +0200
ehlo localhost
250-mldb.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
this line
250-AUTH LOGIN PLAIN
is missing on the new server.
Here are parts of sendmail config:
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
I tested sasl using this command
# testsaslauthd -s smtp -u <user> -p <password>
0: OK "Success."
other files that I've checked:
# cat /etc/sasl2/Sendmail.conf
pwcheck_method:saslauthd
saslauthd_path:/var/run/saslauthd
mech_list: LOGIN PLAIN
# cat /etc/pam.d/smtp
#%PAM-1.0
auth include password-auth
account include password-auth
# cat /etc/sysconfig/saslauthd
SOCKETDIR=/var/run/saslauthd
MECH=pam
FLAGS=
when I try to send a mail I get this in log:
# tail /var/log/maillog
Feb 4 15:17:38 new sendmail[12070]: STARTTLS=server, relay=*******.spectrumnet.bg [****], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb 4 15:17:38 new sendmail[12070]: t14EHba9012070: ruleset=check_rcpt, arg1=<****@mail.bg>, relay=*****.spectrumnet.bg [**********], reject=550 5.7.1 <****@mail.bg>... Relaying denied. Proper authentication required.
Feb 4 15:17:40 new sendmail[12070]: t14EHba9012070: from=<*****@*****.eu>, size=422, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=*******.spectrumnet.bg [******]
after I change anything /etc/mail I run "make"
What should be the reason sendmail not to offer auth?
UPDATE
The main reason that sendmail did not require auth was that I didn't have this packet installed:
cyrus-sasl-plain
I installed it and now the mail client asks for password, but password always fails.
More from configurations:
# grep TrustAuthMech sendmail.cf
C{TrustAuthMech}EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
R$* $| $={TrustAuthMech} $# RELAY
# grep AuthMechanisms sendmail.cf
O AuthMechanisms=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Best Answer
Your sendmail.mc looks ok. Apart from stopping and starting sendmail again (which I would guess you have already done). I would look at the actual configuration file which would be called sendmail.cf.
Make sure you see the lines:
and
If LOGIN PLAIN is not there then your 'make' is not generating the .cf file from the .mc file.