# help diagnosing smtp auth problem



## mabu (Jun 16, 2012)

I'm running into a problem with Sendmail trying to implement SMTP-auth. I'm running 8.14.5 and have saslauthd running. I don't believe I have starttls enabled - just looking for basic auth, but am wondering if my configuration is not compatible with modern mail clients? I don't think I have any certs set up.

It seems an older version of Microsoft Outlook Express works fine with SMTP-auth with no problems,  but Outlook 2010 won't work, and neither will Eudora (basic settings to not use encryption and use same uid/pw as pop3 account name).

When trying to send mail the server reports:

```
550 571 Relaying Denied. Proper authentication required.
```

Is there some config that I am missing?  Why does it work with Outlook Express but not other e-mail clients?

My site.config.m4 has:

```
APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
dnl APPENDDEF(`confLIBDIRS', `-L/usr/local/lib/sasl2')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib')
APPENDDEF(`confINCDIRS', `-I/usr/local/include')
```


```
# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 xxxt ESMTP Sendmail 8.14.5/8.14.5; Fri, 15 Jun 2012 18:28:03 -0500 (CDT)
ehlo localhost
250-xxxx Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250-DELIVERBY
250 HELP
```

Anyone have any ideas?


----------



## mabu (Jun 16, 2012)

I have this in my sendmail.mc


```
define(`ConfAUTH_OPTIONS',`A')
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`ConfAUTH_MECHANISMS',`LOGIN PLAIN')dnl
```

Still no luck. Anyone have any ideas?


----------



## mabu (Jun 16, 2012)

I'm also wondering if enabling STARTTLS will help but I am not sure how to define certs since the instructions I see assume there's an /etc/mail/ssl directory with a sendmail.pem in it and there isn't.  Do I need to find the cert paths in sendmail.mc before 250-STARTTLS will be an option?


----------



## kpa (Jun 16, 2012)

You don't need TLS to get the AUTH part working, it's a separate functionality that can be used with AUTH but is not required. Have you tried the method from the handbook?

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html


----------



## mabu (Jun 16, 2012)

I followed that whole procedure, and I'm still stumped.  How can I debug what's wrong?


----------



## mabu (Jun 16, 2012)

The version with the ports/pkg system is 8.14.2 - I tried that, no luck.  I have been using the source version I compiled manually and no luck with that either.

I have been wrestling with this for days, scouring the net and cannot find anything that helps. It could be something as simple as a configuration glitch, I just don't know. If anybody can help it would be so much appreciated. It's been troubling me for the last six months.


----------



## mabu (Jun 16, 2012)

Here's what's weird. I can test the auth this way:


```
# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 xxxx ESMTP Sendmail 8.14.5/8.14.5; Sat, 16 Jun 2012 14:58:59 -0500 (CDT)
ehlo localhost
250-xx Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
250-DELIVERBY
250 HELP

AUTH LOGIN (base64uid)
334 xxxxx
(base64 password)
235 2.0.0 OK Authenticated
quit
221 2.0.0 xx closing connection
Connection closed by foreign host.
```


----------



## DutchDaemon (Jun 17, 2012)

@mabu, format your posts.


----------



## mabu (Jun 17, 2012)

I cleared things out and went to /usr/ports/mail/sendmail-sasl and installed that version. I'm still getting auth errors. Anyone have any ideas? Here's loglevel 14 messages:


```
Jun 17 00:27:35 x sm-mta[59290]: NOQUEUE: connect from x [x]
Jun 17 00:27:35 x sm-mta[59290]: AUTH: available mech=SCRAM-SHA-1 GSSAPI DIGEST-MD5 OTP CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS, allowed mech=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Jun 17 00:27:35 x sm-mta[59290]: q5H5RZd4059290: Milter: no active filter
Jun 17 00:27:35 x sm-mta[59290]: q5H5RZd4059290: AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: user: x@myhost.com property: cmusaslsecretCRAM-MD5 not found in sasldb, relay=x [x]
Jun 17 00:27:36 x sm-mta[59290]: q5H5RZd5059290: ruleset=check_rcpt, arg1=<x@gmail.com>, relay=x [x], reject=550 5.7.1 <x@gmail.com>... Relaying denied. Proper authentication required.
Jun 17 00:27:36 x sm-mta[59290]: q5H5RZd5059290: from=<x>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MSA, relay=x [x]
```

For user it lists username@hostname - I do not know if it's expecting usernames in /etc/password to be @hostname or that's just the log format, or there's an auth mechanism that is not properly working? I take it programs like Eudora default to CRAM-MD5?


What's odd is, I managed to get auth to work by using this in sendmail.mc:


```
TRUST_AUTH_MECH(`DIGEST-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 LOGIN PLAIN')dnl
```

If I took out CRAM-MD5 as auth method it worked.  Anyone know why?   Does Sendmail mess up the user id format for that mechanism?  Or is there an incompatibility with FreeBSD?


----------
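Added example (not part of any post in this thread): a Python sketch of why the same account can pass LOGIN yet fail CRAM-MD5 with "not found in sasldb", as in the log above. CRAM-MD5 (RFC 2195) is challenge-response, so the server must hold the shared secret itself to recompute the HMAC, while LOGIN and PLAIN deliver the password, which a hash-only backend can check. All names, accounts and stores below are constructed for illustration.

```python
import base64
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample value

def _hash(password):
    """One-way hash, standing in for what a password-file/PAM backend stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

HASH_ONLY_DB = {"alice": _hash("s3cret")}  # hash-only backend (saslauthd-style)
EMPTY_SECRET_DB = {}                       # secret store with no entry (empty sasldb)

def client_cram_md5(user, password, challenge):
    """RFC 2195 response: base64("user " + hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def server_verify_cram_md5(secret_db, challenge, response_b64):
    """The server can only check the response by recomputing it from the secret."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    secret = secret_db.get(user)
    if secret is None:
        return "user not found"  # a password hash is useless here
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return "ok" if hmac.compare_digest(expected, digest) else "bad response"

def server_verify_login(hash_db, user, password):
    """LOGIN/PLAIN: the password itself arrives, so comparing hashes is enough."""
    stored = hash_db.get(user)
    if stored is None:
        return "user not found"
    return "ok" if hmac.compare_digest(stored, _hash(password)) else "bad password"

def demo():
    challenge = b"<1234.5678@mail.example.test>"  # constructed server challenge
    response = client_cram_md5("alice", "s3cret", challenge)
    return {
        "login_hash_only": server_verify_login(HASH_ONLY_DB, "alice", "s3cret"),
        "cram_no_secret": server_verify_cram_md5(EMPTY_SECRET_DB, challenge, response),
        "cram_with_secret": server_verify_cram_md5({"alice": "s3cret"}, challenge, response),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

LOGIN and PLAIN carry the password only base64-encoded, so without STARTTLS it is readable on the wire.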

