2 Replies Latest reply: Jul 9, 2013 2:09 PM by jdkemp
rsdio Level 1 (20 points)

I have been running sendmail on Tiger Server for years. Incoming mail works fine. Outgoing mail works, too, but I have limited my use before now because I need to secure things. At the moment, I am trying to use StartTLS on port 25 or 587 along with SASL to allow relaying, so that I can send email from my iPhone or laptop in a coffee shop. I already have sendmail relaying from a private ip range that I know is secure, but in order to allow relaying for outgoing mail from dynamic ip or a non-registered ip, I need to get SASL working.


At the same time, I already have IMAP working (with SASL, I assume), and I can log in with my various user accounts to check incoming email.


I downloaded Cyrus SASL 2.1.18 for the headers, after determining that Tiger most likely has 2.1.18 installed (except for the headers). I then compiled sendmail 8.14.7 against these headers. sendmail seems to run fine, but all SASL accesses fail authentication.


I only installed Cyrus SASL 2.1.18 in /usr/local/lib/sasl2 without overriding the existing /usr/lib/sasl2 because I don't want to break anything that Apple might have customized.


Questions:


Does imapd use the same SASL database that sendmail would access?


Is it likely that I have the wrong "domain" or something for the SASL accesses, and that's why the authentication fails? If so, how can I change the domain for SASL? I've tried variations of account names like: "user" "user@host.com" and "user@fqdn.host.com" under the assumption that the text after the @ character can adjust the domain. Any hints?


Is sendmail really linking against the Apple SASL?


Is the Apple SASL really 2.1.18, or have significant changes been made?


Does Apple's Darwin source, or any other source, reflect changes to SASL 2.1.18 (and should I be looking for these changes)?


Where are the configuration files for Apple SASL?


Many documents for SASL mention that the database can be compromised, and recommend having different passwords - not the actual user account passwords - for SASL. Although IMAP seems to be happy with the actual user accounts passwords, should I actually be trying to create a separate SASL database for sendmail to use?


Basically, has anyone successfully deployed sendmail with SASL authentication for relaying on Tiger Server?


p.s. I have disabled postfix


Xserve G5 (January 2005), Mac OS X (10.4.11)
  • rsdio Level 1 (20 points)

    I took a look at Apple's source code changes to Cyrus IMAP, which is working with Open Directory. I did a diff against the original 2.2.12 sources using FileMerge and I see that Apple added code to look in Open Directory for user name and pass. So this explains why IMAP works but sendmail does not.


    A pertinent question at this point is: Has anyone ported sendmail to Mac OS X Open Directory, similar to what Apple did with IMAP? If so, it would save me from trying to do it myself. I can probably merge the IMAP additions into sendmail, and this would allow Workgroup Manager accounts to send SMTP using SASL authentication.


    Alternatively, the easier path seems to be to create a separate database for sendmail SASL, which isn't too far from what they recommend anyway.


    No comments from anyone?
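Added example, not code from the thread or from any of its posters: a small Python probe that exercises exactly the path the original post wants (STARTTLS on the submission port, then SASL PLAIN) and reports the server's reply, trying both the bare `user` and the `user@host` spelling because Cyrus sasldb keys its entries by realm; the host name, port 587 and account names are placeholders.

```python
import base64
import smtplib
import ssl


def auth_plain_initial_response(authcid: str, password: str, authzid: str = "") -> str:
    """Build the RFC 4616 PLAIN token: authzid NUL authcid NUL password, base64-encoded."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def auth_mechs(esmtp_features: dict) -> set:
    """Return the SASL mechanisms advertised in an EHLO response (smtplib lowercases keys)."""
    return set(esmtp_features.get("auth", "").upper().split())


def probe_relay(host: str, port: int, user: str, password: str) -> str:
    """Open a session, require STARTTLS, then send AUTH PLAIN and return the reply line."""
    ctx = ssl.create_default_context()  # self-signed server cert: ctx.load_verify_locations(...)
    with smtplib.SMTP(host, port, timeout=20) as smtp:
        smtp.ehlo()
        before = auth_mechs(smtp.esmtp_features)
        if before:
            # An MSA that refuses plaintext mechanisms on an unencrypted link
            # (sendmail's confAUTH_OPTIONS flag 'p') advertises AUTH only after STARTTLS.
            print(f"warning: AUTH {sorted(before)} offered before STARTTLS")
        smtp.starttls(context=ctx)
        smtp.ehlo()
        offered = auth_mechs(smtp.esmtp_features)
        if "PLAIN" not in offered:
            return f"no PLAIN after STARTTLS; offered: {sorted(offered) or 'nothing'}"
        code, msg = smtp.docmd("AUTH PLAIN", auth_plain_initial_response(user, password))
        # 235 = accepted, 535 = credentials rejected (wrong realm, wrong db, wrong password)
        return f"{code} {msg.decode(errors='replace')}"


if __name__ == "__main__":
    import getpass
    import sys

    host, account = sys.argv[1], sys.argv[2]  # placeholders: mail.example.com alice@mail.example.com
    pw = getpass.getpass()
    for candidate in (account, account.split("@")[0]):
        print(candidate, "->", probe_relay(host, 587, candidate, pw))
```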

  • jdkemp Level 1 (0 points)

    Thanks for your post.


    I don't have an answer to your question, but I am working on something similar. I am also using sendmail 8.14.7 but I prefer Dovecot, vs other imap servers.


    When you do resolve your issue, I would be interested in seeing your fix action.