STARTTLS kills SMTP AUTH

A strange problem on a Sendmail server I run on Linux for a few hundred
customer accounts: SMTP AUTH has been running fine, authenticating with

pwcheck_method: auxprop saslauthd
auxprop_plugin: sasldb

against a mixture of sasldb2 (customer) and OS (administrator) accounts.
The same database is used for authentication to a Cyrus IMAP server,
which is working perfectly fine, too, ever since I solved (so I thought)
the SASL realm headache.

Now, thinking that offering TLS secured mail transfer to said customers
would be a Good Thing(TM), and in blatant violation of the "never change
a running system" rule, I created an SSL certificate, installed it first
for Cyrus, where it worked like a charm out of the box, and then went on
to bless Sendmail with it too. However, as soon as I activate server-side
STARTTLS for Sendmail by adding the lines:

define(`confCACERT', `/etc/ssl/certs/CAcert_chain.pem')dnl
define(`confSERVER_CERT', `/etc/ssl/certs/server.crt')dnl
define(`confSERVER_KEY', `/etc/ssl/private/server.key')dnl

to my sendmail.m4 file, customers who set up their mail client to
actually use it (either "always" or "if available") complain that they
cannot send mail anymore, their password being rejected as incorrect
for SMTP although it continues to work for IMAP or POP3. Meanwhile, my
own OS password continues to work fine for both. Unauthenticated SMTP
continues to work equally fine, even from the occasional adventurous
deliverer actually using the offered STARTTLS.

As soon as I revert to the previous Sendmail config (without support
for server-mode TLS) the clients are happy again, though I ain't.

Having been bitten once by SASL realm mismatches/conflicts, and also
because authentication via OS password (which isn't plagued by realms)
is unaffected, I suspect it's that realm mess all over again. But how
do I prove and, more importantly, fix that? Specifically:

- Is there a way to make Sendmail/SASL tell me which username/realm
combination it is trying to look up?

- Exactly how does Sendmail determine the authentication realm it
passes to SASL, and does this depend in any way on whether the SMTP
client has STARTTLSed?

- How can I influence that so that Cyrus IMAP, Sendmail with STARTTLS
and Sendmail without STARTTLS end up all three using the same realm?
(Last time I just guessed what Sendmail used, and configured Cyrus
to match it.)

- In case it'll turn out that this new common realm will be different
from my current one, is there an easy way to change the realm on all
the existing sasldb2 entries without bothering my users to re-enter
their passwords?

Thanks in advance for any hints.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
Tilman Schmidt [ Wed, 12 September 2007 19:01 ] [ ID #1819104 ]
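A diagnostic for the second question above, added here as an example and not part of the original post: a client must send EHLO again after STARTTLS, and the server may advertise a different AUTH list in that second reply, so recording both shows whether clients switch mechanism (and therefore password back end) once TLS is on. The host name is an assumed command-line argument; the two EHLO replies at the bottom are constructed, not captured from the poster's server.

```python
import smtplib
import ssl
import sys


def parse_ehlo(raw: str) -> dict:
    """Parse a multi-line EHLO reply into {keyword: parameters}.
    Keys are lowercased to match smtplib.SMTP.esmtp_features; the
    first line (the server greeting) carries no capability and is skipped."""
    features = {}
    for line in raw.splitlines()[1:]:
        body = line[4:]                      # drop the "250-" / "250 " prefix
        keyword, _, params = body.partition(" ")
        key = keyword.lower()
        # smtplib concatenates repeated AUTH lines; mirror that behaviour.
        features[key] = (features.get(key, "") + " " + params).strip()
    return features


def auth_mechs(features: dict) -> set:
    """AUTH mechanisms advertised in one EHLO reply (upper-cased names)."""
    return set(features.get("auth", "").upper().split())


def compare_auth(before: dict, after: dict) -> dict:
    """Mechanisms offered only before STARTTLS, only after it, or in both."""
    b, a = auth_mechs(before), auth_mechs(after)
    return {"only_before": b - a, "only_after": a - b, "both": a & b}


def probe(host: str, port: int = 25) -> dict:
    """Live check: EHLO, STARTTLS, EHLO again, then diff the two AUTH lists."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()                          # capabilities must be re-read after TLS
        after = dict(smtp.esmtp_features)
    return compare_auth(before, after)


# Constructed sample replies (assumed, not from the poster's server).
EHLO_PLAIN = "\n".join(["250-mail.example.net Hello [192.0.2.10], pleased to meet you",
                        "250-ENHANCEDSTATUSCODES", "250-PIPELINING", "250-STARTTLS",
                        "250-AUTH CRAM-MD5 DIGEST-MD5", "250 HELP"])
EHLO_TLS = "\n".join(["250-mail.example.net Hello [192.0.2.10], pleased to meet you",
                      "250-ENHANCEDSTATUSCODES", "250-PIPELINING",
                      "250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5", "250 HELP"])

if __name__ == "__main__":
    result = (probe(sys.argv[1]) if len(sys.argv) > 1
              else compare_auth(parse_ehlo(EHLO_PLAIN), parse_ehlo(EHLO_TLS)))
    for label, mechs in result.items():
        print(f"{label}: {' '.join(sorted(mechs)) or '-'}")
```

With a certificate the client does not already trust (a CAcert chain, for instance), the default context rejects the handshake; load the CA chain into the context with `load_verify_locations` rather than disabling verification.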