From root@kolokol.ru  Sat Jun  1 10:15:00 2002
Return-Path: <root@kolokol.ru>
Received: from kolokol.ru (zvuki.ru [81.19.69.2])
	by hub.freebsd.org (Postfix) with ESMTP id 1066437B400
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  1 Jun 2002 10:14:58 -0700 (PDT)
Received: from kolokol.ru (localhost [127.0.0.1])
	by kolokol.ru (8.12.3/8.12.3) with ESMTP id g51HEtmb001561
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
	Sat, 1 Jun 2002 21:14:55 +0400 (MSD)
	(envelope-from root@kolokol.ru)
Received: (from root@localhost)
	by kolokol.ru (8.12.3/8.12.3/Submit) id g51HEs97001503;
	Sat, 1 Jun 2002 21:14:54 +0400 (MSD)
	(envelope-from root)
Message-Id: <200206011714.g51HEs97001503@kolokol.ru>
Date: Sat, 1 Jun 2002 21:14:54 +0400 (MSD)
From: Seva Gluschenko <gvs@rinet.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: noc@rinet.ru
Subject: sasl_apop_patch.gz breaks LOGIN mech (SMTP AUTH)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         38801
>Category:       ports
>Synopsis:       sasl_apop_patch.gz breaks LOGIN mech (SMTP AUTH)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 01 10:20:01 PDT 2002
>Closed-Date:    Wed May 07 07:27:22 PDT 2003
>Last-Modified:  Wed May  7 07:30:15 PDT 2003
>Originator:     Kolokoa.Rul &
>Release:        FreeBSD 4.6-RC i386
>Organization:
Cronyx Plus LLC
>Environment:
System: FreeBSD kolokol.ru 4.6-RC FreeBSD 4.6-RC #4: Sat Jun 1 19:19:43 MSD 2002 root@kolokol.ru:/usr/obj/usr/src/sys/KOLOKOL i386
>Description:
	Building the Cyrus SASL library (used for SMTP AUTH) from ports results
	in a non-working LOGIN authentication mechanism. Experiments show this
	situation to be the result of the sasl_apop_patch application.
>How-To-Repeat:
	cd /usr/ports/security/cyrus-sasl
	make
	make install

	then recompile sendmail with SASL (as described in /etc/mail/README,
	/etc/defaults/make.conf and sendmail documentation), install sendmail,
	change sendmail configuration file and restart sendmail.

	N.B.: It wasn't tested against the pwcheck method, only with SaslDB.
	Try every MUA which is capable of LOGIN authentication (e.g. MSOE 5.5
	and higher). Sendmail will continuously re-request the password; the
	strings in maillog will look like

	Jun  1 20:37:39 kolokol sm-mta[26436]: g51GbdVS026436: demo.rinet.ru
	[195.54.192.69] did not issue MAIL/EXPN/VRFY/ETRN during connection
	to MTA

>Fix:

	Recompile SASL yourself without applying sasl_apop_patch, or edit
	/usr/ports/security/cyrus-sasl/Makefile and remove the reference to this
	patch. You may probably use the following patch (untested, however).

	My great thanks to the port maintainer for returning me to distrust of
	sensitive ports %-/ as well as for the time wasted in attempts to get
	rid of the problem.


--- Makefile.orig	Sat Jun  1 21:10:59 2002
+++ Makefile	Sat Jun  1 21:12:26 2002
@@ -22,8 +22,7 @@
 
 PATCH_SITES=	ftp://ftp.westbend.net/pub/cyrus-mail/contrib/ \
 		http://www.imasy.or.jp/~ume/ipv6/
-PATCHFILES=	sasl_apop_patch.gz \
-		${DISTNAME}-ipv6-${IPV6_VER}.diff.gz
+PATCHFILES=	${DISTNAME}-ipv6-${IPV6_VER}.diff.gz
 
 MAINTAINER=	hetzels@westbend.net
 
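Review bot: dropping sasl_apop_patch.gz from PATCHFILES removes the PLAIN-APOP mechanism from the port for every user, not just the submitter, and the submitter marks the change untested; the audit trail below traces the LOGIN failure to a realm mismatch between `hostname` and reverse DNS that also reproduces without the APOP patch, so this hunk does not address the reported cause. If the patch is removed anyway, the `ftp://ftp.westbend.net/pub/cyrus-mail/contrib/` entry in PATCH_SITES, which appears to exist only to fetch that file, should be dropped in the same change so the Makefile does not keep an unused site.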


>Release-Note:
>Audit-Trail:

From: "Scot W. Hetzel" <hetzels@westbend.net>
To: "Seva Gluschenko" <gvs@rinet.ru>,
	<FreeBSD-gnats-submit@FreeBSD.ORG>
Cc: <noc@rinet.ru>
Subject: Re: ports/38801: sasl_apop_patch.gz breaks LOGIN mech (SMTP AUTH)
Date: Wed, 19 Jun 2002 15:16:18 -0500

 From: "Seva Gluschenko" <gvs@rinet.ru>
 > >Description:
 > making Cyrus SASL library (used for SMTP AUTH) from ports results
 > to non-working LOGIN authentication mechanism. Experiments show this
 > situation to be result of sasl_apop_patch application.
 > >How-To-Repeat:
 > cd /usr/ports/security/cyrus-sasl
 > make
 > make install
 >
 > then recompile sendmail with SASL (as described in /etc/mail/README,
 > /etc/defaults/make.conf and sendmail documentation), install sendmail,
 > change sendmail configuration file and restart sendmail.
 >
 > N.B.: It wasn't tested against pwcheck method, only with SaslDB.
 > Try every MUA which is capable of LOGIN authentication (e.g. MSOE 5.5
 > and higher). Sendmail will continuously re-request password, strings
 > in maillog will look like
 >
 > Jun  1 20:37:39 kolokol sm-mta[26436]: g51GbdVS026436: demo.rinet.ru
 > [195.54.192.69] did not issue MAIL/EXPN/VRFY/ETRN during connection
 > to MTA
 >
 I have rebuilt sendmail w/Cyrus-SASL support, and I can only reproduce the
 problem if "/usr/local/lib/sasl/Sendmail.conf" has the pwcheck_method set
 to "sasldb" (default) and the user hasn't been added to the sasldb database.
 Changing pwcheck_method to "pwcheck" in Sendmail.conf, and restarting
 sendmail, allows OE to use the LOGIN authentication method.
 
 The Sendmail.conf file is even mentioned in the
 PREFIX/share/doc/cyrus-sasl/Sendmail.README file.
 
 This PR can be closed as there is no problem with the APOP patch.
 
 Scot
 

From: Seva Gluschenko <gvs@rinet.ru>
To: "Scot W. Hetzel" <hetzels@westbend.net>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, <noc@rinet.ru>
Subject: Re: ports/38801: sasl_apop_patch.gz breaks LOGIN mech (SMTP AUTH)
Date: Thu, 20 Jun 2002 21:19:35 +0400 (MSD)

 Message of Scot W. Hetzel at Jun 19 15:16 ...
 
 SWH> > N.B.: It wasn't tested against pwcheck method, only with SaslDB.
 
 SWH> I have rebuilt sendmail w/Cyrus-SASL support, and I can only
 SWH> reproduce the problem if "/usr/local/lib/sasl/Sendmail.conf" has
 SWH> the pwcheck_method set to"sasldb" (default) and the user hasn't
 SWH> been added to the sasldb database. Changing pwcheck_method to
 SWH> "pwcheck" in Sendmail.conf, and restarting sendmail, allows OE to
 SWH> use the LOGIN authentication method.
 
 Did you see the N.B. above? I've disabled pwcheck because it doesn't
 fit my needs, and the user did exist in sasldb. The problem IS
 present.
 
 SWH>
 SWH> The Sendmail.conf file is even mentioned in the
 SWH> PREFIX/share/doc/cyrus-sasl/Sendmail.README file.
 SWH>
 SWH> This PR can be closed as there is no problem with the APOP patch.
 SWH>
 SWH> Scot
 SWH>
 
 SY, Seva Gluschenko, just stranger on The Road. | http://gvs.rinet.ru/
 Cronyx Plus / RiNet network administrator.      | GVS-RIPE | GVS3-RIPN
 

From: "Scot W. Hetzel" <hetzels@westbend.net>
To: "Seva Gluschenko" <gvs@rinet.ru>,
	<FreeBSD-gnats-submit@FreeBSD.ORG>
Cc: <noc@rinet.ru>
Subject: Re: ports/38801: sasl_apop_patch.gz breaks LOGIN mech (SMTP AUTH)
Date: Thu, 29 Aug 2002 22:38:23 -0500

 From: "Seva Gluschenko" <gvs@rinet.ru>
 > making Cyrus SASL library (used for SMTP AUTH) from ports results
 > to non-working LOGIN authentication mechanism. Experiments show this
 > situation to be result of sasl_apop_patch application.
 
 > N.B.: It wasn't tested against pwcheck method, only with SaslDB.
 > Try every MUA which is capable of LOGIN authentication (e.g. MSOE 5.5
 > and higher). Sendmail will continuously re-request password, strings
 > in maillog will look like
 >
 > Jun  1 20:37:39 kolokol sm-mta[26436]: g51GbdVS026436: demo.rinet.ru
 > [195.54.192.69] did not issue MAIL/EXPN/VRFY/ETRN during connection
 > to MTA
 >
 
 I looked into this problem further, and still can't get the original problem
 to occur with the apop patch (No pwcheck or saslauthd1 daemons running and
 Sendmail.conf's pwcheck_method set to sasldb).
 
 The only problem I had was a mismatch between the server's 'hostname' and
 DNS.  The problem is that saslpasswd uses `hostname` found on the system for
 the default realm, while sendmail does a DNS lookup to determine the
 hostname of the mail server and then uses it for the SASL realm name.  On
 my test system I had 'hostname' and DNS names in different cases:
 
     hostname    - Test.domain.org
     DNS Lookup  - TEST.domain.org
 
 # sasldblistusers
 user: testuser realm: Test.domain.org mech: PLAIN
 user: testuser realm: Test.domain.org mech: CRAM-MD5
 user: testuser realm: Test.domain.org mech: PLAIN-APOP
 user: testuser realm: Test.domain.org mech: DIGEST-MD5
 
 With the realm set to "Test.domain.org", sendmail would fail to authenticate
 the user (OE would ask for username and password repeatedly), and sendmail
 would report:
 
 Aug 29 21:41:36 Test sm-mta[8111]: g7U2faWr008111: wrkstation.domain.org
 [10.0.0.2] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
 
 Using saslpasswd's domain option (-u), to first remove and then reenter the
 "testuser":
 
     saslpasswd -d -u Test.domain.org testuser
     saslpasswd -c -u TEST.domain.org testuser
 
 allowed OE to log in (changing DNS would also have worked).
 
 I also tested the SASL library without the APOP patch and had the same
 problem due to mismatched realms between sendmail and the sasldb database.
 
 I don't know why you had success with the removal of the APOP patch, unless
 someone had changed the case of the DNS entry for the server, while you were
 testing.
 
 If you could setup a test server, give it another try with the APOP patch
 and let us know the results.
 
 Scot W. Hetzel
 
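An added diagnostic for the realm mismatch Scot describes (this is not code from the PR, the port or its maintainer): it parses `sasldblistusers` output and compares each stored realm, case-sensitively as Cyrus SASL does, against the realm sendmail will present, which is the server's reverse-DNS name rather than `hostname`. The expected realm is passed in by the caller, and SAMPLE_LISTING is a constructed listing in the format shown above.

```shell
#!/bin/sh
# Constructed sample of `sasldblistusers` output (format as quoted in the PR).
SAMPLE_LISTING='user: testuser realm: Test.domain.org mech: PLAIN
user: testuser realm: Test.domain.org mech: CRAM-MD5
user: alice realm: TEST.domain.org mech: PLAIN
user: bob realm: other.example.org mech: PLAIN'

# realm_status EXPECTED_REALM LISTING
# Prints "<user> <stored-realm> <verdict>" once per user/realm pair, where the
# verdict is "ok" (exact match), "case-mismatch" (same name, different case,
# which SASL still treats as a different realm) or "wrong-realm".
realm_status() {
    expected=$1
    printf '%s\n' "$2" | awk -v want="$expected" '
        $1 == "user:" && $3 == "realm:" {
            key = $2 " " $4
            if (seen[key]++) next                   # one verdict per pair
            if ($4 == want)                         st = "ok"
            else if (tolower($4) == tolower(want))  st = "case-mismatch"
            else                                    st = "wrong-realm"
            print $2, $4, st
        }'
}

# fix_commands EXPECTED_REALM LISTING
# For every case-mismatch, prints (does not run) the saslpasswd pair Scot used:
# delete the entry under the stored realm, recreate it under the realm
# sendmail expects.  Review the output before executing it.
fix_commands() {
    realm_status "$1" "$2" | awk -v want="$1" '
        $3 == "case-mismatch" {
            print "saslpasswd -d -u " $2 " " $1
            print "saslpasswd -c -u " want " " $1
        }'
}

# Stand-alone use: supply the reverse-DNS name of the mail server.
if [ -n "$1" ]; then
    realm_status "$1" "$(sasldblistusers)"
fi
```

The first argument should be the name sendmail logs for the server (its PTR record), not `hostname`, which is exactly the value saslpasswd defaults to and the reason the two drift apart.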

From: Seva Gluschenko <gvs@rinet.ru>
To: "Scot W. Hetzel" <hetzels@westbend.net>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, <noc@rinet.ru>
Subject: Re: ports/38801: sasl_apop_patch.gz breaks LOGIN mech (SMTP AUTH)
Date: Fri, 30 Aug 2002 11:27:03 +0400 (MSD)

 Hello, Scot,
 
 Message of Scot W. Hetzel at Aug 29 22:38 ...
 
 SWH> The only problem I had was a mismatch between the servers
 SWH> 'hostname' and DNS.  The problem is that saslpasswd uses
 SWH> `hostname` found on the system for the default realm.  While
 SWH> sendmail does a DNS lookup to determine the hostname of the mail
 SWH> server, and then uses it for the SASL realm name.
 
 A-ha, got it. That's maybe the real root of the problem, 'cause I never
 tried to reuse another realm. The domain name might be completely
 different, not just a case variant (that host serves several
 domains). Pitifully, sendmail provides no information about the realm
 it asked for in its logs, so I didn't recognize the problem myself. Thank
 you for your point.
 
 SWH> I also tested the SASL library without the APOP patch and had the
 SWH> same problem due to mismatched realms between sendmail and the
 SWH> sasldb database.
 
 SWH> I don't know why you had success with the removal of the APOP
 SWH> patch, unless someone had changed the case of the DNS entry for
 SWH> the server, while you were testing.
 
 Nope, for sure. I'm using cyrus-sasl compiled by hand (not from ports)
 on several hosts serving many virtual domains and I never had a negative
 experience with that. Right now I have successfully authorized SASL
 users which use the realm taken from 'hostname' while it couldn't be taken
 from DNS back-resolve at all.
 
 SWH> If you could setup a test server, give it another try with the
 SWH> APOP patch and let us know the results.
 
 Not right now, but I'll put it onto pending state. If I have newer
 information, I'll report. Thank you again.
 
 SY, Seva Gluschenko, just stranger on The Road. | http://gvs.rinet.ru/
 Cronyx Plus / RiNet network administrator.      | GVS-RIPE | GVS3-RIPN
 
State-Changed-From-To: open->feedback 
State-Changed-By: arved 
State-Changed-When: Mon Mar 31 09:57:39 PST 2003 
State-Changed-Why:  
Is this still a problem? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=38801 
State-Changed-From-To: feedback->closed 
State-Changed-By: arved 
State-Changed-When: Wed May 7 07:26:18 PDT 2003 
State-Changed-Why:  
Submitter can't verify the problem anymore, because he changed his setup.  

http://www.freebsd.org/cgi/query-pr.cgi?pr=38801 

From: Seva Gluschenko <gvs@demos.net>
To: Tilman Linneweh <arved@freebsd.org>
Cc: freebsd-ports-bugs@freebsd.org
Subject: Re: ports/38801: sasl_apop_patch.gz breaks LOGIN mech (SMTP AUTH)
Date: Tue, 1 Apr 2003 01:20:18 +0400 (MSD)

 Message of Tilman Linneweh at Mar 31 09:58 ...
 
 TL> Is this still a problem?
 
 Sorry, can't verify that because I'm stuck in the "don't fix it where it
 works" state. Later, those hosts appeared beyond my control. If anything
 happens to me about SASL again, I'll drop a note. It's better to use
 cyrus-sasl2 now, though.
 
 SY, Seva Gluschenko, just stranger on The Road.
 Demos-Internet NOC	| GVS-RIPE | GVS3-RIPN
>Unformatted:
