SMTP AUTH for sendmail 8.10: Realms and Examples

Last Update 2000-06-24

Realms?

Since some of the mechanisms used in SMTP AUTH don't carry a realm, Cyrus SASL (starting with 1.5.10) uses a hack for those: it appends @HOST.DOMAIN to the authid before looking it up in sasldb, so a bare user name is resolved in the server's own realm. This is used at least for CRAM-MD5, and for PLAIN if
pwcheck_method: sasldb
has been chosen in Sendmail.conf

pwcheck_method

For the authentication mechanisms PLAIN and LOGIN the password check method (pwcheck_method) in the Sendmail.conf configuration file can be
sasldb
  The user is looked up in sasldb with the realm.
passwd
  The user is looked up via getpwnam()
shadow
  The user is looked up via getspnam() (the server needs read access to the shadow password file for this).
PAM
  The user is looked up via PAM
kerberos_v4
  The user is looked up via Kerberos V4
pwcheck
  The user/password combination is checked via a separate daemon, so the server itself does not need to read the shadow password file.
Only sasldb uses a realm in the lookup; the other methods take the bare login name.

Realms and PLAIN/LOGIN

As can be seen from this list, only some of the pwcheck_methods support realms for PLAIN/LOGIN. With sasldb, where the entries are stored with a realm, the authid has to end up as user@HOST.DOMAIN before the lookup. This requires either a patch for lib/checkpw.c (applies to 1.5.15, integrated at least since 1.5.20), which appends the realm on the server side, or the client to add @HOST.DOMAIN to the authid itself.

Realms and CRAM-MD5

CRAM-MD5 does not really support realms either: the authid is sent without one. A patch for plugins/cram.c (applies to 1.5.17, integrated at least since 1.5.20) solves this on the server side if the client doesn't add @HOST.DOMAIN to the authid.

Examples

The following lists some example SMTP AUTH dialogues. They can be logged with the -X logfile option of the sendmail server, or by calling a sendmail client with -v. Note that such a log contains the base64 encoded credentials of PLAIN and LOGIN, so it must be protected like a password file. The DefaultAuthInfo file contains (authorization id, authentication id, password, realm, one per line):
test
test
tEst42
wiz.example.com
So sasldb contains the entry:
test\0wiz.example.com\0...

DIGEST-MD5

250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5
250 HELP
>>> AUTH DIGEST-MD5
334 bm9uY2U9IkFKUlVjNUp4MFVRYnY1U0o5Rm95VW5hWnBxWklIRGhMVFUrQXduL0swVXc9Iixxb3A9ImF1dGgsYXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LGRlcywzZGVzIixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw==
>>> dXNlcm5hbWU9InRlc3QiLHJlYWxtPSJ3aXouZXhhbXBsZS5jb20iLG5vbmNlPSJBSlJVYzVKeDBVUWJ2NVNKOUZveVVuYVpwcVpJSERoTFRVK0F3bi9LMFV3PSIsY25vbmNlPSJBSlJVYzVKeDBVUWJ2NVNKOUZveVVuYVpwcVpJSERoTFRVK0F3bi9LMFV3PSIsbmM9MDAwMDAwMDEscW9wPWF1dGgtY29uZixjaXBoZXI9InJjNCIsY2hhcnNldD11dGYtOCxkaWdlc3QtdXJpPSJzbXRwL2xvY2FsaG9zdC5zZW5kbWFpbC5jb20uIixyZXNwb25zZT0wZTdjZmNhZTcxN2VlYWM5NzJmYzlkNTYwNmExMDgzZA==
334 cnNwYXV0aD03NDM5ODBjODQ0MmRiYjcxNmQ0ZWE5ZTQ5OTNiMDFkMA==
>>> 
235 2.0.0 OK Authenticated
Decoded:
nonce="AJRUc5Jx0UQbv5SJ9FoyUnaZpqZIHDhLTU+Awn/K0Uw=",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",charset=utf-8,algorithm=md5-sess

username="test",realm="wiz.example.com",nonce="AJRUc5Jx0UQbv5SJ9FoyUnaZpqZIHDhLTU+Awn/K0Uw=",cnonce="AJRUc5Jx0UQbv5SJ9FoyUnaZpqZIHDhLTU+Awn/K0Uw=",nc=00000001,qop=auth-conf,cipher="rc4",charset=utf-8,digest-uri="smtp/localhost.sendmail.com.",response=0e7cfcae717eeac972fc9d5606a1083d

rspauth=743980c8442dbb716d4ea9e4993b01d0

Two things are worth noting in this trace. The client's cnonce is identical to the server's nonce; RFC 2831 requires the cnonce to be a fresh random value chosen by the client, since it is what protects the client against a server that presents a chosen challenge, so a trace like this is worth a closer look when testing a client implementation. And the negotiated qop=auth-conf with cipher="rc4" means the rest of the SMTP session is integrity protected and encrypted by the SASL layer; with qop=auth only the authentication exchange itself would be protected.
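The following script is an added example; it is not code from the original page, from sendmail or from Cyrus SASL. It decodes the three base64 lines of the DIGEST-MD5 trace above, parses them, and recomputes the response and rspauth digests according to RFC 2831 from a candidate password. It assumes the trace was produced with the DefaultAuthInfo password tEst42 shown above. The point for a practitioner: a captured exchange like this is exactly what an eavesdropper can run a dictionary attack against offline, because DIGEST-MD5 keeps the password off the wire but not a hash derived from it. The example from RFC 2831, section 4 (user chris, password secret) is included as a known-answer self-check of the digest computation.

```python
"""Recompute the DIGEST-MD5 digests of a captured trace (RFC 2831).

Added example, not code from the original page, sendmail or Cyrus SASL.
Assumption: the trace was produced with the password tEst42 from the
DefaultAuthInfo file shown on this page."""
import base64
import hashlib
import re

# The three base64 lines copied from the DIGEST-MD5 trace on this page.
SERVER_CHALLENGE_B64 = (
    "bm9uY2U9IkFKUlVjNUp4MFVRYnY1U0o5Rm95VW5hWnBxWklIRGhMVFUrQXduL0swVXc9Iixxb3A9ImF1"
    "dGgsYXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LGRlcywzZGVzIixj"
    "aGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw==")
CLIENT_RESPONSE_B64 = (
    "dXNlcm5hbWU9InRlc3QiLHJlYWxtPSJ3aXouZXhhbXBsZS5jb20iLG5vbmNlPSJBSlJVYzVKeDBVUWJ2"
    "NVNKOUZveVVuYVpwcVpJSERoTFRVK0F3bi9LMFV3PSIsY25vbmNlPSJBSlJVYzVKeDBVUWJ2NVNKOUZv"
    "eVVuYVpwcVpJSERoTFRVK0F3bi9LMFV3PSIsbmM9MDAwMDAwMDEscW9wPWF1dGgtY29uZixjaXBoZXI9"
    "InJjNCIsY2hhcnNldD11dGYtOCxkaWdlc3QtdXJpPSJzbXRwL2xvY2FsaG9zdC5zZW5kbWFpbC5jb20u"
    "IixyZXNwb25zZT0wZTdjZmNhZTcxN2VlYWM5NzJmYzlkNTYwNmExMDgzZA==")
SERVER_RSPAUTH_B64 = "cnNwYXV0aD03NDM5ODBjODQ0MmRiYjcxNmQ0ZWE5ZTQ5OTNiMDFkMA=="

# Known-answer vector copied from RFC 2831, section 4 (user "chris", password "secret").
RFC2831_EXAMPLE = dict(username="chris", realm="elwood.innosoft.com",
                       nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                       nc="00000001", qop="auth",
                       digest_uri="imap/elwood.innosoft.com")
RFC2831_RESPONSE = "d388dad90d4bbd760a152321f2143af7"
RFC2831_RSPAUTH = "ea40f60335c427b5527b84dbabcdfffd"


def parse_digest(text):
    """Split a challenge/response into a dict; quoted values may contain commas."""
    fields = {}
    for m in re.finditer(r'([\w-]+)=(?:"([^"]*)"|([^,]*))', text):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def digest_md5(password, username, realm, nonce, cnonce, nc, qop, digest_uri,
               authzid=None, rspauth=False):
    """RFC 2831 response (or rspauth) for algorithm=md5-sess.

    A1 = H(user:realm:pass) : nonce : cnonce [: authzid]   (H() is raw MD5)
    A2 = "AUTHENTICATE" : digest-uri [: 32 zeros for auth-int/auth-conf];
    the server's rspauth uses an empty method instead of "AUTHENTICATE".
    """
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + f":{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


def verify_trace(password, challenge_b64=SERVER_CHALLENGE_B64,
                 response_b64=CLIENT_RESPONSE_B64, rspauth_b64=SERVER_RSPAUTH_B64):
    """Decode a captured exchange and check it against a candidate password."""
    chal = parse_digest(base64.b64decode(challenge_b64).decode("utf-8"))
    resp = parse_digest(base64.b64decode(response_b64).decode("utf-8"))
    srv = parse_digest(base64.b64decode(rspauth_b64).decode("utf-8"))
    params = dict(username=resp["username"], realm=resp["realm"],
                  nonce=resp["nonce"], cnonce=resp["cnonce"], nc=resp["nc"],
                  qop=resp["qop"], digest_uri=resp["digest-uri"],
                  authzid=resp.get("authzid"))
    want_resp = digest_md5(password, **params)
    want_rspauth = digest_md5(password, rspauth=True, **params)
    return {
        "nonce_echoed_by_client": resp["nonce"] == chal["nonce"],
        "cnonce_equals_nonce": resp["cnonce"] == chal["nonce"],
        "qop": resp["qop"],
        "computed_response": want_resp,
        "response_matches": want_resp == resp["response"],
        "computed_rspauth": want_rspauth,
        "rspauth_matches": want_rspauth == srv["rspauth"],
    }


def rfc2831_selfcheck():
    """True if the implementation reproduces the RFC 2831 section 4 example."""
    return (digest_md5("secret", **RFC2831_EXAMPLE) == RFC2831_RESPONSE
            and digest_md5("secret", rspauth=True, **RFC2831_EXAMPLE) == RFC2831_RSPAUTH)


if __name__ == "__main__":
    print("RFC 2831 known-answer check:", rfc2831_selfcheck())
    for key, value in verify_trace("tEst42").items():
        print(f"{key}: {value}")
```

To test a password list against a capture, call verify_trace() once per candidate and look at response_matches; the rspauth check additionally tells you whether the server side of the capture is consistent with the same secret.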

PLAIN

According to RFC 2595 the client must send: [authorize-id] \0 authenticate-id \0 password, base64 encoded. Base64 is an encoding, not encryption: PLAIN (like LOGIN) exposes the password to anyone who can read the connection or the log, so it should only be offered over an encrypted connection (STARTTLS). pwcheck_method has been set to sasldb for the following example, so the client adds @wiz.example.com to the authentication id.
>>> AUTH PLAIN dGVzdAB0ZXN0QHdpei5leGFtcGxlLmNvbQB0RXN0NDI=
235 2.0.0 OK Authenticated
Decoded:
test\000test@wiz.example.com\000tEst42
With the patch for lib/checkpw.c, or with a pwcheck_method that doesn't use realms, the client sends the bare user name instead:
>>> AUTH PLAIN dGVzdAB0ZXN0AHRFc3Q0Mg==
Decoded:
test\000test\000tEst42

LOGIN

pwcheck_method has been set to sasldb for the following example, so the client sends the user name with the realm appended. The server's 334 prompts are the base64 encoding of "Username:" and "Password:".
>>> AUTH LOGIN
334 VXNlcm5hbWU6
>>> dGVzdEB3aXouZXhhbXBsZS5jb20=
334 UGFzc3dvcmQ6
>>> dEVzdDQy
235 2.0.0 OK Authenticated
Decoded:
test@wiz.example.com
tEst42
With the patch for lib/checkpw.c, or with a pwcheck_method that doesn't use realms, the client sends the bare user name instead:
>>> AUTH LOGIN
334 VXNlcm5hbWU6
>>> dGVzdA==
334 UGFzc3dvcmQ6
>>> dEVzdDQy
235 2.0.0 OK Authenticated
Decoded:
test
tEst42
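The following script is an added example (not from the original page, from sendmail or from Cyrus SASL). It builds the PLAIN and LOGIN client lines shown above, with and without @HOST.DOMAIN, and contains a small server-side check that does what the realm hack from the first section does: a bare authid is looked up under the server's own realm, an authid of the form user@realm is split, and the lookup goes against a constructed stand-in for sasldb (a dict keyed by user and realm, mirroring the test\0wiz.example.com\0... entry above). The realm wiz.example.com and the password tEst42 are the page's values; the rejection of an authorization id that differs from the authenticated user is an added policy, not something the page describes.

```python
"""PLAIN/LOGIN encoding and a realm-aware sasldb lookup.

Added example, not code from the original page, sendmail or Cyrus SASL."""
import base64
import hmac

HOST_DOMAIN = "wiz.example.com"  # the server's realm, as in the traces above

# Constructed stand-in for sasldb, keyed by (user, realm) like the
# "test\0wiz.example.com\0..." entry quoted above. sasldb holds the
# plaintext password because CRAM-MD5/DIGEST-MD5 need it on the server.
SASLDB = {("test", "wiz.example.com"): "tEst42"}


def plain_initial_response(authcid, password, authzid="", realm=None):
    """Base64 argument of AUTH PLAIN (RFC 2595): authzid NUL authcid NUL passwd.

    With realm set, @realm is appended to the authentication id, which is
    what a client has to do against an unpatched server using sasldb."""
    if realm:
        authcid = f"{authcid}@{realm}"
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def login_exchange(authcid, password, realm=None):
    """The two client lines of AUTH LOGIN (answers to 'Username:'/'Password:')."""
    if realm:
        authcid = f"{authcid}@{realm}"
    return (base64.b64encode(authcid.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


def split_realm(authid, default_realm):
    """The server-side realm hack: user@realm is split, a bare user name
    is looked up under the server's own realm (HOST.DOMAIN)."""
    if "@" in authid:
        user, realm = authid.rsplit("@", 1)
        return user, realm
    return authid, default_realm


def check_plain(b64, default_realm=HOST_DOMAIN, db=SASLDB):
    """Server side of AUTH PLAIN: returns the authenticated user name, or None."""
    try:
        parts = base64.b64decode(b64, validate=True).decode("utf-8").split("\0")
    except (ValueError, UnicodeDecodeError):
        return None
    if len(parts) != 3:
        return None
    authzid, authcid, password = parts
    user, realm = split_realm(authcid, default_realm)
    stored = db.get((user, realm))
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    # Added policy: only accept an empty authorization id (RFC 2595: act as
    # the authenticated identity) or one equal to the authenticated user.
    if authzid and authzid not in (authcid, user):
        return None
    return user


def check_login(user_b64, password_b64, default_realm=HOST_DOMAIN, db=SASLDB):
    """Server side of AUTH LOGIN, reusing the PLAIN check with an empty authzid."""
    try:
        authcid = base64.b64decode(user_b64, validate=True).decode("utf-8")
        password = base64.b64decode(password_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return check_plain(plain_initial_response(authcid, password), default_realm, db)


if __name__ == "__main__":
    for realm in ("wiz.example.com", None):
        line = plain_initial_response("test", "tEst42", authzid="test", realm=realm)
        print("AUTH PLAIN", line, "->", check_plain(line))
        u, p = login_exchange("test", "tEst42", realm=realm)
        print("AUTH LOGIN", u, p, "->", check_login(u, p))
    other = plain_initial_response("test", "tEst42", realm="other.example")
    print("wrong realm ->", check_plain(other))
```

Both the client line with test@wiz.example.com and the bare test resolve to the same sasldb entry, while test@other.example does not; that is the whole effect of the checkpw.c patch from the server's point of view.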

Copyright © Claus Aßmann Please send comments to: <ca at sendmail.org>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.