[Pkg-exim4-users] SMTP AUTH and Cyrus SASL problem

Juha Koho jmcsa00 at gmail.com
Fri Aug 8 07:55:52 UTC 2008


Hello,

I'm trying to configure CRAM-MD5 and DIGEST-MD5 SMTP AUTH using Cyrus
SASL but I'm having strange problems. I also have Cyrus IMAP installed
and in Cyrus these authentication mechanisms work fine. The problem is
that exim segfaults every time.

Authenticator configuration in exim:
cram_md5_sasl_server:
  driver = cyrus_sasl
  public_name = CRAM-MD5
  server_realm = <removed>
  server_set_id = $auth1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

digest_md5_sasl_server:
  driver = cyrus_sasl
  public_name = DIGEST-MD5
  server_realm = <removed>
  server_set_id = $auth1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif


/usr/lib/sasl2/exim.conf:
mech_list: digest-md5 cram-md5 plain login
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldaps://<address removed>/
ldapdb_id: <id removed>
ldapdb_pw: <pwd removed>
ldapdb_mech: CRAM-MD5


Output from exim4 -bd -d+auth:
Exim version 4.69 uid=0 gid=0 pid=17392 D=fbb95cfd
Berkeley DB: Berkeley DB 4.6.21: (September 27, 2007)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS
move_frozen_messages Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz
dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
changed uid/gid: forcing real = effective
  uid=0 gid=0 pid=17392
  auxiliary group list: <none>
seeking password data for user "uucp": cache not available
getpwnam() succeeded uid=10 gid=10
configuration file is /var/lib/exim4/config.autogenerated
log selectors = 00000ffc 00612605
cwd=/etc/exim4 3 args: exim4 -bd -d+auth
trusted user
admin user
seeking password data for user "mail": cache not available
getpwnam() succeeded uid=8 gid=8
seeking password data for user "mail": using cached result
getpwnam() succeeded uid=8 gid=8
Cyrus SASL knows about: PLAIN
Cyrus SASL driver plain_sasl_server: PLAIN initialised
Cyrus SASL knows about: CRAM-MD5
Cyrus SASL driver cram_md5_sasl_server: CRAM-MD5 initialised
Cyrus SASL knows about: DIGEST-MD5
Cyrus SASL driver digest_md5_sasl_server: DIGEST-MD5 initialised
user name "root" extracted from gecos field "root"
originator: uid=0 gid=0 login=root name=root
17392 listening on 127.0.0.1 port 25
17392 listening on <server ip removed> port 25
17392 pid written to /var/run/exim4/exim.pid
17392 changed uid/gid: running as a daemon
17392   uid=101 gid=103 pid=17392
17392   auxiliary group list: 45 61 103
17392 LOG: MAIN
17392   exim 4.69 daemon started: pid=17392, no queue runs, listening
for SMTP on [127.0.0.1]:25 [<server ip removed>]:25
17392 set_process_info: 17392 daemon: no queue runs, listening for
SMTP on [127.0.0.1]:25 [<server ip removed>]:25
17392 daemon running with uid=101 gid=103 euid=101 egid=103
17392 Listening...
17438 Connection request from 192.168.1.30 port 1108
17438 search_tidyup called
17438 1 SMTP accept process running
17438 Listening...
17445 host in rfc1413_hosts? yes (matched "*")
17445 doing ident callback
17445 ident connection to 192.168.1.30 failed: Connection refused
17445 sender_fullhost = [192.168.1.30]
17445 sender_rcvhost = [192.168.1.30]
17445 Process 17445 is handling incoming connection from [192.168.1.30]
17445 host in host_lookup? yes (matched "*")
17445 looking up host name for 192.168.1.30
17445 DNS lookup of 30.1.168.192.in-addr.arpa (PTR) succeeded
17445 IP address lookup yielded <removed>
17445 gethostbyname2(af=inet6) returned 4 (NO_DATA)
17445 gethostbyname2 looked up these IP addresses:
17445   name=<removed> address=192.168.1.30
17445 checking addresses for <removed>
17445   192.168.1.30 OK
17445 sender_fullhost = <removed> [192.168.1.30]
17445 sender_rcvhost = <removed> ([192.168.1.30])
17445 set_process_info: 17445 handling incoming connection from
<removed> [192.168.1.30]
17445 host in host_reject_connection? no (option unset)
17445 host in sender_unqualified_hosts? no (option unset)
17445 host in recipient_unqualified_hosts? no (option unset)
17445 host in helo_verify_hosts? no (option unset)
17445 host in helo_try_verify_hosts? no (option unset)
17445 host in helo_accept_junk_hosts? no (option unset)
17445 SMTP>> 220 <server name removed> ESMTP
17445 Process 17445 is ready for new message
17445 smtp_setup_msg entered
17445 SMTP<< EHLO [127.0.0.1]
17445 sender_fullhost = <removed> ([127.0.0.1]) [192.168.1.30]
17445 sender_rcvhost = <removed> ([192.168.1.30] helo=[127.0.0.1])
17445 set_process_info: 17445 handling incoming connection from
<removed> ([127.0.0.1]) [192.168.1.30]
17445 host in pipelining_advertise_hosts? yes (matched "*")
17445 host in auth_advertise_hosts? yes (matched "*")
17445 host in tls_advertise_hosts? yes (matched "*")
17445 SMTP>> 250-<server name removed> Hello <removed> [192.168.1.30]
17445 250-SIZE 52428800
17445 250-PIPELINING
17445 250-STARTTLS
17445 250 HELP
17445 SMTP<< STARTTLS
17445 initializing GnuTLS as a server
17445 read D-H parameters from file
17445 initialized D-H parameters
17445 certificate file = /etc/ssl/exim.crt
17445 key file = /etc/ssl/exim.key
17445 verify certificates = /etc/ssl/certs/ca-certificates.crt size=219184
17445 initialized certificate stuff
17445 host in tls_verify_hosts? no (option unset)
17445 host in tls_try_verify_hosts? yes (matched "*")
17445 initialized GnuTLS session
17445 SMTP>> 220 TLS go ahead
17445 gnutls_handshake was successful
17445 no peer certificate supplied
17445 TLS certificate verify failure (not supplied) overridden (host
in tls_try_verify_hosts): peerdn=
17445 cipher: TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32
17445 sender_fullhost = <removed> [192.168.1.30]
17445 sender_rcvhost = <removed> ([192.168.1.30])
17445 set_process_info: 17445 handling incoming TLS connection from
<removed> [192.168.1.30]
17445 TLS active
17445 Calling gnutls_record_recv(17f4ea0, 17fb8e0, 4096)
17445 SMTP<< EHLO [127.0.0.1]
17445 sender_fullhost = <removed> ([127.0.0.1]) [192.168.1.30]
17445 sender_rcvhost = <removed> ([192.168.1.30] helo=[127.0.0.1])
17445 set_process_info: 17445 handling TLS incoming connection from
<removed> ([127.0.0.1]) [192.168.1.30]
17445 host in pipelining_advertise_hosts? yes (matched "*")
17445 host in auth_advertise_hosts? yes (matched "*")
17445 tls_do_write(156a580, 149)
17445 gnutls_record_send(SSL, 156a580, 149)
17445 outbytes=149
17445 SMTP>> 250-<server name removed> Hello <removed> [192.168.1.30]
17445 250-SIZE 52428800
17445 250-PIPELINING
17445 250-AUTH PLAIN CRAM-MD5 DIGEST-MD5
17445 250 HELP
17445 Calling gnutls_record_recv(17f4ea0, 17fb8e0, 4096)
17445 SMTP<< AUTH CRAM-MD5
17445 Calling sasl_server_start(CRAM-MD5,"")
17445 SMTP>> 334 PDgzMzQ2Mjc1MC4xMDIyMTIwNEBvcmlvbi50cmluZWNvLmZpPg==
17445 tls_do_write(15598d0, 58)
17445 gnutls_record_send(SSL, 15598d0, 58)
17445 outbytes=58
17445 Calling gnutls_record_recv(17f4ea0, 17fb8e0, 4096)
17445 SMTP<< a29obyBkZjU5ZmNkNmYyMTI1MjZiMzBlM2UwNTU0NDIyZDBmNA==
17445 Calling sasl_server_step("a29obyBkZjU5ZmNkNmYyMTI1MjZiMzBlM2UwNTU0NDIyZDBmNA==")
17445 Cyrus SASL CRAM-MD5 authentication succeeded for <email removed>
17438 child 17445 ended: status=0xb
17438 0 SMTP accept processes now running
17438 Listening...


Syslog:
exim4[17445]: segfault at 11 ip 7f717b6ac200 sp 7fff85f74db8 error 4
in libpthread-2.7.so[7f717b6a4000+16000]


Nothing appears in exim's own log.

Am I missing some settings here or what? It seems that authentication
works because of the line "Cyrus SASL CRAM-MD5 authentication
succeeded for" but exim segfaults and the message is not delivered. And
as I mentioned, Cyrus IMAP works just fine with these settings.

Regards,
Juha
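
Added example, not part of the original post and not Exim or Cyrus SASL code: the CRAM-MD5 exchange visible in the debug output (the `334` challenge, the base64 reply, then `sasl_server_step`), written out per RFC 2195 in Python. The host, user, password, log lines and the `lookup_password` callback are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def client_response(user, password, challenge_b64):
    """Client side (RFC 2195): base64("user " + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def server_verify(challenge_b64, response_b64, lookup_password):
    """Server side: recompute the HMAC and compare. Returns the user name or None."""
    try:
        challenge = base64.b64decode(challenge_b64)
        user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except ValueError:  # bad base64, bad UTF-8, or no "user digest" pair
        return None
    password = lookup_password(user)  # the server needs the plaintext secret here
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected.encode(), digest.lower().encode())
    return user if ok else None

def exchange_from_debug_log(text):
    """Extract (challenge, response) from 'SMTP>> 334 ...' and the next 'SMTP<< ...' line."""
    chal = re.search(r"SMTP>> 334 (\S+)", text)
    if not chal:
        return None
    resp = re.search(r"SMTP<< (\S+)[ \t]*$", text[chal.end():], re.M)
    return (chal.group(1), resp.group(1)) if resp else None

# Constructed sample data: host, user and password are made up for this example.
USERS = {"alice": "correct horse"}
CHALLENGE = base64.b64encode(b"<1234.5678@mail.example.test>").decode()

def sample_log(password):
    """Build debug-style lines in the shape of the post's output, for the constructed user."""
    return (
        "4242 SMTP<< AUTH CRAM-MD5\n"
        f"4242 SMTP>> 334 {CHALLENGE}\n"
        f"4242 SMTP<< {client_response('alice', password, CHALLENGE)}\n"
    )

if __name__ == "__main__":
    chal, resp = exchange_from_debug_log(sample_log("correct horse"))
    print(server_verify(chal, resp, USERS.get))
```

The check needs nothing but the two base64 lines and the secret, which is why the `334` and reply lines of `-d+auth` output are worth redacting along with addresses and host names.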


