View | Details | Raw Unified | Return to bug 63289

(-)Makefile (-1 / +1 lines)
Lines 10-16 Link Here
10
PORTREVISION=	2
10
PORTREVISION=	2
11
CATEGORIES=	security ipv6
11
CATEGORIES=	security ipv6
12
12
13
MAINTAINER=	ports@FreeBSD.org
13
MAINTAINER=	FreeBSD-Maintainer@westbend.net
14
COMMENT=	RFC 2222 SASL (Simple Authentication and Security Layer)
14
COMMENT=	RFC 2222 SASL (Simple Authentication and Security Layer)
15
15
16
DISTFILES=	${DISTNAME}${EXTRACT_SUFX} \
16
DISTFILES=	${DISTNAME}${EXTRACT_SUFX} \
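Review bot: PORTREVISION stays at 2 on both sides of this hunk, although the same patch changes the rc scripts in files/pwcheck.sh and files/saslauthd.sh and adds text to files/Sendmail.README. If those files end up in the installed package, bump PORTREVISION so existing installations pick up the new scripts. The MAINTAINER change itself looks fine.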
(-)files/Sendmail.README (+116 lines)
Lines 72-74 Link Here
72
   The DONT_BLAME_SENDMAIL option GroupReadableSASL[DB]File is needed when you
72
   The DONT_BLAME_SENDMAIL option GroupReadableSASL[DB]File is needed when you
73
   are using cyrus-imapd and sendmail on the same server that requires access
73
   are using cyrus-imapd and sendmail on the same server that requires access
74
   to the sasldb database.
74
   to the sasldb database.
75
76
----
77
78
To test Authentication with the sendmail server:
79
80
   You'll need to install the following PERL ports:
81
	converters/p5-MIME-Base64
82
	security/p5-Digest-MD5
83
	security/p5-Digest-HMAC
84
85
   Then use one of the following procedures to test:
86
87
   A. PLAIN Mech:
88
      1. Create your Base64 encoded username/password.
89
90
         #perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
91
         dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=
92
93
      2. telnet to port 25 of your sendmail server
94
95
      3. send "EHLO <client.host.name>"
96
         a. check for "250-AUTH *" in the response
97
         b. check that the PLAIN mech is listed.
98
99
      4. Send "AUTH PLAIN <Base64 username/password>"
100
101
         AUTH PLAIN dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=
102
103
         you should now see the following response from the server:
104
105
         235 Authentication successful
106
107
      5. Type "QUIT" to close the telnet session to sendmail.
108
109
   B. LOGIN Mech:
110
      1. Create your Base64 encoded username and password.
111
112
         #perl -MMIME::Base64 -e 'print encode_base64("username");'
113
         dXNlcm5hbWU=
114
         #perl -MMIME::Base64 -e 'print encode_base64("password");'
115
         cGFzc3dvcmQ=
116
117
      2. telnet to port 25 of your sendmail server
118
119
      3. send "EHLO <client.host.name>"
120
         a. check for "250-AUTH *" in the response
121
         b. check that the LOGIN mech is listed.
122
123
      4. Send "AUTH LOGIN", then the base64 encoded username and passwords.
124
125
         C: AUTH LOGIN
126
	 S: 334 VXNlcm5hbWU6  (base64 encoded "Username:")
127
         C: dXNlcm5hbWU=
128
         S: 334 UGFzc3dvcmQ6  (base64 encode "Password:")
129
         C: cGFzc3dvcmQ=
130
         S: 235 2.0.0 OK Authenticated
131
132
      5. Type "QUIT" to close the telnet session to sendmail.
133
134
   C. DIGEST-MD5 Mech:
135
136
      1. telnet to port 25 of your sendmail server
137
138
      2. send "EHLO <client.host.name>"
139
         a. check for "250-AUTH *" in the response
140
         b. check that the DIGEST-MD5 mech is listed.
141
142
      3. Send "AUTH DIGEST-MD5"
143
144
         C: AUTH DIGEST-MD5
145
         S: 334 ?
146
147
      4. Calculate the DIGEST-MD5 response (use another telnet, ssh, or X Window)
148
149
         ?
150
151
      5. Send the DIGEST-MD5 response to the server.
152
153
         C: ?
154
         S: 235 2.0.0 OK Authenticated
155
156
      6. Type "QUIT" to close the telnet session to sendmail.
157
158
   D. CRAM-MD5 Mech:
159
160
      1. telnet to port 25 of your sendmail server
161
162
      2. send "EHLO <client.host.name>"
163
         a. check for "250-AUTH *" in the response
164
         b. check that the CRAM-MD5 mech is listed.
165
166
      3. Send "AUTH CRAM-MD5"
167
168
         C: AUTH CRAM-MD5
169
         S: 334 PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+
170
		(base64 encoded timestamp and hostname)
171
172
      4. Calculate the CRAM-MD5 response (use another telnet, ssh, or X Window)
173
174
         perl '-MDigest::HMAC_MD5 qw(hmac_md5 hmac_md5_hex)' -MMIME::Base64 \
175
           -e 'print encode_base64("username " . hmac_md5_hex(decode_base64("<ticket>"),"password"));'
176
177
         The "<ticket>" is the response received from the server in step 3.
178
179
         (i.e. PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+)
180
181
         Using the above ticket our CRAM-MD5 response is:
182
183
           dXNlcm5hbWUgMDZkMGEzMjVmMDU0NjQ4NjQ2ZTA3MmNkNGZlYjE3YzQ=
184
185
      5. Send the CRAM-MD5 response to the server.
186
187
         C: dXNlcm5hbWUgMDZkMGEzMjVmMDU0NjQ4NjQ2ZTA3MmNkNGZlYjE3YzQ=
188
         S: 235 2.0.0 OK Authenticated
189
190
      6. Type "QUIT" to close the telnet session to sendmail.
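Review bot: Section C (DIGEST-MD5) is left with "?" placeholders for the server challenge in step 3, the calculation in step 4 and the client response in step 5, so the procedure cannot be followed as written. Either fill it in to the same level as section D or drop it until it is complete. Sections A and B should also say that the Base64 strings are only an encoding of the username and password and travel in the clear over the telnet session, so the test belongs on a throwaway account or a trusted network path. The "#perl" prompts read as shell comments when pasted; "# perl" or "% perl" would be clearer. "PERL" should be "Perl", and the "S: 334 VXNlcm5hbWU6" line is indented with a tab where its neighbours use spaces.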
(-)files/pwcheck.sh (-8 / +6 lines)
Lines 8-16 Link Here
8
# BEFORE: mail imap
8
# BEFORE: mail imap
9
# KEYWORD: FreeBSD shutdown
9
# KEYWORD: FreeBSD shutdown
10
#
10
#
11
# NOTE for FreeBSD 5.0+:
12
# If you want this script to start with the base rc scripts
13
# move cyrus_pwcheck.sh to /etc/rc.d/cyrus_pwcheck
14
11
15
prefix=%%PREFIX%%
12
prefix=%%PREFIX%%
16
13
Lines 19-29 Link Here
19
#	/etc/rc.conf.local
16
#	/etc/rc.conf.local
20
#	/etc/rc.conf.d/cyrus_pwcheck
17
#	/etc/rc.conf.d/cyrus_pwcheck
21
#
18
#
22
# DO NOT CHANGE THESE DEFAULT VALUES HERE
19
# DO NOT CHANGE THE DEFAULT VALUES HERE
23
#
20
24
cyrus_pwcheck_enable="%%ENABLE_PWCHECK%%"			# Enable pwcheck daemon
21
cyrus_pwcheck_enable=${cyrus_pwcheck_enable:-"%%ENABLE_PWCHECK%%"}
25
cyrus_pwcheck_program="${prefix}/sbin/%%PWCHECK%%"	# pwcheck program to use
22
26
							# (pwcheck/pwcheck_pam)
23
# pwcheck program to use (pwcheck/pwcheck_pam)
24
cyrus_pwcheck_program=${cyrus_pwcheck_program:-"${prefix}/sbin/%%PWCHECK%%"}
27
25
28
. %%RC_SUBR%%
26
. %%RC_SUBR%%
29
27
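Review bot: The two defaults are still assigned above ". %%RC_SUBR%%", so with the new "${cyrus_pwcheck_enable:-...}" and "${cyrus_pwcheck_program:-...}" forms the script now takes any value for these variables that is already set in the invoking environment. If that is intended, say so in the comment block. If the aim is only to keep rc.conf overrides from being clobbered, it is worth checking where the configuration is actually loaded relative to these lines, which this hunk does not show. The "# Enable pwcheck daemon" comment was dropped while the one for the program was kept, and the closing "#" of the comment block is gone; keeping both would preserve the header's layout.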
(-)files/saslauthd.sh (-8 / +4 lines)
Lines 8-16 Link Here
8
# BEFORE: mail imap
8
# BEFORE: mail imap
9
# KEYWORD: FreeBSD shutdown
9
# KEYWORD: FreeBSD shutdown
10
#
10
#
11
# NOTE for FreeBSD 5.0+:
12
# If you want this script to start with the base rc scripts
13
# move saslauthd1.sh to /etc/rc.d/saslauthd1
14
11
15
prefix=%%PREFIX%%
12
prefix=%%PREFIX%%
16
13
Lines 19-29 Link Here
19
#	/etc/rc.conf.local
16
#	/etc/rc.conf.local
20
#	/etc/rc.conf.d/saslauthd1
17
#	/etc/rc.conf.d/saslauthd1
21
#
18
#
22
# DO NOT CHANGE THESE DEFAULT VALUES HERE 
19
# DO NOT CHANGE THE DEFAULT VALUES HERE 
23
#
20
24
saslauthd1_enable="%%ENABLE_SASLAUTHD%%"		# Enable saslauthd
21
saslauthd1_enable=${saslauthd1_enable:-"%%ENABLE_SASLAUTHD%%"}
25
#saslauthd1_program="${prefix}/sbin/saslauthd1"	# Location of saslauthd1
22
saslauthd1_flags=${saslauthd1_flags:-"-a pam}
26
saslauthd1_flags="-a pam"			# Flags to saslauthd program
27
23
28
. %%RC_SUBR%%
24
. %%RC_SUBR%%
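Review bot: The new saslauthd1_flags line is missing its closing double quote: saslauthd1_flags=${saslauthd1_flags:-"-a pam} opens a quoted string that never ends inside the braces, so the script will fail to parse or swallow the following lines. It should read saslauthd1_flags=${saslauthd1_flags:-"-a pam"}. The commented-out saslauthd1_program line and the inline comments are removed here as well; a one-line comment on what the flags default means would keep the file self-documenting, as was done for the program variable in pwcheck.sh.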
