On Monday, May 7 at 09:19 PM, quoth Andreas Krummrich:
I build a new qmail with this patch, but without luck. I just
increased the logging of my postfix server, for TLS. Perhaps this
helps a bit:
I think it may, yes:
May 7 21:12:01 santa postfix/smtpd[28035]: 41CC2CD57D:
client=bart.springfield.home[10.10.42.10], sasl_method=CRAM-MD5,
sasl_username=brutus
Aha! CRAM-MD5 requires special support on the part of your
checkpassword program, and can be hard to get working in some
circumstances (because in order to get it working, checkpassword has
to have access to a cleartext version of your password, which is not
something typically provided by password storage mechanisms (such as
PAM)). Recompile qmail and *disable* CRAM-MD5 advertising. According
to Bill Shupp's patch, that's a matter of removing the line in
qmail-smtpd.c that looks like this:
#define CRAM-MD5
So now... what's the rest of this...?
May 7 21:12:01 santa postfix/smtp[28038]: TLS connection
established to rom.iunius.org: TLSv1 with cipher
EDH-RSA-DES-CBC3-SHA (168/168 bits)
er? Isn't that who we were talking to earlier?
May 7 21:12:01 santa postfix/smtp[28038]: 41CC2CD57D:
to=<krummrich@msim.de>, relay=rom.iunius.org[81.169.142.6], delay=0,
status=bounced (host rom.iunius.org[81.169.142.6] said: 553 sorry, that
domain isn't in my list of allowed rcpthosts; no valid cert for
gatewaying (#5.7.1))
So, no information at all about how it tried to authenticate? I'm not
understanding the logical flow here.
Anyway, try disabling CRAM-MD5 advertising in qmail-smtpd.c, and see
where that gets you.
~Kyle
--
A woman has the last word in any argument. Anything a man says after
that is the beginning of a new argument.
-- Unknown
pgpNLlIjZVTFb.pgp
Description: PGP signature
|