Wednesday, February 07, 2018

Solaris 11.4: Setting up Sendmail / SASL to handle SMTP AUTH

With the release of Solaris 11.4 Beta we finally get a SASL implementation based on the open source Cyrus SASL version 2.1.26, with a few changes. This means that Solaris can now handle SMTP AUTH out of the box.

I have been here before with previous blog entries:
- Can Solaris 11 Sendmail / SASL handle SMTP AUTH
- Solaris 11: Setting up Sendmail / SASL to handle SMTP AUTH

Ref: Using Simple Authentication and Security Layer


  •  Solaris 11.4 Beta now comes with SASL support
# /usr/lib/sendmail -d0 -bt < /dev/null
Version 8.15.2+Sun
 Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8
                MIME8TO7 NAMED_BIND NDBM NETINET NETINET6 NETUNIX NEWDB
                NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
                USERDB USE_LDAP_INIT XDEBUG
  • Need to modify the sendmail configuration file slightly to add AUTH and AUTH methods 
# cd /etc/mail/cf/cf
# cat > sasl.mc
divert(0)dnl
VERSIONID(`sendmail.mc (Sun)')
OSTYPE(`solaris11')dnl
DOMAIN(`solaris-generic')dnl
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

define(`confFALLBACK_SMARTHOST', `mailhost$?m.$m$.')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl

LOCAL_NET_CONFIG
R$* < @ $* .$m. > $*    $#esmtp $@ $2.$m $: $1 < @ $2.$m. > $3


# make sasl.cf
test ! -f sasl.cf || /usr/bin/mv sasl.cf sasl.cf.prev
/usr/bin/m4 ../m4/cf.m4 sasl.mc > sasl.cf

# cp sasl.cf ../../sendmail.cf
# svcadm restart sendmail
  • Set up the SASL plugin via the Sendmail.conf file
# cat /etc/sasl2/Sendmail.conf
pwcheck_method: saslauthd
  • For authentication to work, saslauthd has to be running; you can start it as a one-off process (good for debugging). Naturally this needs to go into an SMF service, but that has been covered in the blog entries above.
# saslauthd -n 1 -V -d -a pam
saslauthd[7495] :main            : num_procs  : 1
saslauthd[7495] :main            : mech_option: NULL
saslauthd[7495] :main            : run_path   : /var/run/saslauthd
saslauthd[7495] :main            : auth_mech  : pam
saslauthd[7495] :detach_tty      : master pid is: 0
saslauthd[7495] :ipc_init        : door on: /var/run/saslauthd/mux
...the following lines appear once the testsaslauthd command below has been run
saslauthd[7495] :do_auth         : auth success: [user=MyUserName] [service=imap] [realm=] [mech=pam]
saslauthd[7495] :do_request      : response: OK

# /usr/lib/sasl/tests/testsaslauthd -u MyUserName -p MyPassword
0: OK "Success."
  • Now test the sendmail part, but first we need the Base64-encoded username and password (an encoding, not encryption):
# perl -MMIME::Base64 -e 'print encode_base64("\000MyUser\000MyPassword")'
AE15VXNlcgBNeVBhc3N3b3Jk

# /usr/lib/sendmail -bv  -O LogLevel=14 -bs -Am
220 delphi.dcs.bbk.ac.uk ESMTP Sendmail 8.15.2+Sun/8.15.2; Wed, 7 Feb 2018 12:44:02 GMT
EHLO localhost    
250-delphi.dcs.bbk.ac.uk Hello root@localhost, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
AUTH PLAIN AE15VXNlcgBNeVBhc3N3b3Jk
235 2.0.0 OK Authenticated
quit
  • Looking at /var/log/syslog after doing the above you will see the following (the errors are mainly because I have not set up certificates completely on this test setup):
#####AFTER STARTING /usr/lib/sendmail -bv  -O LogLevel=14 -bs -Am
Feb  7 12:38:13 delphi sendmail[8043]: [ID 801593 mail.info] NOQUEUE: connect from root@localhost
Feb  7 12:38:13 delphi sendmail[8043]: [ID 702911 mail.warning] STARTTLS: ServerCertFile missing
Feb  7 12:44:02 delphi sendmail[8275]: [ID 702911 mail.info] AUTH: available mech=SCRAM-SHA-1 GSS-SPNEGO GSSAPI OTP LOGIN PLAIN, allowed mech=DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Feb  7 12:38:13 delphi sendmail[8043]: [ID 801593 mail.info] w17CcDMH008043: Milter: no active filter


#####AFTER AUTH PLAIN AHdzdHVkZW50AEExczJkM2Y0ZzU=
Feb  7 12:44:42 delphi sendmail[8275]: [ID 702911 mail.info] AUTH=server, relay=root@localhost, authid=MyUserName, mech=PLAIN, bits=0

  • That is it and Oracle Solaris 11.4
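
An added example (not from the original post): a Python check over sendmail syslog lines in the format shown above. It reproduces why EHLO advertised only LOGIN PLAIN (the allowed mechanisms that the SASL library also reports as available) and lists PLAIN/LOGIN logins whose sendmail process never logged STARTTLS=server. The STARTTLS=server line, the second session (PID 8301) and the function names are assumptions constructed for the example.

```python
import re

# Constructed sample in the syslog format shown above. The STARTTLS=server line
# and the second session (PID 8301) are assumptions added for contrast.
SAMPLE_LOG = """\
Feb  7 12:44:02 delphi sendmail[8275]: [ID 702911 mail.info] AUTH: available mech=SCRAM-SHA-1 GSS-SPNEGO GSSAPI OTP LOGIN PLAIN, allowed mech=DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Feb  7 12:44:42 delphi sendmail[8275]: [ID 702911 mail.info] AUTH=server, relay=root@localhost, authid=MyUserName, mech=PLAIN, bits=0
Feb  7 12:50:09 delphi sendmail[8301]: [ID 702911 mail.info] STARTTLS=server, relay=client.example.org [192.0.2.10], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Feb  7 12:50:10 delphi sendmail[8301]: [ID 702911 mail.info] AUTH=server, relay=client.example.org [192.0.2.10], authid=OtherUser, mech=LOGIN, bits=0
"""

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # password is only base64-encoded on the wire
PID_RE = re.compile(r"sendmail\[(\d+)\]:")
MECH_RE = re.compile(r"AUTH: available mech=([^,]*), allowed mech=(.*)$")
AUTH_RE = re.compile(r"AUTH=server, relay=(.*?), authid=([^,]+), mech=([\w-]+), bits=\d+")


def offered_mechanisms(log_text):
    """Mechanisms EHLO can advertise: allowed entries the SASL library reports as available."""
    for line in log_text.splitlines():
        m = MECH_RE.search(line)
        if m:
            available = set(m.group(1).split())
            return [mech for mech in m.group(2).split() if mech in available]
    return []


def plaintext_auth_without_tls(log_text):
    """Successful PLAIN/LOGIN logins whose sendmail process never logged STARTTLS=server."""
    # bits= on the AUTH line is the SASL layer's strength and stays 0 for PLAIN/LOGIN,
    # so TLS is detected from a STARTTLS=server line logged by the same PID.
    tls_pids, findings = set(), []
    for line in log_text.splitlines():
        pid = PID_RE.search(line)
        if not pid:
            continue
        if "STARTTLS=server" in line:
            tls_pids.add(pid.group(1))
            continue
        m = AUTH_RE.search(line)
        if m and m.group(3).upper() in PLAINTEXT_MECHS and pid.group(1) not in tls_pids:
            findings.append({"pid": pid.group(1), "relay": m.group(1),
                             "authid": m.group(2), "mech": m.group(3)})
    return findings


if __name__ == "__main__":
    print("offered:", offered_mechanisms(SAMPLE_LOG))
    print("plaintext AUTH without TLS:", plaintext_auth_without_tls(SAMPLE_LOG))
```

Once certificates are configured, adding `p` to `confAUTH_OPTIONS` makes sendmail withhold PLAIN and LOGIN unless a security layer such as STARTTLS is active.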


Tuesday, October 10, 2017

Setting up Oracle Solaris iSCSI Targets for Multipathed

After wasting 2 weeks on getting this to work I thought I would post a step-by-step guide.

I have been using iSCSI targets on Oracle Solaris for years, but only with the installation of a new storage system with two VLANs (multipathed) for failover did I need Solaris to recognise the different VLANs in case of an interface failure.

This wasn't easy, since the Oracle Solaris documentation is very unclear about it. It has all the information there but finding it and understanding it is near impossible.

The following steps show you the procedure to connect to a single iSCSI target accessible via two interfaces for failover.

Thursday, May 11, 2017

Oracle Solaris 11.3 PHP and LDAPS now work together

Well, 2 years ago I complained that LDAPS did not work with PHP in Solaris 11.2; well, with Oracle Solaris 11.3 and a recent SRU they are now working in partnership.

Monday, August 15, 2016

Gotchas when migrating from Samba to Oracle Solaris 11 SMB Server

I am in the middle of migrating "Oracle Solaris 11 non-global zone running Samba" to an "Oracle Solaris 11 kernel zone running SMB server".
This blog isn't going to explain why you want to move and/or the advantages/disadvantages, but I may get to do that at a later date. It is here to warn you about some things which you may not be aware of.

Thursday, July 28, 2016

How to copy a file from Solaris Global Zone to a Kernel Zone without a network

I posted this Tweet on twitter a while ago
Damn wish there was a way to copy a file from global zone to a kernel zone with out going over network.
and Darren Moffat pointed out a /system/shared which is read only from the zone but is writeable from the global zone. Here is a quick example:

solaris-kz# ls /system/shared/
solaris-kz# touch /system/shared/ReadOnly
touch: cannot create /system/shared/ReadOnly: Read-only file system

solaris-kz# df /system/shared/
/system/shared     (/dev/kz/sdir/shared@0):296322344 blocks 28136253 files


global-zone# zoneadm list -vc
  ID NAME        STATUS   PATH  BRAND      IP   
   0 global      running  /     solaris    shared
   1 solaris-kz  running  -     solaris-kz excl 


global-zone# ls /system/volatile/zones/solaris-kz/zonepath/root/shared/
global-zone# touch /system/volatile/zones/solaris-kz/zonepath/root/shared/myfile

solaris-kz# ls /system/shared/
myfile

Monday, July 11, 2016

Compile GEOS geometry library on Solaris 11 using Oracle Developer Studio 12.5

This is a follow-on from my posts about installing PostGIS. In those posts I used GNU compilers, but I have managed to get parts to compile with Developer Studio 12.5.

If you are looking for the GNU version then it is here: Compile PostgreGIS (GEOS geometry library) on Solaris 11 (11.3) using gcc

Compile Proj4 reprojection library on Solaris 11 using Oracle Developer Studio 12.5

This is a follow-on from my posts about installing PostGIS. In those posts I used GNU compilers, but I have managed to get parts to compile with Developer Studio 12.5.

If you are looking for the GNU version then it is here: Compile PostgreGIS (Proj4 reprojection library) on Solaris 11 (11.3) using gcc

Monday, July 04, 2016

Install PostGIS on Solaris 11 (11.3)

I said I would install PostGIS for a student project but I wish I never said yes, since it has taken over a week to compile it.

As you may guess, there are not many working instructions out in the wild!

I will break down this step-by-step guide into different blog entries, otherwise it will get very long.
I had to compile all software using GCC since Solaris Studio gave too many problems:

Compile PostgreGIS (GDAL) on Solaris 11 (11.3)

Before you install PostGIS you will need to install some of the requirements.

GDAL is a translator library for raster and vector geospatial data formats.

Compile PostgreGIS (GEOS geometry library) on Solaris 11 (11.3)

Before you install PostGIS you will need to install some of the requirements.

GEOS geometry library, version 3.3 or greater, but GEOS 3.5+ is recommended to take full advantage of all the new functions and features.

Compile PostgreGIS (Proj4 reprojection library) on Solaris 11 (11.3)

Before you install PostGIS you will need to install some of the requirements.

Proj4 reprojection library is used to provide coordinate reprojection support within PostGIS.

Compile PostgreSQL on Solaris 11 (11.3)

I know PostgreSQL is available as a binary from http://www.postgresql.org and, to be honest, I have always used it, but just in case you need to go down the PostGIS route you may need to recompile it.

References: PostgreSQL 9.5.3 Documentation

# pkg install developer/gcc-45 build/gnu-make
# export PATH=/usr/gcc/4.5/bin:/usr/bin:/usr/sbin:/usr/sfw/bin:/usr/lib:/usr/gnu/bin
# bzip2 -dc postgresql-9.5.3.tar.bz2 | tar xf -
# cd postgresql-9.5.3