Automatic email relay agent?

Alexander Dalloz ad+lists at
Thu Dec 1 17:00:37 UTC 2005

Am Do, den 01.12.2005 schrieb Hongwei Li um 17:13:

> My system is fc3 linux, using sendmail-8.13.1-2 as email server.

Ok, so the path to the SSL certs is the old one, which changed first
with FC4.

> I followed the steps on that web page:
> # cd /usr/share/ssl/certs/
> # make sendmail.pem
> ... (I put our server's fully qualified domain name for the Common Name prompt)


> # chkconfig saslauthd on
> # service saslauthd restart

The saslauthd restart wasn't necessary.

> # cd /etc/mail/
> # vi
> (changes:
> define(`confAUTH_OPTIONS', `A p y')dnl

Fine, that enables AUTH, forbids anonymous login and requires a secure
connection for the weak auth mechanisms LOGIN and PLAIN.

> define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl


> define(`confCACERT_PATH',`/usr/share/ssl/certs')
> define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
> define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
> define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')

Looks good.

> define(`confLOG_LEVEL', `14')dnl

For debugging the changed log_level is fine.

> # m4 /etc/mail/ > /etc/mail/
> # service sendmail restart

The service restart includes an automatic rebuilding of the .cf files if
changes of the .mc files are detected.

> Then, I set a guest Outlook account by checking the boxes under Advanced
> Setting page:
> Incoming server (POP3) -- This server requires an encrypted connection (SSL)
> -- the port changes from 110 to 995

That has nothing to do with the MTA part. So if you want to provide a
secure POP3 connection - like through dovecot - that service has to be
configured for that as well, and has to know about a certificate to use.

> Outgoing server (SMTP) -- This server requires an encrypted connection (SSL)
> -- the port number remains as 25

Correct. Do not select "Secure Password Authentication" (SPA) if that is
offered somewhere in the client's menu. Else authentication will fail.

> When I check the incoming emails, it shows the message about server
> certificate.  I click Yes to continue, then it received all incoming emails.

The client may show you that message always, unless you import the CA's
certificate into your client.

> However, when I try to send email out, I first see the message:
> "An encrypted email connection has been detected...."  I click OK, but failed
> sending email out.  The error message is:
> ... error (0x800CCC7D): "Your outgoing (SMTP) server does not support
> SSL-encrypted connection....

Hm, it may be advisable to restart Outlook / OE. You should also clear the
SSL cache. Because of the integration of the different applications you
reach this option through the Internet Exploder options menu. A different
reason for that problem can be an anti-virus scanner running in the
background. Norton Antivirus is well known for this behaviour, broken for
years and probably never fixed.
Of course, before trying any "tricks", be sure you have the latest
version of OE on your system.

> The system maillog shows:
> ...
> Dec  1 10:07:52 morpheus sendmail[26574]: jB1G7ogu026574: Milter accept: message
> Dec  1 10:07:52 morpheus sendmail[26578]: jB1G7pt6026578: [] did
> not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> Dec  1 10:07:52 morpheus sendmail[26602]: NOQUEUE: connect from []
> Dec  1 10:07:52 morpheus sendmail[26602]: AUTH: available mech=CRAM-MD5
> DIGEST-MD5, allowed mech=LOGIN PLAIN

That does not look correct. Both MD5 mechs shouldn't be listed given
your configuration.

> Did I miss something?  Thanks for all help!
> Hongwei

You can debug the situation by directly accessing the Sendmail MTA on
command line:

telnet <sendmail host> 25
-> server will print out some info, interesting is the part behind
"250-AUTH": it shouldn't list anything now.

Then run in SSL mode:

openssl s_client -connect <sendmail host>:25 -starttls smtp

That should print out a lot of lines which tell you something about the
encryption going on. It will finally give you the Sendmail greeting
message again. Then enter again:


... and watch out for an AUTH line. It now must offer you "250-AUTH
LOGIN PLAIN". You end the session by entering QUIT.

If things aren't fixed now, then run "service sendmail restart" and
watch the /var/log/maillog for any errors / problems reported during
daemon startup.


Alexander Dalloz | Enger, Germany | GPG 0xB366A773
legal statement:
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 17:34:14 up 33 days, 15:34, load average: 0.29, 0.24, 0.19 
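The telnet / openssl s_client check described in the reply, automated as an added example that is not part of the original thread: it parses the EHLO replies of the plaintext session and of the session after STARTTLS and flags the mismatch the maillog shows (MD5 mechanisms offered although confAUTH_MECHANISMS only names LOGIN PLAIN). The EHLO transcripts, the hostname morpheus.example.com and the client address in them are constructed sample data; `probe()` is the live variant using Python's smtplib and needs network access to the MTA.

```python
"""Automated version of the telnet / openssl s_client check in the reply.

Added example, not from the original thread. With `p` in confAUTH_OPTIONS
Sendmail must not advertise LOGIN/PLAIN on an unencrypted session, and
after STARTTLS it should advertise exactly the confAUTH_MECHANISMS list.
"""
import smtplib
import ssl

# Constructed EHLO transcripts (hostnames and addresses are made up).
# The plaintext one mirrors the maillog in the thread: CRAM-MD5 and
# DIGEST-MD5 are offered although only LOGIN PLAIN were configured.
PLAIN_EHLO = """250-morpheus.example.com Hello client.example.com [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH CRAM-MD5 DIGEST-MD5
250-STARTTLS
250-DELIVERBY
250 HELP"""

TLS_EHLO = """250-morpheus.example.com Hello client.example.com [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP"""

# What the plaintext session should look like once the config is in effect:
# no AUTH line at all before STARTTLS.
FIXED_PLAIN_EHLO = "\n".join(
    line for line in PLAIN_EHLO.splitlines() if not line.startswith("250-AUTH")
)


def parse_ehlo(transcript):
    """Map EXTENSION -> [params] from a multi-line 250 EHLO reply.

    Both "250-" (more lines follow) and "250 " (last line) are accepted;
    the first line is the greeting and carries no extension.
    """
    bodies = [l[4:].strip() for l in transcript.splitlines() if l.startswith("250")]
    caps = {}
    for body in bodies[1:]:
        words = body.split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def auth_mechs(caps):
    """Mechanisms behind the AUTH keyword, upper-cased, as a set."""
    return {m.upper() for m in caps.get("AUTH", [])}


def check_auth_policy(plain_caps, tls_caps, allowed):
    """Compare advertised AUTH with the intended sendmail.mc settings.

    plain_caps / tls_caps: parse_ehlo() output before / after STARTTLS.
    allowed: the mechanisms listed in confAUTH_MECHANISMS.
    Returns a list of findings; an empty list means the policy holds.
    """
    allowed = {m.upper() for m in allowed}
    findings = []
    plain = auth_mechs(plain_caps)
    if plain & {"LOGIN", "PLAIN"}:
        findings.append("plaintext session offers LOGIN/PLAIN: "
                        "the `p` flag in confAUTH_OPTIONS is not in effect")
    extra = plain - allowed
    if extra:
        findings.append("plaintext session offers mechanisms outside "
                        "confAUTH_MECHANISMS: " + " ".join(sorted(extra)))
    if "STARTTLS" not in plain_caps:
        findings.append("STARTTLS not advertised: check confSERVER_CERT/KEY "
                        "and the maillog at daemon start")
    tls = auth_mechs(tls_caps)
    if tls != allowed:
        findings.append("after STARTTLS expected %s, got %s"
                        % (" ".join(sorted(allowed)), " ".join(sorted(tls)) or "nothing"))
    return findings


def probe(host, port=25, timeout=10):
    """Live check: EHLO, STARTTLS, EHLO again; returns (plain_caps, tls_caps).

    Like `openssl s_client -starttls smtp` this does not verify the server
    certificate, so a self-signed sendmail.pem from `make sendmail.pem`
    does not abort the probe. Needs network access; not run in the test.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        plain = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after the TLS handshake
        tls = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
    return plain, tls


if __name__ == "__main__":
    for name, plain in (("as logged", PLAIN_EHLO), ("as intended", FIXED_PLAIN_EHLO)):
        result = check_auth_policy(parse_ehlo(plain), parse_ehlo(TLS_EHLO), ("LOGIN", "PLAIN"))
        print(name + ":", result or "policy holds")
```

Run against a real host with `check_auth_policy(*probe("mail.example.org"), ("LOGIN", "PLAIN"))`; an empty result means the `A p y` options and the mechanism list are in effect exactly as written in sendmail.mc.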