Automatic email relay agent?
ad+lists at uni-x.org
Thu Dec 1 17:00:37 UTC 2005
On Thu, 01.12.2005, Hongwei Li wrote at 17:13:
> > http://www.joreybump.com/code/howto/smtpauth.html
> My system is fc3 linux, using sendmail-8.13.1-2 as email server.
Ok, so the path to the SSL certs is the old one, which changed first
> I followed the steps on that web page:
> # cd /usr/share/ssl/certs/
> # make sendmail.pem
> ... (I put our server's fully qualified domain name for the Common Name prompt)
> # chkconfig saslauthd on
> # service saslauthd restart
The saslauthd restart wasn't necessary.
> # cd /etc/mail/
> # vi sendmail.mc
> define(`confAUTH_OPTIONS', `A p y')dnl
Fine, that enables AUTH, forbids anonymous and enforces a secure
connection requirement for weak auth mechanisms LOGIN and PLAIN.
> TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
> define(`confLOG_LEVEL', `14')dnl
For debugging the changed log_level is fine.
> # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
> # service sendmail restart
The service restart includes an automatic rebuilding of the .cf files if
changes of the .mc files are detected.
> Then, I set a guest Outlook account by checking the boxes under Advanced
> Setting page:
> Incoming server (POP3) -- This server requires an encrypted connection (SSL)
> -- the port changes from 110 to 995
That has nothing to do with the MTA part. So if you want to provide
secure POP3 connection - like through dovecot - that service has to be
configured for that as well, and has to know about a certificate to use.
> Outgoing server (SMTP) -- This server requires an encrypted connection (SSL)
> -- the port number remains as 25
Correct. Do not select "Secure Password Authentication" (SPA) if that is
offered somewhere in the client's menu. Else authentication will fail.
> When I check the incoming emails, it shows the message about server
> certificate. I click Yes to continue, then it received all incoming emails.
The client may show you that message always, unless you import the CA's
certificate into your client.
> However, when I try to send email out, I first see the message:
> "An encrypted email connection has been detected...." I click OK, but failed
> sending email out. The error message is:
> ... error (0x800CCC7D): "Your outgoing (SMTP) server does not support
> SSL-encrypted connection....
Hm, it may be advised to restart Outlook / OE. You too should clear the
SSL cache. Because of the integration of different applications you
reach this option through Internet Exploder options menu. A different
reason for that problem can be an anti-virus scanner running in
background. Well known for this broken (since years) and probably never
fixed behaviour is Norton Antivirus.
Of course, before trying any "tricks", be sure you have the latest
version of OE on your system.
> The system maillog shows:
> Dec 1 10:07:52 morpheus sendmail: jB1G7ogu026574: Milter accept: message
> Dec 1 10:07:52 morpheus sendmail: jB1G7pt6026578: [220.127.116.11] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> Dec 1 10:07:52 morpheus sendmail: NOQUEUE: connect from [18.104.22.168]
> Dec 1 10:07:52 morpheus sendmail: AUTH: available mech=CRAM-MD5
> DIGEST-MD5, allowed mech=LOGIN PLAIN
That does not look correct. Both MD5 mechs shouldn't have been listed due
to your configuration.
> Did I miss something? Thanks for all help!
You can debug the situation by directly accessing the Sendmail MTA on
telnet <sendmail host> 25
-> server will print out some info, interesting is the part behind
"250-AUTH": it shouldn't list anything now.
Then run in SSL mode:
openssl s_client -connect <sendmail host>:25 -starttls smtp
That should print out a lot of lines which tell you something about
encryption going on. It finally will give you again the greet message of
Sendmail. Then enter again:
... and watch out for an AUTH line. It now must offer you "250-AUTH
LOGIN PLAIN". You end the session by entering QUIT.
If things aren't fixed now, then run "service sendmail restart" and
watch the /var/log/maillog for any errors / problems reported during
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 17:34:14 up 33 days, 15:34, load average: 0.29, 0.24, 0.19
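
The check described in the reply above, automated over captured EHLO output. This is an added example, not part of the original message: paste the EHLO reply seen over telnet and the one seen inside the `openssl s_client -starttls smtp` session, and it reports where they differ from what the reply expects (no AUTH before STARTTLS, "AUTH LOGIN PLAIN" after). The function names and the sample replies are constructed for illustration.

```python
import re

CONFIGURED = {"LOGIN", "PLAIN"}  # confAUTH_MECHANISMS as set in the thread


def auth_mechs(ehlo_reply):
    """Return the SASL mechanisms on the 250-AUTH line(s) of a raw EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # Some servers also send the legacy "250-AUTH=..." form; accept both.
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs


def offers_starttls(ehlo_reply):
    """True if the reply advertises the STARTTLS extension."""
    return any(re.match(r"250[- ]STARTTLS$", line.strip(), re.IGNORECASE)
               for line in ehlo_reply.splitlines())


def check(cleartext_reply, tls_reply, configured=CONFIGURED):
    """Compare both EHLO replies with the behaviour the reply expects."""
    findings = []
    if not offers_starttls(cleartext_reply):
        findings.append("STARTTLS not offered before encryption")
    before = auth_mechs(cleartext_reply)
    if before:
        findings.append("AUTH offered before STARTTLS: " + " ".join(sorted(before)))
    after = auth_mechs(tls_reply)
    if after != set(configured):
        findings.append("AUTH after STARTTLS is '%s', expected '%s'"
                        % (" ".join(sorted(after)), " ".join(sorted(configured))))
    return findings


# Constructed sample replies (not taken from the poster's server).
OK_CLEAR = "250-mail.example.org Hello client.example.org\n250-STARTTLS\n250 HELP"
OK_TLS = "250-mail.example.org Hello client.example.org\n250-AUTH LOGIN PLAIN\n250 HELP"
BAD_CLEAR = "250-mail.example.org Hello client.example.org\n250-AUTH LOGIN PLAIN\n250 HELP"

if __name__ == "__main__":
    for name, clear in (("expected", OK_CLEAR), ("misconfigured", BAD_CLEAR)):
        print(name, check(clear, OK_TLS) or "matches the expected behaviour")
```
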