Automatic email relay agent?

Hongwei Li hongwei at wustl.edu
Thu Dec 1 19:45:56 UTC 2005


> Am Do, den 01.12.2005 schrieb Hongwei Li um 17:13:
>
>> > http://www.joreybump.com/code/howto/smtpauth.html
>
>> My system is fc3 linux, using sendmail-8.13.1-2 as email server.
>
> Ok, so the path to the SSL certs is the old one, which changed first
> with FC4.
>
>> I followed the steps on that web page:
>>
>> # cd /usr/share/ssl/certs/
>> # make sendmail.pem
>> ... (I put our server's fully qualified domain name for the Common Name
>> prompt)
>
> Good.
>
>> # chkconfig saslauthd on
>> # service saslauthd restart
>
> The saslauthd restart wasn't necessary.
>
>> # cd /etc/mail/
>> # vi sendmail.mc
>> (changes:
>>
>> define(`confAUTH_OPTIONS', `A p y')dnl
>
> Fine, that enables AUTH, forbids anonymous and enforces a secure
> connection requirement for weak auth mechanisms LOGIN and PLAIN.
>
>> TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
>> define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
>
> Ok.
>
>> define(`confCACERT_PATH',`/usr/share/ssl/certs')
>> define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
>> define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
>> define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
>
> Looks good.
>
>> define(`confLOG_LEVEL', `14')dnl
>
> For debugging the changed log_level is fine.
>
>> # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
>> # service sendmail restart
>
> The service restart includes an automatic rebuilding of the .cf files if
> changes of the .mc files are detected.
>
>> Then, I set a guest Outlook account by checking the boxes under Advanced
>> Setting page:
>>
>> Incoming server (POP3) -- This server requires an encrypted connection (SSL)
>> -- the port changes from 110 to 995
>
> That has nothing to do with the MTA part. So if you want to provide
> secure POP3 connection - like through dovecot - that service has to be
> configured for that as well, and has to know about a certificate to use.

-- yes, I have enabled secure POP3 through dovecot and port 995 is opened
in iptables.

>> Outgoing server (SMTP) -- This server requires an encrypted connection (SSL)
>> -- the port number remains as 25
>
> Correct. Do not select "Secure Password Authentication" (SPA) if that is
> offered somewhere in the client's menu. Else authentication will fail.

-- no, I did not select this.

>> When I check the incoming emails, it shows the message about server
>> certificate.  I click Yes to continue, then it received all incoming emails.
>
> The client may show you that message always, unless you import the CA's
> certificate into your client.
>
>> However, when I try to send email out, I first see the message:
>> "An encrypted email connection has been detected...."  I click OK, but
>> failed
>> sending email out.  The error message is:
>>
>> ... error (0x800CCC7D): "Your outgoing (SMTP) server does not support
>> SSL-encrypted connection....
>
> Hm, it may be advised to restart Outlook / OE. You too should clear the
> SSL cache. Because of the integration of different applications you
> reach this option through Internet Exploder options menu. A different
> reason for that problem can be an anti-virus scanner running in
> background. Well known for this broken (for years) and probably never
> fixed behaviour is Norton Antivirus.
> Of course, before trying any "tricks", be sure you have the latest
> version of OE on your system.
>
>> The system maillog shows:
>> ...
>> Dec  1 10:07:52 morpheus sendmail[26574]: jB1G7ogu026574: Milter accept: message
>> Dec  1 10:07:52 morpheus sendmail[26578]: jB1G7pt6026578: [128.252.85.103] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>> Dec  1 10:07:52 morpheus sendmail[26602]: NOQUEUE: connect from [128.252.85.103]
>> Dec  1 10:07:52 morpheus sendmail[26602]: AUTH: available mech=CRAM-MD5 DIGEST-MD5, allowed mech=LOGIN PLAIN
>
> That does not look correct. Both MD5 mechs shouldn't be listed due
> to your configuration.

-- where should I change it?  I checked sendmail.mc, but could not find which
line to change.

>> Did I miss something?  Thanks for all help!
>>
>> Hongwei
>
> You can debug the situation by directly accessing the Sendmail MTA on
> command line:
>
> telnet <sendmail host> 25
> ehlo foo.bar
> -> server will print out some info, interesting is the part behind
> "250-AUTH": it shouldn't list anything now.
>
> Then run in SSL mode:
>
> openssl s_client -connect <sendmail host>:25 -starttls smtp
>
> That should print out a lot of lines which tell you something about
> encryption going on. It finally will give you again the greet message of
> Sendmail. Then enter again:
>
> ehlo foo.bar
>
> ... and watch out for an AUTH line. It now must offer you "250-AUTH
> LOGIN PLAIN". You end the session by entering QUIT.
>
> If things aren't fixed now, then run "service sendmail restart" and
> watch the /var/log/maillog for any errors / problems reported during
> daemon startup.
>
> Alexander
>

Below is what I did and got.

# telnet morpheus.wustl.edu 25
Trying 128.252.85.129...
Connected to morpheus.wustl.edu (128.252.85.129).
Escape character is '^]'.
220 morpheus.wustl.edu ESMTP Sendmail 8.13.1/8.13.1; Thu, 1 Dec 2005 11:38:28 -0600
ehlo foo.bar
250-morpheus.wustl.edu Hello morpheus.wustl.edu [128.252.85.129], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 morpheus.wustl.edu closing connection
Connection closed by foreign host.
#

# openssl s_client -connect morpheus.wustl.edu:25 -starttls smtp
CONNECTED(00000003)
depth=0 /C=US/ST=Missouri/L=Saint Louis/O=Washington University/OU=Research Unit/CN=morpheus.wustl.edu/emailAddress=root at morpheus.wustl.edu
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Missouri/L=Saint Louis/O=Washington University/OU=Research Unit/CN=morpheus.wustl.edu/emailAddress=root at morpheus.wustl.edu
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Missouri/L=Saint Louis/O=Washington University/OU=Research Unit/CN=morpheus.wustl.edu/emailAddress=root at morpheus.wustl.edu
   i:/C=US/ST=Missouri/L=Saint Louis/O=Washington University/OU=Research Unit/CN=morpheus.wustl.edu/emailAddress=root at morpheus.wustl.edu
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID9DCCA12gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBszELMAkGA1UEBhMCVVMx
...
-----END CERTIFICATE-----
subject=/C=US/ST=Missouri/L=Saint Louis/O=Washington University/OU=Research Unit/CN=morpheus.wustl.edu/emailAddress=root at morpheus.wustl.edu
issuer=/C=US/ST=Missouri/L=Saint Louis/O=Washington University/OU=Research Unit/CN=morpheus.wustl.edu/emailAddress=root at morpheus.wustl.edu
---
Acceptable client certificate CA names
/C=US/ST=Utah/L=Salt Lake City/O=Xcert EZ by DST/CN=Xcert EZ by DST/emailAddress=ca at digsigtrust.com
/C=US/O=Digital Signature Trust Co./OU=DST (ANX Network) CA
/C=US/O=American Express Company, Inc./OU=American Express Technologies/CN=American Express Certificate Authority
...
/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=RHN Certificate Authority/emailAddress=rhn-noc at redhat.com
---
SSL handshake has read 10759 bytes and written 298 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol  : TLSv1
Cipher    : DHE-RSA-AES256-SHA
Session-ID: 74250E3AB88FE415C19840AA00EA329F8405503621B7234B3643156814DDE944
Session-ID-ctx:
Master-Key:
B82FCB44A32F94E5E842EB2D6DA844F17CFD5A5E8A1A6E97F634D80E38F072B57025F11C4D5D3E2839051E57DAF8FA01
Key-Arg   : None
Krb5 Principal: None
Start Time: 1133458889
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)
---
220 morpheus.wustl.edu ESMTP Sendmail 8.13.1/8.13.1; Thu, 1 Dec 2005 11:41:29 -0600
ehlo foo.bar
250-morpheus.wustl.edu Hello morpheus.wustl.edu [128.252.85.129], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 morpheus.wustl.edu closing connection
closed
#

I cleaned the SSL cache, cookies, etc., restarted Outlook / OE, and tested it on 3
different computers, but still got the same error.

Also, when I try OE, the error message is:

Unable to establish SSL connection with the server. Account "morpheus",
Server: "morpheus.wustl.edu', Protocol: SMTP, Server Response: '454 TLS not
available due to temporary reason', Port: 25, Secure(SSL): Yes, Server Error:
454, Error Number: 0x800CCC7F

Could you give me more help?  Thanks!

Hongwei
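The manual check Alexander walks through (plain EHLO must not advertise AUTH, EHLO after STARTTLS must offer exactly "LOGIN PLAIN") can be automated. This is an added example, not code from the thread; the sample replies are constructed from the two transcripts above, and probe() is a hypothetical live helper that mirrors the telnet and openssl s_client steps.

```python
import smtplib
import ssl

# Constructed from the two transcripts above: only the 250 lines of the EHLO replies.
PLAIN_EHLO = """250-morpheus.wustl.edu Hello foo.bar [128.252.85.129], pleased to meet you
250-ENHANCEDSTATUSCODES
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP"""
# After STARTTLS the server stops offering STARTTLS and offers AUTH instead.
TLS_EHLO = PLAIN_EHLO.replace("250-STARTTLS\n", "250-AUTH LOGIN PLAIN\n")

def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters; accepts raw '250-' lines
    (telnet/openssl transcript) or the already-stripped text smtplib returns."""
    caps = {}
    for line in reply.splitlines():
        line = line.strip()
        if line[:4] in ("250-", "250 "):
            line = line[4:]
        keyword, _, params = line.partition(" ")
        if keyword:
            caps[keyword.upper()] = params.strip()
    return caps

def check_auth_policy(plain_reply, tls_reply, allowed=("LOGIN", "PLAIN")):
    """Findings against the 'A p y' intent: no AUTH on the plaintext session,
    exactly the configured mechanisms once TLS is up. Empty list means OK."""
    before, after = parse_ehlo(plain_reply), parse_ehlo(tls_reply)
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not advertised on the plaintext connection")
    if "AUTH" in before:
        findings.append("AUTH offered before STARTTLS: " + before["AUTH"])
    offered = set(after.get("AUTH", "").split())
    if not offered:
        findings.append("no AUTH mechanisms offered after STARTTLS")
    elif offered != set(allowed):
        findings.append("AUTH after STARTTLS offers %s, expected %s" % (sorted(offered), sorted(allowed)))
    return findings

def probe(host, port=25, helo="foo.bar"):
    """Live check (hypothetical helper): EHLO, STARTTLS, EHLO again.
    Verification is disabled only because the thread's cert is self-signed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        _, plain = smtp.ehlo(helo)
        smtp.starttls(context=ctx)  # a 454 reply here raises SMTPResponseException
        _, tls = smtp.ehlo(helo)
        return check_auth_policy(plain.decode(), tls.decode())
```

A "454 TLS not available due to temporary reason" reply, as in the OE error above, surfaces from starttls() as an exception rather than a finding, since the post-TLS EHLO never happens.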