Upgraded to fc7, but sendmail submission with TLS no longer works

Philip Prindeville philipp_subx at redfish-solutions.com
Sun Sep 30 02:20:57 UTC 2007


I'm running fc7 (updated).  I updated via yum from fc6.

Oddly, Cyrus continued to work after the upgrade (it usually breaks).

This time it was sendmail that broke, even though I'm running with a
fairly stock system.

The extent of my sendmail.mc edits is below.

I get messages from sendmail saying that my client (Thunderbird on
Windows Vista and FC7), well:

Sep 29 19:21:59 mail sendmail[5288]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 29 19:22:23 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8]: possible SMTP attack: command=AUTH, count=4
Sep 29 19:22:30 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
Sep 29 19:23:05 mail sendmail[5295]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256


but if I turn off TLS, it seems to work ok (using username/password authentication in the clear, I guess).

Since it's TLS, I couldn't use tcpdump to read the transactions...

Here are the sendmail.mc edits.  Nothing too weird:


--- sendmail.mc.orig    2006-09-05 07:27:48.000000000 -0600
+++ sendmail.mc 2007-03-08 21:26:38.000000000 -0700
@@ -41,7 +41,7 @@
 dnl # The following allows relaying if the user authenticates, and disallows
 dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
 dnl #
-dnl define(`confAUTH_OPTIONS', `A p')dnl
+define(`confAUTH_OPTIONS', `A p')dnl
 dnl # 
 dnl # PLAIN is the preferred plaintext authentication method and used by
 dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
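Review bot: the `p` flag in `define(`confAUTH_OPTIONS', `A p')dnl` only suppresses PLAIN/LOGIN until the link is encrypted, and the log above shows STARTTLS=server succeeding before the AUTH commands, so this option is doing exactly what the comment describes and is not what rejects the login. Consider `A p y` here: `y` stops sendmail from offering mechanisms that allow anonymous login, which is cheap hardening on a submission server even though it is unrelated to the current failure.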
@@ -49,18 +49,18 @@
 dnl # guaranteed secure.
 dnl # Please remember that saslauthd needs to be running for AUTH. 
 dnl #
-dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
-dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
 dnl #
 dnl # Rudimentary information on creating certificates for sendmail TLS:
 dnl #     cd /usr/share/ssl/certs; make sendmail.pem
 dnl # Complete usage:
 dnl #     make -C /usr/share/ssl/certs usage
 dnl #
-dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
-dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
-dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
-dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
+define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
+define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
 dnl #
 dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
 dnl # slapd, which requires the file to be readble by group ldap
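Review bot: the list in `define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl` advertises DIGEST-MD5 and CRAM-MD5 alongside LOGIN and PLAIN, but the comment just above says authentication runs through saslauthd, which can only verify a plaintext password and cannot serve the shared-secret challenge/response mechanisms. A client that picks CRAM-MD5 or DIGEST-MD5 because it is offered will fail every attempt, which matches the `possible SMTP attack: command=AUTH, count=4` line in the log: four AUTH exchanges inside one TLS session, none of which reached MAIL. Either trim both lists to `LOGIN PLAIN` (safe with `p` set, since they are only offered under TLS) or back the other mechanisms with a Cyrus SASL auxprop database. Also note GSSAPI appears in confAUTH_MECHANISMS but not in TRUST_AUTH_MECH, so a GSSAPI login would authenticate without being permitted to relay. The certificate lines look fine: the STARTTLS=server entries prove /etc/pki/tls/certs/sendmail.pem loads, and verify=NO only means the MUA presented no client certificate.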
@@ -71,8 +71,10 @@
 dnl define(`confTO_QUEUERETURN', `5d')dnl
 dnl define(`confQUEUE_LA', `12')dnl
 dnl define(`confREFUSE_LA', `18')dnl
+dnl # don't apply domain search suffixes...
+define(`confBIND_OPTS', `+AAONLY -DNSRCH -DEFNAMES')dnl
 define(`confTO_IDENT', `0')dnl
-dnl FEATURE(delay_checks)dnl
+FEATURE(delay_checks)dnl
 FEATURE(`no_default_msa', `dnl')dnl
 FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
 FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
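Review bot: in `define(`confBIND_OPTS', `+AAONLY -DNSRCH -DEFNAMES')dnl` the `+AAONLY` flag is a no-op with the glibc resolver (resolv.h marks RES_AAONLY as not implemented), so it should be dropped rather than left looking like it enforces authoritative answers; `-DNSRCH -DEFNAMES` are what actually stop the search-suffix appending the comment describes.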
@@ -100,27 +102,35 @@
 FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
 FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
 FEATURE(`blacklist_recipients')dnl
+dnl # Anti-spam features suggested from ACME.COM
+FEATURE(`greet_pause', `5000')dnl
+define(`confCONNECTION_RATE_WINDOW_SIZE', `60s')dnl
+FEATURE(`conncontrol')dnl
+FEATURE(`ratecontrol', `nodelay', `terminate')dnl
+define(`confBAD_RCPT_THROTTLE', `3')dnl
+define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
+define(`confMAX_DAEMON_CHILDREN', `5')dnl
 EXPOSED_USER(`root')dnl
 dnl #
 dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
 dnl # the following 2 definitions and activate below in the MAILER section the
 dnl # cyrusv2 mailer.
 dnl #
-dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
-dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
+define(`confLOCAL_MAILER', `cyrusv2')dnl
+define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
 dnl #
 dnl # The following causes sendmail to only listen on the IPv4 loopback address
 dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
 dnl # address restriction to accept email from the internet or intranet.
 dnl #
-DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
+dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
 dnl #
 dnl # The following causes sendmail to additionally listen to port 587 for
 dnl # mail from MUAs that authenticate. Roaming users who can't reach their
 dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
 dnl # this useful.
 dnl #
-dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
+DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
 dnl #
 dnl # The following causes sendmail to additionally listen to port 465, but
 dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
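Review bot: `define(`confMAX_DAEMON_CHILDREN', `5')dnl` caps the whole server at five concurrent SMTP children across every listener, MSA included; together with the five-second `greet_pause` that is easy to exhaust, and once it is hit new MUA connections are refused with only a daemon-level "rejecting connections" syslog entry to explain it. Leave it unset (the stock default is no limit) or keep it well above the expected number of simultaneous clients. Also, `FEATURE(`conncontrol')dnl` and `FEATURE(`ratecontrol', `nodelay', `terminate')dnl` only act on `ClientConn:` and `ClientRate:` entries in the access map (an entry with no host part sets the default), so with the existing access.db they are inert until those entries are added.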
@@ -141,18 +151,20 @@
 dnl # enable both ipv6 and ipv4 in sendmail:
 dnl #
 dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
+DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')
 dnl #
 dnl # We strongly recommend not accepting unresolvable domains if you want to
 dnl # protect yourself from spam. However, the laptop and users on computers
 dnl # that do not have 24x7 DNS do need this.
 dnl #
-FEATURE(`accept_unresolvable_domains')dnl
+dnl FEATURE(`accept_unresolvable_domains')dnl
 dnl #
 dnl FEATURE(`relay_based_on_MX')dnl
 dnl # 
 dnl # Also accept email sent to "localhost.localdomain" as local email.
 dnl # 
 LOCAL_DOMAIN(`localhost.localdomain')dnl
+INPUT_MAIL_FILTER(`mimdefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m;E:5m')
 dnl #
 dnl # The following example makes mail from this host and any additional
 dnl # specified domains appear to be sent from mydomain.com
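Review bot: the listener added by `DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')` is the one the log shows the client hitting (`during connection to MTA-v4`), i.e. Thunderbird is talking to port 25, not to the MSA on 587 that carries `M=Ea`. Authentication is offered but not required on MTA-v4, so the TLS/AUTH behaviour being debugged is happening on the wrong listener; point the MUA at 587 (or add a `Modifiers=` clause to MTA-v4) before tuning anything else. Two smaller points: the `INPUT_MAIL_FILTER` line lacks the trailing `dnl` every other line in the file has, and its filter name `mimdefang` does not match the `mimedefang.sock` path (the name is arbitrary, so harmless, but it reads like a typo). With `F=T` every message is tempfailed while MIMEDefang is down, but since these sessions never reached MAIL the milter is not part of the failure seen here.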
@@ -173,4 +185,4 @@
 dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
 MAILER(smtp)dnl
 MAILER(procmail)dnl
-dnl MAILER(cyrusv2)dnl
+MAILER(cyrusv2)dnl


Anyone seen anything similar to this?
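As an added example (not part of the post), here is a small parser for the sendmail log format quoted above: it groups lines by the sendmail child pid, which corresponds to one SMTP session, and flags sessions that negotiated TLS, repeated AUTH, and never issued MAIL, the pattern of a client whose login is being rejected. The sample input is the four log lines from the post; the thresholds and field names are my own choices.

```python
import re
from collections import defaultdict

# Sample input: the four sendmail log lines quoted in the post above.
SAMPLE_LOG = """\
Sep 29 19:21:59 mail sendmail[5288]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 29 19:22:23 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8]: possible SMTP attack: command=AUTH, count=4
Sep 29 19:22:30 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
Sep 29 19:23:05 mail sendmail[5295]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
"""

# syslog prefix; sendmail forks one child per connection, so the pid keys a session
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sendmail\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STARTTLS = re.compile(r"^STARTTLS=server, relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\], "
                      r"version=(?P<ver>\S+), verify=(?P<verify>\w+), cipher=(?P<cipher>\S+), bits=(?P<bits>\S+)$")
ATTACK = re.compile(r"^\w+: (?P<relay>\S+) \[(?P<ip>[^\]]+)\]: possible SMTP attack: "
                    r"command=(?P<cmd>\w+), count=(?P<count>\d+)$")
NOMAIL = re.compile(r"^\w+: (?P<relay>\S+) \[(?P<ip>[^\]]+)\] did not issue MAIL/EXPN/VRFY/ETRN "
                    r"during connection to (?P<daemon>\S+)$")


def parse_sessions(log_text):
    """Group sendmail log lines by child pid into per-session records."""
    sessions = defaultdict(lambda: {"relay": None, "tls": None, "auth_count": 0, "no_mail_daemon": None})
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a sendmail line; ignore
        s, msg = sessions[m.group("pid")], m.group("msg")
        if (t := STARTTLS.match(msg)):
            s["relay"] = t.group("relay")
            s["tls"] = {"version": t.group("ver"), "cipher": t.group("cipher"), "verify": t.group("verify")}
        elif (a := ATTACK.match(msg)):
            s["relay"] = a.group("relay")
            if a.group("cmd") == "AUTH":  # sendmail reports the AUTH count once it exceeds its threshold
                s["auth_count"] = int(a.group("count"))
        elif (n := NOMAIL.match(msg)):
            s["relay"] = n.group("relay")
            s["no_mail_daemon"] = n.group("daemon")  # which listener (MTA-v4, MSA, ...) the client used
    return dict(sessions)


def failed_login_sessions(sessions, min_auth=3):
    """Pids that built a TLS channel, repeated AUTH at least min_auth times, and never reached MAIL:
    the signature of a client whose credentials or mechanism are being rejected, not a TLS failure."""
    return sorted(pid for pid, s in sessions.items()
                  if s["tls"] and s["auth_count"] >= min_auth and s["no_mail_daemon"])
```

Running `failed_login_sessions(parse_sessions(SAMPLE_LOG))` isolates pid 5288 and its `no_mail_daemon` field shows the client used the MTA-v4 listener rather than the MSA.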