freealx
03-12-2005 03:54 PM
Sendmail (with TLS) relay denied
Hi friends,
I recently configured my sendmail 8.13.1 to include the STARTTLS option.
Code:
# sendmail -bt -d0.8 < /dev/null
Version 8.13.1
Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SCANF STARTTLS
USERDB XDEBUG
...
Everything looks fine, but when I try to access it and send a mail,
only a "Relaying denied" error is returned. I have never worked with TLS relay before,
and maybe I made some stupid mistake...
Could somebody help me?
Thanks and wishes,
Alex
PS:
Below are several quotations:
1. Script for certificate generation;
Code:
#!/bin/sh
#
# Sendmail STARTTLS certificates (must be started by root)
#
CAPATH="/usr/local/ssl/dmtCA"
OSSL="/usr/local/ssl/bin/openssl"
CDIR="/etc/mail"
# Set up the relevant directories
cd ${CDIR}
mkdir -p certs
chgrp smmsp certs
chmod o-rwx certs
cp ${CAPATH}/certs/cacert.pem certs/cacert.pem
# Create a hashed symbolic link to the CA certificate. During an SSL handshake's certificate exchange,
# sendmail will compute the hash of the received CA cert's public key, append '.0' to it, then
# compare it to its own copy of the CA cert's public key. (This is probably an oversimplification,
# but you get the idea.)
cd certs
ln -s cacert.pem `${OSSL} x509 -noout -hash < cacert.pem`.0
cd ${CAPATH}
# Mail-Server Certificate Generation (CN=FQDN)
echo "WARNING: For CN you must input the FQDN of the mail server !!!"
echo --------------------------------------------------------
${OSSL} req -nodes -new -x509 -keyout ${CDIR}/certs/key.pem -out req.pem -days 365 -config openssl.cnf
chgrp smmsp ${CDIR}/certs/key.pem
chmod o-rwx ${CDIR}/certs/key.pem
# Sign with DMT Certificate Authority
cat ${CDIR}/certs/key.pem req.pem > ${CDIR}/certs/servreq.pem
${OSSL} x509 -x509toreq -in ${CDIR}/certs/servreq.pem -signkey ${CDIR}/certs/servreq.pem -out tmp.pem
${OSSL} ca -config openssl.cnf -policy policy_anything -out ${CDIR}/certs/cert.pem -infiles tmp.pem
rm -f tmp.pem req.pem
#
# cacert.pem - your certificate authority's certificate
#
# cert.pem - your sendmail server's certificate (including its public key)
# key.pem - the sendmail server's private key
#
# servreq.pem - includes two parts: the sendmail server's private key and the original (unsigned) certificate request
# export in PKCS#12 for Windows users
#
# 1st way
#cd ${CDIR}
#${OSSL} pkcs12 -export -in ./certs/cert.pem -inkey ./certs/servreq.pem \
#-certfile ./certs/cacert.pem -name "DMT's SMTP/TLS CERTIFICATE" -out ./certs/dmt1smtp_tls.p12
# 2nd way
cd ${CDIR}/certs
cat cacert.pem cert.pem key.pem > p12input.pem
${OSSL} pkcs12 -export -in p12input.pem -name "DMT's SMTP/TLS CERTIFICATE" -out dmt2smtp_tls.p12
2. Sendmail configuration [sendmail.mc];
Code:
divert(0)dnl
VERSIONID(`$Id: sendmail.mc,v 8.13.1 Sun Dec 2 16:10:30 EET 2004 Exp $')dnl
...
FEATURE(`access_db')dnl
...
dnl start STARTTLS options
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')dnl
dnl end STARTTLS options
...
MAILER(`local')dnl
MAILER(`smtp')dnl
MAILER(`procmail')dnl
3. Contents of /etc/mail/certs;
Code:
/etc/mail/certs# ls -Al
total 48
-rw-r--r-- 1 root root 1846 2005-03-12 01:31 cacert.pem
-rw-r--r-- 1 root root 5360 2005-03-12 01:31 cert.pem
-rw-r--r-- 1 root root 4450 2005-03-12 02:55 dmt2smtp_tls.p12
lrwxrwxrwx 1 root root 10 2005-03-12 01:31 faeeb9ec.0 -> cacert.pem
-rw-r----- 1 root smmsp 1679 2005-03-12 01:31 key.pem
-rw-r--r-- 1 root root 8885 2005-03-12 02:55 p12input.pem
-rw-r--r-- 1 root root 3476 2005-03-12 01:31 servreq.pem
4. Exemplary MS mail client setting [Mozilla Thunderbird 1.0];
Code:
dmt2smtp_tls.p12 - applied to Windows 2K for any M$ client - Mozilla Thunderbird 1.0 (MT1.0)
MT1.0 with settings in Tools->Account Settings->Outgoing Server (SMTP):
-------------------------------------------------
Server Name: mail.mydomain.org
Port: 25
[ ] No [ ] TLS, if available [x] TLS [ ] SSL
-------------------------------------------------
5. Sendmail tuning for TLS relay in /etc/mail/access;
Code:
...
# Relay certified sender - TLS option
#
# openssl x509 -in cacert.pem -noout -text | grep Issuer
# Issuer: C=BG, ST=capital, L=Sofia, O=Digital Media Technologies Ltd,
# OU=Technical Department, CN=DMT's Certificate Authority/emailAddress=alex@mydomain.org
# Each non-printable character and the characters '<', '>', '(', ')', '"', '+' are replaced by
# their HEX value with a leading '+'.
CERTIssuer:/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=Technical+20Department/CN=DMT's+20Certificate+20Authority/Email=alex@mydomain.org RELAY
6. Startup log of the sm-mta daemon;
Code:
...
sm-mta[6208]: gethostbyaddr(192.168.10.1) failed: 1
sm-mta[6209]: starting daemon (8.13.1): SMTP+queueing@00:25:00
sm-mta[6209]: STARTTLS: CRLFile missing
sm-mta[6209]: STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
sm-mta[6209]: STARTTLS=server, init=1
sm-mta[6209]: started as: /usr/sbin/sendmail -L sm-mta -bd -q25m
sm-mta[6210]: j2AH0V5f030999: SMTP outgoing connect on ns.mydomain.org
sm-msp-queue[6212]: starting daemon (8.13.1): queueing@00:25:00
7. Part of /var/log/maillog showing the "Relaying denied" problem.
Code:
...
sm-mta[6578]: NOQUEUE: connect from Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175]
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): init success to negotiate
sm-mta[6578]: j2CIP82O006578: Milter: connect to filters
sm-mta[6578]: j2CIP82O006578: milter=milter-amavis, action=connect, continue
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): time command (C), 0
sm-mta[6578]: j2CIP82O006578: --- 220 DMT ESMTP Mailserver; Sat, 12 Mar 2005 20:25:08 +0200
sm-mta[6578]: j2CIP82O006578: <-- EHLO [192.168.0.2]
sm-mta[6578]: j2CIP82O006578: milter=milter-amavis, action=helo, continue
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): time command (H), 0
sm-mta[6578]: j2CIP82O006578: --- 250-gatei.dmt.my_lan_domain.org Hello Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], pleased to meet you
sm-mta[6578]: j2CIP82O006578: --- 250-ENHANCEDSTATUSCODES
sm-mta[6578]: j2CIP82O006578: --- 250-PIPELINING
sm-mta[6578]: j2CIP82O006578: --- 250-8BITMIME
sm-mta[6578]: j2CIP82O006578: --- 250-SIZE 10000000
sm-mta[6578]: j2CIP82O006578: --- 250-DSN
sm-mta[6578]: j2CIP82O006578: --- 250-ETRN
sm-mta[6578]: j2CIP82O006578: --- 250-STARTTLS
sm-mta[6578]: j2CIP82O006578: --- 250-DELIVERBY
sm-mta[6578]: j2CIP82O006578: --- 250 HELP
sm-mta[6578]: j2CIP82O006578: <-- STARTTLS
sm-mta[6578]: j2CIP82O006578: --- 220 2.0.0 Ready to start TLS
sm-mta[6578]: STARTTLS=server, get_verify: 0 get_peer: 0x0
sm-mta[6578]: STARTTLS=server, relay=Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
sm-mta[6578]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
sm-mta[6578]: j2CIP82O006578: <-- EHLO [192.168.0.2]
sm-mta[6578]: j2CIP82P006578: milter=milter-amavis, action=helo, continue
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): time command (H), 0
sm-mta[6578]: j2CIP82P006578: --- 250-gatei.dmt.my_lan_domain.org Hello Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], pleased to meet you
sm-mta[6578]: j2CIP82P006578: --- 250-ENHANCEDSTATUSCODES
sm-mta[6578]: j2CIP82P006578: --- 250-PIPELINING
sm-mta[6578]: j2CIP82P006578: --- 250-8BITMIME
sm-mta[6578]: j2CIP82P006578: --- 250-SIZE 10000000
sm-mta[6578]: j2CIP82P006578: --- 250-DSN
sm-mta[6578]: j2CIP82P006578: --- 250-ETRN
sm-mta[6578]: j2CIP82P006578: --- 250-DELIVERBY
sm-mta[6578]: j2CIP82P006578: --- 250 HELP
sm-mta[6578]: j2CIP82P006578: <-- MAIL FROM:<alex@mydomain.org> SIZE=448
sm-mta[6578]: j2CIP82P006578: Milter: senders: <alex@mydomain.org>
sm-mta[6578]: j2CIP82P006578: milter=milter-amavis, action=mail, continue
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): time command (M), 0
sm-mta[6578]: j2CIP82P006578: --- 250 2.1.0 <alex@mydomain.org>... Sender ok
sm-mta[6578]: j2CIP82P006578: <-- RCPT TO:<al_al_alexiev<at>sympatico.ca>
sm-mta[6578]: j2CIP82P006578: --- 550 5.7.1 <al_al_alexiev<at>sympatico.ca>... Relaying denied
sm-mta[6578]: j2CIP82P006578: ruleset=check_rcpt, arg1=<al_al_alexiev<at>sympatico.ca>, relay=Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], reject=550 5.7.1 <al_al_alexiev<at>sympatico.ca>... Relaying denied
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): quit filter
sm-mta[6578]: j2CIP82P006578: --- 421 4.4.1 gatei.dmt.my_lan_domain.org Lost input channel from Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175]
sm-mta[6578]: j2CIP82P006578: lost input channel from Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175] to MTA after rcpt
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): quit filter
sm-mta[6578]: j2CIP82P006578: from=<alex@mydomain.org>, size=448, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175]
amavis-milter[6588]: j2CIP82P006578: (mlfi_abort)
...
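The listing in item 3 shows servreq.pem and p12input.pem, both of which contain the private key copied from key.pem, as world-readable (-rw-r--r--) while key.pem itself is 0640. As an added check (not from the post or from sendmail), the following walks a certs directory and reports every file holding a PEM private key that others can read, plus any broken hashed CA link, run here against a constructed copy of that listing.

```python
import os
import stat
import tempfile

def audit_certs_dir(certs_dir):
    """Findings for a sendmail certs directory: any regular file holding a PEM PRIVATE KEY
    block that is readable by 'other', and any hashed CA link (<hash>.0) with a missing target."""
    findings = []
    for name in sorted(os.listdir(certs_dir)):
        path = os.path.join(certs_dir, name)
        if os.path.islink(path):
            if name.endswith(".0") and not os.path.exists(path):
                findings.append("%s: dangling CA hash link -> %s" % (name, os.readlink(path)))
            continue
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            has_key = b"PRIVATE KEY-----" in fh.read()
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if has_key and mode & stat.S_IROTH:
            findings.append("%s: holds a private key but is world-readable (mode %o)" % (name, mode))
    return findings

def make_demo_dir(dangling_link=False):
    """Constructed fixture mirroring the post's listing: key.pem is 0640, but the key was also
    copied into servreq.pem and p12input.pem (cat ... > p12input.pem), which are 0644."""
    d = tempfile.mkdtemp()
    key = b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n"
    cert = b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
    files = {"cacert.pem": (cert, 0o644), "cert.pem": (cert, 0o644), "key.pem": (key, 0o640),
             "servreq.pem": (key + cert, 0o644), "p12input.pem": (cert + cert + key, 0o644)}
    for name, (data, mode) in files.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    os.symlink("cacert.pem", os.path.join(d, "faeeb9ec.0"))  # hash link name from the post's listing
    if dangling_link:
        os.symlink("missing.pem", os.path.join(d, "deadbeef.0"))  # constructed broken link
    return d
```

Run it against /etc/mail/certs after the generation script to confirm that nothing but key.pem holds the key, and that key.pem is not world-readable.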
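The STARTTLS=server lines in item 7 show verify=NO with empty cert-subject and cert-issuer, i.e. the client presented no certificate at all, so no CERTIssuer: entry in the access map can match. As an added example (not from the post or from sendmail), the code below builds the access key from the post's Issuer line using the escaping rule quoted in item 5 (with spaces encoded as +20, as in the post's own entry) and then checks those log lines for whether a certificate-based RELAY could apply; the cert-issuer= value sendmail logs for a real client certificate remains the authoritative form of the key.

```python
import re
# Escaping as the post quotes it for CERTIssuer:/CERTSubject: keys: non-printable characters and
# '<', '>', '(', ')', '"', '+' become '+' plus two hex digits; the post also encodes space as +20.
_ESCAPE = set('<>()"+')

def xtext(value):
    return "".join("+%02X" % ord(c) if c in _ESCAPE or not 0x21 <= ord(c) <= 0x7E else c
                   for c in value)

def issuer_to_access_key(issuer_line):
    """CERTIssuer: key from an 'openssl x509 -noout -text' Issuer line. Assumes the old OpenSSL
    text form in the post (emailAddress glued to the CN with '/') and the oneline name 'Email'."""
    dn = issuer_line.split("Issuer:", 1)[1].strip()
    parts = []
    for item in re.split(r",\s*|/", dn):
        attr, _, val = item.partition("=")
        parts.append(("Email" if attr == "emailAddress" else attr) + "=" + xtext(val))
    return "CERTIssuer:/" + "/".join(parts)

def tls_fields(log_lines):
    """Collect key=value pairs from the STARTTLS=server lines of one session."""
    fields = {}
    for line in log_lines:
        if "STARTTLS=server, " in line:
            for kv in line.split("STARTTLS=server, ", 1)[1].split(", "):
                if "=" in kv:
                    k, _, v = kv.partition("=")
                    fields[k.strip()] = v.strip()
    return fields

def cert_relay_verdict(log_lines, access_key):
    """(relay_possible, reason): can a CERTIssuer: RELAY entry match this TLS session?"""
    f = tls_fields(log_lines)
    if not f:
        return False, "no STARTTLS=server line: TLS was never negotiated"
    if f.get("verify") != "OK":  # sendmail logs verify=NO when the client sent no certificate
        what = "sent no certificate" if not f.get("cert-issuer") else "certificate not verified"
        return False, "client %s (verify=%s)" % (what, f.get("verify"))
    if f.get("cert-issuer") != access_key.split(":", 1)[1]:
        return False, "issuer %s does not match the access key" % f["cert-issuer"]
    return True, "certificate verified and issuer matches the access key"

# Constructed samples copied from the post: its Issuer line and the two STARTTLS=server log lines.
ISSUER_LINE = ("Issuer: C=BG, ST=capital, L=Sofia, O=Digital Media Technologies Ltd, "
               "OU=Technical Department, CN=DMT's Certificate Authority/emailAddress=alex@mydomain.org")
POST_LOG = [
    "sm-mta[6578]: STARTTLS=server, relay=Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "sm-mta[6578]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok",
]
```

For the post's log, cert_relay_verdict returns the "sent no certificate" reason: the client must be configured to present the certificate from the .p12 file before the CERTIssuer: rule can grant RELAY.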