LinuxQuestions.org
Old 03-12-2005, 03:54 PM   #1
freealx
LQ Newbie
 
Registered: Mar 2005
Location: Montreal
Distribution: Slackware 11
Posts: 9

Rep: Reputation: 0
Sendmail (with TLS) relay denied


Hi friends,

I recently configured my sendmail 8.13.1 to include the STARTTLS option.
Code:
# sendmail -bt -d0.8 < /dev/null
Version 8.13.1
 Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SCANF STARTTLS
                USERDB XDEBUG
...
Everything looks fine, but when I try to access it and send a mail,
only a "Relaying denied" error is returned. I have never worked with TLS relay before
and maybe I made some stupid mistake...
Could somebody help me?

Thanks and wishes,

Alex

PS:
Here are several quotations from:
1. Script for certificate generation;
Code:
#!/bin/sh
#
# Sendmail STARTTLS certificates (must be started by root)
#
CAPATH="/usr/local/ssl/dmtCA"
OSSL="/usr/local/ssl/bin/openssl"
CDIR="/etc/mail"

# Set up the relevant directories
cd ${CDIR}
mkdir -p certs
chgrp smmsp certs
chmod o-rwx certs
cp ${CAPATH}/certs/cacert.pem certs/cacert.pem
# Create a hashed symbolic link to the CA certificate. During an SSL handshake's certificate exchange,
# sendmail will compute the hash of the received CA cert's public key, append '.0' to it, then
# compare it to its own copy of the CA cert's public key. (This is probably an over simplification,
# but you get the idea.)
cd certs
ln -s cacert.pem `${OSSL} x509 -noout -hash < cacert.pem`.0

cd ${CAPATH}
# Mail-Server Certificate Generation (CN=FQDN)
echo "WARNING: CN must be the FQDN of the mail server !!!"
echo --------------------------------------------------------
${OSSL} req -nodes -new -x509 -keyout ${CDIR}/certs/key.pem -out req.pem -days 365 -config openssl.cnf
chgrp smmsp ${CDIR}/certs/key.pem
chmod o-rwx ${CDIR}/certs/key.pem
# Sign with DMT Certificate Authority
cat ${CDIR}/certs/key.pem req.pem > ${CDIR}/certs/servreq.pem
${OSSL} x509 -x509toreq -in ${CDIR}/certs/servreq.pem -signkey ${CDIR}/certs/servreq.pem -out tmp.pem
${OSSL} ca -config openssl.cnf -policy policy_anything -out ${CDIR}/certs/cert.pem -infiles tmp.pem
rm -f tmp.pem req.pem
#
# cacert.pem    - your certificate authority's certificate
#
# cert.pem      - your sendmail server's certificate (including its public key)
# key.pem       - the sendmail server's private key
#
# servreq.pem   - includes two parts: the sendmail server's private key and the original (unsigned) certificate request

# export in PKCS#12 for Windows users
#
# 1-st way
#cd ${CDIR}
#${OSSL} pkcs12 -export -in ./certs/cert.pem -inkey ./certs/servreq.pem \
#-certfile ./certs/cacert.pem -name "DMT's SMTP/TLS CERTIFICATE" -out ./certs/dmt1smtp_tls.p12
# 2-nd way
cd ${CDIR}/certs
cat cacert.pem cert.pem key.pem > p12input.pem
${OSSL} pkcs12 -export -in p12input.pem -name "DMT's SMTP/TLS CERTIFICATE" -out dmt2smtp_tls.p12
2. Sendmail configuration [sendmail.mc];
Code:
divert(0)dnl
VERSIONID(`$Id: sendmail.mc,v 8.13.1 Sun Dec 2 16:10:30 EET 2004 Exp $')dnl
...
FEATURE(`access_db')dnl
...
dnl start STARTTLS options
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')dnl
dnl end STARTTLS options
...
MAILER(`local')dnl
MAILER(`smtp')dnl
MAILER(`procmail')dnl
3. Contents of /etc/mail/certs;
Code:
/etc/mail/certs# ls -Al
total 48
-rw-r--r--  1 root root  1846 2005-03-12 01:31 cacert.pem
-rw-r--r--  1 root root  5360 2005-03-12 01:31 cert.pem
-rw-r--r--  1 root root  4450 2005-03-12 02:55 dmt2smtp_tls.p12
lrwxrwxrwx  1 root root    10 2005-03-12 01:31 faeeb9ec.0 -> cacert.pem
-rw-r-----  1 root smmsp 1679 2005-03-12 01:31 key.pem
-rw-r--r--  1 root root  8885 2005-03-12 02:55 p12input.pem
-rw-r--r--  1 root root  3476 2005-03-12 01:31 servreq.pem
4. Example MS mail client setting [Mozilla Thunderbird 1.0];
Code:
dmt2smtp_tls.p12 - applied to Windows 2K for any M$ client - Mozilla Thunderbird 1.0 (MT1.0)
MT1.0 with settings in Tools->Account Settings->Outgoing Server (SMTP):
-------------------------------------------------
Server Name: mail.mydomain.org
Port: 25
[ ] No  [ ] TLS, if available  [x] TLS  [ ] SSL
-------------------------------------------------
5. Sendmail tuning for TLS relay in /etc/mail/access;
Code:
...
# Relay certified sender - TLS option
#
# openssl x509 -in cacert.pem -noout -text | grep Issuer
# Issuer: C=BG, ST=capital, L=Sofia, O=Digital Media Technologies Ltd,
#         OU=Technical Department, CN=DMT's Certificate Authority/emailAddress=alex@mydomain.org
# Each non-printable character and the characters '<', '>', '(', ')', '"', '+' are replaced by
# their HEX value with a leading '+'.
CERTIssuer:/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=Technical+20Department/CN=DMT's+20Certificate+20Authority/Email=alex@mydomain.org     RELAY
6. Startup log for the sm-mta daemon;
Code:
...
sm-mta[6208]: gethostbyaddr(192.168.10.1) failed: 1
sm-mta[6209]: starting daemon (8.13.1): SMTP+queueing@00:25:00
sm-mta[6209]: STARTTLS: CRLFile missing
sm-mta[6209]: STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
sm-mta[6209]: STARTTLS=server, init=1
sm-mta[6209]: started as: /usr/sbin/sendmail -L sm-mta -bd -q25m
sm-mta[6210]: j2AH0V5f030999: SMTP outgoing connect on ns.mydomain.org
sm-msp-queue[6212]: starting daemon (8.13.1): queueing@00:25:00
7. Part of /var/log/maillog showing the "Relaying denied" problem.
Code:
...
sm-mta[6578]: NOQUEUE: connect from Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175]
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): init success to negotiate
sm-mta[6578]: j2CIP82O006578: Milter: connect to filters
sm-mta[6578]: j2CIP82O006578: milter=milter-amavis, action=connect, continue
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): time command (C), 0
sm-mta[6578]: j2CIP82O006578: --- 220 DMT ESMTP Mailserver; Sat, 12 Mar 2005 20:25:08 +0200
sm-mta[6578]: j2CIP82O006578: <-- EHLO [192.168.0.2]
sm-mta[6578]: j2CIP82O006578: milter=milter-amavis, action=helo, continue
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): time command (H), 0
sm-mta[6578]: j2CIP82O006578: --- 250-gatei.dmt.my_lan_domain.org Hello Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], pleased to meet you
sm-mta[6578]: j2CIP82O006578: --- 250-ENHANCEDSTATUSCODES
sm-mta[6578]: j2CIP82O006578: --- 250-PIPELINING
sm-mta[6578]: j2CIP82O006578: --- 250-8BITMIME
sm-mta[6578]: j2CIP82O006578: --- 250-SIZE 10000000
sm-mta[6578]: j2CIP82O006578: --- 250-DSN
sm-mta[6578]: j2CIP82O006578: --- 250-ETRN
sm-mta[6578]: j2CIP82O006578: --- 250-STARTTLS
sm-mta[6578]: j2CIP82O006578: --- 250-DELIVERBY
sm-mta[6578]: j2CIP82O006578: --- 250 HELP
sm-mta[6578]: j2CIP82O006578: <-- STARTTLS
sm-mta[6578]: j2CIP82O006578: --- 220 2.0.0 Ready to start TLS
sm-mta[6578]: STARTTLS=server, get_verify: 0 get_peer: 0x0
sm-mta[6578]: STARTTLS=server, relay=Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
sm-mta[6578]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
sm-mta[6578]: j2CIP82O006578: <-- EHLO [192.168.0.2]
sm-mta[6578]: j2CIP82P006578: milter=milter-amavis, action=helo, continue
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): time command (H), 0
sm-mta[6578]: j2CIP82P006578: --- 250-gatei.dmt.my_lan_domain.org Hello Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], pleased to meet you
sm-mta[6578]: j2CIP82P006578: --- 250-ENHANCEDSTATUSCODES
sm-mta[6578]: j2CIP82P006578: --- 250-PIPELINING
sm-mta[6578]: j2CIP82P006578: --- 250-8BITMIME
sm-mta[6578]: j2CIP82P006578: --- 250-SIZE 10000000
sm-mta[6578]: j2CIP82P006578: --- 250-DSN
sm-mta[6578]: j2CIP82P006578: --- 250-ETRN
sm-mta[6578]: j2CIP82P006578: --- 250-DELIVERBY
sm-mta[6578]: j2CIP82P006578: --- 250 HELP
sm-mta[6578]: j2CIP82P006578: <-- MAIL FROM:<alex@mydomain.org> SIZE=448
sm-mta[6578]: j2CIP82P006578: Milter: senders: <alex@mydomain.org>
sm-mta[6578]: j2CIP82P006578: milter=milter-amavis, action=mail, continue
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): time command (M), 0
sm-mta[6578]: j2CIP82P006578: --- 250 2.1.0 <alex@mydomain.org>... Sender ok
sm-mta[6578]: j2CIP82P006578: <-- RCPT TO:<al_al_alexiev<at>sympatico.ca>
sm-mta[6578]: j2CIP82P006578: --- 550 5.7.1 <al_al_alexiev<at>sympatico.ca>... Relaying denied 
sm-mta[6578]: j2CIP82P006578: ruleset=check_rcpt, arg1=<al_al_alexiev<at>sympatico.ca>, relay=Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], reject=550 5.7.1 <al_al_alexiev<at>sympatico.ca>... Relaying denied
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): quit filter
sm-mta[6578]: j2CIP82P006578: --- 421 4.4.1 gatei.dmt.my_lan_domain.org Lost input channel from Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175]
sm-mta[6578]: j2CIP82P006578: lost input channel from Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175] to MTA after rcpt
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): quit filter
sm-mta[6578]: j2CIP82P006578: from=<alex@mydomain.org>, size=448, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175]
amavis-milter[6588]: j2CIP82P006578: (mlfi_abort)
...
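An added diagnostic (not from the original post, and not sendmail's own code): it encodes an issuer DN into the access-map key form using the escaping rule quoted in item 5 above, and reads the STARTTLS=server lines from item 7 to tell whether a CERTIssuer entry can apply to that session at all. The encoder is an approximation of sendmail's xtextify(), the hostnames and the verified-session log lines are constructed, and the relay-decision logic is the CERTIssuer part of the access check only.

```python
import re

# Characters the poster's /etc/mail/access comment says must be hex-escaped in a
# CERTIssuer:/CERTSubject: key; space is treated as non-printable because the
# poster's own entry writes it as +20. Assumption: this approximates sendmail's
# xtextify() (sendmail cf/README, STARTTLS section); it is not sendmail's code.
ESCAPED = set('<>()"+')

def access_key(dn):
    """Encode an openssl one-line DN ('/C=BG/ST=...') as an access-map key."""
    return ''.join('+%02X' % ord(c) if ord(c) < 0x21 or ord(c) > 0x7E or c in ESCAPED
                   else c for c in dn)

def parse_starttls(line):
    """Return the k=v fields of a 'STARTTLS=server, ...' maillog line as a dict."""
    m = re.search(r'STARTTLS=server, (.*)$', line)
    return dict(t.split('=', 1) for t in m.group(1).split(', ') if '=' in t) if m else {}

def cert_relay_applies(log_lines, access_keys):
    """Can a CERTIssuer: ... RELAY entry match the TLS session in these log lines?
    sendmail consults CERTIssuer for relaying only when the client certificate
    verified (verify=OK); with verify=NO the logged cert-issuer= is empty."""
    session = {}
    for line in log_lines:
        session.update(parse_starttls(line))
    verify, issuer = session.get('verify', '?'), session.get('cert-issuer', '')
    if verify != 'OK':
        return False, 'verify=%s: no verified client cert, CERTIssuer never matches' % verify
    if issuer in access_keys:
        return True, 'verified client cert, issuer matches access entry'
    return False, 'verified client cert, but no CERTIssuer entry for %s' % issuer

# Issuer DN from the poster's openssl output and the key from the poster's access file.
ISSUER_DN = ("/C=BG/ST=capital/L=Sofia/O=Digital Media Technologies Ltd/OU=Technical Department"
             "/CN=DMT's Certificate Authority/Email=alex@mydomain.org")
ACCESS_KEYS = {"/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd"
               "/OU=Technical+20Department/CN=DMT's+20Certificate+20Authority/Email=alex@mydomain.org"}
# Two lines from the poster's maillog (the denied session)...
DENIED_LOG = [
    "sm-mta[6578]: STARTTLS=server, relay=Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], "
    "version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "sm-mta[6578]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok",
]
# ...and a constructed pair showing what the same session logs with a verified client cert.
VERIFIED_LOG = [
    "sm-mta[6578]: STARTTLS=server, relay=pc.example [192.0.2.10], version=TLSv1/SSLv3, "
    "verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "sm-mta[6578]: STARTTLS=server, cert-subject=/CN=pc.example, cert-issuer="
    + access_key(ISSUER_DN) + ", verifymsg=ok",
]
```

Running `cert_relay_applies(DENIED_LOG, ACCESS_KEYS)` on the poster's lines returns False with the verify=NO reason, which is the first thing to check before suspecting the access entry itself.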
 
Old 03-12-2005, 04:10 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1966
I take it you were just too darn busy to read the rules you agreed to?

Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.

http://www.linuxquestions.org/rules.php