Visit the LQ Articles and Editorials section
Go Back > Forums > Linux Forums > Linux - General
User Name
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.


Closed Thread
Search this Thread
Old 03-12-2005, 04:54 PM   #1
LQ Newbie
Registered: Mar 2005
Location: Montreal
Distribution: Slackware 11
Posts: 9

Rep: Reputation: 0
Unhappy Sendmail (with TLS) relay denied

Hi friends,

I recently configured my sendmail 8.13.1 to include STARTTLS option.
# sendmail -bt -d0.8 < /dev/null
Version 8.13.1
                USERDB XDEBUG
Everything is looking fine, but when I try to access and send a mail
only "Relaying denied" error return. I never work with TLS-Relay before
and maybe I made any stupid mistake...
Could somebody help me?

Thanks and wishes,


There are several quotation from:
1. Script for certificates generation;
# Sendmail STARTTLS certificates (must be started by root)

# Set up the relevant directories
cd ${CDIR}
mkdir -p certs
chgrp smmsp certs
chmod o-rwx certs
cp ${CAPATH}/certs/cacert.pem certs/cacert.pem
# Create a hashed symbolic link to the CA certificate. During an SSL handshake's certificate exchange,
# sendmail will compute the the hash of the received CA cert's public key, append '.0' to it, then
# compare it to its own copy of the CA cert's public key. (This is probably an over simplification,
# but you get the idea.)
cd certs
ln -s cacert.pem `${OSSL} x509 -noout -hash < cacert.pem`.0

cd ${CAPATH}
# Mail-Server Certificate Generation (CN=FQDN)
echo WARNING: For CN must input a FQDN of the mail server !!!
echo --------------------------------------------------------
${OSSL} req -nodes -new -x509 -keyout ${CDIR}/certs/key.pem -out req.pem -days 365 -config openssl.cnf
chgrp smmsp ${CDIR}/certs/key.pem
chmod o-rwx ${CDIR}/certs/key.pem
# Sign with DMT Certificate Authority
cat ${CDIR}/certs/key.pem req.pem > ${CDIR}/certs/servreq.pem
${OSSL} x509 -x509toreq -in ${CDIR}/certs/servreq.pem -signkey ${CDIR}/certs/servreq.pem -out tmp.pem
${OSSL} ca -config openssl.cnf -policy policy_anything -out ${CDIR}/certs/cert.pem -infiles tmp.pem
rm -f tmp.pem req.pem
# cacert.pem    - your certificate authority's certificate
# cert.pem      - your sendmail server's certificate (including its public key)
# key.pem       - the sendmail server's private key
# servreq.pem   - includes two parts: the sendmail server's private key and the original (unsigned) certificate request

# export in PKCS#12 for Windows users
# 1-st way
#cd ${CDIR}
#${OSSL} pkcs12 -export -in ./certs/cert.pem -inkey ./certs/servreq.pem \
#-certfile ./certs/cacert.pem -name "DMT's SMTP/TLS CERTIFICATE" -out ./certs/dmt1smtp_tls.p12
# 2-nd way
cd ${CDIR}/certs
cat cacert.pem cert.pem key.pem > p12input.pem
${OSSL} pkcs12 -export -in p12input.pem -name "DMT's SMTP/TLS CERTIFICATE" -out dmt2smtp_tls.p12
2. Sendmail configuration [];
VERSIONID(`$Id:,v 8.13.1 Sun Dec 2 16:10:30 EET 2004 Exp $')dnl
dnl start STARTTLS options
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')dnl
dnl end STARTTLS options
3. Contents of /etc/mail/certs;
/etc/mail/certs# ls -Al
total 48
-rw-r--r--  1 root root  1846 2005-03-12 01:31 cacert.pem
-rw-r--r--  1 root root  5360 2005-03-12 01:31 cert.pem
-rw-r--r--  1 root root  4450 2005-03-12 02:55 dmt2smtp_tls.p12
lrwxrwxrwx  1 root root    10 2005-03-12 01:31 faeeb9ec.0 -> cacert.pem
-rw-r-----  1 root smmsp 1679 2005-03-12 01:31 key.pem
-rw-r--r--  1 root root  8885 2005-03-12 02:55 p12input.pem
-rw-r--r--  1 root root  3476 2005-03-12 01:31 servreq.pem
4. Exemplary MS Mail Client setting [Mozilla Thunderburd 1.0];
dmt2smtp_tls.p12 - applied to Windows 2K for any M$ Client - Mozilla Thunderburd 1.0 (MT1.0)
MT1.0 with settings in Tools->Account Settings->Outgoing Server (SMTP):
Server Name:
Port: 25
[ ] No  [ ] TLS, if available  [x] TLS  [ ] SSL
5. Sendmail tunning for TLS-Relay in /etc/mail/access;
# Relay certified sender - TLS option
# openssl x509 -in cacert.pem -noout -text | grep Issuer
# Issuer: C=BG, ST=capital, L=Sofia, O=Digital Media Technologies Ltd,
#         OU=Technical Department, CN=DMT's Certificate Authority/
# Each non-printable character and the characters '<', '>', '(', ')', '"', '+' are replaced by
# their HEX value with a leading '+'.
CERTIssuer:/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=Technical+20Department/CN=DMT's+20Certificate+20Authority/     RELAY
6. Initiation log for sm-mta daemon;
sm-mta[6208]: gethostbyaddr( failed: 1
sm-mta[6209]: starting daemon (8.13.1): SMTP+queueing@00:25:00
sm-mta[6209]: STARTTLS: CRLFile missing
sm-mta[6209]: STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
sm-mta[6209]: STARTTLS=server, init=1
sm-mta[6209]: started as: /usr/sbin/sendmail -L sm-mta -bd -q25m
sm-mta[6210]: j2AH0V5f030999: SMTP outgoing connect on
sm-msp-queue[6212]: starting daemon (8.13.1): queueing@00:25:00
7. Part from /var/log/maillog for "Relaying denied" problem presentation.
sm-mta[6578]: NOQUEUE: connect from []
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): init success to negotiate
sm-mta[6578]: j2CIP82O006578: Milter: connect to filters
sm-mta[6578]: j2CIP82O006578: milter=milter-amavis, action=connect, continue
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): time command (C), 0
sm-mta[6578]: j2CIP82O006578: --- 220 DMT ESMTP Mailserver; Sat, 12 Mar 2005 20:25:08 +0200
sm-mta[6578]: j2CIP82O006578: <-- EHLO []
sm-mta[6578]: j2CIP82O006578: milter=milter-amavis, action=helo, continue
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): time command (H), 0
sm-mta[6578]: j2CIP82O006578: --- Hello [], pleased to meet you
sm-mta[6578]: j2CIP82O006578: --- 250-ENHANCEDSTATUSCODES
sm-mta[6578]: j2CIP82O006578: --- 250-PIPELINING
sm-mta[6578]: j2CIP82O006578: --- 250-8BITMIME
sm-mta[6578]: j2CIP82O006578: --- 250-SIZE 10000000
sm-mta[6578]: j2CIP82O006578: --- 250-DSN
sm-mta[6578]: j2CIP82O006578: --- 250-ETRN
sm-mta[6578]: j2CIP82O006578: --- 250-STARTTLS
sm-mta[6578]: j2CIP82O006578: --- 250-DELIVERBY
sm-mta[6578]: j2CIP82O006578: --- 250 HELP
sm-mta[6578]: j2CIP82O006578: <-- STARTTLS
sm-mta[6578]: j2CIP82O006578: --- 220 2.0.0 Ready to start TLS
sm-mta[6578]: STARTTLS=server, get_verify: 0 get_peer: 0x0
sm-mta[6578]: STARTTLS=server, [], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
sm-mta[6578]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
sm-mta[6578]: j2CIP82O006578: <-- EHLO []
sm-mta[6578]: j2CIP82P006578: milter=milter-amavis, action=helo, continue
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): time command (H), 0
sm-mta[6578]: j2CIP82P006578: --- Hello [], pleased to meet you
sm-mta[6578]: j2CIP82P006578: --- 250-ENHANCEDSTATUSCODES
sm-mta[6578]: j2CIP82P006578: --- 250-PIPELINING
sm-mta[6578]: j2CIP82P006578: --- 250-8BITMIME
sm-mta[6578]: j2CIP82P006578: --- 250-SIZE 10000000
sm-mta[6578]: j2CIP82P006578: --- 250-DSN
sm-mta[6578]: j2CIP82P006578: --- 250-ETRN
sm-mta[6578]: j2CIP82P006578: --- 250-DELIVERBY
sm-mta[6578]: j2CIP82P006578: --- 250 HELP
sm-mta[6578]: j2CIP82P006578: <-- MAIL FROM:<> SIZE=448
sm-mta[6578]: j2CIP82P006578: Milter: senders: <>
sm-mta[6578]: j2CIP82P006578: milter=milter-amavis, action=mail, continue
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): time command (M), 0
sm-mta[6578]: j2CIP82P006578: --- 250 2.1.0 <>... Sender ok
sm-mta[6578]: j2CIP82P006578: <-- RCPT TO:<al_al_alexiev<at>>
sm-mta[6578]: j2CIP82P006578: --- 550 5.7.1 <al_al_alexiev<at>>... Relaying denied 
sm-mta[6578]: j2CIP82P006578: ruleset=check_rcpt, arg1=<al_al_alexiev<at>>, [], reject=550 5.7.1 <al_al_alexiev<at>>... Relaying denied
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): quit filter
sm-mta[6578]: j2CIP82P006578: --- 421 4.4.1 Lost input channel from []
sm-mta[6578]: j2CIP82P006578: lost input channel from [] to MTA after rcpt
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): quit filter
sm-mta[6578]: j2CIP82P006578: from=<>, size=448, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, []
amavis-milter[6588]: j2CIP82P006578: (mlfi_abort)
Old 03-12-2005, 05:10 PM   #2
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
i take it you were just too darn busy to read the rules you agreed to?

Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.

Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Postfix as a mail relay (getting relay access denied) hypexr Linux - Software 3 09-13-2005 08:15 PM
sendmail relay access denied techrolla Linux - Networking 5 06-11-2005 02:59 PM
TLS Relay denied freealx Linux - Software 2 03-15-2005 11:41 AM
Sendmail TLS relay freealx Linux - Networking 1 03-12-2005 05:09 PM
Sendmail relay denied. PTR or IP lookup failure. Bjorkli Linux - Networking 1 06-09-2004 02:59 PM

All times are GMT -5. The time now is 11:35 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration