LinuxQuestions.org


chingupt 05-13-2013 07:24 AM

Sendmail Server Authentication: Certificate based: Error
 
I have configured my setup for server-certificate-based authentication. Both the server and the client are sendmail systems, and both have the same set of certificates.

However, when the client communicates with the server, I get the following error:
403 4.7.0 authentication failed

Access file contents:
TLS_Srv:mx3.domaintest.com	VERIFY
TLS_Rcpt:	VERIFY:CI:/O=Sendmail/OU=Sendmail+20Server/CN=debian/Email=admin@debian

db file created using following command:
makemap hash access.db < access

Client sendmail Logs:

May 13 03:38:26 sendmail[5052]: STARTTLS: CRLFile missing
May 13 03:38:26 sendmail[5052]: STARTTLS=client, init=1
May 13 03:38:26 sendmail[5052]: STARTTLS=client, start=ok
May 13 03:38:26 sendmail[5052]: STARTTLS=client, info: fds=7/6, err=2
May 13 03:38:27 sendmail[5052]: STARTTLS: TLS cert verify: depth=0 /O=Sendmail/OU=Sendmail Server/CN=debian/emailAddress=admin@debian, state=0, reason=self signed certificate
May 13 03:38:27 sendmail[5052]: STARTTLS=client, info: fds=7/6, err=2
May 13 03:38:27 sendmail[5052]: STARTTLS=client, get_verify: 18 get_peer: 0x81e7a60
May 13 03:38:27 sendmail[5052]: STARTTLS=client, relay=mx3.domaintest.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
May 13 03:38:27 sendmail[5052]: STARTTLS=client, cert-subject=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, cert-issuer=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, verifymsg=self signed certificate
May 13 03:38:27 sendmail[5052]: ruleset=tls_server, arg1=FAIL, relay=mx3.domaintest.com, reject=403 4.7.0 authentication failed

Server Logs:

May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=read, info: fds=8/4, err=2
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=read, info: fds=8/4, err=2
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1p003966: from=, size=706, class=0, nrcpts=1, msgid=<1368405535.7035.26.camel@client1.com>, proto=ESMTP, daemon=MTA-v4, relay=domain.com [client_ip]
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1p003966: --- 250 2.0.0 r4D73R1p003966 Message accepted for delivery
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=read, info: fds=8/4, err=2
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1q003966: <-- QUIT
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1q003966: --- 221 2.0.0 domaintest.com closing connection
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=server, SSL_shutdown not done
May 13 02:03:41 domaintest sm-mta[3966]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
May 13 02:03:41 domaintest sm-mta[3970]: r4D73R1p003966: to=, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30999, dsn=2.0.0, stat=Sent
May 13 02:03:41 domaintest sm-mta[3970]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
May 13 02:03:41 domaintest sm-mta[3970]: r4D73R1p003966: done; delay=00:00:00, ntries=1
May 13 02:03:41 domaintest sm-mta[3970]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory

Where am I going wrong here?

In the client sendmail.cf file, I can see that the following rule is getting hit:
STLS_connection

authentication required: give appropriate error
other side did authenticate (via STARTTLS)
R <> OK $@ OK
R OK $:
R OK $:
R $* $:
R $#error $@ $2 $: $1 " authentication required"
R FAIL $#error $@ $2 $: $1 " authentication failed"
R NO $#error $@ $2 $: $1 " not authenticated"
R NOT $#error $@ $2 $: $1 " no authentication requested"
R NONE $#error $@ $2 $: $1 " other side does not support STARTTLS"
R $+ $#error $@ $2 $: $1 " authentication failure " $4
R $: $>max $&{cipher_bits} : $&{auth_ssf}
R $- $: $(arith l $@ $4 $@ $2 $)
R TRUE $#error $@ $2 $: $1 " encryption too weak " $4 " less than " $3
R $* $:
R $@ OK
R $:
R < $+ ++ $+ >
R $+ $@ $>"TLS_req" $3 $|

Please guide!

Regards

chingupt 05-14-2013 01:03 AM

I think there was some issue in the certificates. I generated a new set. However, when I use this new set, I am getting verify=ok. Now I tried to make this fail. So in the access file, I changed the string (Certificate Issuer) so that it won't match the one provided by the server. As per my understanding, it should have failed, yet it went through. How do I configure the client so that if the Cert Issuer/Subject string does not match the one provided by the server, then it should not send across to the sender?
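An added check (example code, not from the thread or from sendmail itself) that compares the CI:/CS: string in the access file against the cert-subject/cert-issuer values sendmail logs for the connection, which is the +HH-encoded form the VERIFY:CI:/CS: requirement is compared with. The embedded data is the access file and the client log line from this thread; which characters sendmail leaves unencoded beyond the +20 for space visible in the log is an assumption.

```python
# Added example: compare a sendmail access-map VERIFY:CI:/CS: requirement with the
# cert-issuer / cert-subject strings in sendmail's STARTTLS=client log line.
import re

# sendmail records ${cert_subject}/${cert_issuer} with awkward characters encoded as
# +HH; the log in this thread shows the space in "Sendmail Server" as "+20". The
# exact set of characters left unencoded is an assumption for this example.
SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/=@.-_")

def encode_dn(dn):
    """Encode a DN the way it appears in cert-subject=/cert-issuer= log fields."""
    return "".join(c if c in SAFE else "+%02X" % ord(c) for c in dn)

def parse_access(text):
    """Return {key: value} for the non-comment lines of an access file."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.lstrip().startswith("#"):
            entries[parts[0]] = parts[1].strip()
    return entries

def parse_tls_log(text):
    """Return {"CS": subject, "CI": issuer} from a STARTTLS=client log line."""
    m = re.search(r"cert-subject=([^,\s]+), cert-issuer=([^,\s]+)", text)
    return {"CS": m.group(1), "CI": m.group(2)} if m else {}

def check(access_text, log_text):
    """List (key, CI|CS, required, logged, matches) for every CI:/CS: requirement.
    Accepts both "VERIFY:CI:dn" as written in the thread and "VERIFY:bits+CI:dn"."""
    logged = parse_tls_log(log_text)
    results = []
    for key, value in parse_access(access_text).items():
        m = re.match(r"VERIFY(?::\d+)?[:+]C([IS]):(.+)$", value)
        if key.startswith("TLS_") and m:
            field, required = "C" + m.group(1), m.group(2)
            seen = logged.get(field, "")
            results.append((key, field, required, seen, required == seen))
    return results

# Access file and client log line as posted in this thread (constructed input).
ACCESS = "TLS_Srv:mx3.domaintest.com\tVERIFY\n" \
         "TLS_Rcpt:\tVERIFY:CI:/O=Sendmail/OU=Sendmail+20Server/CN=debian/Email=admin@debian\n"
LOG = ("May 13 03:38:27 sendmail[5052]: STARTTLS=client, "
       "cert-subject=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, "
       "cert-issuer=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, "
       "verifymsg=self signed certificate")

if __name__ == "__main__":
    for key, field, required, seen, ok in check(ACCESS, LOG):
        print(f"{key} {field}: {'match' if ok else 'MISMATCH'}\n  access: {required}\n  log:    {seen}")
```

Run against the thread's own data it reports a mismatch for the TLS_Rcpt: entry, because the access file spells the last attribute Email= while the logged subject and issuer use emailAddress=.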

