LinuxQuestions.org
Old 05-13-2013, 07:24 AM   #1
chingupt
LQ Newbie
 
Registered: Apr 2013
Posts: 8

Sendmail Server Authentication: Certificate based: Error


I have configured my setup for a server certificate based authentication. Both Server and Client are sendmail systems and both have the same set of certificates.

However, when the client communicates with the server, I get the following error:
403 4.7.0 authentication failed

Access file contents:
TLS_Srv:mx3.domaintest.com VERIFY
TLS_Rcpt: VERIFY:CI:/O=Sendmail/OU=Sendmail+20Server/CN=debian/Email=admin@debian

db file created using following command:
makemap hash access.db < access

Client sendmail Logs:

May 13 03:38:26 sendmail[5052]: STARTTLS: CRLFile missing
May 13 03:38:26 sendmail[5052]: STARTTLS=client, init=1
May 13 03:38:26 sendmail[5052]: STARTTLS=client, start=ok
May 13 03:38:26 sendmail[5052]: STARTTLS=client, info: fds=7/6, err=2
May 13 03:38:27 sendmail[5052]: STARTTLS: TLS cert verify: depth=0 /O=Sendmail/OU=Sendmail Server/CN=debian/emailAddress=admin@debian, state=0, reason=self signed certificate
May 13 03:38:27 sendmail[5052]: STARTTLS=client, info: fds=7/6, err=2
May 13 03:38:27 sendmail[5052]: STARTTLS=client, get_verify: 18 get_peer: 0x81e7a60
May 13 03:38:27 sendmail[5052]: STARTTLS=client, relay=mx3.domaintest.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
May 13 03:38:27 sendmail[5052]: STARTTLS=client, cert-subject=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, cert-issuer=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, verifymsg=self signed certificate
May 13 03:38:27 sendmail[5052]: ruleset=tls_server, arg1=FAIL, relay=mx3.domaintest.com, reject=403 4.7.0 authentication failed

Server Logs:

May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=read, info: fds=8/4, err=2
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=read, info: fds=8/4, err=2
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1p003966: from=, size=706, class=0, nrcpts=1, msgid=<1368405535.7035.26.camel@client1.com>, proto=ESMTP, daemon=MTA-v4, relay=domain.com [client_ip]
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1p003966: --- 250 2.0.0 r4D73R1p003966 Message accepted for delivery
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=read, info: fds=8/4, err=2
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1q003966: <-- QUIT
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1q003966: --- 221 2.0.0 domaintest.com closing connection
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=server, SSL_shutdown not done
May 13 02:03:41 domaintest sm-mta[3966]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
May 13 02:03:41 domaintest sm-mta[3970]: r4D73R1p003966: to=, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30999, dsn=2.0.0, stat=Sent
May 13 02:03:41 domaintest sm-mta[3970]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
May 13 02:03:41 domaintest sm-mta[3970]: r4D73R1p003966: done; delay=00:00:00, ntries=1
May 13 02:03:41 domaintest sm-mta[3970]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory

Where am I going wrong here?

In the client sendmail.cf file, I can see that the following rule is getting hit:
STLS_connection

# authentication required: give appropriate error
# other side did authenticate (via STARTTLS)
R <> OK $@ OK
R OK $:
R OK $:
R $* $:
R $#error $@ $2 $: $1 " authentication required"
R FAIL $#error $@ $2 $: $1 " authentication failed"
R NO $#error $@ $2 $: $1 " not authenticated"
R NOT $#error $@ $2 $: $1 " no authentication requested"
R NONE $#error $@ $2 $: $1 " other side does not support STARTTLS"
R $+ $#error $@ $2 $: $1 " authentication failure " $4
R $: $>max $&{cipher_bits} : $&{auth_ssf}
R $- $: $(arith l $@ $4 $@ $2 $)
R TRUE $#error $@ $2 $: $1 " encryption too weak " $4 " less than " $3
R $* $:
R $@ OK
R $:
R < $+ ++ $+ >
R $+ $@ $>"TLS_req" $3 $|

Please guide!

Regards
 
Old 05-14-2013, 01:03 AM   #2
chingupt
LQ Newbie
 
Registered: Apr 2013
Posts: 8

Original Poster
I think there was some issue in the certificates. I generated a new set. However, when I use this new set, I am getting verify=OK. Now I tried to make this fail, so in the access file I changed the string (Certificate Issuer) so that it won't match the one provided by the server. As per my understanding, it should have failed, yet it went through. How do I configure the client so that if the Cert Issuer/Subject string does not match the one provided by the server, then it should not send across to the sender?
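As an added example (not sendmail's code and not from either post), the following Python models the decision the client-side tls_server ruleset quoted in the first post makes from a TLS_Srv/TLS_Rcpt access value: VERIFY demands verify=OK, an optional bit count is compared with the cipher bits, and CI/CS/CN extensions are compared literally against the logged DN strings. The sessions are constructed from the two outcomes reported above; the `++` extension separator is taken from the `<$+ ++ $+>` rule in the quoted ruleset, and applying the `+XX` encoding beyond the `+20` visible in the log is an assumption.

```python
import re

def sm_encode(dn):
    """Render a DN the way the client log shows ${cert_subject}/${cert_issuer}:
    the space in 'Sendmail Server' appears as +20 in the thread's log; treating
    '+' and other non-graphic bytes with the same +XX rule is an assumption."""
    return "".join(c if 0x21 <= ord(c) <= 0x7E and c != "+" else "+%02X" % ord(c)
                   for c in dn)

def parse_requirement(value):
    """Split 'VERIFY[:bits][++CI:issuer][++CS:subject][++CN:name]' into parts.
    A non-numeric bits field (e.g. 'VERIFY:CI:/O=...') is reported as malformed."""
    head, *exts = value.split("++")
    mode, _, bits = head.partition(":")
    if bits and not bits.isdigit():
        return {"error": "malformed requirement: bits field is %r" % bits}
    req = {"mode": mode, "bits": int(bits or 0)}
    for ext in exts:
        key, _, val = ext.partition(":")
        req[key] = val
    return req

def evaluate(access_value, session):
    """Decide whether the client may hand the message to this server.
    session carries verify, bits, cert_subject and cert_issuer as the client logs them."""
    req = parse_requirement(access_value)
    if "error" in req:
        return False, req["error"]
    if req["mode"] == "VERIFY" and session["verify"] != "OK":
        return False, "authentication failed"      # the 403 4.7.0 path in the log
    if session["bits"] < req["bits"]:
        return False, "encryption too weak"
    cn = re.search(r"/CN=([^/]*)", session["cert_subject"])
    checks = {"CI": session["cert_issuer"], "CS": session["cert_subject"],
              "CN": cn.group(1) if cn else ""}
    for key, actual in checks.items():
        # literal comparison: the access value must use the same encoding and
        # attribute names (e.g. emailAddress=) as the logged string
        if key in req and req[key] != actual:
            return False, "%s mismatch: want %s, got %s" % (key, req[key], actual)
    return True, "ok"

# Constructed sessions modelled on the failing and the later verify=OK run.
PEER_DN = "/O=Sendmail/OU=Sendmail Server/CN=debian/emailAddress=admin@debian"
FAILED = {"verify": "FAIL", "bits": 256,
          "cert_subject": sm_encode(PEER_DN), "cert_issuer": sm_encode(PEER_DN)}
OK = dict(FAILED, verify="OK")

if __name__ == "__main__":
    print(evaluate("VERIFY", FAILED))
    print(evaluate("VERIFY:128++CI:" + sm_encode(PEER_DN), OK))
    print(evaluate("VERIFY:128++CI:" + sm_encode(PEER_DN.replace("emailAddress", "Email")), OK))
```

The third call shows that an access entry written with `Email=` never equals a logged issuer that reads `emailAddress=`, so a requirement that is meant to fail on a changed issuer string only takes effect when the requirement itself parses as an extension rather than as a bit count.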
 
  



Tags
mailserver, security, sendmail

