LinuxQuestions.org
Closed Thread
Old 05-13-2013, 06:24 AM   #1
chingupt
Sendmail Server Authentication: Certificate based: Error


I have configured my setup for server certificate based authentication. Both Server and Client are sendmail systems and both have the same set of certificates.

However, when the client communicates with the server, I get the following error:
403 4.7.0 authentication failed

Access file contents:
TLS_Srv:mx3.domaintest.com VERIFY TLS_Rcpt: VERIFY:CI:/O=Sendmail/OU=Sendmail+20Server/CN=debian/Email=admin@debian

db file created using following command:
makemap hash access.db < access

Client sendmail Logs:

May 13 03:38:26 sendmail[5052]: STARTTLS: CRLFile missing
May 13 03:38:26 sendmail[5052]: STARTTLS=client, init=1
May 13 03:38:26 sendmail[5052]: STARTTLS=client, start=ok
May 13 03:38:26 sendmail[5052]: STARTTLS=client, info: fds=7/6, err=2
May 13 03:38:27 sendmail[5052]: STARTTLS: TLS cert verify: depth=0 /O=Sendmail/OU=Sendmail Server/CN=debian/emailAddress=admin@debian, state=0, reason=self signed certificate
May 13 03:38:27 sendmail[5052]: STARTTLS=client, info: fds=7/6, err=2
May 13 03:38:27 sendmail[5052]: STARTTLS=client, get_verify: 18 get_peer: 0x81e7a60
May 13 03:38:27 sendmail[5052]: STARTTLS=client, relay=mx3.domaintest.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
May 13 03:38:27 sendmail[5052]: STARTTLS=client, cert-subject=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, cert-issuer=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, verifymsg=self signed certificate
May 13 03:38:27 sendmail[5052]: ruleset=tls_server, arg1=FAIL, relay=mx3.domaintest.com, reject=403 4.7.0 authentication failed

Server Logs:

May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=read, info: fds=8/4, err=2
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=read, info: fds=8/4, err=2
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1p003966: from=, size=706, class=0, nrcpts=1, msgid=<1368405535.7035.26.camel@client1.com>, proto=ESMTP, daemon=MTA-v4, relay=domain.com [client_ip]
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1p003966: --- 250 2.0.0 r4D73R1p003966 Message accepted for delivery
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=read, info: fds=8/4, err=2
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1q003966: <-- QUIT
May 13 02:03:41 domaintest sm-mta[3966]: r4D73R1q003966: --- 221 2.0.0 domaintest.com closing connection
May 13 02:03:41 domaintest sm-mta[3966]: STARTTLS=server, SSL_shutdown not done
May 13 02:03:41 domaintest sm-mta[3966]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
May 13 02:03:41 domaintest sm-mta[3970]: r4D73R1p003966: to=, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30999, dsn=2.0.0, stat=Sent
May 13 02:03:41 domaintest sm-mta[3970]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
May 13 02:03:41 domaintest sm-mta[3970]: r4D73R1p003966: done; delay=00:00:00, ntries=1
May 13 02:03:41 domaintest sm-mta[3970]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory

Where am I going wrong here?

In the client sendmail.cf file, I can see that the following rule is getting hit:
STLS_connection

authentication required: give appropriate error
other side did authenticate (via STARTTLS)
R <> OK $@ OK
R OK $:
R OK $:
R $* $:
R $#error $@ $2 $: $1 " authentication required"
R FAIL $#error $@ $2 $: $1 " authentication failed"
R NO $#error $@ $2 $: $1 " not authenticated"
R NOT $#error $@ $2 $: $1 " no authentication requested"
R NONE $#error $@ $2 $: $1 " other side does not support STARTTLS"
R $+ $#error $@ $2 $: $1 " authentication failure " $4
R $: $>max $&{cipher_bits} : $&{auth_ssf}
R $- $: $(arith l $@ $4 $@ $2 $)
R TRUE $#error $@ $2 $: $1 " encryption too weak " $4 " less than " $3
R $* $:
R $@ OK
R $:
R < $+ ++ $+ >
R $+ $@ $>"TLS_req" $3 $|

Please guide!

Regards
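
Added example (not part of the original post, and not sendmail's own code): a small Python triage of the client-side log lines quoted above. It groups STARTTLS lines by sendmail process ID, maps the get_verify number to the OpenSSL verification error name, and checks whether the peer certificate's subject equals its issuer. The function name diagnose and the field names are assumptions made for this example.

```python
import re
from collections import defaultdict

# OpenSSL X509_V_ERR_* values, which sendmail logs as "get_verify: N".
X509_VERIFY = {0: "X509_V_OK", 10: "X509_V_ERR_CERT_HAS_EXPIRED",
               18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
               19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
               20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"}

# Four of the client log lines from the post above, copied unchanged.
SAMPLE = """\
May 13 03:38:27 sendmail[5052]: STARTTLS=client, get_verify: 18 get_peer: 0x81e7a60
May 13 03:38:27 sendmail[5052]: STARTTLS=client, relay=mx3.domaintest.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
May 13 03:38:27 sendmail[5052]: STARTTLS=client, cert-subject=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, cert-issuer=/O=Sendmail/OU=Sendmail+20Server/CN=debian/emailAddress=admin@debian, verifymsg=self signed certificate
May 13 03:38:27 sendmail[5052]: ruleset=tls_server, arg1=FAIL, relay=mx3.domaintest.com, reject=403 4.7.0 authentication failed
"""

LINE = re.compile(r"(?:sendmail|sm-mta)\[(\d+)\]: (.*)")
FIELDS = {  # field name (assumed for this example) -> pattern in the message text
    "code": re.compile(r"get_verify: (\d+)"),
    "relay": re.compile(r"relay=([^,\s]+?)\.?,"),
    "verify": re.compile(r"verify=(\w+)"),
    "subject": re.compile(r"cert-subject=(.*?), cert-issuer="),
    "issuer": re.compile(r"cert-issuer=(.*?), verifymsg="),
    "reject": re.compile(r"reject=(.*)$"),
}

def diagnose(log_text):
    """Return one finding per sendmail process whose TLS handshake logged verify=FAIL."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        for name, rx in FIELDS.items():
            hit = rx.search(m.group(2))
            if hit:  # keep the first value seen for each field
                sessions[m.group(1)].setdefault(name, hit.group(1))
    findings = []
    for pid, s in sessions.items():
        if s.get("verify") != "FAIL":
            continue
        code = int(s.get("code", -1))
        findings.append({
            "pid": pid, "relay": s.get("relay"),
            "verify_error": X509_VERIFY.get(code, "unlisted code %d" % code),
            "self_signed": "subject" in s and s["subject"] == s.get("issuer"),
            "reject": s.get("reject"),
        })
    return findings
```

On the lines above, diagnose(SAMPLE) reports code 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) for relay mx3.domaintest.com with subject equal to issuer: the client did not find the server's self-signed certificate among the CA certificates it trusts. The verify result is therefore FAIL, and the tls_server ruleset returns the 403 4.7.0 rejection shown in the log.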
 
Old 05-13-2013, 06:32 AM   #2
druuna
Cross-posting is against the LQ rules. Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place.

Continue in the other/original thread: https://www.linuxquestions.org/quest...or-4175461736/

Reported for closure.
 
  

