LinuxQuestions.org
Old 02-28-2011, 08:34 AM   #1
JimmyTheSaint
LQ Newbie
 
Registered: Mar 2007
Distribution: Fedora Core 13
Posts: 23

Rep: Reputation: 0
can't relay mail: did not issue MAIL/EXPN/VRFY/ETRN


I've seen lots of threads on this, but still cannot track down the problem in my case.

To enable relaying, I've uncommented the lines in sendmail.mc that allow:

1) relaying for authenticated users
2) LOGIN and PLAIN authentication
3) listening on port 587

saslauthd is running.

The firewall allows ports 587 and 143, but I've also tried with iptables down.

Yes, I did make in /etc/mail and restarted sendmail.

With my iPhone, I can fetch mail fine. But when sending mail from my iPhone, it fails and the maillog's error is "did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA"

The Squirrelmail web interface works fine for sending and receiving.

Any suggestions what to try next?
 
Old 03-01-2011, 05:45 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 13.37
Posts: 4,089

Rep: Reputation: 136Reputation: 136
After you make changes to sendmail.mc you need to re-generate the sendmail.cf file - have you done that?
 
1 members found this post helpful.
Old 03-01-2011, 06:17 PM   #3
JimmyTheSaint
LQ Newbie
 
Registered: Mar 2007
Distribution: Fedora Core 13
Posts: 23

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by gilead
After you make changes to sendmail.mc you need to re-generate the sendmail.cf file - have you done that?

Yes, I did make in /etc/mail and restarted sendmail.

In addition, I have now discovered that sending and receiving mail has been disabled entirely by the changes I made above. The error logged is:

dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<root>, method=\
PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured


EDIT:
To be more specific, the lines in sendmail.mc I uncommented are:

dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

Last edited by JimmyTheSaint; 03-01-2011 at 06:34 PM. Reason: more specific info
 
Old 03-01-2011, 07:42 PM   #4
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 13.37
Posts: 4,089

Rep: Reputation: 136Reputation: 136
I'm not able to check at the moment, but if you've uncommented the submission port, you may also need the smtp port. Something like this:
Code:
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
 
1 members found this post helpful.
Old 03-01-2011, 08:17 PM   #5
JimmyTheSaint
LQ Newbie
 
Registered: Mar 2007
Distribution: Fedora Core 13
Posts: 23

Original Poster
Rep: Reputation: 0
The portion of my sendmail.mc that looks relevant says:

Code:
dnl # The following causes sendmail to only listen on the IPv4 loopback address                        
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback                              
dnl # address restriction to accept email from the internet or intranet.                               
dnl #                                                                                                  
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
So how do I "remove the loopback address restriction" as suggested? Simply delete the parameter so that it looks like this?:

Code:
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
 
Old 03-01-2011, 09:49 PM   #6
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 13.37
Posts: 4,089

Rep: Reputation: 136Reputation: 136
IIRC, you can use 0.0.0.0 instead of 127.0.0.1 for that.
 
1 members found this post helpful.
Old 03-02-2011, 05:34 AM   #7
JimmyTheSaint
LQ Newbie
 
Registered: Mar 2007
Distribution: Fedora Core 13
Posts: 23

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by gilead
IIRC, you can use 0.0.0.0 instead of 127.0.0.1 for that.

OK, thanks. Mail now seems to work normally, but I'm back to my original iPhone problem. I can fetch mail via my iPhone, but I can't send. When I try to send, the iPhone reports failure and my server's maillog says:

Code:
sendmail[949]: p22BUZWe000949: <ip deleted> [<ip deleted>] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Any more clues?
 
Old 03-02-2011, 06:32 AM   #8
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 13.37, 14.0
Posts: 385

Rep: Reputation: 49
Did you configure your outgoing mail account correctly? (SMTP, authentication, SSL/TLS)
This message usually appears when the mail user agent software does not initialize the supported type of SMTP mechanism (for example authentication). A general issue with mail software configuration (by default) is that it expects SMTP to be an open relay (without authentication).
 
1 members found this post helpful.
Old 03-02-2011, 08:21 AM   #9
JimmyTheSaint
LQ Newbie
 
Registered: Mar 2007
Distribution: Fedora Core 13
Posts: 23

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by hua
Did you configure your outgoing mail account correctly? (SMTP, authentication, SSL/TLS)
This message usually appears when the mail user agent software does not initialize the supported type of SMTP mechanism (for example authentication). A general issue with mail software configuration (by default) is that it expects SMTP to be an open relay (without authentication).

OK, here's where I get ignorant. On the iPhone, for the outgoing mail server, when I try to turn on "Use SSL," I eventually get this error:

"The SMTP server <my server's ip> is not responding. Check your network connection and that you entered the correct information in the 'Outgoing Mail Server' field."

The iPhone's authentication is set to "Password" and the only other options are "MD5 Challenge-Response," "NTLM," and "HTTP MD5 Digest." What am I doing wrong?

Last edited by JimmyTheSaint; 03-02-2011 at 08:25 AM.
 
Old 03-02-2011, 09:01 AM   #10
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 13.37, 14.0
Posts: 385

Rep: Reputation: 49
It looks like there is something wrong with the basic SMTP connection process.

In the first place, you should make clear what type of connection you want to use for SMTP. For example, if you decide to use SSL you should check whether your SMTP server supports it.
But I recommend that you first try SMTP with no encryption. So no SSL, no TLS, just SMTP on port 25. The best way is to try that with telnet.
Code:
telnet your.smtpserver.com 25
220 your.smtpserver.com ESMTP Sendmail .... 
EHLO your.hostname.com
response ....
I don't know if you know these telnet commands, but just to be sure - blue are commands typed by you, red the server response.
In the last response you should get something like this:
Quote:
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
This tells you what you can use on your iPhone. After this you can try to set up different types of SMTP.
The big question is what your iPhone supports. If it supports SMTP without encryption, try this. After this you can try it with SSL.
SSL and TLS require some additional server configuration (certificates).

Last edited by hua; 03-02-2011 at 09:08 AM.
 
1 members found this post helpful.
Old 03-02-2011, 10:38 AM   #11
JimmyTheSaint
LQ Newbie
 
Registered: Mar 2007
Distribution: Fedora Core 13
Posts: 23

Original Poster
Rep: Reputation: 0
telnet'ing from my iPhone, I get:

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250-HELP

Pardon any spelling errors on the output, but it's really small on my iPhone screen.

This mail-related stuff is new to me, so I don't know how to set up different modes of SMTP.
 
Old 03-02-2011, 11:39 AM   #12
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 13.37, 14.0
Posts: 385

Rep: Reputation: 49
As you can see, although you defined them, the PLAIN and LOGIN authentication mechanisms are not there.
Code:
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
By default sendmail disallows these authentication mechanisms (weak authentication). I could not find the exact link where it was described, but I know this is controlled in confAUTH_OPTIONS.

Code:
define(`confAUTH_OPTIONS', `A')dnl
There should be an extra p option.
Quote:
p
don't permit mechanisms susceptible to simple passive attack (e.g., PLAIN, LOGIN), unless a security layer is active.
When it works you should see in the response of the server the AUTH LOGIN PLAIN.

Last edited by hua; 03-02-2011 at 11:50 AM.
 
1 members found this post helpful.
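
The check described in posts #10 and #12, as an added example that is not part of the original thread: it parses an EHLO reply and reports what a client limited to PLAIN/LOGIN (assumed here to be what the iPhone's "Password" setting uses) can do with it. The `verdict` labels and the three constructed replies (host `mail.example.test`) are assumptions of this example; only `THREAD_REPLY` comes from the thread.

```python
import re

# Mechanisms that put the password itself on the wire (base64 is encoding, not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Map each 250 line of an EHLO reply to {KEYWORD: [PARAMS]}.
    A greeting line, if present, simply becomes an unused key."""
    ext = {}
    for line in reply.splitlines():
        m = re.match(r"250[- ](\S+)\s*(.*)", line.strip())
        if m:
            ext.setdefault(m.group(1).upper(), []).extend(m.group(2).upper().split())
    return ext

def verdict(reply, tls_active=False):
    """Classify what a client limited to PLAIN/LOGIN can do with this reply."""
    ext = parse_ehlo(reply)
    plaintext = PLAINTEXT_MECHS & set(ext.get("AUTH", []))
    if plaintext and not tls_active:
        return "works-but-password-in-clear"   # confAUTH_OPTIONS without p, no TLS
    if plaintext:
        return "ok-password-protected-by-tls"  # p satisfied: security layer is active
    if "STARTTLS" in ext:
        return "must-starttls-first"           # p hides PLAIN/LOGIN until the upgrade
    return "locked-out"                        # p set, but no security layer on offer

# Reply quoted in post #11 of the thread, as typed by the poster.
THREAD_REPLY = """250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250-HELP"""

# Constructed samples (not from the thread): `p` removed; `p` plus TLS before
# and after the STARTTLS upgrade.
NO_P = "250-mail.example.test Hello\n250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN\n250 HELP"
P_PRE_TLS = "250-mail.example.test Hello\n250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5\n250-STARTTLS\n250 HELP"
P_POST_TLS = "250-mail.example.test Hello\n250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN\n250 HELP"

if __name__ == "__main__":
    for name, reply, tls in [("thread", THREAD_REPLY, False), ("no p", NO_P, False),
                             ("p, pre-TLS", P_PRE_TLS, False), ("p, post-TLS", P_POST_TLS, True)]:
        print(f"{name:12} {verdict(reply, tls)}")
```
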
Old 03-02-2011, 06:15 PM   #13
JimmyTheSaint
LQ Newbie
 
Registered: Mar 2007
Distribution: Fedora Core 13
Posts: 23

Original Poster
Rep: Reputation: 0
DING DING DING DING DING DING--IT WORKS!

In my first post, I said I enabled relaying in sendmail.mc, but I failed to describe exactly how. I had uncommented these lines:

Code:
dnl define(`confAUTH_OPTIONS', `A p')dnl

dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
That first one's the mistake, and when I re-commented it out, it worked. I still find that line's documentation ambiguous. It says "The following allows relaying if the user authenticates, and disallows plaintext authentication (PLAIN/LOGIN) on non-TLS links." It may seem obvious to experts, but since it says relaying is allowed if you authenticate (and I do authenticate), then I misunderstood the conditional disallowance of plaintext authentication because I made the wrong assumption about what "TLS" means. Oops.

Thanks to this thread's responders so much. I've been putting off learning this for years. It's glorious to finally get control of my servers' relaying capabilities.

The one thing I don't understand is why my iPhone requires "Use SSL" to be turned off. Isn't that something I want? Does that require the firewall to allow some other port?

Last edited by JimmyTheSaint; 03-03-2011 at 06:07 AM.
 
Old 03-03-2011, 02:02 AM   #14
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 13.37, 14.0
Posts: 385

Rep: Reputation: 49
Using SSL is recommended and you should use it if possible. But this requires some additional configuration.
This is about the second thing that is missing from your server response.
Quote:
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
For this you need to configure your sendmail to use certificates. This link can give you some useful information.
http://www.slackwiki.org/Sendmail_TLS_SASL_SMTP-AUTH
1. You need to create certificates
2. You need to configure your sendmail.cf for using certificates.
3. And of course there is a different port for this SSL - 465.

There are two types of securing SMTP -
1. first is configured inside of sendmail.cf (TLS)
2. second one is by using stunnel (SSL).(I never used that for SMTP) stunnel makes SSL for your IMAP and POP3 too.

But go back to the first thing. Instead of commenting out define(`confAUTH_OPTIONS', `A p')dnl, let's try using only the A parameter.

Last edited by hua; 03-03-2011 at 02:06 AM.
 
Old 03-03-2011, 08:33 AM   #15
JimmyTheSaint
LQ Newbie
 
Registered: Mar 2007
Distribution: Fedora Core 13
Posts: 23

Original Poster
Rep: Reputation: 0
Yes, I see I need to secure SMTP. I am about to move to a new place, so my server will be down for a few days. I'll have to come back to this next week.
 
  


All times are GMT -5. The time now is 01:07 AM.
