LinuxQuestions.org
Old 04-05-2011, 02:19 AM   #16
JimmyTheSaint
LQ Newbie
 
Registered: Mar 2007
Distribution: Fedora Core 13
Posts: 23

Original Poster
Rep: Reputation: 0

Following the instructions at http://www.madboa.com/geek/sendmail-auth/, I generated the self-signed certificate sendmail.cert and edited sendmail.mc like this:

Code:
define(`confAUTH_OPTIONS', `A p y')dnl
dnl
dnl  Accept PLAIN and LOGIN authentications.
dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl
dnl  Define paths to directory hosting certs of trusted certificate
dnl  authorities (like VeriSign) and path to local certificate.
dnl
define(`confCACERT_PATH',`/etc/pki/tls/certs')dnl
define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confCLIENT_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl
I re-made sendmail.cf and access.db as specified and restarted saslauthd and sendmail. Sendmail reports

Code:
250-STARTTLS
So I finished the recipe, but how can I tell for sure whether I'm now secure or not?

Last edited by JimmyTheSaint; 04-05-2011 at 02:50 AM.
 
Old 04-05-2011, 02:58 AM   #17
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 13.37, 14.0
Posts: 396

Rep: Reputation: 49
First of all you should check the logs: maillog, messages, syslog. Almost every time I set up sendmail for secure SMTP there was something missing. Wrong permissions on certs or keys, wrong path to the cert directory ...
After you restart sendmail you should check whether the start was clean or whether there were warnings or errors.
Look for something like this in your maillog.
Quote:
Apr 5 09:01:13 stardust sm-mta[26040]: starting daemon (8.14.4): SMTP+queueing@00:25:00
Apr 5 09:01:13 stardust sm-mta[26040]: STARTTLS=server: file /etc/mail/certs/smtp.cert.pem unsafe: No such file or directory
Apr 5 09:01:33 stardust sm-msp-queue[26070]: starting daemon (8.14.4): queueing@00:25:00
Hope it helps.

Edit:
Sorry I didn't see that STARTTLS actually worked for you.
Quote:
Originally Posted by JimmyTheSaint View Post
I re-made sendmail.cf and access.db as specified and restarted saslauthd and sendmail. Sendmail reports

Code:
250-STARTTLS
So I finished the recipe, but how can I tell for sure whether I'm now secure or not?
Just set up your mail user agent (Thunderbird, Outlook Express ... or anything else that supports SMTPS). What MUA do you use?
After this you can use a tool like Wireshark to capture the traffic of the SMTP session, where you will see encrypted data. Otherwise you will see clear text data, which is insecure.

Last edited by hua; 04-05-2011 at 03:22 AM.
 
1 members found this post helpful.
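The question in post #16 (how to tell whether the server is really secure) can be answered more directly than by reading a packet capture: talk to the server the way a client does and compare what it advertises before and after STARTTLS. The following Python script is an added example, not code from the thread or from the madboa.com recipe. It parses the EHLO capability list, reports whether STARTTLS is offered, and flags AUTH LOGIN/PLAIN being advertised on the still-cleartext connection, which is exactly what the `p` flag in sendmail's confAUTH_OPTIONS (`A p y` in the recipe) is there to prevent: `p` withholds mechanisms that reveal the password to a passive listener until a security layer is active, and `y` withholds mechanisms that allow anonymous login. The host name, port, and the three sample EHLO replies are constructed assumptions. For port 465 (SMTPS, which the iPhone uses later in the thread) the whole session is TLS from the first byte, so `smtplib.SMTP_SSL` applies and there is no cleartext phase to check.

```python
"""Probe what a sendmail server advertises before and after STARTTLS.

Added example for this thread; not code from the original posts. The host
name, port and the sample EHLO replies below are constructed assumptions.
"""
import smtplib
import ssl
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Mechanisms that hand the password to anyone watching an unencrypted session
# (sendmail's confAUTH_OPTIONS flag 'p' withholds these until TLS is up).
PASSIVE_ATTACK_MECHS = {"PLAIN", "LOGIN"}

# Constructed EHLO replies in the byte form smtplib.SMTP.ehlo() returns:
# the first line is the greeting, every following line one capability.
CLEARTEXT_EHLO_SAMPLE = (
    b"mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you\n"
    b"ENHANCEDSTATUSCODES\nPIPELINING\n8BITMIME\nSIZE 30000000\n"
    b"STARTTLS\nAUTH LOGIN PLAIN\nHELP"
)
HARDENED_EHLO_SAMPLE = (
    b"mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you\n"
    b"ENHANCEDSTATUSCODES\nPIPELINING\n8BITMIME\nSIZE 30000000\nSTARTTLS\nHELP"
)
AFTER_TLS_EHLO_SAMPLE = (
    b"mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you\n"
    b"ENHANCEDSTATUSCODES\nPIPELINING\n8BITMIME\nSIZE 30000000\n"
    b"AUTH LOGIN PLAIN\nHELP"
)


@dataclass
class EhloCaps:
    """The three facts from an EHLO reply that this check cares about."""
    starttls: bool = False
    auth_mechs: List[str] = field(default_factory=list)
    size: Optional[int] = None


def parse_ehlo(ehlo_msg: bytes) -> EhloCaps:
    caps = EhloCaps()
    for line in ehlo_msg.decode("ascii", "replace").splitlines()[1:]:
        parts = line.split()
        if not parts:
            continue
        keyword = parts[0].upper()
        if keyword == "STARTTLS":
            caps.starttls = True
        elif keyword == "AUTH" or keyword.startswith("AUTH="):
            # Older servers spell it "AUTH=LOGIN PLAIN"; accept both forms.
            mechs = ([keyword[5:]] if keyword.startswith("AUTH=") else []) + parts[1:]
            caps.auth_mechs.extend(m.upper() for m in mechs)
        elif keyword == "SIZE" and len(parts) > 1 and parts[1].isdigit():
            caps.size = int(parts[1])
    return caps


def assess(clear: EhloCaps, after_tls: Optional[EhloCaps]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    if not clear.starttls:
        findings.append("STARTTLS is not advertised; the session cannot be upgraded to TLS")
    weak = sorted(PASSIVE_ATTACK_MECHS & set(clear.auth_mechs))
    if weak:
        findings.append(
            "cleartext EHLO advertises AUTH %s: a client may send its password "
            "unencrypted (confAUTH_OPTIONS flag 'p' withholds these until TLS is active)"
            % ",".join(weak)
        )
    if after_tls is not None and not after_tls.auth_mechs:
        findings.append("no AUTH mechanisms offered after STARTTLS; authenticated submission will fail")
    return findings


def probe(host: str, port: int = 25, timeout: float = 10.0) -> List[str]:
    """Live check against a real server (assumed host/port); not used by the tests."""
    ctx = ssl.create_default_context()  # verifies the server certificate chain
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, clear_msg = smtp.ehlo()
        clear = parse_ehlo(clear_msg)
        after_tls = None
        if clear.starttls:
            smtp.starttls(context=ctx)
            _, tls_msg = smtp.ehlo()  # capabilities must be re-read after the upgrade
            after_tls = parse_ehlo(tls_msg)
    return assess(clear, after_tls)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # assumed host
    for finding in probe(target) or ["no findings: STARTTLS offered, AUTH only after TLS"]:
        print(finding)
```

Run it against your own server (`python3 probe_smtp.py mail.example.org`); a self-signed certificate like the one from the recipe will make `starttls()` raise a verification error, which is itself the answer to "is a client protected from a forged server": only if the client trusts that certificate. Passing a context that skips verification would make the probe succeed but would hide that fact.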
Old 04-05-2011, 03:41 AM   #18
JimmyTheSaint
LQ Newbie
 
Registered: Mar 2007
Distribution: Fedora Core 13
Posts: 23

Original Poster
Rep: Reputation: 0
Yes, I think it's working. maillog is clear (I caught the permissions error on the cert file earlier). I had configured my firewall, but the instructions didn't specify to enable sendmail to listen on port 465, so I found that mistake when my iPhone timed out trying to configure its new SMTP server. As you suggested earlier, I now have
Code:
define(`confAUTH_OPTIONS', `A')dnl
and not the other web site's recipe's
Code:
define(`confAUTH_OPTIONS', `A p y')dnl
I used my iPhone to send mail using SSL, so it looks like everything works. Other than that, I use browsers to do email via my server's SquirrelMail.

Will try out Wireshark just for fun. Thanks again for the help.
 
Old 04-05-2011, 04:54 AM   #19
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 13.37, 14.0
Posts: 396

Rep: Reputation: 49
I am glad you worked this out.

Just to note:

1. For SMTP and SMTPS (sendmail) you use a client application like Thunderbird or KMail.
2. These applications (Thunderbird ...) have their part for incoming mail (IMAP2, POP3). This lets you read the emails that are already in your mailboxes. Securing sendmail doesn't deal with this part.
3. The outgoing mail (SMTP, sendmail) deals with your outgoing mail. The mail server sends mail to another mail server or puts it into a local user's mailbox.

4. If you use SquirrelMail then securing SMTP and IMAP2, POP3 won't do its part. SquirrelMail is an HTTP based mail client which is in most cases located on the local server. This means it connects to your mail server on localhost.

To be secured means that the client who connects to your server remotely secures the data sent to the server by encryption.
In your case the data are transferred by HTTP protocol (not SMTP, not IMAP2,POP3) and this is what can be secured (HTTPS).

Argh, wrong. I see now - you use your iPhone app to send mail and SquirrelMail to browse your mailboxes.

Last edited by hua; 04-05-2011 at 05:21 AM.
 
Old 04-05-2011, 08:21 AM   #20
JimmyTheSaint
LQ Newbie
 
Registered: Mar 2007
Distribution: Fedora Core 13
Posts: 23

Original Poster
Rep: Reputation: 0
Thanks for explaining. My problem is that I rarely have to remember how this stuff works, so after I learn how to set something up, I just follow my recipe and forget how it works exactly. In this case, I just started wanting to use my iPhone to read/send mail on a very limited basis. I've been using SquirrelMail's web interface for years, but now that I've made all these notes about what to do to make the iPhone work, I'm sure that will be very useful in future situations, especially when configuring other smartphones. Years ago, I did used to use Outlook and other email clients, so this is a return to a forgotten past for me.
 
Old 12-18-2012, 12:00 AM   #21
rururudy
LQ Newbie
 
Registered: Feb 2007
Posts: 5

Rep: Reputation: 0
Another reason for MAIL/EXPN/VRFY/ETRN errors

My iPhone wasn't able to send a large PDF, and I had the 'MAIL/EXPN/VRFY/ETRN' error in my maillog... turns out I had to bump up the max message size in my mc file, and that fixed it.

This set the limit to 30 million bytes.
Code:
define(`confMAX_MESSAGE_SIZE', `30000000')dnl
And here is the message successfully going through:
Code:
Dec 17 20:52:09 lavash sm-mta[75358]: qBI4owNY075358: from=<test@linuxquestions.org>, size=20797352, class=0, nrcpts=1, msgid=<5C6D2261-DD59-4094-824C-B151425301EF@linuxquestions.org>, proto=ESMTP, daemon=MTAmail-1000, relay=10-10-74-159.example.org [10.10.74.159]
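Two posts in this thread point at maillog as the place to verify the setup: hua's quote of a STARTTLS=server error, and rururudy's from= line that records the size sendmail accepted. The Python script below is an added example, not code from the thread; it pulls those security-relevant facts out of a maillog excerpt in one pass: STARTTLS=server error lines, the per-connection `STARTTLS=server, relay=..., version=..., cipher=...` lines that sendmail writes when a client actually negotiated TLS (the direct evidence that a session was encrypted), the "did not issue MAIL/EXPN/VRFY/ETRN" lines counted per client IP, and every accepted message's size compared against a candidate confMAX_MESSAGE_SIZE. The sample log is constructed: the STARTTLS error line and the first from= line are copied from the thread, the other lines are made up to match sendmail's log format, and the queue ids and second msgid are placeholders.

```python
"""Triage a sendmail maillog excerpt for TLS problems, aborted sessions and sizes.

Added example for this thread, not code from the posts. SAMPLE_MAILLOG is
constructed: two lines come from the thread, the rest are made up to match
sendmail's log format (queue ids and the second msgid are placeholders).
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_MAILLOG = """\
Apr  5 09:01:13 stardust sm-mta[26040]: starting daemon (8.14.4): SMTP+queueing@00:25:00
Apr  5 09:01:13 stardust sm-mta[26040]: STARTTLS=server: file /etc/mail/certs/smtp.cert.pem unsafe: No such file or directory
Apr  5 09:15:02 stardust sm-mta[26100]: STARTTLS=server, relay=client.example.org [192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Dec 17 20:40:02 lavash sm-mta[75301]: qBI4e2AA075301: 10-10-74-159.example.org [10.10.74.159] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTAmail-1000
Dec 17 20:41:10 lavash sm-mta[75303]: qBI4fABB075303: 10-10-74-159.example.org [10.10.74.159] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTAmail-1000
Dec 17 20:52:09 lavash sm-mta[75358]: qBI4owNY075358: from=<test@linuxquestions.org>, size=20797352, class=0, nrcpts=1, msgid=<5C6D2261-DD59-4094-824C-B151425301EF@linuxquestions.org>, proto=ESMTP, daemon=MTAmail-1000, relay=10-10-74-159.example.org [10.10.74.159]
Dec 17 21:03:44 lavash sm-mta[75402]: qBI53iCC075402: from=<test@linuxquestions.org>, size=31450112, class=0, nrcpts=1, msgid=<constructed-2@linuxquestions.org>, proto=ESMTP, daemon=MTAmail-1000, relay=10-10-74-159.example.org [10.10.74.159]
"""

# "STARTTLS=server: <problem>" is the failure form; the success form uses a comma.
TLS_ERROR_RE = re.compile(r"STARTTLS=(?:server|client): (?P<detail>.+)$")
TLS_OK_RE = re.compile(
    r"STARTTLS=server, relay=(?:\S+ )?\[(?P<ip>[^\]]+)\], version=(?P<version>[^,]+), "
    r"verify=(?P<verify>[^,]+), cipher=(?P<cipher>[^,]+), bits=(?P<bits>\S+)"
)
ABORT_RE = re.compile(
    r"\[(?P<ip>[^\]]+)\] did not issue MAIL/EXPN/VRFY/ETRN during connection to (?P<daemon>\S+)"
)
FROM_RE = re.compile(r"sm-mta\[\d+\]: (?P<qid>[A-Za-z0-9]+): from=<[^>]*>, size=(?P<size>\d+)")


@dataclass
class Triage:
    tls_errors: List[str] = field(default_factory=list)
    tls_sessions: List[Dict[str, str]] = field(default_factory=list)
    aborted_by_client: Counter = field(default_factory=Counter)
    accepted: List[Tuple[str, int]] = field(default_factory=list)  # (queue id, bytes)

    def largest_size(self) -> int:
        return max((size for _, size in self.accepted), default=0)

    def over_limit(self, max_message_size: int) -> List[Tuple[str, int]]:
        """Accepted messages that a confMAX_MESSAGE_SIZE of this value would reject."""
        return [(qid, size) for qid, size in self.accepted if size > max_message_size]


def triage(log_text: str) -> Triage:
    result = Triage()
    for line in log_text.splitlines():
        m = TLS_ERROR_RE.search(line)
        if m:
            result.tls_errors.append(m.group("detail"))
            continue
        m = TLS_OK_RE.search(line)
        if m:
            result.tls_sessions.append(m.groupdict())
            continue
        m = ABORT_RE.search(line)
        if m:
            result.aborted_by_client[m.group("ip")] += 1
            continue
        m = FROM_RE.search(line)
        if m:
            result.accepted.append((m.group("qid"), int(m.group("size"))))
    return result


def report(result: Triage, max_message_size: int) -> str:
    lines = ["STARTTLS errors: %d" % len(result.tls_errors)]
    lines += ["  " + detail for detail in result.tls_errors]
    lines.append("TLS sessions: %d" % len(result.tls_sessions))
    lines += ["  %(ip)s %(version)s %(cipher)s verify=%(verify)s" % s for s in result.tls_sessions]
    lines.append("connections that sent no MAIL/EXPN/VRFY/ETRN, per client:")
    lines += ["  %s: %d" % (ip, n) for ip, n in result.aborted_by_client.most_common()]
    lines.append("largest accepted message: %d bytes" % result.largest_size())
    lines += ["  %s (%d bytes) exceeds limit %d" % (qid, size, max_message_size)
              for qid, size in result.over_limit(max_message_size)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 maillog_triage.py [/var/log/maillog] [limit]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 30000000  # value from the thread
    print(report(triage(text), limit))
```

A repeated "did not issue MAIL/EXPN/VRFY/ETRN" from the same client IP next to no from= line for it is the pattern rururudy describes (a client giving up before its message was accepted); a steady trickle from many unrelated IPs is ordinary scanner noise. The `verify=` field in the TLS session lines tells you whether the peer presented a certificate sendmail could verify against confCACERT, which is the server-side counterpart of the client-side certificate question.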
 