LinuxQuestions.org


tedcox 08-03-2010 11:59 PM

Sendmail SMTP send doesn't work with OS X 10.6 mail.app clients
 
Hey there,

I've been having this problem since 10.6 was released, but have until now been successful with the "just use Thunderbird" response. My sendmail server hasn't been changed, but as clients upgrade from OS X 10.5 to 10.6, suddenly mail.app will no longer connect to send SMTP messages through the server. (IMAP connections to the same server using the same user/pass combinations work perfectly.) When I look at the logs, things basically stop right after the STARTTLS command.

Google indicates a lot of people are having similar problems, but I'm not seeing any solutions. Do any of you administrate sendmail servers where some of your clients are using Apple's Mail.app on Snow Leopard, and if so what settings are you using?

At this point, I'm happy to make changes to the server to accommodate Apple's issue; I have too many Mac users connecting to my server. I just can't figure out what to change. I've enabled virtually every possible login authentication combination, and none of them work.

Thanks,
Ted Cox

tedcox 09-23-2010 04:08 AM

I've just discovered that this problem also plagues iPhones and iPod touch devices. They can connect to dovecot IMAP just fine, but can't send via sendmail.

Here's my sendmail.mc:

Code:

divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
define(`confLOG_LEVEL', `9')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/heroesincCA.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/jeremiah-sendmail-07.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/private/jeremiah-sendmail-07.key')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
define(`confMAX_DAEMON_CHILDREN', `20')dnl
define(`confCONNECTION_RATE_THROTTLE', `3')dnl
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
LOCAL_DOMAIN(`XXXXX.XX')dnl
FEATURE(`delay_checks')dnl
define(`MILTER', 1)
INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavis-milter.sock, F=T, T=S:10m;R:10m;E:10m')

MAILER(smtp)dnl
MAILER(procmail)dnl

And here's the output log from the client (mail.app):

Code:

CONNECTED Sep 23 11:03:46.556 [kCFStreamSocketSecurityLevelNone]  -- host:xxx.xxx.xx -- port:25 -- socket:0x1174d3500 -- thread:0x1174b7de0

CONNECTED Sep 23 11:03:46.556 [kCFStreamSocketSecurityLevelNegotiatedSSL]  -- host:xxx.xxx.xx -- port:993 -- socket:0x11a64c200 -- thread:0x1156ed500

READ Sep 23 11:03:47.013 [kCFStreamSocketSecurityLevelNone]  -- host:xxx.xxx.xx -- port:25 -- socket:0x1174d3500 -- thread:0x1174b7de0
220 xxx.xxx.xx ESMTP Sendmail 8.13.8/8.13.8; Thu, 23 Sep 2010 03:01:39 -0600

WROTE Sep 23 11:03:47.018 [kCFStreamSocketSecurityLevelNone]  -- host:xxx.xxx.xx -- port:25 -- socket:0x1174d3500 -- thread:0x1174b7de0
EHLO [192.168.0.101]

READ Sep 23 11:03:47.216 [kCFStreamSocketSecurityLevelNone]  -- host:xxx.xxx.xx -- port:25 -- socket:0x1174d3500 -- thread:0x1174b7de0
250-xxx.xxx.xx Hello mrclient.dslprovider.net [12.345.67.89], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP

WROTE Sep 23 11:03:47.219 [kCFStreamSocketSecurityLevelNone]  -- host:xxx.xxx.xx -- port:25 -- socket:0x1174d3500 -- thread:0x1174b7de0
STARTTLS

READ Sep 23 11:03:47.430 [kCFStreamSocketSecurityLevelNone]  -- host:xxx.xxx.xx -- port:25 -- socket:0x1174d3500 -- thread:0x1174b7de0
220 2.0.0 Ready to start TLS

READ Sep 23 11:03:47.648 [kCFStreamSocketSecurityLevelNegotiatedSSL]  -- host:xxx.xxx.xx -- port:993 -- socket:0x11a64c200 -- thread:0x1156ed500
* OK Dovecot ready.

WROTE Sep 23 11:03:47.652 [kCFStreamSocketSecurityLevelNegotiatedSSL]  -- host:xxx.xxx.xx -- port:993 -- socket:0x11a64c200 -- thread:0x1156f1710
1.12 CAPABILITY

READ Sep 23 11:03:47.853 [kCFStreamSocketSecurityLevelNegotiatedSSL]  -- host:xxx.xxx.xx -- port:993 -- socket:0x11a64c200 -- thread:0x1156f1710
* CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS AUTH=PLAIN
1.12 OK Capability completed.

WROTE Sep 23 11:03:47.857 [kCFStreamSocketSecurityLevelNegotiatedSSL]  -- host:xxx.xxx.xx -- port:993 -- socket:0x11a64c200 -- thread:0x1156f1710
2.12 LOGIN ted ******

READ Sep 23 11:03:48.060 [kCFStreamSocketSecurityLevelNegotiatedSSL]  -- host:xxx.xxx.xx -- port:993 -- socket:0x11a64c200 -- thread:0x1156f1710
2.12 OK Logged in.

WROTE Sep 23 11:03:48.065 [kCFStreamSocketSecurityLevelNegotiatedSSL]  -- host:xxx.xxx.xx -- port:993 -- socket:0x11a64c200 -- thread:0x11cc02b80
3.12 CAPABILITY

READ Sep 23 11:03:48.265 [kCFStreamSocketSecurityLevelNegotiatedSSL]  -- host:xxx.xxx.xx -- port:993 -- socket:0x11a64c200 -- thread:0x11cc02b80
* CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS
3.12 OK Capability completed.

WROTE Sep 23 11:03:48.270 [kCFStreamSocketSecurityLevelNegotiatedSSL]  -- host:xxx.xxx.xx -- port:993 -- socket:0x11a64c200 -- thread:0x101c64980
4.12 LIST "" ""

READ Sep 23 11:03:48.535 [kCFStreamSocketSecurityLevelNegotiatedSSL]  -- host:xxx.xxx.xx -- port:993 -- socket:0x11a64c200 -- thread:0x101c64980
* LIST (\Noselect) "." ""
4.12 OK List completed.

WROTE Sep 23 11:03:48.540 [kCFStreamSocketSecurityLevelNegotiatedSSL]  -- host:xxx.xxx.xx -- port:993 -- socket:0x11a64c200 -- thread:0x101c64980
5.12 LOGOUT

If anyone has any thoughts, I'd really appreciate a push in the right direction. Thanks!

VaughanR 09-18-2011 08:09 PM

I ran into the same problem the other day and still could not find any authoritative answer to this question, so I thought I would post my findings.

The issue seems to be the response that Mac Mail has when it looks at the certificate provided by sendmail. By looking at the log window in the Mac's Connection Doctor, I noticed that the Linux sendmail server was waiting for the Mac to respond to its "Ready to start TLS" handshake.

You can test whether TLS is working between the sendmail server and the Mac by using openssl on the Mac. In a terminal on the Mac I did:
# openssl s_client -connect your_sendmail_server_ip:your_smtp_port -starttls smtp

This told me that my certificate was expired. I updated the sendmail certificate on the server by running:
% /etc/pki/tls/certs/make sendmail

After running the same openssl command again, it confirmed I had a self-signed certificate as expected.
Using the ehlo ... command and then the AUTH PLAIN ... command in openssl, I confirmed that I could log in using credentials from the Mac. To do this, you have to get the "user password" key to pass to the AUTH PLAIN command; I did this by (substitute username and password for your mail user and its password):
# echo -ne '\000username\000password' | openssl base64
and copying the output at the end of the AUTH PLAIN line.
The response I got was "OK Authenticated", so now I knew that I could log in using TLS from the Mac. So why wasn't mail logging in?

Well, my guess was that Mac mail checks the certificate and if it is not current or if it is self-signed it refuses to use it, hence not responding to the server's "Ready to start TLS" response.

The fix was to set up the Mac mail account again. I followed the steps outlined in https://www2.suresupport.com/faq.php/80/483. This time, when it came to answering the question about using the certificate (Step 4), I clicked 'View Certificate' and checked the box which said 'Always trust certificates from ...'. That was all it took and Mac mail was happy to send again.:D

tedcox 09-19-2011 01:58 AM

VaughanR,

Thanks. I bet that was exactly my problem. I switched to Zimbra a year ago, since I couldn't solve this. But I've been thinking about coming back to sendmail/dovecot as the maintenance is substantially easier.

Thanks for posting your solution.

hua 09-19-2011 02:13 AM

Maybe your authentication mechanism does not work. STARTTLS is successful but after this it is not able to authenticate.
Dovecot uses its own authentication mechanism, so if it works with Dovecot it doesn't mean it should work with sendmail too.

To test it try to configure the sendmail temporarily to accept plain or login authentication without encryption. This should do it:
Quote:

define(`confAUTH_OPTIONS', `A')dnl
After you find out that it's OK, you can return to encrypted communication. You should see the plain and login in the SMTP response like this:
Quote:

READ Sep 23 11:03:47.216 [kCFStreamSocketSecurityLevelNone] -- host:xxx.xxx.xx -- port:25 -- socket:0x1174d3500 -- thread:0x1174b7de0
250-xxx.xxx.xx Hello mrclient.dslprovider.net [12.345.67.89], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
What about the maillog of the sendmail? Does it contain some information about the error?
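
An added example, not part of any post in this thread: the two EHLO replies quoted above differ only in their AUTH line, because the `p` flag in `confAUTH_OPTIONS` withholds PLAIN and LOGIN until a security layer is active. The sketch below parses such a reply, reports which offered mechanisms would put the password on the wire before STARTTLS, and shows that the AUTH PLAIN token built earlier with `openssl base64` decodes straight back to the credentials. Function names and the sample hostnames are assumptions made for this illustration.

```python
import base64

# Mechanisms that put the password on the wire with only base64 encoding.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed samples modelled on the two EHLO replies quoted in the thread
# (hostnames are placeholders): pre-TLS reply with `A p`, then with `A` only.
EHLO_A_P = """250-mail.example.test Hello client.example.test, pleased to meet you
250-PIPELINING
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP"""
EHLO_A = EHLO_A_P.replace("AUTH DIGEST-MD5", "AUTH PLAIN LOGIN DIGEST-MD5")

def parse_ehlo(reply):
    """Return {KEYWORD: [PARAMS]} from a multi-line 250 EHLO reply."""
    caps = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        last = i == len(lines) - 1
        # Continuation lines are "250-", the final line is "250 ".
        if not line.startswith("250 " if last else "250-"):
            raise ValueError("malformed EHLO reply line: %r" % line)
        words = line[4:].split()
        if i > 0 and words:  # line 0 is the greeting, not a capability
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps

def exposed_mechs(caps, tls_active):
    """Offered mechanisms that would reveal the password to a passive listener."""
    if tls_active:
        return []
    return sorted(PLAINTEXT_MECHS.intersection(caps.get("AUTH", [])))

def auth_plain_token(user, password, authzid=""):
    """AUTH PLAIN initial response (RFC 4616): authzid NUL user NUL password."""
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_auth_plain(token):
    """Recover (authzid, user, password); base64 is encoding, not encryption."""
    return tuple(base64.b64decode(token).decode("utf-8").split("\0"))

if __name__ == "__main__":
    for name, reply in (("A p", EHLO_A_P), ("A", EHLO_A)):
        caps = parse_ehlo(reply)
        print(name, "-> AUTH", caps["AUTH"], "exposed before TLS:",
              exposed_mechs(caps, tls_active=False))
    token = auth_plain_token("username", "password")
    print(token, "->", decode_auth_plain(token))
```

Run against a reply captured before STARTTLS, an empty result from `exposed_mechs` is what the `A p` setting should produce; a non-empty one means the temporary test setting is still in place.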


All times are GMT -5.