LinuxQuestions.org


SteveT 03-28-2013 08:09 AM

Sendmail - SSL/TLS - smtp.hosts.co.uk
 
I managed a while back to get sendmail working with my mail provider using authenticated access (from my laptop). That all worked fine, and I set up the system to send cron logs etc via EMail to my external mail address. Fine.

Over the past few days, the provider has moved to SSL/TLS and I am no longer getting the alerts sent from my laptop. The mail queue shows the messages as failing on auth.

As an aside, I also use Evolution to send/receive mail from the same laptop - and I have changed that config to use SSL for the smtp side ok - and mail is working fine through that client.

Now looking at sendmail config, it looks like I can build SSL into the product by either creating openssl certificates and then altering the sendmail.mc, rebuilding the .cf and restarting - or another solution seemed to be setting up an 'stunnel' connection.

Has anyone had a similar issue - and which option was 'simplest' (I'm just a dabbler rather than an expert!)?


PS the reason for mentioning Evo, was if Evo connects and sends ok, what certs does it use then to make the connection - and can I piggyback on one set of certs from sendmail?

TB0ne 03-29-2013 08:53 AM

Quote:

Originally Posted by SteveT (Post 4920499)
I managed a while back to get sendmail working with my mail provider using authenticated access (from my laptop). That all worked fine, and I set up the system to send cron logs etc via EMail to my external mail address. Fine.

Over the past few days, the provider has moved to SSL/TLS and I am no longer getting the alerts sent from my laptop. The mail queue shows the messages as failing on auth.

As an aside, I also use Evolution to send/receive mail from the same laptop - and I have changed that config to use SSL for the smtp side ok - and mail is working fine through that client. Now looking at sendmail config, it looks like I can build SSL into the product by either creating openssl certificates and then altering the sendmail.mc, rebuilding the .cf and restarting - or another solution seemed to be setting up an 'stunnel' connection.

Has anyone had a similar issue - and which option was 'simplest' (I'm just a dabbler rather than an expert!)?

Well, 'simplest' with SSL is a broad term. :) However, this document isn't too hard to follow, and should at least get you going:
http://aput.net/~jheiss/sendmail/tlsandrelay.shtml

Quote:

PS the reason for mentioning Evo, was if Evo connects and sends ok, what certs does it use then to make the connection - and can I piggyback on one set of certs from sendmail?
I don't think so, since (I believe) Evolution keeps certificates in one of its own .db files. You may want to contact your upstream relay provider, and just ask them for the certificate. Since you're authorized to have access, it shouldn't be an issue.

SteveT 03-29-2013 10:21 AM

TBOne,
I have been trying various things in the sendmail.mc based on a variety of suggestions from the web, but so far I have either failed to connect to the relay or got a 5.1.1 DSN (User Unknown). The authinfo file I have is basically the same - so I know that the user and password were fine, so the User Unknown appears to be related to the SSL settings.

I now have in the .mc:
.....
define(`SMART_HOST', `smtp.hosts.co.uk')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
FEATURE(`genericstable')dnl
GENERICS_DOMAIN_FILE(`/etc/mail/generics-domains')dnl

....
define(`confAUTH_OPTIONS', `A p')dnl
.....
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
....
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confCRL', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl


I have created a sendmail.pem in the /etc/pki/tls/certs directory as another site said to create it by issuing a 'make sendmail.pem' in that directory - that seemed to work fine. I am not after using my laptop to relay 'other' users' messages - just to send the CRON entries etc to my external EMail address.

So I seem to have the certs, the Auth'd login was already working - but still no joy - the latest changes - using the above settings and an 'AuthInfo' file of:
AuthInfo:smtp.hosts.co.uk "U:mail-user" "P:password" "M:LOGIN"

give me log entries of:
Mar 29 14:38:44 retsol610 sendmail[10672]: r2TEci4E010672: from=username, size=246, class=0, nrcpts=1, msgid=<201303291438.r2TEci4E010672@localhost.localdomain>, relay=username@localhost
Mar 29 14:38:44 retsol610 sendmail[10673]: STARTTLS=server, relay=retsol610 [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Mar 29 14:38:44 retsol610 sendmail[10672]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Mar 29 14:38:44 retsol610 sendmail[10673]: r2TEciMv010673: from=<username@localhost.localdomain>, size=521, class=0, nrcpts=1, msgid=<201303291438.r2TEci4E010672@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=retsol610 [127.0.0.1]
Mar 29 14:38:45 retsol610 sendmail[10672]: r2TEci4E010672: to=username@aaa.bbb.ccc, ctladdr=username (500/500), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30246, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r2TEciMv010673 Message accepted for delivery)
Mar 29 14:38:45 retsol610 sendmail[10675]: STARTTLS=client, relay=smtp.hosts.co.uk., version=TLSv1/SSLv3, verify=OK, cipher=AES256-SHA, bits=256/256
Mar 29 14:38:45 retsol610 sendmail[10675]: r2TEciMv010673: to=<username@aaa.bbb.ccc>, ctladdr=<username@localhost.localdomain> (500/500), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=120521, relay=smtp.hosts.co.uk. [85.233.160.19], dsn=5.1.1, stat=User unknown
Mar 29 14:38:45 retsol610 sendmail[10675]: r2TEciMv010673: r2TEcjMu010675: DSN: User unknown
Mar 29 14:38:45 retsol610 sendmail[10675]: r2TEcjMu010675: to=username@xxx.yyy.zzz, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31837, relay=smtp.hosts.co.uk., dsn=4.0.0, stat=Deferred: Connection reset by smtp.hosts.co.uk.



I think I may need to start again, and reset the mc file. The problem is that I'm not sure what part each piece plays (i.e. whether I need to create my own certs via openssl - or whether the 'make sendmail.pem' was ok; whether I need to point the relay to port 465 (and also then modify the authinfo accordingly); whether I need saslauthd running). I'm not sure either which of the settings in the mc file are to cater for sendmail being an SSL server rather than what I'm trying to achieve, i.e. connect as an SSL client.

From what I've found, a few other people have had similar issues - but I haven't found one set of settings that agree with each other, and none so far have worked for me.


I'll try from the start again tomorrow.
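An added helper, not from the thread, that reads the sendmail log lines quoted above and separates the TLS question (did verify= succeed for each relay?) from the SMTP question (what dsn= came back), so the two are not confused: the hostnames, IPs and masked addresses are copied from the post as sample input, and the finding labels are my own.

```python
import re

# Sample input: log lines copied from the post above (poster's masked names kept as-is).
SAMPLE_LOG = """\
Mar 29 14:38:44 retsol610 sendmail[10673]: STARTTLS=server, relay=retsol610 [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Mar 29 14:38:44 retsol610 sendmail[10672]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Mar 29 14:38:45 retsol610 sendmail[10672]: r2TEci4E010672: to=username@aaa.bbb.ccc, ctladdr=username (500/500), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30246, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r2TEciMv010673 Message accepted for delivery)
Mar 29 14:38:45 retsol610 sendmail[10675]: STARTTLS=client, relay=smtp.hosts.co.uk., version=TLSv1/SSLv3, verify=OK, cipher=AES256-SHA, bits=256/256
Mar 29 14:38:45 retsol610 sendmail[10675]: r2TEciMv010673: to=<username@aaa.bbb.ccc>, ctladdr=<username@localhost.localdomain> (500/500), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=120521, relay=smtp.hosts.co.uk. [85.233.160.19], dsn=5.1.1, stat=User unknown
Mar 29 14:38:45 retsol610 sendmail[10675]: r2TEcjMu010675: to=username@xxx.yyy.zzz, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31837, relay=smtp.hosts.co.uk., dsn=4.0.0, stat=Deferred: Connection reset by smtp.hosts.co.uk.
"""

# STARTTLS=client/server records carry the peer, the verify= result and the cipher.
TLS_RE = re.compile(r"STARTTLS=(?P<role>client|server), relay=(?P<relay>[^,]+),"
                    r".*?verify=(?P<verify>\w+), cipher=(?P<cipher>[^,]+)")
# Delivery records carry the relay actually used and the DSN status code.
DSN_RE = re.compile(r"relay=(?P<relay>[^,]+), dsn=(?P<dsn>[\d.]+), stat=(?P<stat>.*)$")


def host_of(relay):
    """'smtp.hosts.co.uk. [85.233.160.19]' or '[127.0.0.1] [127.0.0.1]' -> bare host."""
    return relay.split()[0].rstrip(".").strip("[]")


def summarize(log):
    """Group STARTTLS outcomes and DSN codes by relay host."""
    hosts = {}
    for line in log.splitlines():
        m = TLS_RE.search(line)
        if m:
            h = hosts.setdefault(host_of(m["relay"]), {"tls": [], "dsn": []})
            h["tls"].append((m["role"], m["verify"], m["cipher"]))
            continue
        m = DSN_RE.search(line)
        if m:
            h = hosts.setdefault(host_of(m["relay"]), {"tls": [], "dsn": []})
            h["dsn"].append((m["dsn"], m["stat"]))
    return hosts


def diagnose(hosts):
    """Per relay we connected to as a client: is the problem the cert chain or the SMTP dialogue?"""
    findings = {}
    for host, info in hosts.items():
        client = [v for role, v, _ in info["tls"] if role == "client"]
        if not client:
            continue  # only our outbound (client) hops are judged
        permanent = [d for d, _ in info["dsn"] if d.startswith("5.")]
        if any(v != "OK" for v in client):
            findings[host] = "tls-unverified"        # peer cert not trusted via confCACERT
        elif permanent:
            findings[host] = "tls-ok-smtp-rejected"  # chain verified; look at auth/envelope instead
        else:
            findings[host] = "ok"
    return findings
```

On the quoted lines this flags the loopback hop as unverified (the local sendmail.pem is not in the CA bundle, which only affects that hop) and smtp.hosts.co.uk as verified at the TLS layer with the 5.1.1 arriving afterwards in the SMTP dialogue.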

