Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Everything is looking fine, but when I try to access and send a mail
only "Relaying denied" error return. I never work with TLS-Relay before
and maybe I made any stupid mistake...
Could somebody help me?
Thanks and wishes,
Alex
PS:
There are several quotation from:
1. Script for certificates generation;
Code:
#!/bin/sh
#
# Sendmail STARTTLS certificates (must be started by root)
#
CAPATH="/usr/local/ssl/dmtCA"
OSSL="/usr/local/ssl/bin/openssl"
CDIR="/etc/mail"
# Set up the relevant directories
cd ${CDIR}
mkdir -p certs
chgrp smmsp certs
chmod o-rwx certs
cp ${CAPATH}/certs/cacert.pem certs/cacert.pem
# Create a hashed symbolic link to the CA certificate. During an SSL handshake's certificate exchange,
# sendmail will compute the the hash of the received CA cert's public key, append '.0' to it, then
# compare it to its own copy of the CA cert's public key. (This is probably an over simplification,
# but you get the idea.)
cd certs
ln -s cacert.pem `${OSSL} x509 -noout -hash < cacert.pem`.0
cd ${CAPATH}
# Mail-Server Certificate Generation (CN=FQDN)
echo WARNING: For CN must input a FQDN of the mail server !!!
echo --------------------------------------------------------
${OSSL} req -nodes -new -x509 -keyout ${CDIR}/certs/key.pem -out req.pem -days 365 -config openssl.cnf
chgrp smmsp ${CDIR}/certs/key.pem
chmod o-rwx ${CDIR}/certs/key.pem
# Sign with DMT Certificate Authority
cat ${CDIR}/certs/key.pem req.pem > ${CDIR}/certs/servreq.pem
${OSSL} x509 -x509toreq -in ${CDIR}/certs/servreq.pem -signkey ${CDIR}/certs/servreq.pem -out tmp.pem
${OSSL} ca -config openssl.cnf -policy policy_anything -out ${CDIR}/certs/cert.pem -infiles tmp.pem
rm -f tmp.pem req.pem
#
# cacert.pem - your certificate authority's certificate
#
# cert.pem - your sendmail server's certificate (including its public key)
# key.pem - the sendmail server's private key
#
# servreq.pem - includes two parts: the sendmail server's private key and the original (unsigned) certificate request
# export in PKCS#12 for Windows users
#
# 1-st way
#cd ${CDIR}
#${OSSL} pkcs12 -export -in ./certs/cert.pem -inkey ./certs/servreq.pem \
#-certfile ./certs/cacert.pem -name "DMT's SMTP/TLS CERTIFICATE" -out ./certs/dmt1smtp_tls.p12
# 2-nd way
cd ${CDIR}/certs
cat cacert.pem cert.pem key.pem > p12input.pem
${OSSL} pkcs12 -export -in p12input.pem -name "DMT's SMTP/TLS CERTIFICATE" -out dmt2smtp_tls.p12
4. Exemplary MS Mail Client setting [Mozilla Thunderburd 1.0];
Code:
dmt2smtp_tls.p12 - applied to Windows 2K for any M$ Client - Mozilla Thunderburd 1.0 (MT1.0)
MT1.0 with settings in Tools->Account Settings->Outgoing Server (SMTP):
-------------------------------------------------
Server Name: mail.mydomain.org
Port: 25
[ ] No [ ] TLS, if available [x] TLS [ ] SSL
-------------------------------------------------
5. Sendmail tunning for TLS-Relay in /etc/mail/access;
Code:
...
# Relay certified sender - TLS option
#
# openssl x509 -in cacert.pem -noout -text | grep Issuer
# Issuer: C=BG, ST=capital, L=Sofia, O=Digital Media Technologies Ltd,
# OU=Technical Department, CN=DMT's Certificate Authority/emailAddress=alex@mydomain.org
# Each non-printable character and the characters '<', '>', '(', ')', '"', '+' are replaced by
# their HEX value with a leading '+'.
CERTIssuer:/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=Technical+20Department/CN=DMT's+20Certificate+20Authority/Email=alex@mydomain.org RELAY
I.e. they don't match (CN is different, and 'emailAddress' vs 'Email').
--Per Hedeland
per@hedeland.org
TNX to Per Hedeland,
I changed [DMT's+20Certificate+20Authority] with [DMT] in both
(access/certificate) places, but until now I didn't realize that
[/emailAddress] from the certificate and [/Email] from the access file are
different. This is the problem
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
TLS Relay denied
Resolved
