need help in getting sendmail to relay using smtp-auth

coolamit78 · 04-06-2006, 01:03 PM

Hi,

I have a web server and am trying to relay a mail from my web server www.example.com running sendmail through my mail server mail.example.com running qmail-ldap.

I have enabled the SMART_HOST option, but i dont know, due to some misconfiguration in sendmail.mc or the sendmail auth file (/etc/mail/authinfo), I am unable to relay mails through my mail server to domains other than example.com.

Can anyone guide me in how I can send mails to the domain example.com as well as outside domains through qmail using sendmail. any help will be appreciated.

My Sendmail.mc is as follows:

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
define(`SMART_HOST',`mail.example.com')
dnl define(`SMART_HOST',`smtp.your.provider')
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/etc/pki/tls/certs')
dnl define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 12.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl # FEATURE(masquerade_entire_domain)dnl
dnl #
dnl # FEATURE(always_add_domain)dnl
dnl # FEATURE(masquerade_entire_domain)dnl
dnl # FEATURE(masquerade_envelope)dnl
dnl # FEATURE(`allmasquerade')dnl
dnl # MASQUERADE_AS(`example.com')dnl
dnl #
dnl # MASQUERADE_DOMAIN(`example.com')dnl
dnl # MASQUERADE_DOMAIN(localhost)dnl
dnl # MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl # MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl

My /etc/mail/authinfo is as follows:

AuthInfo:mail.example.com "U:userid@example.com" "I:userid@example.com" "R:example.com" "P

assword" "M:LOGIN PLAIN"

Regards,

Amit

mackdav · 04-19-2006, 12:59 PM

Your setup looks to be that of www.example.com, and usually the problem you describe indicates that there is a configuration issue on the server (mail.example.com). What I have found happening is that (in your case) mail.example.com accepts the mail to example.com because that is it's local domain; ie the mail is being accepted because of the recipient, not the sender.

Check the logs on both sides; the logs on www.example.com should indicate why the relay attempt is failing.

I would confirm that you can send email to a third domain through mail.example.com using a user mail client that is configured to use these credentials; once that works, try the sendmail on www.example.com again.

The only two differences I have with your configuration for www.example.com are:

- I would declare the authinfo as
FEATURE(authinfo)dnl;

- sometimes you have to put the IP address in your authinfo file in order for sendmail to find it ie

AuthInfo:[99.99.99.1] "U:userid@example.com" "I:userid@example.com" "R:example.com" "Password" "M:LOGIN PLAIN"

Of course I need not say things like "restart sendmail after regenerating the .cf file" and such.

coolamit78 · 04-20-2006, 12:24 PM

Thanx mackdav for those suggestions. I tried them out, but still no success. It seems smtp-authentication is not working when sendmail tries to connect to the qmail-ldap running on the mail server. I have the correct user ID and password combination in the authinfo file. I tried both the default way and also ur way, but its not working.

Unless smtp-authentication succeeds, my mail server will not allow anyone to relay mails through it. So, i think the only thing that we can try is to make smtp-auth work. Any ideas on how to resolve this ?

Amit

mackdav · 04-24-2006, 08:25 AM

So the relay attempt worked from a user mail client?

Do you have control over mail.example.com? What appears in the logs on mail.example.com when an attempt fails?

What bounce message do you get when you try to relay messages out? What appears in the logs on www.example.com?

Of course it still might not be that simple -- I have seen situations where smtp-auth sessions are still not permitted to relay from arbitrary domains (ie my ISP requires smpt-auth, but I cannot relay messages to the internet from my private domain through them).

mackdav · 01-17-2007, 11:20 AM

Another thing you might check is to see if www.example.com is expecting you to connect on port 587 instead of port 25. Our mail servers require relaying-out users to use port 587 and inbound mail for "example.com" comes in on port 25. This would be consistent with the errors you are describing.

In your sendmail.mc file, add the following:

define(`SMART_HOST',`relay:www.example.com')dnl
define(`RELAY_MAILER',`esmtp')dnl
define(`RELAY_MAILER_ARGS',`TPC $h 587')dnl

...plus the authinfo stuff we talked about above.

This will force the outbound mail to get relayed via port 587 on www.example.com.