Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


Closed Thread
  Search this Thread
Old 03-12-2005, 04:52 PM   #1
LQ Newbie
Registered: Mar 2005
Location: Montreal
Distribution: Slackware 11
Posts: 10

Rep: Reputation: 0
Unhappy Sendmail TLS relay

Hi friends,

I recently configured my sendmail 8.13.1 to include STARTTLS option.
# sendmail -bt -d0.8 < /dev/null
Version 8.13.1
                USERDB XDEBUG
Everything is looking fine, but when I try to access and send a mail
only "Relaying denied" error return. I never work with TLS-Relay before
and maybe I made any stupid mistake...
Could somebody help me?

Thanks and wishes,


There are several quotation from:
1. Script for certificates generation;
# Sendmail STARTTLS certificates (must be started by root)

# Set up the relevant directories
cd ${CDIR}
mkdir -p certs
chgrp smmsp certs
chmod o-rwx certs
cp ${CAPATH}/certs/cacert.pem certs/cacert.pem
# Create a hashed symbolic link to the CA certificate. During an SSL handshake's certificate exchange,
# sendmail will compute the the hash of the received CA cert's public key, append '.0' to it, then
# compare it to its own copy of the CA cert's public key. (This is probably an over simplification,
# but you get the idea.)
cd certs
ln -s cacert.pem `${OSSL} x509 -noout -hash < cacert.pem`.0

cd ${CAPATH}
# Mail-Server Certificate Generation (CN=FQDN)
echo WARNING: For CN must input a FQDN of the mail server !!!
echo --------------------------------------------------------
${OSSL} req -nodes -new -x509 -keyout ${CDIR}/certs/key.pem -out req.pem -days 365 -config openssl.cnf
chgrp smmsp ${CDIR}/certs/key.pem
chmod o-rwx ${CDIR}/certs/key.pem
# Sign with DMT Certificate Authority
cat ${CDIR}/certs/key.pem req.pem > ${CDIR}/certs/servreq.pem
${OSSL} x509 -x509toreq -in ${CDIR}/certs/servreq.pem -signkey ${CDIR}/certs/servreq.pem -out tmp.pem
${OSSL} ca -config openssl.cnf -policy policy_anything -out ${CDIR}/certs/cert.pem -infiles tmp.pem
rm -f tmp.pem req.pem
# cacert.pem    - your certificate authority's certificate
# cert.pem      - your sendmail server's certificate (including its public key)
# key.pem       - the sendmail server's private key
# servreq.pem   - includes two parts: the sendmail server's private key and the original (unsigned) certificate request

# export in PKCS#12 for Windows users
# 1-st way
#cd ${CDIR}
#${OSSL} pkcs12 -export -in ./certs/cert.pem -inkey ./certs/servreq.pem \
#-certfile ./certs/cacert.pem -name "DMT's SMTP/TLS CERTIFICATE" -out ./certs/dmt1smtp_tls.p12
# 2-nd way
cd ${CDIR}/certs
cat cacert.pem cert.pem key.pem > p12input.pem
${OSSL} pkcs12 -export -in p12input.pem -name "DMT's SMTP/TLS CERTIFICATE" -out dmt2smtp_tls.p12
2. Sendmail configuration [];
VERSIONID(`$Id:,v 8.13.1 Sun Dec 2 16:10:30 EET 2004 Exp $')dnl
dnl start STARTTLS options
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')dnl
dnl end STARTTLS options
3. Contents of /etc/mail/certs;
/etc/mail/certs# ls -Al
total 48
-rw-r--r--  1 root root  1846 2005-03-12 01:31 cacert.pem
-rw-r--r--  1 root root  5360 2005-03-12 01:31 cert.pem
-rw-r--r--  1 root root  4450 2005-03-12 02:55 dmt2smtp_tls.p12
lrwxrwxrwx  1 root root    10 2005-03-12 01:31 faeeb9ec.0 -> cacert.pem
-rw-r-----  1 root smmsp 1679 2005-03-12 01:31 key.pem
-rw-r--r--  1 root root  8885 2005-03-12 02:55 p12input.pem
-rw-r--r--  1 root root  3476 2005-03-12 01:31 servreq.pem
4. Exemplary MS Mail Client setting [Mozilla Thunderburd 1.0];
dmt2smtp_tls.p12 - applied to Windows 2K for any M$ Client - Mozilla Thunderburd 1.0 (MT1.0)
MT1.0 with settings in Tools->Account Settings->Outgoing Server (SMTP):
Server Name:
Port: 25
[ ] No  [ ] TLS, if available  [x] TLS  [ ] SSL
5. Sendmail tunning for TLS-Relay in /etc/mail/access;
# Relay certified sender - TLS option
# openssl x509 -in cacert.pem -noout -text | grep Issuer
# Issuer: C=BG, ST=capital, L=Sofia, O=Digital Media Technologies Ltd,
#         OU=Technical Department, CN=DMT's Certificate Authority/
# Each non-printable character and the characters '<', '>', '(', ')', '"', '+' are replaced by
# their HEX value with a leading '+'.
CERTIssuer:/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=Technical+20Department/CN=DMT's+20Certificate+20Authority/     RELAY
6. Initiation log for sm-mta daemon;
sm-mta[6208]: gethostbyaddr( failed: 1
sm-mta[6209]: starting daemon (8.13.1): SMTP+queueing@00:25:00
sm-mta[6209]: STARTTLS: CRLFile missing
sm-mta[6209]: STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
sm-mta[6209]: STARTTLS=server, init=1
sm-mta[6209]: started as: /usr/sbin/sendmail -L sm-mta -bd -q25m
sm-mta[6210]: j2AH0V5f030999: SMTP outgoing connect on
sm-msp-queue[6212]: starting daemon (8.13.1): queueing@00:25:00
7. Part from /var/log/maillog for "Relaying denied" problem presentation.
sm-mta[6578]: NOQUEUE: connect from []
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): init success to negotiate
sm-mta[6578]: j2CIP82O006578: Milter: connect to filters
sm-mta[6578]: j2CIP82O006578: milter=milter-amavis, action=connect, continue
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): time command (C), 0
sm-mta[6578]: j2CIP82O006578: --- 220 DMT ESMTP Mailserver; Sat, 12 Mar 2005 20:25:08 +0200
sm-mta[6578]: j2CIP82O006578: <-- EHLO []
sm-mta[6578]: j2CIP82O006578: milter=milter-amavis, action=helo, continue
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): time command (H), 0
sm-mta[6578]: j2CIP82O006578: --- Hello [], pleased to meet you
sm-mta[6578]: j2CIP82O006578: --- 250-ENHANCEDSTATUSCODES
sm-mta[6578]: j2CIP82O006578: --- 250-PIPELINING
sm-mta[6578]: j2CIP82O006578: --- 250-8BITMIME
sm-mta[6578]: j2CIP82O006578: --- 250-SIZE 10000000
sm-mta[6578]: j2CIP82O006578: --- 250-DSN
sm-mta[6578]: j2CIP82O006578: --- 250-ETRN
sm-mta[6578]: j2CIP82O006578: --- 250-STARTTLS
sm-mta[6578]: j2CIP82O006578: --- 250-DELIVERBY
sm-mta[6578]: j2CIP82O006578: --- 250 HELP
sm-mta[6578]: j2CIP82O006578: <-- STARTTLS
sm-mta[6578]: j2CIP82O006578: --- 220 2.0.0 Ready to start TLS
sm-mta[6578]: STARTTLS=server, get_verify: 0 get_peer: 0x0
sm-mta[6578]: STARTTLS=server, [], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
sm-mta[6578]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
sm-mta[6578]: j2CIP82O006578: <-- EHLO []
sm-mta[6578]: j2CIP82P006578: milter=milter-amavis, action=helo, continue
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): time command (H), 0
sm-mta[6578]: j2CIP82P006578: --- Hello [], pleased to meet you
sm-mta[6578]: j2CIP82P006578: --- 250-ENHANCEDSTATUSCODES
sm-mta[6578]: j2CIP82P006578: --- 250-PIPELINING
sm-mta[6578]: j2CIP82P006578: --- 250-8BITMIME
sm-mta[6578]: j2CIP82P006578: --- 250-SIZE 10000000
sm-mta[6578]: j2CIP82P006578: --- 250-DSN
sm-mta[6578]: j2CIP82P006578: --- 250-ETRN
sm-mta[6578]: j2CIP82P006578: --- 250-DELIVERBY
sm-mta[6578]: j2CIP82P006578: --- 250 HELP
sm-mta[6578]: j2CIP82P006578: <-- MAIL FROM:<> SIZE=448
sm-mta[6578]: j2CIP82P006578: Milter: senders: <>
sm-mta[6578]: j2CIP82P006578: milter=milter-amavis, action=mail, continue
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): time command (M), 0
sm-mta[6578]: j2CIP82P006578: --- 250 2.1.0 <>... Sender ok
sm-mta[6578]: j2CIP82P006578: <-- RCPT TO:<al_al_alexiev<at>>
sm-mta[6578]: j2CIP82P006578: --- 550 5.7.1 <al_al_alexiev<at>>... Relaying denied 
sm-mta[6578]: j2CIP82P006578: ruleset=check_rcpt, arg1=<al_al_alexiev<at>>, [], reject=550 5.7.1 <al_al_alexiev<at>>... Relaying denied
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): quit filter
sm-mta[6578]: j2CIP82P006578: --- 421 4.4.1 Lost input channel from []
sm-mta[6578]: j2CIP82P006578: lost input channel from [] to MTA after rcpt
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): quit filter
sm-mta[6578]: j2CIP82P006578: from=<>, size=448, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, []
amavis-milter[6588]: j2CIP82P006578: (mlfi_abort)
Old 03-12-2005, 05:09 PM   #2
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1982Reputation: 1982Reputation: 1982Reputation: 1982Reputation: 1982Reputation: 1982Reputation: 1982Reputation: 1982Reputation: 1982Reputation: 1982Reputation: 1982
Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.

Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
TLS Relay denied freealx Linux - Software 2 03-15-2005 11:41 AM
Sendmail (with TLS) relay denied freealx Linux - General 1 03-12-2005 05:10 PM
Sendmail Relay Help midmichmark Linux - Networking 1 12-29-2004 07:20 AM
relay mail to sendmail relay server??? lemay_jeff Linux - Newbie 0 07-06-2004 05:54 PM
Sendmail relay kurgan70 Linux - Newbie 1 03-21-2002 12:33 AM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 10:09 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration