
hebblethwaite 12-15-2008 10:41 PM entry for Smart Host on different port
Hi all, I use Scalix for email and point outbound SMTP connections to that of my ISP. The ISP recently started blocking 25, annoying lots of people of course.

Can anyone tell me how to modify the entry for the smart host server so that I can point to port 587 and also authenticate appropriately?



mackdav 12-20-2008 11:40 PM

In your /etc/mail/, try:


define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl

This ensures that you use the relay mailer when talking to your smarthost (which for some reason isn't the default with Fedora Core 3), that you use esmtp when talking to your smarthost (possibly unnecessary), and overrides the 'RELAY' mailer defaults to connect on port 587.

(Note for googlers: if you ARE trying to relay through port 587, you probably want to use SMTP AUTH with it, here's how you do that:

hebblethwaite 12-22-2008 11:01 PM


Well, I'm very close. Here's the log from the relay:

Dec 22 23:52:40 lenny sendmail[30226]: STARTTLS=client,, version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Dec 22 23:52:40 lenny sendmail[30226]: mBN4qdfG030223: to=<"recipient">, delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=122750, [xx.xx.xx.xx], dsn=5.0.0, stat=Service unavailable

I'm guessing the "verify=FAIL" is the problem. ISP seems to want to use TLS/SSL. Need a little help turning that on in sendmail.


mackdav 12-23-2008 07:55 AM

Nope, the way I read that the TLS session got set up -- verify=FAIL means something else. (Don't know what, though -- I think it means that the certs used to set up TLS were not externally verified.)

Usually "Service Unavailable" means that the receiving system won't relay for "<recipient>". Are you trying to relay through this system, or is it the destination?

Are you doing the SMTP-AUTH bit as well?

hebblethwaite 12-23-2008 10:21 PM

I'm trying to relay through this system (my ISP) from my email server, which worked previously on standard port 25 with the simple line in .mc:


Of course now they've blocked 25; here is the current AUTH section:

dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/etc/pki/tls/certs')
dnl define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readable by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl

1. Is the first section talking about AUTH for mail client connections?
2. Are the FEATURE lines set up right?

Here is my current authinfo.db: "U:<username>" "P:<password>" "M:PLAIN"

1. Pretty sure I need to change the M parameter.

Thanks again!


mackdav 12-24-2008 11:07 AM

Mine is DIGEST-MD5.

I think there is a way to ask the remote server what it will do.
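
One way to act on the "ask the remote server" idea above, as an added example that is not part of the original thread: the smart host's EHLO reply lists the AUTH mechanisms it accepts, and this script compares them with the M: list of an authinfo entry. The host name, credentials and EHLO replies are constructed samples, and `check` is a hypothetical helper name.

```python
import re

PLAINTEXT = {"PLAIN", "LOGIN"}  # these send the password merely base64-encoded

def parse_ehlo(reply):
    """Return (extension keywords, AUTH mechanisms) from a multi-line EHLO reply."""
    extensions, mechs = set(), []
    for line in reply.strip().splitlines()[1:]:   # line 0 is the greeting
        m = re.match(r"250[- ](.+)", line.strip())
        if not m:
            continue
        auth = re.match(r"AUTH[ =](.*)", m.group(1), re.I)  # "AUTH x" or legacy "AUTH=x"
        if auth:
            extensions.add("AUTH")
            mechs += [x for x in auth.group(1).upper().split() if x not in mechs]
        else:
            extensions.add(m.group(1).split()[0].upper())
    return extensions, mechs

def authinfo_mechs(entry):
    """Mechanism list from the "M:" field of an authinfo entry (empty if absent)."""
    m = re.search(r'"M:([^"]*)"', entry)
    return m.group(1).upper().split() if m else []

def check(entry, ehlo_clear, ehlo_tls):
    """Compare the configured M: list with what the smart host offers."""
    clear_ext, clear_mechs = parse_ehlo(ehlo_clear)
    _, tls_mechs = parse_ehlo(ehlo_tls)
    has_tls = "STARTTLS" in clear_ext
    offered = tls_mechs if has_tls else clear_mechs
    usable = [x for x in authinfo_mechs(entry) if x in offered]
    # a plaintext mechanism is only acceptable once the link is encrypted
    exposed = any(x in PLAINTEXT for x in usable) and not has_tls
    return {"starttls": has_tls, "offered": offered,
            "usable": usable, "password_exposed": exposed}

# Constructed sample replies (not captured from any real server).
EHLO_CLEAR = "250-smtp.example.net Hello\n250-SIZE 52428800\n250-STARTTLS\n250 HELP"
EHLO_TLS = ("250-smtp.example.net Hello\n250-SIZE 52428800\n"
            "250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN\n250 HELP")

if __name__ == "__main__":
    for mech in ("DIGEST-MD5", "PLAIN"):
        entry = f'AuthInfo:smtp.example.net "U:user" "P:secret" "M:{mech}"'
        print(mech, check(entry, EHLO_CLEAR, EHLO_TLS))
```

An empty `usable` list means the M: value names nothing the server offers, so authentication cannot succeed with that entry; `password_exposed` is true when a plaintext mechanism would be used on a link without STARTTLS.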

rgheck 06-10-2010 09:37 AM

Had this same problem. The "M:PLAIN" was what worked for me, on They stopped using encrypted authentication a bit ago, which caused problems on all my machines.
