LinuxQuestions.org


freealx 03-12-2005 04:48 PM

TLS Relay denied
 
Hi friends,

I recently configured my sendmail 8.13.1 to include STARTTLS option.
Code:

# sendmail -bt -d0.8 < /dev/null
Version 8.13.1
 Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SCANF STARTTLS
                USERDB XDEBUG
...

Everything looks fine, but when I try to connect and send a mail,
only a "Relaying denied" error is returned. I have never worked with TLS relay before
and maybe I made some stupid mistake...
Could somebody help me?

Thanks and wishes,

Alex

PS:
Here are several quotations from:
1. Script for certificate generation;
Code:

#!/bin/sh
#
# Sendmail STARTTLS certificates (must be started by root)
#
CAPATH="/usr/local/ssl/dmtCA"
OSSL="/usr/local/ssl/bin/openssl"
CDIR="/etc/mail"

# Set up the relevant directories
cd ${CDIR}
mkdir -p certs
chgrp smmsp certs
chmod o-rwx certs
cp ${CAPATH}/certs/cacert.pem certs/cacert.pem
# Create a hashed symbolic link to the CA certificate. During an SSL handshake's certificate exchange,
# sendmail will compute the hash of the received CA cert's public key, append '.0' to it, then
# compare it to its own copy of the CA cert's public key. (This is probably an over simplification,
# but you get the idea.)
cd certs
ln -s cacert.pem `${OSSL} x509 -noout -hash < cacert.pem`.0

cd ${CAPATH}
# Mail-Server Certificate Generation (CN=FQDN)
echo WARNING: For CN must input a FQDN of the mail server !!!
echo --------------------------------------------------------
${OSSL} req -nodes -new -x509 -keyout ${CDIR}/certs/key.pem -out req.pem -days 365 -config openssl.cnf
chgrp smmsp ${CDIR}/certs/key.pem
chmod o-rwx ${CDIR}/certs/key.pem
# Sign with DMT Certificate Authority
cat ${CDIR}/certs/key.pem req.pem > ${CDIR}/certs/servreq.pem
${OSSL} x509 -x509toreq -in ${CDIR}/certs/servreq.pem -signkey ${CDIR}/certs/servreq.pem -out tmp.pem
${OSSL} ca -config openssl.cnf -policy policy_anything -out ${CDIR}/certs/cert.pem -infiles tmp.pem
rm -f tmp.pem req.pem
#
# cacert.pem    - your certificate authority's certificate
#
# cert.pem      - your sendmail server's certificate (including its public key)
# key.pem      - the sendmail server's private key
#
# servreq.pem  - includes two parts: the sendmail server's private key and the original (unsigned) certificate request

# export in PKCS#12 for Windows users
#
# 1-st way
#cd ${CDIR}
#${OSSL} pkcs12 -export -in ./certs/cert.pem -inkey ./certs/servreq.pem \
#-certfile ./certs/cacert.pem -name "DMT's SMTP/TLS CERTIFICATE" -out ./certs/dmt1smtp_tls.p12
# 2-nd way
cd ${CDIR}/certs
cat cacert.pem cert.pem key.pem > p12input.pem
${OSSL} pkcs12 -export -in p12input.pem -name "DMT's SMTP/TLS CERTIFICATE" -out dmt2smtp_tls.p12

2. Sendmail configuration [sendmail.mc];
Code:

divert(0)dnl
VERSIONID(`$Id: sendmail.mc,v 8.13.1 Sun Dec 2 16:10:30 EET 2004 Exp $')dnl
...
FEATURE(`access_db')dnl
...
dnl start STARTTLS options
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')dnl
dnl end STARTTLS options
...
MAILER(`local')dnl
MAILER(`smtp')dnl
MAILER(`procmail')dnl

3. Contents of /etc/mail/certs;
Code:

/etc/mail/certs# ls -Al
total 48
-rw-r--r--  1 root root  1846 2005-03-12 01:31 cacert.pem
-rw-r--r--  1 root root  5360 2005-03-12 01:31 cert.pem
-rw-r--r--  1 root root  4450 2005-03-12 02:55 dmt2smtp_tls.p12
lrwxrwxrwx  1 root root    10 2005-03-12 01:31 faeeb9ec.0 -> cacert.pem
-rw-r-----  1 root smmsp 1679 2005-03-12 01:31 key.pem
-rw-r--r--  1 root root  8885 2005-03-12 02:55 p12input.pem
-rw-r--r--  1 root root  3476 2005-03-12 01:31 servreq.pem

4. Exemplary MS mail client setting [Mozilla Thunderbird 1.0];
Code:

dmt2smtp_tls.p12 - applied to Windows 2K for any M$ client - Mozilla Thunderbird 1.0 (MT1.0)
MT1.0 with settings in Tools->Account Settings->Outgoing Server (SMTP):
-------------------------------------------------
Server Name: mail.mydomain.org
Port: 25
[ ] No  [ ] TLS, if available  [x] TLS  [ ] SSL
-------------------------------------------------

5. Sendmail tuning for TLS relay in /etc/mail/access;
Code:

...
# Relay certified sender - TLS option
#
# openssl x509 -in cacert.pem -noout -text | grep Issuer
# Issuer: C=BG, ST=capital, L=Sofia, O=Digital Media Technologies Ltd,
#        OU=Technical Department, CN=DMT's Certificate Authority/emailAddress=alex@mydomain.org
# Each non-printable character and the characters '<', '>', '(', ')', '"', '+' are replaced by
# their HEX value with a leading '+'.
CERTIssuer:/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=Technical+20Department/CN=DMT's+20Certificate+20Authority/Email=alex@mydomain.org    RELAY

6. Initiation log for sm-mta daemon;
Code:

...
sm-mta[6208]: gethostbyaddr(192.168.10.1) failed: 1
sm-mta[6209]: starting daemon (8.13.1): SMTP+queueing@00:25:00
sm-mta[6209]: STARTTLS: CRLFile missing
sm-mta[6209]: STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
sm-mta[6209]: STARTTLS=server, init=1
sm-mta[6209]: started as: /usr/sbin/sendmail -L sm-mta -bd -q25m
sm-mta[6210]: j2AH0V5f030999: SMTP outgoing connect on ns.mydomain.org
sm-msp-queue[6212]: starting daemon (8.13.1): queueing@00:25:00

7. Part of /var/log/maillog showing the "Relaying denied" problem.
Code:

...
sm-mta[6578]: NOQUEUE: connect from Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175]
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): init success to negotiate
sm-mta[6578]: j2CIP82O006578: Milter: connect to filters
sm-mta[6578]: j2CIP82O006578: milter=milter-amavis, action=connect, continue
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): time command (C), 0
sm-mta[6578]: j2CIP82O006578: --- 220 DMT ESMTP Mailserver; Sat, 12 Mar 2005 20:25:08 +0200
sm-mta[6578]: j2CIP82O006578: <-- EHLO [192.168.0.2]
sm-mta[6578]: j2CIP82O006578: milter=milter-amavis, action=helo, continue
sm-mta[6578]: j2CIP82O006578: Milter (milter-amavis): time command (H), 0
sm-mta[6578]: j2CIP82O006578: --- 250-gatei.dmt.my_lan_domain.org Hello Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], pleased to meet you
sm-mta[6578]: j2CIP82O006578: --- 250-ENHANCEDSTATUSCODES
sm-mta[6578]: j2CIP82O006578: --- 250-PIPELINING
sm-mta[6578]: j2CIP82O006578: --- 250-8BITMIME
sm-mta[6578]: j2CIP82O006578: --- 250-SIZE 10000000
sm-mta[6578]: j2CIP82O006578: --- 250-DSN
sm-mta[6578]: j2CIP82O006578: --- 250-ETRN
sm-mta[6578]: j2CIP82O006578: --- 250-STARTTLS
sm-mta[6578]: j2CIP82O006578: --- 250-DELIVERBY
sm-mta[6578]: j2CIP82O006578: --- 250 HELP
sm-mta[6578]: j2CIP82O006578: <-- STARTTLS
sm-mta[6578]: j2CIP82O006578: --- 220 2.0.0 Ready to start TLS
sm-mta[6578]: STARTTLS=server, get_verify: 0 get_peer: 0x0
sm-mta[6578]: STARTTLS=server, relay=Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
sm-mta[6578]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok

sm-mta[6578]: j2CIP82O006578: <-- EHLO [192.168.0.2]
sm-mta[6578]: j2CIP82P006578: milter=milter-amavis, action=helo, continue
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): time command (H), 0
sm-mta[6578]: j2CIP82P006578: --- 250-gatei.dmt.my_lan_domain.org Hello Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], pleased to meet you
sm-mta[6578]: j2CIP82P006578: --- 250-ENHANCEDSTATUSCODES
sm-mta[6578]: j2CIP82P006578: --- 250-PIPELINING
sm-mta[6578]: j2CIP82P006578: --- 250-8BITMIME
sm-mta[6578]: j2CIP82P006578: --- 250-SIZE 10000000
sm-mta[6578]: j2CIP82P006578: --- 250-DSN
sm-mta[6578]: j2CIP82P006578: --- 250-ETRN
sm-mta[6578]: j2CIP82P006578: --- 250-DELIVERBY
sm-mta[6578]: j2CIP82P006578: --- 250 HELP
sm-mta[6578]: j2CIP82P006578: <-- MAIL FROM:<alex@mydomain.org> SIZE=448
sm-mta[6578]: j2CIP82P006578: Milter: senders: <alex@mydomain.org>
sm-mta[6578]: j2CIP82P006578: milter=milter-amavis, action=mail, continue
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): time command (M), 0
sm-mta[6578]: j2CIP82P006578: --- 250 2.1.0 <alex@mydomain.org>... Sender ok
sm-mta[6578]: j2CIP82P006578: <-- RCPT TO:<al_al_alexiev<at>sympatico.ca>
sm-mta[6578]: j2CIP82P006578: --- 550 5.7.1 <al_al_alexiev<at>sympatico.ca>... Relaying denied
sm-mta[6578]: j2CIP82P006578: ruleset=check_rcpt, arg1=<al_al_alexiev<at>sympatico.ca>, relay=Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], reject=550 5.7.1 <al_al_alexiev<at>sympatico.ca>... Relaying denied
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): quit filter
sm-mta[6578]: j2CIP82P006578: --- 421 4.4.1 gatei.dmt.my_lan_domain.org Lost input channel from Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175]
sm-mta[6578]: j2CIP82P006578: lost input channel from Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175] to MTA after rcpt
sm-mta[6578]: j2CIP82P006578: Milter (milter-amavis): quit filter
sm-mta[6578]: j2CIP82P006578: from=<alex@mydomain.org>, size=448, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175]
amavis-milter[6588]: j2CIP82P006578: (mlfi_abort)
...


freealx 03-13-2005 02:26 PM

Hi again,

So, the first problem was in the MS mail client setting [Mozilla Thunderbird 1.0]:

Code:

sm-mta[6578]: STARTTLS=server, relay=Toronto-HSE-ppp3775340.sympatico.ca [67.68.202.175], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
sm-mta[6578]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok

After fixing the client, the log changed a little bit:

Code:

Mar 13 20:40:16 gatei sm-mta[1819]: STARTTLS=server, relay=Toronto-HSE-ppp3741959.sympatico.ca [67.68.71.68], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Mar 13 20:40:16 gatei sm-mta[1819]: STARTTLS=server, cert-subject=/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=IT/CN=mail.mydomain.org/emailAddress=alex@mydomain.org, cert-issuer=/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=Technical+20Department/CN=DMT/emailAddress=alex@mydomain.org, verifymsg=ok

, but the problem with TLS relay still exists:

Code:

Mar 13 20:40:17 gatei sm-mta[1819]: j2DIe8A6001819: --- 550 5.7.1 <al_al_alexiev<at>sympatico.ca>... Relaying denied

I feel I have left something out, but in /etc/access I already wrote:

Code:

CERTIssuer:/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=Technical+20Department/CN=DMT/Email=alex@mydomain.org RELAY

and ran makemap hash, etc.
Maybe something more is needed?

Thanks in advance guys,

Alex

freealx 03-15-2005 11:41 AM

Resolved
 
Quote:

03-14-05 11:04 PM


In article <xt%Yd.165$N8.25368@news20.bellglobal.com> "Aleksandar
Aleksiev" <al_al_alexiev@sympatico.ca> writes:
>
>cert-issuer=/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=Technical+20Department/CN=DMT/emailAddress=alex@mydomain.org, verifymsg=ok

Your original post had the access db entry as:

CERTIssuer:/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=Technical+20Department/CN=DMT's+20Certificate+20Authority/Email=alex@mydomain.org RELAY

I.e. they don't match (CN is different, and 'emailAddress' vs 'Email').

--Per Hedeland
per@hedeland.org

TNX to Per Hedeland,

I changed [DMT's+20Certificate+20Authority] to [DMT] in both
(access/certificate) places, but until now I hadn't realized that
[/emailAddress] from the certificate and [/Email] from the access file are
different. This is the problem :)

Thank you very much again, Per, cheers

Alex
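A small pre-flight check for the mismatch Per points out, written as an added example (not code from the thread): it pulls the cert-issuer DN out of the STARTTLS log line, pulls the DN out of the CERTIssuer access entry, and reports each component that differs. The "+HH" encoding follows the rule quoted in the access file comment plus the space character, which the logged DN in this thread shows as "+20"; treating that as sendmail's exact character set is an assumption, and the sample lines are constructed from the thread's own values.

```python
import re

# Characters sendmail replaces with "+HH" in ${cert_issuer}/${cert_subject},
# per the rule quoted in the thread's access file comment, plus the space,
# which the logged DN in this thread shows as "+20".
# Assumption: a re-implementation for comparison only, not sendmail's own code.
ESCAPED = set('<>()"+ ')


def encode_dn(dn):
    """Encode an openssl one-line DN ('/C=BG/O=...') the way sendmail logs it."""
    out = []
    for ch in dn:
        if ch in ESCAPED or ord(ch) < 0x21 or ord(ch) > 0x7e:
            out.append('+%02X' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def parse_dn(encoded):
    """Split an encoded DN into ordered (attribute, value) pairs."""
    return [(p.partition('=')[0], p.partition('=')[2]) for p in encoded.split('/') if p]


def issuer_from_log(line):
    """Pull the cert-issuer DN out of a 'STARTTLS=server, cert-subject=...' log line."""
    m = re.search(r'cert-issuer=(.*?), verifymsg=', line)
    return m.group(1) if m else None


def issuer_from_access(entry):
    """Pull the DN out of a 'CERTIssuer:<dn>  RELAY' access file line."""
    m = re.match(r'CERTIssuer:(\S+)\s+\S+', entry)
    return m.group(1) if m else None


def dn_mismatches(cert_dn, access_dn):
    """Return human-readable differences; an empty list means the entry will match."""
    cert, acc = parse_dn(cert_dn), parse_dn(access_dn)
    diffs = []
    if len(cert) != len(acc):
        diffs.append('component count %d (cert) vs %d (access)' % (len(cert), len(acc)))
    for (ca, cv), (aa, av) in zip(cert, acc):
        if ca != aa:   # e.g. 'emailAddress' in the cert vs 'Email' in the access db
            diffs.append('attribute name %r (cert) vs %r (access)' % (ca, aa))
        elif cv != av:  # e.g. CN=DMT vs CN=DMT's+20Certificate+20Authority
            diffs.append('%s value %r (cert) vs %r (access)' % (ca, cv, av))
    return diffs


# Constructed samples taken from the thread: the logged issuer and the first access entry.
LOG_LINE = ("Mar 13 20:40:16 gatei sm-mta[1819]: STARTTLS=server, cert-subject=/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=IT/CN=mail.mydomain.org/emailAddress=alex@mydomain.org, cert-issuer=/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=Technical+20Department/CN=DMT/emailAddress=alex@mydomain.org, verifymsg=ok")
ACCESS_LINE = "CERTIssuer:/C=BG/ST=capital/L=Sofia/O=Digital+20Media+20Technologies+20Ltd/OU=Technical+20Department/CN=DMT's+20Certificate+20Authority/Email=alex@mydomain.org    RELAY"

if __name__ == '__main__':
    for d in dn_mismatches(issuer_from_log(LOG_LINE), issuer_from_access(ACCESS_LINE)):
        print('MISMATCH:', d)
```

Run it against your own maillog line and access entry before running makemap; an empty result means the CERTIssuer key will be looked up exactly as sendmail logs it.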

