MUA's time out - Sendmail + SASL2 : no shared cipher and more...

2003-12-22 Thread Kevin D. Kinsey, DaleCo, S.P.
Don't know if anyone can or wants to help. I've
scanned a lot of search results and followed
3 different how-tos (starting with the Handbook)
and though I'm closer, perhaps, I'm still not there.

I need an SSL-capable POP3 and SMTP as our
needs expand.  POP3 I've accomplished with
imap-uw; Sendmail has been some trouble
for 3 days now, and at least one client is really
needing to be able to send with M$ OE ASAP.

Both OE and the Mozilla mail client (and Mutt *on*
the server, last I checked) are timing out attempting
to use SMTP Auth.  With Sendmail set to LogLevel=25,
here's a snippet of where I *think* the problem lies...

Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212: --- 451 0.131.27.69.relosirusoft.com.: Name server timeout
Dec 22 12:20:51 ezekiel sm-mta[94212]: AUTH: available mech=NTLM LOGIN ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5, allowed mech=PLAIN LOGIN
Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212: Milter: no active filter
Dec 22 12:20:51 ezekiel sm-mta[94212]: STARTTLS=server, error: accept failed=-1, SSL_error=1, timedout=0, errno=0
Dec 22 12:20:51 ezekiel sm-mta[94212]: STARTTLS=server: 94212:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:886:
Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212: [66.27.130.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
Dec 22 12:21:02 ezekiel sm-mta[94238]: NOQUEUE: connect from [66.27.130.10]
Dec 22 12:22:08 ezekiel sm-mta[94238]: hBMIL2ka094238: --- 451 0.131.27.69.bl.spamcop.net.: Name server timeout
Dec 22 12:24:30 ezekiel sm-mta[94224]: hBMIJVka094224: --- 451 119.204.136.216osirusoft.com.: Name server timeout

There are a few curiosities here in my mind (Milter (?) and timeouts
looking for the spamcop NS's), but the issue seems most likely to
be the SSL error (accept failed=-1 and no shared cipher).

What have I misconfigured?  I've tried all possible combinations of
checkboxes on the clients ... at least I think so.  They just hang forever;
OE during the securing phase.  If someone knows the incantations
I don't know for Sendmail, I'd appreciate a look at your spell book.
Kevin Kinsey
DaleCo, S.P.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: MUA's time out - Sendmail + SASL2 : no shared cipher and more...

2003-12-22 Thread Matthew Seaman
On Mon, Dec 22, 2003 at 12:40:46PM -0600, Kevin D. Kinsey, DaleCo, S.P. wrote:
> Don't know if anyone can or wants to help. I've
> scanned a lot of search results and followed
> 3 different how-tos (starting with the Handbook)
> and though I'm closer, perhaps, I'm still not there.
> 
> I need an SSL-capable POP3 and SMTP as our
> needs expand.  POP3 I've accomplished with
> imap-uw; Sendmail has been some trouble
> for 3 days now, and at least one client is really
> needing to be able to send with M$ OE ASAP.

I've got one colleague who uses OE to read e-mail off my server via UW
IMAPS, a second that uses both OE and Mozilla and a third who has
never managed to get OE to authenticate properly.  I guess it's
something to do with the OE version...
 
> Both OE and the Mozilla mail client (and Mutt *on*
> the server, last I checked) are timing out attempting
> to use SMTP Auth.  With Sendmail set to LogLevel=25,
> here's a snippet of where I *think* the problem lies...
> 
> Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212: --- 451 0.131.27.69.relosirusoft.com.: Name server timeout

Osirusoft is dead and gone.  You should take that out of your
MTA/anti-spam configuration.

> Dec 22 12:20:51 ezekiel sm-mta[94212]: AUTH: available mech=NTLM LOGIN ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5, allowed mech=PLAIN LOGIN
> Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212: Milter: no active filter
> Dec 22 12:20:51 ezekiel sm-mta[94212]: STARTTLS=server, error: accept failed=-1, SSL_error=1, timedout=0, errno=0
> Dec 22 12:20:51 ezekiel sm-mta[94212]: STARTTLS=server: 94212:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:886:
> Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212: [66.27.130.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
> Dec 22 12:21:02 ezekiel sm-mta[94238]: NOQUEUE: connect from [66.27.130.10]
> Dec 22 12:22:08 ezekiel sm-mta[94238]: hBMIL2ka094238: --- 451 0.131.27.69.bl.spamcop.net.: Name server timeout
> Dec 22 12:24:30 ezekiel sm-mta[94224]: hBMIJVka094224: --- 451 119.204.136.216osirusoft.com.: Name server timeout
> 
> There are a few curiosities here in my mind (Milter (?) and timeouts
> looking for the spamcop NS's), but the issue seems most likely to
> be the SSL error (accept failed=-1 and no shared cipher).
> 
> What have I misconfigured?  I've tried all possible combinations of
> checkboxes on the clients ... at least I think so.  They just hang forever;
> OE during the securing phase.  If someone knows the incantations
> I don't know for Sendmail, I'd appreciate a look at your spell book.

Hmmm... SASL-related stuff from my config:

/etc/make.conf:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

SASL ports:

% pkg_info -I '*sasl*'
cyrus-sasl-2.1.17_1 RFC  SASL (Simple Authentication and Security Layer)
cyrus-sasl-saslauthd-2.1.17_1 SASL authentication server for cyrus-sasl2

/etc/mail/`hostname`.mc:

dnl ## Set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl

[...]

define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

I'm using a self-signed cert generated according to these instructions:

http://www.sendmail.org/~ca/email/other/cagreg.html

and you may find this page useful, although using client certificates
is possibly overkill (the standard LOGIN that OE uses should be
sufficient):

http://www.ofb.net/%7Ejheiss/sendmail/tlsandrelay.shtml

Note the bit about making sure the certificate signer (CN of
cacert.pem) is different to the common name of the certificate.

Not having a windows box anywhere available I can't remember off-hand
exactly how to set up the OE end, but it's not too difficult if you
work through the available options.

Cheers,

Matthew

PS.  Reply only to list, as your mailer bounces messages from my site
for no apparent reason.

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
PGP: http://www.infracaninophile.co.uk/pgpkey
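As an added example that is not part of either post, a small POSIX sh pre-flight for the certificate layout in the reply's .mc (cacert.pem, cert.pem, key.pem): it checks that the server certificate and key belong together, that the CA certificate's subject differs from the server certificate's (the CN point made above), and that the key is not readable by group or others. A server that cannot load a usable certificate/key pair has no RSA cipher suite it can complete, which is one way "no shared cipher" surfaces at SSL3_GET_CLIENT_HELLO before any MUA setting matters. It assumes only the openssl CLI on PATH; the file paths and the throwaway test PKI are constructed for the example.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Sendmail STARTTLS certificate
# layout like the one in the reply (cacert.pem / cert.pem / key.pem).
# Assumes the openssl CLI is on PATH; all paths are caller-supplied.

# 0 if the certificate's public key matches the private key, else 1.
# Without a loadable, matching pair the server can complete no RSA
# cipher suite, and OpenSSL reports "no shared cipher" at ClientHello.
cert_key_match() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the CA certificate's subject differs from the server certificate's
# subject (the "signer CN must differ from the cert CN" point), else 1.
ca_subject_distinct() {
    ca=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null) || return 1
    sv=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" 2>/dev/null) || return 1
    [ -n "$ca" ] && [ "$ca" != "$sv" ]
}

# 0 if the private key is unreadable by group and others (ls mode columns
# 5-10 hold the group/other rwx bits), else 1.
key_mode_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Build a throwaway CA and CA-signed server cert in directory $1 so the
# checks can be exercised offline (constructed test material only).
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/key.pem" -out "$d/req.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$d/req.pem" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/cert.pem" >/dev/null 2>&1 || return 1
    chmod 600 "$d/key.pem"
}
```

Against a live server, `openssl s_client -connect mailhost:25 -starttls smtp` shows the same handshake the MUAs are timing out in, so a failing check here should show up there too.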