On Mon, Dec 22, 2003 at 12:40:46PM -0600, Kevin D. Kinsey, DaleCo, S.P. wrote:
> Don't know if anyone can or wants to help. I've scanned a lot of search
> results and followed 3 different how-tos (starting with the Handbook)
> and though I'm closer, perhaps, I'm still not there. I need an
> SSL-capable POP3 and SMTP as our needs expand. POP3 I've accomplished
> with imap-uw; Sendmail has been some trouble for 3 days now, and at
> least one client is really needing to be able to send with M$ OE ASAP.
I've got one colleague who uses OE to read e-mail off my server via UW
IMAPS, a second that uses both OE and Mozilla and a third who has
never managed to get OE to authenticate properly. I guess it's
something to do with the OE version...
> Both OE and the Mozilla mail client (and Mutt *on* the server, last I
> checked) are timing out attempting to use SMTP Auth. With Sendmail set
> to LogLevel=25, here's a snippet of where I *think* the problem lies...
>
> Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212: --- 451 0.131.27.69.relosirusoft.com.: Name server timeout
Osirusoft is dead and gone. You should take that out of your
MTA/anti-spam configuration.
> Dec 22 12:20:51 ezekiel sm-mta[94212]: AUTH: available mech=NTLM LOGIN ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5, allowed mech=PLAIN LOGIN
> Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212: Milter: no active filter
> Dec 22 12:20:51 ezekiel sm-mta[94212]: STARTTLS=server, error: accept failed=-1, SSL_error=1, timedout=0, errno=0
> Dec 22 12:20:51 ezekiel sm-mta[94212]: STARTTLS=server: 94212:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:886:
> Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212: [66.27.130.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
> Dec 22 12:21:02 ezekiel sm-mta[94238]: NOQUEUE: connect from [66.27.130.10]
> Dec 22 12:22:08 ezekiel sm-mta[94238]: hBMIL2ka094238: --- 451 0.131.27.69.bl.spamcop.net.: Name server timeout
> Dec 22 12:24:30 ezekiel sm-mta[94224]: hBMIJVka094224: --- 451 119.204.136.216osirusoft.com.: Name server timeout
> There are a few curiosities here in my mind (Milter (?) and timeouts
> looking for the spamcop NS's), but the issue seems most likely to be
> the SSL error (accept failed=-1 and no shared cipher).
>
> What have I misconfigured? I've tried all possible combinations of
> checkboxes on the clients ... at least I think so. They just hang
> forever; OE during the securing phase. If someone knows the
> incantations I don't know for Sendmail, I'd appreciate a look at your
> spell book.
> Hmmm... SASL related stuff from my config:
>
> /etc/make.conf:
> SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
> SENDMAIL_LDFLAGS=-L/usr/local/lib
> SENDMAIL_LDADD=-lsasl2
>
> SASL ports:
> % pkg_info -I '*sasl*'
> cyrus-sasl-2.1.17_1 RFC SASL (Simple Authentication and Security Layer)
> cyrus-sasl-saslauthd-2.1.17_1 SASL authentication server for cyrus-sasl2
>
> /etc/mail/`hostname`.mc:
> dnl ## Set SASL options
> TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
> define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl
> define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
> [...]
> define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
> define(`confCACERT_PATH', `CERT_DIR')dnl
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
> define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
I'm using a self-signed cert generated according to these instructions:
http://www.sendmail.org/~ca/email/other/cagreg.html
and you may find this page useful, although using client certificates
is possibly overkill (the standard LOGIN that OE uses should be
sufficient):
http://www.ofb.net/%7Ejheiss/sendmail/tlsandrelay.shtml
Note the bit about making sure the certificate signer (CN of
cacert.pem) is different to the common name of the certificate.
Not having a Windows box anywhere available, I can't remember off-hand
exactly how to set up the OE end, but it's not too difficult if you
work through the available options.
Cheers,
Matthew
PS. Reply only to list, as your mailer bounces messages from my site
for no apparent reason.
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
26 The Paddocks, Savill Way, Marlow
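An added example, not code from the thread: a POSIX shell check for the cacert.pem / cert.pem / key.pem trio that the confCACERT, confSERVER_CERT and confSERVER_KEY lines above point at. It verifies that the key is not group/world-readable, that key.pem really belongs to cert.pem, that the CA subject differs from the server certificate's subject (Matthew's note above), and that the server certificate chains to the CA; the CNs, directory names and the throwaway certificates it generates are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check the cacert.pem / cert.pem /
# key.pem trio that confCACERT, confSERVER_CERT and confSERVER_KEY point at.

# make_test_certs DIR CA_CN SERVER_CN -- constructed test data only: a throwaway
# CA and a CA-signed server cert laid out the way the .mc above expects.
make_test_certs() {
    dir=$1; ca_cn=$2; srv_cn=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca_cn" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$srv_cn" \
        -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/req.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/cert.pem" 2>/dev/null
    chmod 600 "$dir/key.pem"
}

# check_sendmail_certs DIR -- returns 0 if the trio looks usable, 1 with a reason.
check_sendmail_certs() {
    dir=$1
    for f in cacert.pem cert.pem key.pem; do
        [ -r "$dir/$f" ] || { echo "FAIL: $dir/$f missing or unreadable"; return 1; }
    done
    # sendmail's safe-file checks reject a group/world-readable key unless
    # DontBlameSendmail is relaxed; require 0600-style permissions instead.
    if [ -n "$(find "$dir/key.pem" \( -perm -g+r -o -perm -o+r \))" ]; then
        echo "FAIL: key.pem is group/world readable (chmod 600 it)"; return 1
    fi
    # the private key must belong to the certificate it is paired with
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/cert.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/key.pem" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || { echo "FAIL: key.pem does not match cert.pem"; return 1; }
    # Matthew's point above: the CA subject must differ from the server subject
    ca_subj=$(openssl x509 -noout -subject -in "$dir/cacert.pem")
    srv_subj=$(openssl x509 -noout -subject -in "$dir/cert.pem")
    [ "$ca_subj" != "$srv_subj" ] || { echo "FAIL: CA and server cert share subject: $srv_subj"; return 1; }
    # and the server cert must actually chain to the configured CA
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cert.pem" >/dev/null 2>&1 \
        || { echo "FAIL: cert.pem does not verify against cacert.pem"; return 1; }
    echo "OK: $dir"
}

# Demo: a sane trio passes; one whose CA CN equals the server CN does not.
tmp=$(mktemp -d)
make_test_certs "$tmp/good" "Example Mail CA" "mail.example.org"
make_test_certs "$tmp/same" "mail.example.org" "mail.example.org"
check_sendmail_certs "$tmp/good"
check_sendmail_certs "$tmp/same" || echo "(expected failure for $tmp/same)"
```

Point `check_sendmail_certs` at the real CERT_DIR (/etc/mail/certs with the .mc above) to run the same checks against a live installation.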