[Solved in a way] Sendmail as client via smarthost and ssl
On Thu, Oct 28, 2010 at 02:49:34PM +0200, Christopher Illies wrote:
> To send email from my computer at work I need to send through a smarthost.
> ...

After having had no success with sendmail and sasl, I switched to mail/dma and it worked right away.

Christopher

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

RE: Sendmail as client via smarthost and ssl
> On 29/10/2010 14:49, Christopher Illies wrote:
>> ...
>> Ok, when I use telnet, this happens:
>>
>> telnet send.ki.se 587
>> Trying 130.xxx.xxx.26...
>> Connected to send.ki.se.
>> Escape character is '^]'.
>> 220 KIMSX09.user.ki.se Microsoft ESMTP MAIL Service ready at Fri, 29 Oct 2010 14:55:51 +0200
>> EHLO
>> 250-KIMSX09.user.ki.se Hello [136.xxx.xxx.214]
>> 250-SIZE 10485760
>> 250-PIPELINING
>> 250-DSN
>> 250-ENHANCEDSTATUSCODES
>> 250-STARTTLS
>> 250-AUTH GSSAPI NTLM
>> 250-8BITMIME
>> 250-BINARYMIME
>> 250 CHUNKING
>> ...
>
> I'd guess from here that the Microsoft mail server (I'd say Exchange but it's part of IIS these days I think) is being awkward. GSSAPI is Kerberos related I believe, NTLM is a Windows method from what I remember. I'm not familiar with either, I'm afraid.

Thanks for your suggestions, anyhow. It might very well be that something about the server's behaviour is awkward. fetchmail, which worked well with the old server, stopped working after the mailserver was changed to the current one. The settings were correct, but only after I installed a new version of fetchmail, it worked again.

It looks like I will have to use webmail for now.

Christopher

RE: Sendmail as client via smarthost and ssl
> GSSAPI is the Generic Security Services Application Program Interface and NTLM is NT Lan Manager -- they are both authentication systems popular amongst various generations of Microsoft OSes. GSSAPI is actually based on that old Unix stalwart: Kerberos, and hence is also fairly popular amongst non-Microsoft types. They are some of the authentication mechanisms that come as standard with SASL implementations. Unless you know that you do need them, you almost certainly don't.
> ...

Thank you for the explanation. I was actually not sure whether or not these options were needed. Authentication to the smarthost did not work, and at one point I noticed the line:

...
250-AUTH GSSAPI NTLM
...

coming from the server. So I gave it a try - and it still did not work.

Christopher

RE: Sendmail as client via smarthost and ssl
From: owner-freebsd-questi...@freebsd.org [owner-freebsd-questi...@freebsd.org] On Behalf Of Vincent Hoffman [vi...@unsane.co.uk]
Sent: Thursday, October 28, 2010 11:22 PM
To: freebsd-questions@freebsd.org
Subject: Re: Sendmail as client via smarthost and ssl

> On 28/10/2010 15:25, Christopher Illies wrote:
>>> 2010-10-28 14:49, Christopher Illies:
>>>> To send email from my computer at work I need to send through a smarthost. In the past I had added the line:
>>>>
>>>> define(`SMART_HOST', `[smpt.ki.se]')
>>>
>>> Brackets are only needed for IP addresses.
>> ...
>
> All I had to do was add
>
> AuthInfo:relay.isp.net U:smmsp I:username P:PassWord M:PLAIN
>
> to /etc/mail/access and the smarthost directive.

I added U:smmsp and M:PLAIN to my /etc/mail/auth/client-info file, but that did not change anything. When I left out the square brackets around the server name in that file, I got another error message in /var/log/maillog:

Oct 29 12:05:22 muck sm-mta[42252]: o9TA5Mtt042250: to=christopher.ill...@web.de, ctladdr=ch...@muck.ks.se (1001/1001), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30466, relay=send.ki.se. [130.229.20.28], dsn=4.0.0, stat=Deferred: Name server: send.ki.se.: host name lookup failure

...

> (I also set up SSL separately as I'm using plain method but you seem to have that covered.)

Could you explain this a bit further, please? I am not clear on how this works. Setting up SSL is done by compiling sendmail with sasl, isn't it? Or is there something else to do? Also, the term plain method confuses me: This does not refer to whether or not you are using ssl?

Sorry to bother you with all these questions.

Christopher

Re: Sendmail as client via smarthost and ssl
On 29/10/2010 11:19, Christopher Illies wrote:
> I added U:smmsp and M:PLAIN to my /etc/mail/auth/client-info file, but that did not change anything. When I left out the square brackets around the server name in that file, I got another error message in /var/log/maillog:
>
> Oct 29 12:05:22 muck sm-mta[42252]: o9TA5Mtt042250: to=christopher.ill...@web.de, ctladdr=ch...@muck.ks.se (1001/1001), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30466, relay=send.ki.se. [130.229.20.28], dsn=4.0.0, stat=Deferred: Name server: send.ki.se.: host name lookup failure
>
> ...

Odd: http://www.sendmail.org/~ca/email/sm-812.html#812AUTH has an example with no square brackets. Not sure why this would break it for you.

>> (I also set up SSL separately as I'm using plain method but you seem to have that covered.)
>
> Could you explain this a bit further, please? I am not clear on how this works. Setting up SSL is done by compiling sendmail with sasl, isn't it? Or is there something else to do? Also, the term plain method confuses me: This does not refer to whether or not you are using ssl?

Sorry, wrong terminology. That should have been plain mechanism, not method. PLAIN mechanism means that I'm sending the password/user in plain rather than using something like DIGEST-MD5 or any of the other possible mechanisms that can be listed in confAUTH_MECHANISMS in your sendmail .mc file.

To get a list of what's supported by your relay, telnet to it on port 25 and issue an EHLO command. The supported mechanisms are listed following the AUTH keyword. For example, for me:

(11:59:59 ~) 1 $ telnet RELAY.ISP.net 25
Trying 213.xxx.xxx.53...
Connected to RELAY.ISP.net.
Escape character is '^]'.
220 RELAY.ISP.net ESMTP Sendmail 8.13.8/8.13.8; Fri, 29 Oct 2010 12:00:08 +0100
ehlo unsane.co.uk
250-RELAY.ISP.net Hello foo.ISP.net [195.x.x.102], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN ---THIS ONE.
250-STARTTLS
250-DELIVERBY
250 HELP

Ignore the ssl comment, I was obviously half asleep; the ssl config I have is for receiving mail over ssl (server side), not sending (client side).

I have tried copying your steps for testing,

dnl
define(`SMART_HOST', `RELAY.ISP.net')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

to ostracod.unsane.co.uk.mc (my machine's mc file)

[r...@ostracod /etc/mail]# make all
/usr/bin/m4 -D_CF_DIR_=/usr/local/share/sendmail/cf/ /usr/local/share/sendmail/cf/m4/cf.m4 ostracod.unsane.co.uk.mc ostracod.unsane.co.uk.cf
[r...@ostracod /etc/mail]# make install
install -m 444 ostracod.unsane.co.uk.cf /etc/mail/sendmail.cf
install -m 444 ostracod.unsane.co.uk.submit.cf /etc/mail/submit.cf
[r...@ostracod /etc/mail]#

then created /etc/mail/auth/client-info with

[r...@ostracod /etc/mail]# cat /etc/mail/auth/client-info
AuthInfo:RELAY.ISP.net U:smmsp I:USER P:PASSWORD M:PLAIN

and then

makemap hash client-info < client-info

restarted sendmail

echo "This is a test" | mail -s "Smarthost test" vhoff...@domainitdoesntrelayfor.co.uk

and it worked.

If I made the entry in client-info

AuthInfo:[RELAY.ISP.net] U:smmsp I:USER P:PASSWORD M:PLAIN

it stopped working.

> Sorry to bother you with all these questions.

That's fine, what sendmail I do know will be forgotten if I don't use it. Hope these data-points help, but it looks like a bit of a works for me without solving your issue.

Vince

RE: Sendmail as client via smarthost and ssl
Thanks for your explanations, Vince. It got me one step further (I think).

> ...
> PLAIN mechanism means that I'm sending the password/user in plain rather than using something like DIGEST-MD5 or any of the other possible mechanisms that can be listed in confAUTH_MECHANISMS in your sendmail .mc file.
>
> To get a list of what's supported by your relay, telnet to it on port 25 and issue an EHLO command. The supported mechanisms are listed following the AUTH keyword. For example, for me:
>
> (11:59:59 ~) 1 $ telnet RELAY.ISP.net 25
> Trying 213.xxx.xxx.53...
> Connected to RELAY.ISP.net.
> ...
> 250-AUTH LOGIN PLAIN ---THIS ONE.
> 250-STARTTLS
> 250-DELIVERBY
> 250 HELP

Ok, when I use telnet, this happens:

telnet send.ki.se 587
Trying 130.xxx.xxx.26...
Connected to send.ki.se.
Escape character is '^]'.
220 KIMSX09.user.ki.se Microsoft ESMTP MAIL Service ready at Fri, 29 Oct 2010 14:55:51 +0200
EHLO
250-KIMSX09.user.ki.se Hello [136.xxx.xxx.214]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING

Although I have no idea what GSSAPI and NTLM are, I remembered that I have seen these abbreviations before: NTLM is an OPTION for cyrus-sasl2, and yes, it is compiled in (WITH_NTLM=true). And GSSAPI appeared first in the mc file:

define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

So I changed the authinfo/client-info file to:

AuthInfo:[send.ki.se] U:smmsp I:XXX P:YYY M:GSSAPI

Still, it does not work:

530 5.7.1 Client was not authenticated

Christopher

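Added example, not part of any message in this thread: the EHLO check described above done in Python, parsing the two EHLO replies posted in the thread and intersecting the advertised AUTH mechanisms with the client's list. The function names are hypothetical, treating M: as the per-relay mechanism list is an assumption of the example, and it does not model which SASL plugins are installed on the client.

```python
# Added example, not code from the thread: which SASL mechanisms can a client
# use against a relay, given the relay's EHLO reply?
PASSWORD_IN_CLEAR = {"PLAIN", "LOGIN"}  # base64 only, so they need TLS underneath

# EHLO replies copied from the thread (Vince's "---THIS ONE." note dropped).
KI_EHLO = """\
250-KIMSX09.user.ki.se Hello [136.xxx.xxx.214]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
"""
ISP_EHLO = """\
250-RELAY.ISP.net Hello foo.ISP.net [195.x.x.102], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""
# Client list from the confAUTH_MECHANISMS line quoted in the thread.
CONF_AUTH_MECHANISMS = "EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN".split()

def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for a multi-line 250 EHLO reply."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    caps = {}
    for n, ln in enumerate(lines):
        # "250-" continues the reply; only the last line uses "250 ".
        expected = "250 " if n == len(lines) - 1 else "250-"
        if not ln.startswith(expected):
            raise ValueError("malformed EHLO reply line: %r" % ln)
        words = ln[4:].split()
        if n == 0 or not words:
            continue  # the first line is the greeting, not a capability
        caps.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
    return caps

def select(reply, client_mechs, authinfo_m=None, tls_active=False):
    """Shared mechanisms in client order. authinfo_m stands in for the M: field
    of an AuthInfo entry: when given it replaces client_mechs (assumption)."""
    caps = parse_ehlo(reply)
    offered = caps.get("AUTH", [])
    wanted = [m.upper() for m in (authinfo_m or client_mechs)]
    common = [m for m in wanted if m in offered]
    exposed = [m for m in common if m in PASSWORD_IN_CLEAR and not tls_active]
    return {"offered": offered, "common": common,
            "password_exposed": exposed, "starttls": "STARTTLS" in caps}

if __name__ == "__main__":
    for m in (None, ["PLAIN"], ["GSSAPI"]):
        print("M:", m, select(KI_EHLO, CONF_AUTH_MECHANISMS, m))
```

With the replies from the thread, M:PLAIN shares no mechanism with send.ki.se while M:GSSAPI does. A client must repeat EHLO after STARTTLS, so run the same check on that second reply, which may advertise a different AUTH list than the cleartext telnet session shows.
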
Re: Sendmail as client via smarthost and ssl
On 29/10/2010 14:49, Christopher Illies wrote:
> Although I have no idea what GSSAPI and NTLM are, I remembered that I have seen these abbreviations before: NTLM is an OPTION for cyrus-sasl2, and yes, it is compiled in (WITH_NTLM=true). And GSSAPI appeared first in the mc file:

GSSAPI is the Generic Security Services Application Program Interface and NTLM is NT Lan Manager -- they are both authentication systems popular amongst various generations of Microsoft OSes. GSSAPI is actually based on that old Unix stalwart: Kerberos, and hence is also fairly popular amongst non-Microsoft types. They are some of the authentication mechanisms that come as standard with SASL implementations. Unless you know that you do need them, you almost certainly don't.

You can turn off support for those mechanisms at the point of compiling cyrus-sasl2, or you can take them out of the configuration for the various SASL consumers if you want. They are pretty much harmless though, so just doing nothing is also a viable option[*].

Cheers,

Matthew

[*] I have run into situations where not compiling them into various software made everything run much more smoothly: however, those were exceptional circumstances, and probably a temporary artefact of the particular software versions. Your mileage will probably vary.

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW

Re: Sendmail as client via smarthost and ssl
On 29/10/2010 14:49, Christopher Illies wrote:
> Thanks for your explanations, Vince. It got me one step further (I think).
> ...
> Ok, when I use telnet, this happens:
>
> telnet send.ki.se 587
> Trying 130.xxx.xxx.26...
> Connected to send.ki.se.
> Escape character is '^]'.
> 220 KIMSX09.user.ki.se Microsoft ESMTP MAIL Service ready at Fri, 29 Oct 2010 14:55:51 +0200
> EHLO
> 250-KIMSX09.user.ki.se Hello [136.xxx.xxx.214]
> 250-SIZE 10485760
> 250-PIPELINING
> 250-DSN
> 250-ENHANCEDSTATUSCODES
> 250-STARTTLS
> 250-AUTH GSSAPI NTLM
> 250-8BITMIME
> 250-BINARYMIME
> 250 CHUNKING
>
> Although I have no idea what GSSAPI and NTLM are, I remembered that I have seen these abbreviations before: NTLM is an OPTION for cyrus-sasl2, and yes, it is compiled in (WITH_NTLM=true). And GSSAPI appeared first in the mc file:
>
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>
> So I changed the authinfo/client-info file to:
>
> AuthInfo:[send.ki.se] U:smmsp I:XXX P:YYY M:GSSAPI
>
> Still, it does not work:
>
> 530 5.7.1 Client was not authenticated

I'd guess from here that the Microsoft mail server (I'd say Exchange but it's part of IIS these days I think) is being awkward. GSSAPI is Kerberos related I believe, NTLM is a Windows method from what I remember. I'm not familiar with either, I'm afraid.

Vince

Sendmail as client via smarthost and ssl
To send email from my computer at work I need to send through a smarthost. In the past I had added the line:

define(`SMART_HOST', `[smpt.ki.se]')

to my mc file, plus some address rewriting for outgoing mail. This has worked for years. Now the mail system has changed and it requires some authentication, connection via ssl to a different server and via a different port (587). Since then I have not been able to get my computer to send email via the smarthost.

Not knowing much about sendmail, I tried google and more or less blindly followed suggestions. Here is what I have done so far, but sending email still does not work:

1. recompiled sendmail with sasl by adding the following lines to /etc/make.conf + installing security/cyrus-sasl2 + recompiling sendmail:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

2. Adding the following line to my mc file (+ make all install restart):

define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl dnl Set port define(`RELAY_MAILER_ARGS', `IPC $h 587')

I also changed the smarthost to the new name:

define(`SMART_HOST', `[send.ki.se]')

3. create the file /etc/mail/auth/client-info + run makemap hash client-info < client-info:

AuthInfo:[send.ki.se] I:LOGIN P:PASSWORD

When trying to send email the returned email from the Mail Delivery Subsystem MAILER-DAEMON contains the following error message:

- The following addresses had permanent fatal errors -
christopher.ill...@web.de
    (reason: 530 5.7.1 Client was not authenticated)

- Transcript of session follows -
... while talking to send.ki.se.:
MAIL From:christopher.ill...@ki.se SIZE=473 AUTH=
530 5.7.1 Client was not authenticated
554 5.0.0 Service unavailable

In /var/log/maillog the following error messages appear:

Oct 28 13:52:53 muck sm-mta[19110]: STARTTLS=client, relay=send.ki.se., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128
Oct 28 13:52:58 muck sm-mta[19110]: o9SBqqHs019108: to=christopher.ill...@web.de, ctladdr=ch...@muck.ks.se (1001/1001), delay=00:00:06, xdelay=00:00:06, mailer=relay, pri=30473, relay=send.ki.se. [130.229.20.26], dsn=5.0.0, stat=Service unavailable
Oct 28 13:52:58 muck sm-mta[19110]: o9SBqqHs019108: o9SBqwHs019110: DSN: Service unavailable

Any suggestions to help me send email from my computer are gratefully appreciated. The system is 8-stable.

Christopher

RE: Sendmail as client via smarthost and ssl
> 2010-10-28 14:49, Christopher Illies:
>> To send email from my computer at work I need to send through a smarthost. In the past I had added the line:
>>
>> define(`SMART_HOST', `[smpt.ki.se]')
>
> Brackets are only needed for IP addresses. What happens when you remove the brackets, like so
>
> define(`SMART_HOST', `your.mail.server')

Nothing changes. I get the same error messages as with the brackets.

Re: Sendmail as client via smarthost and ssl
On Thu, 2010-10-28 at 14:49 +0200, Christopher Illies wrote:
snip
> Not knowing much about sendmail, I tried google and more or less blindly followed suggestions. Here is what I have done so far, but sending email still does not work:
>
> 1. recompiled sendmail with sasl by adding the following lines to /etc/make.conf + installing security/cyrus-sasl2 + recompiling sendmail:
>
> SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
> SENDMAIL_LDFLAGS=-L/usr/local/lib
> SENDMAIL_LDADD=-lsasl2
>
> 2. Adding the following line to my mc file (+ make all install restart):
>
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl dnl Set port define(`RELAY_MAILER_ARGS', `IPC $h 587')

I can't speak to the validity of the technique that you're attempting to use, however the 'dnl' directive is an instruction to ignore the rest of the line (c.f. '#' in shell scripts, etc., in fact I believe 'dnl' is a mnemonic for something like delete to newline or discard to newline). In which case these are probably intended to be:

define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
dnl Set port
define(`RELAY_MAILER_ARGS', `IPC $h 587')dnl

Wayne

RE: Sendmail as client via smarthost and ssl
> On Thu, 2010-10-28 at 14:49 +0200, Christopher Illies wrote:
> snip
>> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl dnl Set port define(`RELAY_MAILER_ARGS', `IPC $h 587')
>
> I can't speak to the validity of the technique that you're attempting to use, however the 'dnl' directive is an instruction to ignore the rest of the line (c.f. '#' in shell scripts, etc., in fact I believe 'dnl' is a mnemonic for something like delete to newline or discard to newline). In which case these are probably intended to be:
>
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
> dnl Set port
> define(`RELAY_MAILER_ARGS', `IPC $h 587')dnl
>
> Wayne

Yes, you are right. This is not only how these lines are intended to be, this is what they actually look like. Some newlines were deleted while copy-and-pasting these lines. Sorry for the confusion.

Christopher

Re: Sendmail as client via smarthost and ssl
On 28/10/2010 15:25, Christopher Illies wrote:
>> 2010-10-28 14:49, Christopher Illies:
>>> To send email from my computer at work I need to send through a smarthost. In the past I had added the line:
>>>
>>> define(`SMART_HOST', `[smpt.ki.se]')
>>
>> Brackets are only needed for IP addresses. What happens when you remove the brackets, like so
>>
>> define(`SMART_HOST', `your.mail.server')
>
> Nothing changes. I get the same error messages as with the brackets.

I'm a bit late here, but...

All I had to do was add

AuthInfo:relay.isp.net U:smmsp I:username P:PassWord M:PLAIN

to /etc/mail/access and the smarthost directive. I assume from your config this would go in /etc/mail/auth/client-info

From /usr/share/sendmail/cf/README

Providing SMTP AUTH Data when sendmail acts as Client

If sendmail acts as client, it needs some information how to authenticate against another MTA. This information can be provided by the ruleset authinfo or by the option DefaultAuthInfo. The authinfo ruleset looks up {server_name} using the tag AuthInfo: in the access map. If no entry is found, {server_addr} is looked up in the same way and finally just the tag AuthInfo: to provide default values. Note: searches for domain parts or IP nets are only performed if the access map is used; if the authinfo feature is used then only up to three lookups are performed (two exact matches, one default).

(I also set up SSL separately as I'm using plain method but you seem to have that covered.)

Hope that's useful to you.

Vince