OSEC

Sendmail Configuration Question

From: Aaron Hsu (arcfidesacrificumdeo.net)
Date: Sun Sep 02 2007 - 02:44:18 CDT


Goal: Configure my laptop's sendmail as a client to connect securely to my
remotely configured (sendmail VPS Slackware) mail relay server using port 587.

I am running the latest (as of a few days ago) OpenBSD snapshot on a Macbook
Pro Intel Core Duo 2.16GHz 17". Below you can find a copy of my .mc file.

What I tried: setting up the .mc file to use a SMART_HOST with
mailer_relay_args customized to use port 587, enabled masquerading, and added
a line to use the access_db. Added AuthInfo lines to the access map, of the
form:

        AuthInfo:smtp.sacrificumdeo.net "U:unamesacrificumdeo.net" \
                "P:my_pass"

[Line breaks are artificial and marked by `\'.]

I also added similar lines that use vps.sacrificumdeo.net and
sacrificumdeo.net as names. Additionally, I set another entry with the ip
address. I also configured a default AuthInfo (blank) with the same
authentication information.

I did not configure certs, because by the time I realized that I would
eventually want to do this, I realized, that there was another problem.
OpenBSD's compilation of sendmail does not seem to have SASL compiled into it.
This would mean that I could not do SMTP AUTH. [1]

This means that I can't do what I was originally thinking, unless someone
points me in another direction. It makes sense, of course, because I continued
to get 530 Authentication required errors, which suggests that the sendmail
client has no idea how to authenticate.

Now, my question is, how can I configure this? I was thinking that it might be
possible just using STARTTLS. Is this a proper assumption? If I configured the
right certificates and what not, I could authenticate on the basis of
STARTTLS, and wouldn't have to rely on sasl at all? Is this the recommended
way to configure something like this?

Here is a telnet session to my mailhost:

arcfide:1$ telnet smtp.sacrificumdeo.net 587
Trying 69.12.222.205...
Connected to smtp.sacrificumdeo.net.
Escape character is '^]'.
220 vps.sacrificumdeo.net ESMTP Sendmail 8.14.1/8.14.1; Sun, 2 Sep 2007
02:37:07 -0500
EHLO illuminus.local
250-vps.sacrificumdeo.net Hello h-68-164-11-81.chcgilgm.dynamic.covad.net
[68.164.11.81], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
QUIT
221 2.0.0 vps.sacrificumdeo.net closing connection
Connection closed by foreign host.
arcfide:2$

Output from a sendmail info dump on my local machine:

arcfide:2$ sudo /usr/sbin/sendmail -d0.1 -bv root
Version 8.14.1
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF
                STARTTLS TCPWRAPPERS USERDB XDEBUG
Warning: Option: AuthMechanisms requires SASL support (-DSASL)

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = illuminus
  (canonical domain name) $j = illuminus.local
         (subdomain name) $m = local
              (node name) $k = illuminus.local
========================================================

arcfide... deliverable: mailer local, user arcfide
arcfide:3$

And here is a copy of my .mc file:

divert(-1)
#
# Copyright (c) 1998 Sendmail, Inc. All rights reserved.
# Copyright (c) 1983 Eric P. Allman. All rights reserved.
# Copyright (c) 1988, 1993
# The Regents of the University of California. All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

#
# This configuration only runs sendmail on the localhost interface.
# This allows mail on the local host to work without accepting
# connections from the net at large.
#

divert(0)dnl
VERSIONID(`(#)openbsd-localhost.mc $Revision: 1.4 $')
OSTYPE(openbsd)dnl
dnl define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`SMART_HOST', `smtp.earthlink.net')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
MASQUERADE_AS(`sacrificumdeo.net')dnl
FEATURE(`local_no_masquerade')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')dnl
FEATURE(nouucp, `reject')dnl
FEATURE(`accept_unresolvable_domains')dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, address=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet6, address=::1, Name=MTA6, M=O')dnl
DAEMON_OPTIONS(`Family=inet, address=127.0.0.1, Port=587, Name=MSA, M=E')dnl
DAEMON_OPTIONS(`Family=inet6, address=::1, Port=587, Name=MSA6, M=O, M=E')dnl
CLIENT_OPTIONS(`Family=inet6, Address=::')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
dnl
dnl Some broken nameservers will return SERVFAIL (a temporary failure)
dnl on T_AAAA (IPv6) lookups.
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
MAILER(local)dnl
MAILER(smtp)dnl

(Notice that I have changed the mailer relay args and smart host sections to
something that works for the moment.)

Can anyone help me?

Thank you very much.

- Aaron

[1] Information from #sendmailirc.freenode.net
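The two captures in the post (the EHLO reply from the relay and the "Compiled with:" list from the local sendmail) already contain everything needed to decide which authentication paths are available. The following is an added example, not code from the post or from sendmail: it parses both captures and reports whether STARTTLS is offered end to end, whether SMTP AUTH is usable at all without SASL in the client, and which advertised mechanisms would expose the password on a session that is not wrapped in TLS. The sample inputs are copied from the post; the function names and the report fields are this example's own.

```python
import re
# EHLO reply copied from the telnet session in the post above, used here as sample input
EHLO_REPLY = """\
250-vps.sacrificumdeo.net Hello h-68-164-11-81.chcgilgm.dynamic.covad.net [68.164.11.81], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP"""
# "Compiled with:" block copied from the sendmail -d0.1 output in the post
SENDMAIL_DUMP = """\
Version 8.14.1
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF
                STARTTLS TCPWRAPPERS USERDB XDEBUG
Warning: Option: AuthMechanisms requires SASL support (-DSASL)"""
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # these send the password itself; only safe inside TLS

def parse_ehlo(reply):
    """Map each advertised EHLO extension to its arguments (RFC 5321 multi-line reply)."""
    exts = {}
    for i, line in enumerate(reply.splitlines()):
        m = re.match(r"250([ -])(.*)$", line)
        if not m:
            raise ValueError("not an EHLO reply line: %r" % line)
        if i > 0:  # line 0 is the greeting, not an extension
            words = m.group(2).split()
            exts[words[0].upper()] = [w.upper() for w in words[1:]]
        if m.group(1) == " ":
            break  # "250 " (space) marks the final line of the reply
    return exts

def compiled_features(dump):
    """Return the feature set listed after 'Compiled with:' in sendmail -d0.1 output."""
    m = re.search(r"Compiled with:(.*?)(?:\n(?=\S)|\Z)", dump, re.S)
    return set(m.group(1).split()) if m else set()

def assess(exts, features):
    """Report which authentication paths this client/server pair actually supports.
    unsafe_here lists cleartext mechanisms that would leak the password without TLS."""
    mechs = exts.get("AUTH", [])
    starttls = "STARTTLS" in exts and "STARTTLS" in features
    return {
        "starttls_possible": starttls,
        "smtp_auth_possible": bool(mechs) and "SASL" in features,
        "unsafe_here": sorted(set(mechs) & CLEARTEXT_MECHS) if not starttls else [],
        "challenge_response": sorted(set(mechs) - CLEARTEXT_MECHS),
    }
```

Run against the captures from the post, the report shows the relay advertising only challenge-response mechanisms and no STARTTLS, while the local binary lists STARTTLS but not SASL, which matches the 530 errors described above.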