> On Thu, 01.12.2005 at 17:13, Hongwei Li wrote:
>
>> > http://www.joreybump.com/code/howto/smtpauth.html
>> My system is fc3 linux, using sendmail-8.13.1-2 as email server.
>
> Ok, so the path to the SSL certs is the old one, which changed first
> with FC4.
>
>> I followed the steps on that web page:
>>
>> # cd /usr/share/ssl/certs/
>> # make sendmail.pem
>> ... (I put our server's fully qualified domain name for the Common Name
>> prompt)
>
> Good.
>
>> # chkconfig saslauthd on
>> # service saslauthd restart
>
> The saslauthd restart wasn't necessary.
>
>> # cd /etc/mail/
>> # vi sendmail.mc
>> (changes:
>>
>> define(`confAUTH_OPTIONS', `A p y')dnl
>
> Fine, that enables AUTH, forbids anonymous and enforces a secure
> connection requirement for weak auth mechanisms LOGIN and PLAIN.
>
>> TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
>> define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
>
> Ok.
>
>> define(`confCACERT_PATH',`/usr/share/ssl/certs')
>> define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
>> define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
>> define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
>
> Looks good.
>
>> define(`confLOG_LEVEL', `14')dnl
>
> For debugging the changed log_level is fine.
>
>> # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
>> # service sendmail restart
>
> The service restart includes an automatic rebuilding of the .cf files if
> changes of the .mc files are detected.
>
>> Then, I set a guest Outlook account by checking the boxes under Advanced
>> Setting page:
>>
>> Incoming server (POP3) -- This server requires an encrypted connection (SSL)
>> -- the port changes from 110 to 995
>
> That has nothing to do with the MTA part. So if you want to provide
> secure POP3 connection - like through dovecot - that service has to be
> configured for that as well, and has to know about a certificate to use.

-- yes, I have enabled secure pop3 through dovecot and the port 995 is opened in iptables.
>> Outgoing server (SMTP) -- This server requires an encrypted connection (SSL)
>> -- the port number remains as 25
>
> Correct. Do not select "Secure Password Authentication" (SPA) if that is
> offered somewhere in the client's menu. Else authentication will fail.

-- no, I did not select this.

>> When I check the incoming emails, it shows the message about server
>> certificate. I click Yes to continue, then it received all incoming emails.
>
> The client may show you that message always, unless you import the CA's
> certificate into your client.
>
>> However, when I try to send email out, I first see the message:
>> "An encrypted email connection has been detected...." I click OK, but
>> failed sending email out. The error message is:
>>
>> ... error (0x800CCC7D): "Your outgoing (SMTP) server does not support
>> SSL-encrypted connection....
>
> Hm, it may be advised to restart Outlook / OE. You too should clear the
> SSL cache. Because of the integration of different applications you
> reach this option through the Internet Exploder options menu. A different
> reason for that problem can be an anti-virus scanner running in the
> background. Well known for this broken (for years) and probably never
> fixed behaviour is Norton Antivirus.
> Of course, before trying any "tricks", be sure you have the latest
> version of OE on your system.
>
>> The system maillog shows:
>> ...
>> Dec 1 10:07:52 morpheus sendmail[26574]: jB1G7ogu026574: Milter accept: message
>> Dec 1 10:07:52 morpheus sendmail[26578]: jB1G7pt6026578: [128.252.85.103] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>> Dec 1 10:07:52 morpheus sendmail[26602]: NOQUEUE: connect from [128.252.85.103]
>> Dec 1 10:07:52 morpheus sendmail[26602]: AUTH: available mech=CRAM-MD5 DIGEST-MD5, allowed mech=LOGIN PLAIN
>
> That does not look correct. Both MD5 mechs shouldn't be listed due
> to your configuration.

-- where should I change?
I checked sendmail.mc, but could not find which line to change.

>> Did I miss something? Thanks for all help!
>>
>> Hongwei
>
> You can debug the situation by directly accessing the Sendmail MTA on
> the command line:
>
> telnet <sendmail host> 25
> ehlo foo.bar
> -> server will print out some info; the interesting part is the one behind
> "250-AUTH": it shouldn't list anything now.
>
> Then run in SSL mode:
>
> openssl s_client -connect <sendmail host>:25 -starttls smtp
>
> That should print out a lot of lines which tell you something about
> encryption going on. It finally will give you again the greet message of
> Sendmail. Then enter again:
>
> ehlo foo.bar
>
> ... and watch out for an AUTH line. It now must offer you "250-AUTH
> LOGIN PLAIN". You end the session by entering QUIT.
>
> If things aren't fixed now, then run "service sendmail restart" and
> watch the /var/log/maillog for any errors / problems reported during
> daemon startup.
>
> Alexander

Below is what I did and got.

# telnet morpheus.wustl.edu 25
Trying 128.252.85.129...
Connected to morpheus.wustl.edu (128.252.85.129).
Escape character is '^]'.
220 morpheus.wustl.edu ESMTP Sendmail 8.13.1/8.13.1; Thu, 1 Dec 2005 11:38:28 -0600
ehlo foo.bar
250-morpheus.wustl.edu Hello morpheus.wustl.edu [128.252.85.129], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 morpheus.wustl.edu closing connection
Connection closed by foreign host.
#
# openssl s_client -connect morpheus.wustl.edu:25 -starttls smtp
CONNECTED(00000003)
depth=0 /C=US/ST=Missouri/L=Saint Louis/O=Washington University/OU=Research Unit/CN=morpheus.wustl.edu/emailAddress=root@xxxxxxxxxxxxxxxxxx
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Missouri/L=Saint Louis/O=Washington University/OU=Research Unit/CN=morpheus.wustl.edu/emailAddress=root@xxxxxxxxxxxxxxxxxx
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Missouri/L=Saint Louis/O=Washington University/OU=Research Unit/CN=morpheus.wustl.edu/emailAddress=root@xxxxxxxxxxxxxxxxxx
   i:/C=US/ST=Missouri/L=Saint Louis/O=Washington University/OU=Research Unit/CN=morpheus.wustl.edu/emailAddress=root@xxxxxxxxxxxxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID9DCCA12gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBszELMAkGA1UEBhMCVVMx
...
-----END CERTIFICATE-----
subject=/C=US/ST=Missouri/L=Saint Louis/O=Washington University/OU=Research Unit/CN=morpheus.wustl.edu/emailAddress=root@morpheus.wustl.edu
issuer=/C=US/ST=Missouri/L=Saint Louis/O=Washington University/OU=Research Unit/CN=morpheus.wustl.edu/emailAddress=root@xxxxxxxxxxxxxxxxxx
---
Acceptable client certificate CA names
/C=US/ST=Utah/L=Salt Lake City/O=Xcert EZ by DST/CN=Xcert EZ by DST/emailAddress=ca@xxxxxxxxxxxxxxx
/C=US/O=Digital Signature Trust Co./OU=DST (ANX Network) CA
/C=US/O=American Express Company, Inc./OU=American Express Technologies/CN=American Express Certificate Authority
...
/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=RHN Certificate Authority/emailAddress=rhn-noc@xxxxxxxxxxxxxxxx
---
handshake has read 10759 bytes and written 298 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 74250E3AB88FE415C19840AA00EA329F8405503621B7234B3643156814DDE944
    Session-ID-ctx:
    Master-Key: B82FCB44A32F94E5E842EB2D6DA844F17CFD5A5E8A1A6E97F634D80E38F072B57025F11C4D5D3E2839051E57DAF8FA01
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1133458889
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 morpheus.wustl.edu ESMTP Sendmail 8.13.1/8.13.1; Thu, 1 Dec 2005 11:41:29 -0600
ehlo foo.bar
250-morpheus.wustl.edu Hello morpheus.wustl.edu [128.252.85.129], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 morpheus.wustl.edu closing connection
closed
#

I cleaned the SSL cache, cookies, etc., restarted Outlook / OE, and tested it on 3 different computers, but still got the same error. Also, when I try OE, the error message is:

Unable to establish SSL connection with the server. Account "morpheus", Server: "morpheus.wustl.edu', Protocol: SMTP, Server Response: '454 TLS not available due to temporary reason', Port: 25, Secure(SSL): Yes, Server Error: 454, Error Number: 0x800CCC7F

Could you give me more help? Thanks!

Hongwei
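The telnet / openssl s_client check Alexander describes (no 250-AUTH line before STARTTLS, "250-AUTH LOGIN PLAIN" after it) can be scripted so it is repeatable after every sendmail.mc change. The following is an added example, not code from the thread or from sendmail: it parses EHLO replies, reports violations of the `A p y` policy, splits the maillog "AUTH: available mech=..., allowed mech=..." line into the two mechanism lists, and can run the same assessment live via smtplib. The two EHLO replies and the log line are transcribed from the sessions quoted above as constructed samples; `probe.example` is a placeholder client name, and `probe_server()` is not exercised offline.

```python
"""Check an SMTP server's AUTH-only-after-STARTTLS policy from EHLO replies.

Added example, not part of the original thread. Samples below are
transcribed from the telnet and openssl s_client sessions in the thread.
"""
import smtplib
import ssl

# Constructed sample: EHLO reply on the plaintext connection (telnet session).
EHLO_PLAINTEXT = """\
250-morpheus.wustl.edu Hello morpheus.wustl.edu [128.252.85.129], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
"""

# Constructed sample: EHLO reply after STARTTLS (openssl s_client session).
EHLO_AFTER_STARTTLS = EHLO_PLAINTEXT.replace("250-STARTTLS", "250-AUTH LOGIN PLAIN")

# Constructed sample: the sendmail maillog line quoted in the thread.
MAILLOG_AUTH_LINE = ("Dec 1 10:07:52 morpheus sendmail[26602]: AUTH: available "
                     "mech=CRAM-MD5 DIGEST-MD5, allowed mech=LOGIN PLAIN")


def parse_ehlo(reply: str) -> dict[str, list[str]]:
    """Map each advertised EHLO keyword to its parameters.

    The first 250 line is the greeting, not a feature, and is skipped.
    AUTH may appear as "AUTH LOGIN PLAIN" or the legacy "AUTH=LOGIN PLAIN";
    both are normalised to one upper-cased mechanism list.
    """
    features: dict[str, list[str]] = {}
    greeting_seen = False
    for raw in reply.splitlines():
        line = raw.strip()
        if not line.startswith("250"):
            continue
        if not greeting_seen:
            greeting_seen = True
            continue
        body = line[4:].strip().replace("=", " ", 1)  # drop "250-" / "250 "
        if not body:
            continue
        keyword, *params = body.split()
        # A server may send several AUTH lines; merge their mechanisms.
        features.setdefault(keyword.upper(), []).extend(p.upper() for p in params)
    return features


def assess_auth_policy(before_tls, after_tls, allowed=("LOGIN", "PLAIN")):
    """Return findings for the 'A p y' policy; an empty list means it holds."""
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not advertised on the plaintext connection")
    if before_tls.get("AUTH"):
        findings.append("AUTH offered before STARTTLS: " + " ".join(before_tls["AUTH"]))
    offered = set(after_tls.get("AUTH", []))
    if not offered:
        findings.append("no AUTH mechanisms offered after STARTTLS")
    unexpected = sorted(offered - set(allowed))
    if unexpected:
        findings.append("unexpected AUTH mechanisms after STARTTLS: " + " ".join(unexpected))
    return findings


def parse_sendmail_auth_log(line: str) -> tuple[list[str], list[str]]:
    """Split an 'AUTH: available mech=..., allowed mech=...' line into two lists."""
    rest = line.split("AUTH: available mech=", 1)[1]
    available, allowed = rest.split(", allowed mech=", 1)
    return available.split(), allowed.split()


def usable_mechanisms(line: str) -> list[str]:
    """Mechanisms a client could actually use: allowed AND available."""
    available, allowed = parse_sendmail_auth_log(line)
    return [m for m in allowed if m in available]


def probe_server(host: str, port: int = 25, verify: bool = True) -> list[str]:
    """Run assess_auth_policy() against a live server (not run offline).

    verify=False is only for inspecting a self-signed server like the one in
    the thread; the disabled verification is then reported as a finding.
    """
    def features_of(conn):
        # smtplib lower-cases keywords; AUTH params may carry a legacy "=".
        return {k.upper(): v.replace("=", " ").split() for k, v in conn.esmtp_features.items()}

    with smtplib.SMTP(host, port, timeout=15) as conn:
        conn.ehlo("probe.example")           # placeholder client name
        before = features_of(conn)
        context = ssl.create_default_context()
        if not verify:
            context.check_hostname = False
            context.verify_mode = ssl.CERT_NONE
        conn.starttls(context=context)
        conn.ehlo("probe.example")           # features are reset after STARTTLS
        after = features_of(conn)
    findings = assess_auth_policy(before, after)
    if not verify:
        findings.append("certificate verification was disabled for this probe")
    return findings


if __name__ == "__main__":
    print(assess_auth_policy(parse_ehlo(EHLO_PLAINTEXT), parse_ehlo(EHLO_AFTER_STARTTLS)))
    print(usable_mechanisms(MAILLOG_AUTH_LINE))
```

On the two transcribed replies the assessment returns no findings, which matches Alexander's reading of the openssl session. For the quoted maillog line, `usable_mechanisms()` returns an empty list, because the mechanisms sendmail reports as available (CRAM-MD5, DIGEST-MD5) and those it allows (LOGIN, PLAIN) do not overlap in that log entry; the script only reports that fact, it does not diagnose the later 454 error.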