Sendmail smtps support

kevin

Mar 20, 2020, 8:08:32 AM

Does Sendmail 8.15.x support client side smtps ?
I can't find any docs about client side smtps support.

Claus Aßmann

Mar 20, 2020, 12:43:46 PM

kevin wrote:
> Does Sendmail 8.15.x support client side smtps ?
> I can't find any docs about client side smtps support.

Which usually means there isn't any...

Exception: an (undocumented) FFR which can be found in conf.c,
but there isn't one for that either.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Claus Aßmann

Mar 22, 2020, 8:09:45 AM

PS: maybe you could write/contribute a patch?
That shouldn't be too hard to do, e.g.,
- add a new mailer flag "this mailer uses smtps"
- if that mailer flag is set, invoke starttls() and
just run the TLS handshake without using the
STARTTLS command.

Grant Taylor

Mar 25, 2020, 11:47:11 PM

That does seem like the cleanest way to do that.

However I wonder if a new mailer using existing functionality might
work. Perhaps something like the following:

Msmtps,         P=/usr/bin/openssl,
                F=mDFMuX,
                S=EnvFromSMTP/HdrFromSMTP,
                R=EnvToSMTP,
                E=\r\n,
                L=990,
                T=DNS/RFC822/SMTP,
                A=openssl s_client -host $h -port 465 -crlf -quiet

I'm just copying the flags from Msmtp. I'm not sure which set of flags
would be best to use. (I'd have to reference documentation to evaluate
each flag.)

This method would require using mailertable (or the likes) to cause
Sendmail to use the smtps mailer.

If this system was only to act as a client and send to an upstream smart
host using SMTPS, it would probably be possible to (copy and) modify the
existing smtp mailer(s) to use this type of P & A.

One thing that I'm not quite sure of is how Sendmail will respond to
OpenSSL printing things to STDERR. The SMTP dialog will happen on STDIN
& STDOUT.

--
Grant. . . .
unix || die
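One way to sanity-check a mailer definition like the one proposed above before it goes into sendmail.cf, written as an added example in Python (it is not code from this thread or from the Sendmail project): it folds the whitespace-continued M line into fields, splits the A= argument list, and reports what a reviewer would raise about using s_client as the transport. By default s_client keeps going after a failed certificate verification, so without -CAfile or -CApath plus -verify_return_error the smart host's identity is never enforced, and -crlf converts the CRLF that E=\r\n already emits into CR CR LF. The hardened variant, its CA bundle path /etc/mail/tls/ca.crt and the -verify_hostname flag (OpenSSL 1.1 or later) are assumptions.

```python
"""Lint an openssl s_client based Sendmail mailer definition (added example)."""
import re
import shlex

# Constructed copy of the Msmtps definition proposed above; continuation
# lines are indented, which is how sendmail.cf joins a multi-line M entry.
PROPOSED_MAILER = """\
Msmtps,\tP=/usr/bin/openssl,
\tF=mDFMuX,
\tS=EnvFromSMTP/HdrFromSMTP,
\tR=EnvToSMTP,
\tE=\\r\\n,
\tL=990,
\tT=DNS/RFC822/SMTP,
\tA=openssl s_client -host $h -port 465 -crlf -quiet
"""

# Hardened variant. Assumptions: the CA bundle path, and OpenSSL >= 1.1
# for -verify_hostname (which checks the presented cert against $h).
HARDENED_MAILER = """\
Msmtps,\tP=/usr/bin/openssl,
\tF=mDFMuX,
\tS=EnvFromSMTP/HdrFromSMTP,
\tR=EnvToSMTP,
\tE=\\r\\n,
\tL=990,
\tT=DNS/RFC822/SMTP,
\tA=openssl s_client -host $h -port 465 -quiet -CAfile /etc/mail/tls/ca.crt -verify_return_error -verify_hostname $h
"""


def parse_mailer(text):
    """Fold a (possibly continued) M line into (name, {field: value})."""
    joined = re.sub(r"\n[ \t]+", " ", text.strip())
    if not joined.startswith("M"):
        raise ValueError("not a mailer definition")
    name, _, rest = joined[1:].partition(",")
    fields = {}
    # Split on ", X=" boundaries only: A= is last and may itself contain commas.
    for part in re.split(r",\s*(?=[A-Z]=)", rest.strip()):
        key, _, value = part.strip().partition("=")
        fields[key] = value
    return name.strip(), fields


def lint_s_client_mailer(text):
    """Return findings (empty list = clean) for an s_client transport mailer."""
    name, fields = parse_mailer(text)
    argv = shlex.split(fields.get("A", ""))
    if argv[:2] != ["openssl", "s_client"]:
        return ["%s: A= does not run openssl s_client" % name]
    findings = []
    if "-quiet" not in argv:
        findings.append("%s: missing -quiet, s_client chatter would enter the SMTP dialog" % name)
    if "-crlf" in argv:
        findings.append("%s: -crlf doubles the CRLF that E=\\r\\n already emits" % name)
    trusts_ca = any(a in ("-CAfile", "-CApath") for a in argv)
    if not trusts_ca or "-verify_return_error" not in argv:
        findings.append("%s: server certificate not enforced (need -CAfile/-CApath and "
                        "-verify_return_error; s_client otherwise continues after a failed verify)" % name)
    if "-verify_hostname" not in argv:
        findings.append("%s: no -verify_hostname, any certificate from the CA is accepted for $h" % name)
    if ("-cert" in argv) != ("-key" in argv):
        findings.append("%s: -cert and -key must be given together" % name)
    return findings


if __name__ == "__main__":
    for label, text in (("proposed", PROPOSED_MAILER), ("hardened", HARDENED_MAILER)):
        print(label, lint_s_client_mailer(text) or ["ok"])
```

Running it prints three findings for the proposed mailer (the -crlf flag, no CA enforcement, no hostname check) and "ok" for the hardened one; the parser is general enough to be pointed at any other M entry copied out of sendmail.cf.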

Claus Aßmann

Mar 26, 2020, 2:25:43 AM

Grant Taylor wrote:

> A=openssl s_client -host $h -port 465 -crlf -quiet

Interesting idea -- have you tried it?
Let us know how it works!

Grant Taylor

Mar 26, 2020, 12:29:17 PM

On 3/26/20 12:25 AM, Claus Aßmann wrote:
> Interesting idea -- have you tried it?

No, I have not tried it /yet/.

To be perfectly honest, I assumed that there was something I was
overlooking and that it wouldn't work. I was counting on you informing
me of my ignorance Claus. ;-)

I also didn't want to disrupt my main mail server.

> Let us know how it works!

I'll poke things on another server as soon as time permits.

Grant Taylor

Mar 29, 2020, 10:33:35 PM

TL;DR: It works.

On 3/26/20 10:29 AM, Grant Taylor wrote:
> No, I have not tried it /yet/.

I have now tested using OpenSSL's s_client as an SMTPS mailer for
Sendmail and got it working.

Not only did I get it working, but I got it working with client
certificate and key to authenticate with the smart host to allow relaying.

> To be perfectly honest, I assumed that there was something I was
> overlooking and that it wouldn't work.  I was counting on you informing
> me of my ignorance Claus.  ;-)

Sometimes it's best to try things and see what happens. ;-)

> I also didn't want to disrupt my main mail server.

It's nice having multiple servers that aren't production mail servers to
test things on. }:-)

> I'll poke things on another server as soon as time permits.

I did have to remove the "-crlf" option to get things to work properly.
Things would start working with it, but would hang after the closing dot.

Here's what I currently have on the system that I'm testing things on:

Mrelay,         P=/usr/bin/openssl,
                F=mDFMuXa8,
                S=EnvFromSMTP/HdrFromSMTP,
                R=MasqSMTP,
                E=\r\n,
                L=2040,
                T=DNS/RFC822/SMTP,
                A=openssl s_client -host $h -port 465 -quiet -cert /etc/mail/tls/server.crt -key /etc/mail/tls/server.key

For testing I edited sendmail.cf directly — I know, shame on me.

I was able to test the following define(…) statement to confirm
that it produces the proper mailer arguments (A=) line.

define(`RELAY_MAILER_ARGS', `openssl s_client -host $h -port 465 -quiet -cert confCLIENT_CERT -key confCLIENT_KEY')dnl

Aside: I really like how it's possible to re-use the existing macros to
specify the client cert and key.

Note: I don't know how to specify that the relay mailer should use
"/usr/sbin/openssl" instead of "[IPC]" for the program path (P=). But,
I don't think that's strictly necessary for a proof of concept to make
Sendmail be an SMTPS client.

Finally, here's the access entries that I'm using to allow relaying
based on client certificate:

CERTISSUER:/C=US/O=Let's+20Encrypt/CN=Let's+20Encrypt+20Authority+20X3	SUBJECT
CERTSUBJECT:/CN=server.example.com	RELAY

CERTISSUER:…SUBJECT tells Sendmail to search for a CERTSUBJECT entry
with a subject that matches the client certificate's subject. If said
CERTSUBJECT entry is RELAY, then the client is allowed to relay. }:-)
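As an added example (Python; not part of the thread or of Sendmail itself) of the CERTISSUER to CERTSUBJECT lookup described above: it stores the two access entries, encodes a certificate DN with sendmail's +HH convention so that the lookup key matches, and only grants RELAY when the MTA has verified the client certificate and both entries agree. The +HH character set (space, +, <, >, parentheses, double quotes and anything non-printable, as documented in cf/README) and the verified flag are assumptions about how the real ruleset behaves; the point is that an unverified certificate, an unknown issuer or a mismatched subject all fall through to REJECT.

```python
"""Evaluate Sendmail CERTISSUER/CERTSUBJECT access entries (added example)."""

# Constructed access entries modelled on the ones in the post; the access
# map is key<TAB>value, and the issuer entry is one line.
ACCESS_ENTRIES = """\
CERTISSUER:/C=US/O=Let's+20Encrypt/CN=Let's+20Encrypt+20Authority+20X3\tSUBJECT
CERTSUBJECT:/CN=server.example.com\tRELAY
"""

# Constructed DNs as the MTA would see them in the client certificate.
ISSUER_DN = "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3"
SUBJECT_DN = "/CN=server.example.com"

# Characters sendmail rewrites as +HH in {cert_issuer}/{cert_subject}
# (assumption: the set given in cf/README, plus anything non-printable).
_ENCODED = set(' <>()"+')


def encode_dn(dn):
    """Encode a DN the way it appears in {cert_subject}, e.g. space -> +20."""
    return "".join(
        "+%02X" % ord(ch) if ch in _ENCODED or not ch.isprintable() else ch
        for ch in dn
    )


def parse_access(text):
    """Parse key<TAB>value access lines into a dict; '#' lines are comments."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition("\t")
        table[key.strip()] = value.strip()
    return table


def relay_decision(access, issuer_dn, subject_dn, verified=True):
    """Mimic the issuer -> subject lookup; return "RELAY" or "REJECT".

    verified is whether the MTA reported ${verify} == OK for the client
    certificate; the access map is consulted only for verified certs.
    """
    if not verified:
        return "REJECT"
    issuer_rule = access.get("CERTISSUER:" + encode_dn(issuer_dn))
    if issuer_rule == "RELAY":           # every cert from this issuer may relay
        return "RELAY"
    if issuer_rule != "SUBJECT":         # unknown issuer: no relaying
        return "REJECT"
    subject_rule = access.get("CERTSUBJECT:" + encode_dn(subject_dn))
    return "RELAY" if subject_rule == "RELAY" else "REJECT"


if __name__ == "__main__":
    access = parse_access(ACCESS_ENTRIES)
    print(relay_decision(access, ISSUER_DN, SUBJECT_DN))               # RELAY
    print(relay_decision(access, ISSUER_DN, "/CN=other.example.com"))  # REJECT
```

The encoding step is the part that bites in practice: a CERTSUBJECT key typed with literal spaces never matches, because the MTA's own value carries +20 instead.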

deniya...@gmail.com

Nov 3, 2020, 4:39:17 AM