
sendmail with ssl (port 465)


Ashraf Mahmoud

Jun 19, 2009, 2:34:13 PM
I am running RedHat EL5 and sendmail-8.13.8-2.el5. With my current
setup, users can send with TLS port 25 from almost anywhere. There
are ISPs that block port 25 except for their own servers.

I'm trying to configure sendmail to send with SSL port 465 to avoid
the port blocking. However, when I un-comment the following line in
sendmail.mc, make, and restart sendmail:

dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

I can send from anywhere but only receive from mail sent locally.
When I try to send using a different server, i.e. mail from outside, I
get:

sendmail[32683]: n5J7lgej032682: to=m...@a.b.c, delay=00:00:00,
xdelay=00:00:00, mailer=esmtp, pri=32376, relay=my.server.
[my.ip.address], dsn=4.0.0, stat=Deferred: Connection refused by
my.server.

What am I missing?

Thanks

Ashy

Grant Taylor

Jun 19, 2009, 2:55:06 PM
On 06/19/09 13:34, Ashraf Mahmoud wrote:
> I am running RedHat EL5 and sendmail-8.13.8-2.el5. With my current
> setup, users can send with TLS port 25 from almost anywhere. There
> are ISPs that block port 25 except for their own servers.

*nod*

Start using the Mail Submission Agent (a.k.a. MSA) on port 587 in
addition to your MTA on port 25.

> I'm trying to configure sendmail to send with SSL port 465 to avoid
> the port blocking. However, when I un-comment the following line in
> sendmail.mc, make, and restart sendmail:

It is my (mis)understanding that SMTPS is considered a red-headed step
child that should be used as a last resort. I.e. if you have the
option, choose MSA with TLS over SMTPS.

> dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>
> I can send from anywhere but only receive from mail sent locally.
> When I try to send using a different server, i.e. mail from outside,
> I get:
>
> sendmail[32683]: n5J7lgej032682: to=m...@a.b.c, delay=00:00:00,
> xdelay=00:00:00, mailer=esmtp, pri=32376, relay=my.server.
> [my.ip.address], dsn=4.0.0, stat=Deferred: Connection refused by
> my.server.

*nod*

> What am I missing?

I bet that you are accidentally turning off your MTA DaemonPort. You
will probably need to have multiple DAEMON_OPTIONS, one for SMTP and
SMTPS. I'd also recommend that you throw one in for MSA as well.

Grant. . . .

Andrzej Adam Filip

Jun 19, 2009, 3:11:24 PM
Ashraf Mahmoud <ashraf.ma...@gmail.com> wrote:

1) What is reported by the command below?
grep DaemonPortOptions /etc/mail/sendmail.cf

http://www.sendmail.org/faq/section5#5.3.1.3
Why can't I receive mail with Red Hat 7.1 and later?

2) Why have you considered using MSA port (587) for messages submitted
by (authenticated) users?

--
[pl>en Andrew] Andrzej Adam Filip : an...@onet.eu : Andrze...@gmail.com
Open-Sendmail: http://open-sendmail.sourceforge.net/
Ten persons who speak make more noise than ten thousand who are silent.
-- Napoleon I

Ashraf Mahmoud

Jun 20, 2009, 3:28:58 PM
On Jun 19, 2:55 pm, Grant Taylor <gtay...@riverviewtech.net> wrote:
> On 06/19/09 13:34, Ashraf Mahmoud wrote:
>
> > I am running RedHat EL5 and sendmail-8.13.8-2.el5.  With my current
> > setup, users can send with TLS port 25 from almost anywhere.  There
> > are ISPs that block port 25 except for their own servers.
>
> *nod*
>
> Start using the Mail Submission Agent (a.k.a. MSA) on port 587 in
> addition to your MTA on port 25.
>
> > I'm trying to configure sendmail to send with SSL port 465 to avoid
> > the port blocking.  However, when I un-comment the following line in
> > sendmail.mc, make, and restart sendmail:
>
> It is my (mis)understanding that SMTPS is considered a red-headed step
> child that should be used as a last resort.  I.e. if you have the
> option, choose MSA with TLS over SMTPS.
>
> > dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>
> > I can send from anywhere but only receive from mail sent locally.
> >  When I try to send using a different server, i.e. mail from outside,
> > I get:
>
> > sendmail[32683]: n5J7lgej032682: to=m...@a.b.c, delay=00:00:00,
> > xdelay=00:00:00, mailer=esmtp, pri=32376, relay=my.server.
> > [my.ip.address], dsn=4.0.0, stat=Deferred: Connection refused by
> > my.server.
>
> *nod*
>
> > What am I missing?
>
> I bet that you are accidentally turning off your MTA DaemonPort.  You
> will probably need to have multiple DAEMON_OPTIONS, one for SMTP and
> SMTPS.  I'd also recommend that you throw one in for MSA as well.
>
> Grant. . . .

Thanks Grant,

I'm not a sendmail expert. Can you send the code I need to add to
sendmail.mc?

BTW, the result of:

grep DaemonPortOptions /etc/mail/sendmail.cf

is:

O DaemonPortOptions=Name=MTA

This is for the config that works without SSL.

Just to be clear. To enable SSL, I only uncommented the one line. I
want to send with SSL for authenticated users and receive from
anywhere. When I tested, I could send to myself and receive the
message. When I tried to send to myself from my gmail account, the
message would bounce (or be held) until I changed the setting back to
TLS.

I think your answer should work. I'm just not sure how to implement
it. I was thinking of brute forcing it by having one server for sending
and one for receiving (not ideal).

One more thing. I'm forcing users to use Thunderbird as their email
client.

Thanks again,

Ashy

Grant Taylor

Jun 20, 2009, 4:14:02 PM
Ashraf Mahmoud wrote:
> Thanks Grant,

No problem.

> I'm not a sendmail expert. Can you send the the code I need to add
> to sendmail.mc?

I have the following lines spread across two different .mc / .cf files.
(I've split my MSA and MTA functions across two different daemons for
a special config that we are running.)

DAEMON_OPTIONS(`Address=<IP>, Port=25, Name=MTA-Inbound')
DAEMON_OPTIONS(`Address=127.0.0.1, Port=25, Name=MTA-Inbound-Local')

and

DAEMON_OPTIONS(`Address=127.0.0.1, Port=587, Name=MSA-Relay, M=Ea')
DAEMON_OPTIONS(`Address=<IP>, Port=587, Name=MSA-Relay, M=Ea')

Note: You will need to either remove the "Address=<IP>, " portion or
enter your IP address if you want to bind to a specific IP. You may
also want to adjust the "Name=...," to your liking. (These are both
artifacts from my special config and are not default.)

> BTW, the result of:
>
> grep DaemonPortOptions /etc/mail/sendmail.cf
>
> is:
>
> O DaemonPortOptions=Name=MTA
>
> This is for the config that works without SSL.

*nod* This is typical for a normal config. I'd be curious what the
output was when you had it configured for SSL.

> Just to be clear. To enable SSL, I only uncommented the one line. I
> want to send with SSL for authenticated users and receive from
> anywhere. When I tested, I could send to myself and receive the
> message. When I tried to send to myself from my gmail account, the
> message would bounce (or be held) until I changed the setting back to
> TLS.

*nod*

I think you (accidentally) changed your (clear text) SMTP MTA on port 25
to be an (encrypted) SMTPS MTA on port 25, thereby not being compatible
with what the world was expecting. The kicker being SSL encapsulation
of SMTP on port 25 rather than normal SMTPS MTA on port 465. This is
also one of the reasons that SMTP with TLS (encryption within the SMTP
protocol as opposed to the transport) is preferred. With SMTP with
TLS you don't have as many ports (DaemonPortOptions) to work with and
things are still compatible with standards.

> I think your answer should work. I'm just not sure how to implement
> it. I was thinking of brute forcing it by have one server for
> sending and one for receiving (not ideal).

*chuckle*

Sounds like you've been in situations where a boss says "I don't care
what it takes, just make it work /before/ you leave for the day!".
(Don't you just love those types of bosses.)

Running multiple servers is indeed sub-optimal. The only reason that I
have the two separate daemons is so that I can have customers send to my
server (for outbound relay) via the MSA at whatever speed connection
they are on. Once the MSA has the email, it will burp it to the MTA
which is virus scanning (via ClamAV) and not have to worry about milter
timeouts over how long it took the "avian carriers" or "bongo drums" to
send the email.

> One more thing. I'm forcing users to use Thunderbird as their email
> client.

Good luck with that.

I've had to support a range of versions of Microsoft / Mozilla
(Netscape) / Apple / other MUAs over the years. More and more so I'm
finding that so called smart phones are rather dumb.

> Thanks again,

You are welcome.

Grant. . . .

Ashraf Mahmoud

Jun 20, 2009, 5:09:54 PM

Something is still wrong, I added these lines to sendmail.mc and did a
make. The nnn are my address.

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

DAEMON_OPTIONS(`Address=nnn.nnn.nnn.nnn, Port=25, Name=vision-inbound')
DAEMON_OPTIONS(`Address=127.0.0.1, Port=25, Name=vision-Inbound-Local')

DAEMON_OPTIONS(`Address=127.0.0.1, Port=587, Name=MSA-Relay, M=Ea')
DAEMON_OPTIONS(`Address=nnn.nnn.nnn.nnn, Port=587, Name=MSA-Relay, M=Ea')

Restarting sendmail results in:
Shutting down sm-client: [ OK ]
Shutting down sendmail: [FAILED]
Starting sendmail: 554 5.0.0 /etc/mail/sendmail.cf: line 54: unknown
configuration line "
"
[FAILED]
Starting sm-client: [ OK ]

This is the result of the grep with the changes:
O DaemonPortOptions=Port=smtps, Name=TLSMTA, M=s
O DaemonPortOptions=Address=nnn.nnn.nnn.nnn, Port=25, Name=vision-inbound
O DaemonPortOptions=Address=127.0.0.1, Port=25, Name=vision-Inbound-Local
O DaemonPortOptions=Address=127.0.0.1, Port=587, Name=MSA-Relay, M=Ea
O DaemonPortOptions=Address=nnn.nnn.nnn, Port=587, Name=MSA-Relay, M=Ea

When I comment out the added lines everything works fine.

Ashy


Grant Taylor

Jun 20, 2009, 5:17:38 PM
Ashraf Mahmoud wrote:
> Something is still wrong, I added these line to sendmail.mc and did a
> make. The nnn are my address.
>
> DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
> DAEMON_OPTIONS(`Address=nnn.nnn.nnn.nnn, Port=25, Name=vision-inbound')
> DAEMON_OPTIONS(`Address=127.0.0.1, Port=25, Name=vision-Inbound-Local')

> DAEMON_OPTIONS(`Address=127.0.0.1, Port=587, Name=MSA-Relay, M=Ea')
> DAEMON_OPTIONS(`Address=nnn.nnn.nnn.nnn, Port=587, Name=MSA-Relay, M=Ea')
>
> Restarting sendmail results in:
> Shutting down sm-client: [ OK ]
> Shutting down sendmail: [FAILED]
> Starting sendmail: 554 5.0.0 /etc/mail/sendmail.cf: line 54: unknown
> configuration line "
> "
> [FAILED]
> Starting sm-client: [ OK ]

Hum.

> This is the result of the grep with the changes:
> O DaemonPortOptions=Port=smtps, Name=TLSMTA, M=s
> O DaemonPortOptions=Address=nnn.nnn.nnn.nnn, Port=25, Name=vision-inbound
> O DaemonPortOptions=Address=127.0.0.1, Port=25, Name=vision-Inbound-Local
> O DaemonPortOptions=Address=127.0.0.1, Port=587, Name=MSA-Relay, M=Ea
> O DaemonPortOptions=Address=nnn.nnn.nnn, Port=587, Name=MSA-Relay, M=Ea

Try setting your port for your TLSMTA to the number "465" rather than the
string "smtps". (I'd be curious if "smtps" exists in your /etc/services
file or not.) I don't know if Sendmail will translate from human
readable service / port names to port numbers or not.

> When I comment out the added lines everything works fine.

I bet you can simply comment out your TLSMTA line and things work fine too.

Grant. . . .
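
The checks Grant's replies point at (that adding DAEMON_OPTIONS must not lose the plain port-25 MTA, that SSL-on-connect belongs on 465 rather than wrapping port 25, and that a Port= given as a service name only works if the services file knows it) can be run mechanically against the output of the grep Andrzej suggested. The script below is an added example written for this page, not code from the thread or from the sendmail project; the function names resolve_port, daemon_table and audit_daemon_ports, the two sample .cf fragments and the stand-in services file are all constructed for it.

```sh
#!/bin/sh
# Added example (not from the thread): audit the "O DaemonPortOptions=" lines
# that `grep DaemonPortOptions /etc/mail/sendmail.cf` prints, for the three
# problems raised above: no plain-SMTP listener left on port 25, SSL-on-connect
# (M=s) on a port other than 465, and a Port= given as a service name that the
# services file does not know. All sample inputs below are constructed.

# Constructed stand-in for /etc/services so the example runs offline.
SAMPLE_SERVICES=$(mktemp)
cat > "$SAMPLE_SERVICES" <<'EOF'
smtp            25/tcp          mail
submission      587/tcp         msa
smtps           465/tcp
EOF

# Constructed .cf fragment modelled on the thread's broken state: the SMTPS
# daemon is defined, but the default port-25 MTA is gone with it.
BROKEN_CF=$(mktemp)
cat > "$BROKEN_CF" <<'EOF'
O DaemonPortOptions=Port=smtps, Name=TLSMTA, M=s
EOF

# Constructed .cf fragment with an MTA on 25, an MSA on 587 and SMTPS on 465.
GOOD_CF=$(mktemp)
cat > "$GOOD_CF" <<'EOF'
O DaemonPortOptions=Port=25, Name=MTA
O DaemonPortOptions=Port=587, Name=MSA, M=Ea
O DaemonPortOptions=Port=465, Name=TLSMTA, M=s
EOF
trap 'rm -f "$SAMPLE_SERVICES" "$BROKEN_CF" "$GOOD_CF"' EXIT

# resolve_port NAME_OR_NUMBER SERVICES_FILE
# Prints the numeric TCP port; prints nothing when a service name is unknown.
resolve_port() {
    case "$1" in
        *[!0-9]*) awk -v n="$1" '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' "$2" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# daemon_table CF SERVICES_FILE
# Prints one "<port> <name> <modifiers>" line per DaemonPortOptions entry.
# Port defaults to 25 (sendmail's own default), modifiers to "-", and a
# service name that cannot be resolved is shown as "?name".
daemon_table() {
    grep '^O DaemonPortOptions=' "$1" | while IFS= read -r line; do
        opts=${line#O DaemonPortOptions=}
        port=25; name=unnamed; mods=-
        oldifs=$IFS; IFS=,
        for kv in $opts; do
            kv=$(printf '%s' "$kv" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            case "$kv" in
                Port=*) port=${kv#Port=} ;;
                Name=*) name=${kv#Name=} ;;
                M=*)    mods=${kv#M=} ;;
            esac
        done
        IFS=$oldifs
        num=$(resolve_port "$port" "$2")
        printf '%s %s %s\n' "${num:-?$port}" "$name" "$mods"
    done
}

# audit_daemon_ports CF SERVICES_FILE
# Prints one FAIL line per finding; returns 0 only when nothing is wrong.
audit_daemon_ports() {
    rc=0
    table=$(daemon_table "$1" "$2")
    # Some listener without M=s must still answer plain SMTP on 25, or the
    # outside world gets "Connection refused" exactly as in the thread.
    if ! printf '%s\n' "$table" | awk '$1 == 25 && $3 !~ /s/ { found = 1 } END { exit !found }'; then
        echo "FAIL: no plain-SMTP listener on port 25; inbound mail will be refused"
        rc=1
    fi
    # SSL-on-connect belongs on 465 only; every other port must stay plain
    # SMTP (with STARTTLS) so that clients and other MTAs can talk to it.
    printf '%s\n' "$table" | while read -r port name mods; do
        case "$port" in
            \?*) echo "FAIL: $name: Port='${port#?}' is not in the services file; use the number" ;;
            465) case "$mods" in *s*) ;; *) echo "FAIL: $name on 465 lacks M=s" ;; esac ;;
            *)   case "$mods" in *s*) echo "FAIL: $name wraps port $port in SSL; peers expect plain SMTP there" ;; esac ;;
        esac
    done | grep . && rc=1
    return $rc
}

# Demonstration on the two constructed fragments.
echo "--- broken fragment:"
audit_daemon_ports "$BROKEN_CF" "$SAMPLE_SERVICES" || true
echo "--- good fragment:"
audit_daemon_ports "$GOOD_CF" "$SAMPLE_SERVICES" && echo "OK: listener set is consistent"
```

On a real host, save the output of `grep DaemonPortOptions /etc/mail/sendmail.cf` to a file and pass it together with /etc/services. Whether each port then really behaves as configured is best confirmed from another machine: `openssl s_client -connect host:465` should negotiate TLS immediately, while `openssl s_client -starttls smtp -connect host:587` (or :25) should see a plain SMTP banner first and only then upgrade with STARTTLS.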

Ashraf Mahmoud

Jun 20, 2009, 5:53:35 PM

Thanks Grant,

I got it working. I un-commented each line one at a time, did a make,
then sendmail restart. The restart does not like:

DAEMON_OPTIONS(`Address=127.0.0.1, Port=587, Name=MSA-Relay, M=Ea')
DAEMON_OPTIONS(`Address=nnn.nnn.nnn.nnn, Port=587, Name=MSA-Relay, M=Ea')

Not a problem for me. And, my firewall is probably blocking port
587. And, I can force the users to use Thunderbird. I configure
their computers and do not install anything else.

I can now send/receive to myself and receive from outside (gmail).

I've been trying to get this working for a while. The last time I
tried it looked like I killed our server (bounces left and right). It
turned out to be our outside firewall was dying (dropping
connections).

If you ever need an eye exam, I might be able to arrange something.

Ashy
