nicholassolutions

Sendmail config

Hi there,

I am new to sendmail/systems administration. I'm running a dedicated server, and I think I've finally got sendmail working more or less the way I want: I can send and receive emails. However, when I try to send email from some domains to my server, it never gets through, and I get messages like this in my logs:

STARTTLS=client, relay=somesite.com., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256

Any ideas about how I can fix this?

Thanks in advance,
Matt
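An added example, not code from the question or the answers: a small Python parser for sendmail STARTTLS log lines like the one above, with a check that separates verify=FAIL on outbound (client) sessions from peers that present no certificate and from weak ciphers. The log lines inside it are constructed; hostnames and addresses are documentation values.

```python
import re

# A sendmail STARTTLS log entry is a run of "key=value" pairs separated by
# ", " (see the line quoted in the question).  The relay field may contain a
# space ("host.name [ip]"), so it is matched up to the next comma.
STARTTLS_RE = re.compile(
    r"STARTTLS=(?P<role>client|server), relay=(?P<relay>[^,]+), "
    r"version=(?P<version>[^,]+), verify=(?P<verify>[^,]+), "
    r"cipher=(?P<cipher>[^,]+), bits=(?P<bits>\d+)/(?P<maxbits>\d+)"
)

# Constructed sample maillog lines (not from the question); hostnames and
# addresses are documentation values.
SAMPLE_LOG = """\
Aug 22 10:01:02 host sendmail[1234]: h7MA12ab001234: STARTTLS=client, relay=somesite.com., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Aug 22 10:02:15 host sendmail[1240]: h7MA2Fcd001240: STARTTLS=server, relay=mail.example.net [192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=EXP-DES-CBC-SHA, bits=40/56
Aug 22 10:03:40 host sendmail[1251]: h7MA3eef001251: STARTTLS=client, relay=mx.example.org., version=TLSv1/SSLv3, verify=OK, cipher=AES256-SHA, bits=256/256
Aug 22 10:04:01 host sendmail[1260]: h7MA41gh001260: to=<bob@example.com>, delay=00:00:01, mailer=esmtp, stat=Sent
"""


def parse_starttls(log_text):
    """Return one dict per STARTTLS entry; lines without one are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = STARTTLS_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["bits"], entry["maxbits"] = int(entry["bits"]), int(entry["maxbits"])
            entries.append(entry)
    return entries


def audit(entries, min_bits=128):
    """Return (relay, finding) pairs.  verify=FAIL on a STARTTLS=client session
    means the remote MTA's certificate did not chain to anything under
    confCACERT_PATH; in the default configuration sendmail still delivers over
    the encrypted session, so by itself this does not explain lost mail.
    verify=NO means the peer sent no certificate; verify=OK means it chained."""
    findings = []
    for e in entries:
        if e["verify"] == "FAIL":
            findings.append((e["relay"], "peer certificate not verifiable against the CA bundle"))
        elif e["verify"] == "NO":
            findings.append((e["relay"], "peer presented no certificate"))
        if e["bits"] < min_bits:
            findings.append((e["relay"], f"weak cipher {e['cipher']} ({e['bits']} bits)"))
    return findings
```

Run it against /var/log/maillog instead of SAMPLE_LOG to see which relays trip which check; a verify=FAIL that only appears for one relay points at that peer's certificate chain, not at the local sendmail.pem.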

Last Comment: nicholassolutions, 8/22/2022 - Mon

ASKER CERTIFIED SOLUTION
jlevie

nicholassolutions

ASKER
jlevie,

Thanks for the comment -- looks like you're gonna be the guy to help me sort out all my Sendmail problems ;)

The sender is my main website, which is a shared hosting setup run by guys who know what they're doing, so I think the problem is on my dedicated box, especially since I don't have problems sending mail to any other domain with my main site.

I thought maybe I had a problem with STARTTLS configuration, so I enabled the following lines in my sendmail.mc file:

define(`confCACERT_PATH',`/usr/share/ssl/certs')dnl
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')dnl

(they were commented-out by default). However, this didn't really seem to help anything -- I have a feeling maybe my certificates are not set up right. Could you tell me how to set this up? If I'd have to buy a certificate, I'd rather not -- could I just disable STARTTLS ?

BTW, I am running RedHat 9

Thanks again for the help!
-Matt
jlevie

In most cases you won't need STARTTLS enabled in sendmail.mc. The only reason for doing so would be if you need to enable SMTP AUTH and also need to allow clients to use PLAIN or LOGIN for authentication and need to protect the plaintext password those methods use. Are you using SMTP AUTH?
nicholassolutions

ASKER
currently I am not using SMTP AUTH, but eventually I think I'd like to be able to do AUTH LOGIN from a remote computer to send mail.
jlevie

SMTP AUTH can be done outside of an SSL encrypted session with the understanding that the username and password will be exposed to anyone with a sniffer that can see the SMTP transaction. But, the same is true of IMAP or POP. Whether that is something to be concerned about only you can say. I'd need to see your sendmail.mc to tell what's wrong.
nicholassolutions

ASKER
This is not a huge concern -- I am planning to do most of my email using pine from the terminal (SSH connection), using a webmail client over https, or using scripts running on the server. In fact, for the time being I am considering limiting relaying ability only to the local machine. Would I need to buy a certificate for STARTTLS to work correctly, or is it possible to do a 'self-signed' one? If I can't self sign, doing SMTP AUTH outside of SSL would probably be acceptable....

Here are the non-comment lines from my sendmail.mc file (most of this is default settings...I also set up some simple domain masquerading using Webmin):

divert(-1)dnl

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl

define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl

define(`confCACERT_PATH',`/usr/share/ssl/certs')dnl
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')dnl

define(`confTO_IDENT', `0')dnl

FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl

FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

FEATURE(`accept_unresolvable_domains')dnl

LOCAL_DOMAIN(`localhost.localdomain')dnl

MAILER(smtp)dnl
MAILER(procmail)dnl


----------------------------------------
Thanks again for your help, it's appreciated!
-Matt