nicholassolutions

Sendmail config

Hi there,

I am new to sendmail/systems administration. I'm running a dedicated server, and I think I've finally got sendmail working more or less the way I want: I can send and receive emails. However, when I try to send email from some domains to my server, it never gets through, and I get messages like this in my logs:

STARTTLS=client, relay=somesite.com., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256

Any ideas about how I can fix this?

Thanks in advance,
Matt
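The log line above is a sendmail STARTTLS record. STARTTLS=client means this server connected out to relay=somesite.com., and verify=FAIL means the certificate that relay presented could not be chained to anything in the local CA bundle (confCACERT/confCACERT_PATH); the session was still encrypted with AES256-SHA. With sendmail's default opportunistic TLS that result on its own does not stop delivery, so it is worth separating from whatever is actually refusing the mail. As an added example, not part of the question or of any answer in the thread, here is a POSIX shell helper that pulls the fields out of such records and explains them; the sample log lines it runs on are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): pull the fields out of sendmail STARTTLS
# log records and explain the verify= result. Sample lines are constructed;
# queue ids, hosts and addresses are placeholders.

SAMPLE_LOG='Mar  3 10:15:02 box sendmail[2141]: h23FF2Ab002141: STARTTLS=client, relay=somesite.com., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Mar  3 10:16:40 box sendmail[2160]: h23FGeCd002160: STARTTLS=server, relay=mail.example.net [192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=DES-CBC3-SHA, bits=168/168
Mar  3 10:17:05 box sendmail[2171]: h23FH5Ef002171: from=<user@example.org>, size=1203, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]'

# Value of one key=value field in a sendmail log line (empty if absent).
# Keys are unique per record, so the greedy match is safe.
starttls_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ,:]$2=\([^,]*\).*/\1/p"
}

# Meaning of sendmail's ${verify} macro as it appears in the log.
verify_meaning() {
    case "$1" in
        OK)   echo "peer certificate chained to a CA in confCACERT/confCACERT_PATH" ;;
        FAIL) echo "peer sent a certificate that did not verify (unknown CA, expired, or name mismatch)" ;;
        NO)   echo "peer sent no certificate" ;;
        NOT)  echo "no certificate was requested from the peer" ;;
        NONE) echo "STARTTLS not used; the session ran in cleartext" ;;
        TEMP|PROTOCOL|SOFTWARE) echo "STARTTLS handshake failed ($1)" ;;
        *)    echo "unrecognised verify value: $1" ;;
    esac
}

# STARTTLS=client: this host connected out and judged the relay's certificate.
# STARTTLS=server: a remote host connected in and this host judged its certificate.
starttls_role() {
    case "$1" in
        client) echo "outbound: we checked the relay's certificate" ;;
        server) echo "inbound: we checked the connecting client's certificate" ;;
        *)      echo "unknown role: $1" ;;
    esac
}

# One summary line per STARTTLS record on stdin. By default sendmail delivers
# whatever verify= says (opportunistic TLS); only an access map entry such as
# "TLS_Srv:somesite.com VERIFY" turns FAIL/NO into a refusal, so a verify=FAIL
# line on its own does not explain a lost message.
summarize_starttls() {
    grep 'STARTTLS=' | while IFS= read -r line; do
        role=$(starttls_field "$line" STARTTLS)
        relay=$(starttls_field "$line" relay)
        verify=$(starttls_field "$line" verify)
        printf '%-6s %-32s verify=%-5s %s; %s\n' "$role" "$relay" "$verify" \
            "$(starttls_role "$role")" "$(verify_meaning "$verify")"
    done
}

# Usage on a real server: summarize_starttls < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | summarize_starttls
```

The third constructed line is a normal from= record that also carries relay=; the grep on STARTTLS= keeps it out, which is why the helper filters before parsing rather than matching relay= alone.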
ASKER CERTIFIED SOLUTION
jlevie

nicholassolutions

ASKER

jlevie,

Thanks for the comment -- looks like you're gonna be the guy to help me sort out all my Sendmail problems ;)

The sender is my main website, which is a shared hosting setup run by guys who know what they're doing, so I think the problem is on my dedicated box, especially since I don't have problems sending mail to any other domain with my main site.

I thought maybe I had a problem with STARTTLS configuration, so I enabled the following lines in my sendmail.mc file:

define(`confCACERT_PATH',`/usr/share/ssl/certs')dnl
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')dnl

(they were commented-out by default). However, this didn't really seem to help anything -- I have a feeling maybe my certificates are not set up right. Could you tell me how to set this up? If I'd have to buy a certificate, I'd rather not -- could I just disable STARTTLS ?

BTW, I am running RedHat 9

Thanks again for the help!
-Matt
jlevie

In most cases you won't need STARTTLS enabled in sendmail.mc. The only reason for doing so would be if you need to enable SMTP AUTH and also need to allow clients to use PLAIN or LOGIN for authentication and need to protect the plaintext password those methods use. Are you using SMTP AUTH?

nicholassolutions

ASKER

Currently I am not using SMTP AUTH, but eventually I think I'd like to be able to do AUTH LOGIN from a remote computer to send mail.

jlevie

SMTP AUTH can be done outside of an SSL encrypted session with the understanding that the username and password will be exposed to anyone with a sniffer that can see the SMTP transaction. But, the same is true of IMAP or POP. Whether that is something to be concerned about only you can say. I'd need to see your sendmail.mc to tell what's wrong.

nicholassolutions

ASKER

This is not a huge concern -- I am planning to do most of my email using pine from the terminal (SSH connection), using a webmail client over https, or using scripts running on the server. In fact, for the time being I am considering limiting relaying ability only to the local machine. Would I need to buy a certificate for STARTTLS to work correctly, or is it possible to do a 'self-signed' one? If I can't self sign, doing SMTP AUTH outside of SSL would probably be acceptable....

Here are the non-comment lines from my sendmail.mc file (most of this is default settings...I also set up some simple domain masquerading using Webmin):

divert(-1)dnl

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl

define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl

define(`confCACERT_PATH',`/usr/share/ssl/certs')dnl
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')dnl

define(`confTO_IDENT', `0')dnl

FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl

FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

FEATURE(`accept_unresolvable_domains')dnl

LOCAL_DOMAIN(`localhost.localdomain')dnl

MAILER(smtp)dnl
MAILER(procmail)dnl


----------------------------------------
Thanks again for your help, it's appreciated!
-Matt
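The confSERVER_CERT and confSERVER_KEY lines in the sendmail.mc above both point at one file, /usr/share/ssl/certs/sendmail.pem, and the thread asks whether a self-signed certificate is acceptable. Sendmail does not need a CA-issued certificate to offer STARTTLS: a self-signed one works, with the consequence that peers which verify will log verify=FAIL against this host, the mirror image of the line in the question, and by default deliver anyway. What sendmail does insist on is that the key file is not group or world readable; otherwise it logs the file as unsafe and STARTTLS is not offered at all. As an added example, not from the thread and not Red Hat's or sendmail's own tooling, here is a POSIX shell script that builds such a combined key+certificate file with openssl and applies that permission check. The hostname mail.example.org and every path other than /usr/share/ssl/certs/sendmail.pem are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, not Red Hat's or sendmail's own tooling):
# create the combined key+certificate file that confSERVER_CERT and
# confSERVER_KEY in the sendmail.mc above both point at, self-signed, and check
# it the way sendmail does before offering STARTTLS. The hostname and every
# path except /usr/share/ssl/certs/sendmail.pem are placeholders.

# Build a self-signed RSA key + certificate in one PEM file.
#   $1 output file   $2 FQDN for the CN   $3 validity in days (default 365)
# The body runs in a subshell so the umask change does not leak to the caller.
make_sendmail_pem() (
    out=$1; host=$2; days=${3:-365}
    umask 077                 # key is never readable by group/others, even briefly
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$host" \
        -keyout "$out.key" -out "$out.crt" 2>/dev/null || exit 1
    cat "$out.key" "$out.crt" > "$out" || exit 1   # key first, then certificate
    rm -f "$out.key" "$out.crt"
    chmod 600 "$out"
)

# sendmail refuses a key file that is group or world readable and logs it as
# "unsafe" instead of offering STARTTLS; this mirrors that check.
check_key_perms() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Subject of the certificate inside the combined file (openssl skips the key block).
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# What a verifying peer would conclude. Without our certificate in its trust
# store ($2 empty = its default store) verification fails, which is exactly the
# verify=FAIL that peer would log; with it, verification succeeds.
peer_would_verify() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Usage on the server (as root), then rebuild sendmail.cf and restart:
#   make_sendmail_pem /usr/share/ssl/certs/sendmail.pem mail.example.org 365
#   check_key_perms  /usr/share/ssl/certs/sendmail.pem && echo permissions ok
#   m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf && service sendmail restart
```

After the restart, watch the mail log for STARTTLS=server records on inbound connections; if none appear and a line mentioning the key file as unsafe does, the permission or ownership check failed and check_key_perms above will show the same result.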