How to configure sendmail to accept mobile relay

post the output of your sendmail.mc, please.

I don't know how interrelated these issues are, but I'm having problems with sendmail authentication generally, which I think needs to be sorted out first before addressing the issue of mobile connection/authentication. I have a question posted https://www.experts-exchange.com/questions/28623328/sendmail-TLS-not-working-right.html which has sendmail.mc etc. Jan has been looking at that one. I think I need to resolve that issue first, then come back here.

that's me.  i would suggest that you first test tls and smtp auth using a snake oil cert and using pem files as the link I provided directs.  then you can move on to your crt and key files.

OK, I think my TLS issue is limited to 2 particular recipients; all other TLS-required recipients are getting the messages just fine. So, I think I'll move on to this issue while I interact with the tech folk at those locations.

Arnold:

using a separate port i.e. 465/587 rather than the 25 for this purpose may provide more options i.e. 465 being an encrypted connection with your own cert that the users will need to add/trust.

I can use whatever port I want. Are you recommending 465 or 587? Are you saying these ports will automatically encrypt?

143 is an IMAP port, you could look at configuring Dovecot if possible

In fact, I am using Dovecot as my IMAP server. `doveconf` indicates port 143:

imap_urlauth_port = 143
imapc_port = 143

So I suppose my first step is to open port 143 on the firewall. Then I might need the auth statements configured in my sendmail .mc flle.

Jan: current sendmail.mc is:

include(`../m4/cf.m4')
VERSIONID(`default setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
DOMAIN(generic)dnl
define(`confSMTP_LOGIN_MSG', `mail.ohprs.org Service ready; $b')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confTO_IDENT', `0')dnl
define(`confBAD_RCPT_THROTTLE',`1')dnl
define(`confCONNECTION_RATE_THROTTLE',`3')dnl
define(`confDEAD_LETTER_DROP',`/dev/null')dnl
define(`confDOUBLE_BOUNCE_ADDRESS',`nobody')dnl
define(`confDF_BUFFER_SIZE',`16384')dnl
define(`confXF_BUFFER_SIZE',`16384')dnl
define(`confSUPER_SAFE',`true')dnl
define(`confCHECKPOINT_INTERVAL',`10')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`lookupdotdomain')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl',`bl.spamcop.net')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`redirect')dnl
dnl#TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl#define(`confAUTH_MECHANISMS', `EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH',`/etc/ssl/certs/')dnl
define(`confCACERT',`/etc/ssl/certs/OHPRS/GoDaddy/Apache/gd_bundle.crt')dnl
define(`confSERVER_CERT',`/etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt')dnl
define(`confSERVER_KEY',`/etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key')dnl
define(`confCLIENT_CERT',`/etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt')dnl
define(`confCLIENT_KEY',`/etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key')dnl
define(`confAUTH_OPTIONS', `A')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
INPUT_MAIL_FILTER(`milter-bcc',`S=local:/var/run/milter-bcc.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
MASQUERADE_AS(`ohprs.org')dnl
MASQUERADE_DOMAIN(`ohprs.org')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`always_add_domain')dnl
EXPOSED_USER(`root')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

Select allOpen in new window

I've got my AUTH directives commented out for the moment for debugging the TLS issu, but I can re-enable.

But, if Dovecot is my IMAP server, does sendmail.cf matter?

Also, in looking at my Android IMAP config screen, it suggests incoming port 143 and outgoing port 587. Hmmm, I don't see a port 587 in my Dovecot config. Can I use 143 or should I set up 587 somehow?

OK, I await your expertise. I re-enabled the AUTH lines in sendmail.mc, opened port 143 on the firewall (and tested with telnet). I configured my Android as mail server mail.ohprs.org, incoming IMAP 143 no security, outgoing SMTP 25 no security. Doesn't work. I get  "Unable to connect to sever" on the Android, but no log message at all in /etc/log/maillog.

unfortunately, my sendmail experience from a while back has led to me using and being more knowledgeable with every other one.  Since I am familiar how SMTP is supposed to work, I can based on input and output kind of figure where the issue might be within the black box that in this case is sendmail.

The port 25 these days are often blocked by ISP/carries to curb the impact of spam/virus type of mailers.  A block by the ISP/carrier of port 25 would explain why you can not get through on 25.
The common practice is to use 465 SSL and 587 (simple port forward external 587 to internal 25 to your sendmail mail server) non-encrypted as alternative for client based use.
And try again.
 
143 is unencrypted, you should consider using/enabling 993 for IMAPS encrypted/secure.
The same certificate can be used. Though yours does not include imap as a host in Subject Alternative Name section.

The outgoing is always SMTP.  I think dovecot could be configured to be an intermediary to the SMTP server/function like a proxy (saw a references in one of the config files when previously dealing with other questions).

Arnold:

143 is unencrypted

Yes, I know. I'm trying to introduce as few variables as possible, just to get started. I am fairly certain Outlook on the LAN computers are successfully using 143

Port 25 for smtp should not be a problem since ALL office mail arrives at that port -- unless you are talking about the mobile device ISP (Verizon in this case)?

Another point of interest, when I changed Dovecot from PLAIN authentication to:

auth_mechanisms = plain login digest-md5 cram-md5

webmail access from roundcube stopped working. In the roundcube error log I got:

[27-Feb-2015 13:05:10 -0500]: IMAP Error: Login failed for mark from 76.181.65.196. Authentication failed. in /user/util/src/roundcubemail-1.0.4/program/lib/Roundcube/rcube_imap.php on line 184 (POST /webmail/?_task=login?_task=login&_action=login)

Select allOpen in new window

No idea why. Certainly not related to ISP blocking. Perhaps if I get this working it will work for the mobile device.

In any case, if I just stick to plain login for the moment and forget about these encrypted things, it should still work from the mobile, right?

Didn't realize this was so complicated to set up!

more info: changed Android to SMTP on 587. Forwarded port 587 to 25 on mail server (tested externally with telnet). Still have "Unable to connect to server" on Android. Nothing in maillog at all.

btw - the Android is "Checking incoming server settings ...", so that would be the IMAP bit. No messages in /var/log/dovecot.info either

I'll deal with the last first, it is not clear which app on android is trying to do wheat.

The preference on round might be to use encrypted when available so adding cram-md5 and the like triggered the self selection within round.. Look at the Dovecot log to see what method was being used when this error came up.

Complicated, it is a matter of perspective, one choice guides another.  
The time constraint you are/were under is further exacerbating thing along with sequential changes to address one issue that could have an impact on another.

Are you using the mailserver hostname in the config, or is it trying to guess based in the domain lookup? Check advanced to make sure what it references is correct.

Arnold:

Are you using the mailserver hostname in the config

Yes. I am using the plain 'ole email > Accounts > Add Account feature of Android, nothing fancy. I am specifying:

incoming: IMAP, server = mail.ohprs.org, port 143, no security
outgoing: SMTP, server = mail.ohprs.org, port 25 (also tried 587), no security
Require sign-in = yes

When I then go to the next step for the Android to connect I get the message (on the Android), "Setup could not finish. User name of password incorrect. (535 5.7.0 authentication failed)". I've checked the ID and password several time. In the dovecot log I get:

Feb 27 20:38:11 auth: Debug: auth client connected (pid=2780)
Feb 27 20:38:11 auth: Debug: client in: AUTH    1       PLAIN   service=imap    session=6EC2CRwQUgBMtUHE      lip=64.129.23.80 rip=76.181.65.196       lport=143       rport=42834     resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Feb 27 20:38:11 auth-worker(30756): Debug: shadow(mark,76.181.65.196): lookup
Feb 27 20:38:11 auth: Debug: client passdb out: OK      1       user=mark
Feb 27 20:38:11 auth: Debug: master in: REQUEST 2249588737      2780    1       f1b8d62d0c5fa829f6ecb776e62a2967       session_pid=2781        request_auth_token
Feb 27 20:38:11 auth-worker(30756): Debug: shadow(mark,76.181.65.196): lookup
Feb 27 20:38:11 auth: Debug: master userdb out: USER    2249588737      mark    system_groups_user=mark uid=3000026    gid=100 home=/home/HPRS/mark    auth_token=17ddfb37de85c588af3e3e69622da37e47879718
Feb 27 20:38:11 imap-login: Info: Login: user=<mark>, method=PLAIN, rip=76.181.65.196, lip=64.129.23.80, mpid=2781, session=<6EC2CRwQUgBMtUHE>
Feb 27 20:38:11 imap(mark): Info: Connection closed in=0 out=353

Select allOpen in new window

In /var/log/maillog I get:

Feb 27 20:38:11 mail sm-mta[23690]: t1S1SJUZ023690: cpe-76-181-65-196.columbus.res.rr.com [76.181.65.196] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Select allOpen in new window

Here's a dovecot logfile session from Roundcube that works

Feb 27 20:49:12 auth: Debug: auth client connected (pid=18573)
Feb 27 20:49:12 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=xMMgMRwQhgBAgRdQ       lip=64.129.23.80        rip=64.129.23.80        lport=143       rport=59270     resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Feb 27 20:49:12 auth-worker(14207): Debug: shadow(mark,64.129.23.80): lookup
Feb 27 20:49:12 auth: Debug: client passdb out: OK      1       user=mark
Feb 27 20:49:12 auth: Debug: master in: REQUEST 1143341057      18573   1       06e13e39c3d50f8ac15d5f63a99b5f5b       session_pid=18574       request_auth_token
Feb 27 20:49:12 auth-worker(14207): Debug: shadow(mark,64.129.23.80): lookup
Feb 27 20:49:12 auth: Debug: master userdb out: USER    1143341057      mark    system_groups_user=mark uid=3000026    gid=100 home=/home/HPRS/mark    auth_token=275bdb5912651f91b2b09d40407c956ada0fc62d
Feb 27 20:49:12 imap-login: Info: Login: user=<mark>, method=PLAIN, rip=64.129.23.80, lip=64.129.23.80, mpid=18574, secured, session=<xMMgMRwQhgBAgRdQ>
Feb 27 20:49:12 imap(mark): Info: Disconnected: Logged out in=29 out=466
Feb 27 20:49:13 auth: Debug: auth client connected (pid=18576)
Feb 27 20:49:13 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=jnoiMRwQhwBAgRdQ       lip=64.129.23.80        rip=64.129.23.80        lport=143       rport=59271     resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Feb 27 20:49:13 auth-worker(14207): Debug: shadow(mark,64.129.23.80): lookup
Feb 27 20:49:13 auth: Debug: client passdb out: OK      1       user=mark
Feb 27 20:49:13 auth: Debug: master in: REQUEST 3451125761      18576   1       4843d9167f4ff8b6d7b918f8a482302e       session_pid=18577       request_auth_token
Feb 27 20:49:13 auth-worker(14207): Debug: shadow(mark,64.129.23.80): lookup
Feb 27 20:49:13 auth: Debug: master userdb out: USER    3451125761      mark    system_groups_user=mark uid=3000026    gid=100 home=/home/HPRS/mark    auth_token=1fdbd7a6511ecec7b1f96dcf3c0c62ba40acb6d2
Feb 27 20:49:13 imap-login: Info: Login: user=<mark>, method=PLAIN, rip=64.129.23.80, lip=64.129.23.80, mpid=18577, secured, session=<jnoiMRwQhwBAgRdQ>
Feb 27 20:49:13 imap(mark): Info: Disconnected: Logged out in=44 out=820
Feb 27 20:49:13 auth: Debug: auth client connected (pid=18581)
Feb 27 20:49:13 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=ZB0tMRwQiABAgRdQ       lip=64.129.23.80        rip=64.129.23.80        lport=143       rport=59272     resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Feb 27 20:49:13 auth-worker(14207): Debug: shadow(mark,64.129.23.80): lookup
Feb 27 20:49:13 auth: Debug: client passdb out: OK      1       user=mark
Feb 27 20:49:13 auth: Debug: master in: REQUEST 3857186817      18581   1       a2e6bad38666a589e5a04d81f29fe561       session_pid=18582       request_auth_token
Feb 27 20:49:13 auth-worker(14207): Debug: shadow(mark,64.129.23.80): lookup
Feb 27 20:49:13 auth: Debug: master userdb out: USER    3857186817      mark    system_groups_user=mark uid=3000026    gid=100 home=/home/HPRS/mark    auth_token=4b9e3c1bcc422530bbbd86eda91a29651084e135
Feb 27 20:49:13 imap-login: Info: Login: user=<mark>, method=PLAIN, rip=64.129.23.80, lip=64.129.23.80, mpid=18582, secured, session=<ZB0tMRwQiABAgRdQ>
Feb 27 20:49:13 auth: Debug: auth client connected (pid=18584)
Feb 27 20:49:13 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=XlItMRwQiQBAgRdQ       lip=64.129.23.80        rip=64.129.23.80        lport=143       rport=59273     resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Feb 27 20:49:13 auth-worker(14207): Debug: shadow(mark,64.129.23.80): lookup
Feb 27 20:49:13 auth: Debug: client passdb out: OK      1       user=mark
Feb 27 20:49:13 auth: Debug: master in: REQUEST 794820609       18584   1       d824cf699b06cd5f13c4cffed0525e27       session_pid=18585       request_auth_token
Feb 27 20:49:13 auth-worker(14207): Debug: shadow(mark,64.129.23.80): lookup
Feb 27 20:49:13 auth: Debug: master userdb out: USER    794820609       mark    system_groups_user=mark uid=3000026    gid=100 home=/home/HPRS/mark    auth_token=56c58fc7138e3cd209c5a872244a04efce7ba478
Feb 27 20:49:13 imap-login: Info: Login: user=<mark>, method=PLAIN, rip=64.129.23.80, lip=64.129.23.80, mpid=18585, secured, session=<XlItMRwQiQBAgRdQ>
Feb 27 20:49:13 imap(mark): Info: Disconnected: Logged out in=533 out=1629
Feb 27 20:49:13 imap(mark): Info: Disconnected: Logged out in=337 out=23363

Select allOpen in new window

Differences of note: line 2 in the roundcube session says "secured session=" rather than simply "session=". Why? SSL? Things look virtually identical between the two logs until line 8 where again roundcube has "secured, session=" versus Android "session=". Otherwise, the main difference is that the roundcube session connects 3 more times after that, then give two logout at the end whereas with the Android the one connection is it.

I remain clueless.

As to the roundCube webmail, maybe we should leave that until later and get the Android connecting first. Perhaps that will simple solve the roundCube issue.

more info: I changed to a POP3 connection on incoming (might as well solve one piece of the puzzle at a time). That worked and I got by the 'incoming' configuration check on the Android.

SMTP still didn't work as long as I had 'Require sign-in' checked. Absolutely nothing appears in /var/log/maillog indicating rejection. I get  "pop3d Authentication passed" in /var/log/messages and /var/log/secure.

When I removed the sign-in requirement for outgoing/smtp, the configuration was accepted.

I've checked and followed web steps in e.g. http://www.sendmail.org/~ca/email/auth.html, but mine just doesn't seem to work. I'm thinking about changing professions; night janitor perhaps.

So, first things first. I obviously don't have SMTP configured correctly for authentication on the server side. To restate, all I have configured in sendmail.mc for authentication is:

TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl

This is clearly insufficient. Telnet test gives:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.ohprs.org ESMTP Service ready; Fri, 27 Feb 2015 21:52:20 -0500
ehlo localhost
250-mail.hprs.local Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.hprs.local closing connection
Connection closed by foreign host.

Select allOpen in new window

Should it be "PLAIN LOGIN"? Just "PLAIN"? Just "LOGIN"? Barking up the wrong tree?

increased log level to 13 in sendmail:

Feb 27 22:56:28 mail sm-mta[481]: NOQUEUE: connect from cpe-76-181-65-196.columbus.res.rr.com [76.181.65.196]
Feb 27 22:56:28 mail sm-mta[481]: AUTH: available mech=CRAM-MD5 DIGEST-MD5 PLAIN LOGIN OTP, allowed mech=LOGIN PLAIN
Feb 27 22:56:28 mail sm-mta[481]: t1S3uShs000481: Milter (spamassassin): init success to negotiate
Feb 27 22:56:28 mail sm-mta[481]: t1S3uShs000481: Milter (milter-bcc): init success to negotiate
Feb 27 22:56:28 mail sm-mta[481]: t1S3uShs000481: Milter: connect to filters
Feb 27 22:56:28 mail sm-mta[481]: t1S3uShs000481: milter=spamassassin, action=connect, continue
Feb 27 22:56:28 mail sm-mta[481]: t1S3uShs000481: milter=spamassassin, action=helo, continue
Feb 27 22:56:28 mail sm-mta[481]: t1S3uShs000481: AUTH failure (PLAIN): user not found (-20) SASL(-13): user not found: Password verification failed, relay=cpe-76-181-65-196.columbus.res.rr.com [76.181.65.196]

Select allOpen in new window

Yes, login plain, with TLS will achieve a more secure exchange.on port 587 and should work. You might have to use username@realm if plain username does not work.

Arnold: no where near using TLS or any such thing yet. I cannot get Android to authorize smtp, port 25 or 587 using *no* encryption/security. If I can't accomplish that, no sense looking at TLS or such.

I've done the following several times with IDs and PW known to be correct. I've generated the Id and pw base64 by e.g. `echo mark | base64`:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.ohprs.org ESMTP Service ready; Fri, 27 Feb 2015 23:23:29 -0500
ehlo localhost
250-mail.hprs.local Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
auth login
334 VXNlcm5hbWU6
bWZvbGV5Cg==
334 UGFzc3dvcmQ6
dHJ1c3RubzEK
535 5.7.0 authentication failed
auth login
334 VXNlcm5hbWU6
bWFyawo=
334 UGFzc3dvcmQ6
Z2xhY29uXzkK
535 5.7.0 authentication failed

Select allOpen in new window

I hate when these questions get to be the size of a telephone book (archaic reference?) and I'm no closer to a solution than when I started. I've followed the instructions from a dozen website which are all the same.

I'm going to sleep on this and possibly start a fresh post on only one aspect tomorrow unless some new insight hits me (or you , or Jan). This should be simple. People get their Androids and iPhones connected all the time. I'm looking pretty stupid right now because my Director sits around the conference table with Directors from other agencies all who can get email on their phone, but not him! Hopefully, he won't consider me too stupid for that janitorial opening!

[end of rant]

Here's someone that had the exact same error message as me: https://forums.gentoo.org/viewtopic-t-702614-start-0.html

The problem lies in the fact that in sendmail.mc I have a directive like "Mailer(SMTP)dnl" at the bottom of the file... now, I had to copy /etc/pam.d/saslauthd to /etc/pam.d/smtp ... with the exact contents, because SASLd was looking up for a "[service=smtp]" file in /etc/pam.d, because I use the SMTP protocol to Send Mail....
 I figured out that the service=OBJECT requires that the OBJECT must have a file in /etc/pam.d/ with that same name.

He's using PAM authentication, but maybe I have some similar config requirement with saslauthd to enable authentication for smtp?

Many sites I've checked talk about an saslauthd config file:

Now have to configure cyrus to accept the request of sendmail

# cd /usr/lib/sasl2
# vi smtp.conf
or
# vim /etc/sasl2/sendmail.conf

pwcheck_method: saslauthd

Is this a piece of the puzzle I'm missing? I have no such directory or sedmail.conf file on my system. `man saslauthd` does not mention such files.

Auth login plain should be fine.
Can you look at the same log when using plain auth?
Double check the username that is being sent? User, User@youraddomain or user@yourpublicdomain?

I figured out the solution to SMTP/Outgoing authentication. I'm giving points to Arnold for hanging in there.