Upgraded to fc7, but sendmail submission with TLS no longer works
Philip Prindeville
philipp_subx at redfish-solutions.com
Sun Sep 30 02:20:57 UTC 2007
I'm running fc7 (updated). I updated via yum from fc6.
Oddly, Cyrus continued to work after the upgrade (it usually breaks).
This time it was sendmail that broke, even though I'm running with a
fairly stock system.
The extent of my sendmail.mc edits is below.
I get messages from sendmail saying that my client (Thunderbird on
Windows Vista and FC7), well:
Sep 29 19:21:59 mail sendmail[5288]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 29 19:22:23 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8]: possible SMTP attack: command=AUTH, count=4
Sep 29 19:22:30 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
Sep 29 19:23:05 mail sendmail[5295]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
but if I turn off TLS, it seems to work ok (using username/password authentication in the clear, I guess).
Since it's TLS, I couldn't use tcpdump to read the transactions...
Here are the sendmail.mc edits. Nothing too weird:
--- sendmail.mc.orig 2006-09-05 07:27:48.000000000 -0600
+++ sendmail.mc 2007-03-08 21:26:38.000000000 -0700
@@ -41,7 +41,7 @@
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
-dnl define(`confAUTH_OPTIONS', `A p')dnl
+define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
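Review bot: the "p" in confAUTH_OPTIONS `A p' only decides which mechanisms are offered before STARTTLS (PLAIN and LOGIN are withheld on an unencrypted link, as the comment above says); once TLS is up the full confAUTH_MECHANISMS list is advertised, so this option cannot be what makes AUTH fail in the TLS sessions logged in the post, and the "A" flag (pass AUTH= on MAIL FROM only after a successful authentication) is unrelated to the symptom as well. Keep the line, but read the log entry "possible SMTP attack: command=AUTH, count=4" for what it says: the client issued AUTH four times in one TLS session and then never sent MAIL, which is exactly what a MUA does when it works through several advertised mechanisms and each one is rejected. The failure reason sendmail logs for each attempt (with LogLevel raised if needed) is the thing to look at next.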
@@ -49,18 +49,18 @@
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
-dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
-dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /usr/share/ssl/certs usage
dnl #
-dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
-dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
-dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
-dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
+define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
+define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
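Review bot: confAUTH_MECHANISMS now advertises six mechanisms, but the only backend this hunk reminds the reader about is saslauthd, and saslauthd serves just the password-in-clear mechanisms (PLAIN, LOGIN); DIGEST-MD5 and CRAM-MD5 need a shared-secret store (sasldb or another auxprop plugin) and GSSAPI needs a Kerberos keytab. Over TLS all six are offered and a client may try the challenge-response ones first, so either provide those backends or trim the list to what is actually configured, for example define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl; note also that GSSAPI is in confAUTH_MECHANISMS but not in TRUST_AUTH_MECH, so a GSSAPI-authenticated user would not be allowed to relay. Separately, confSERVER_CERT and confSERVER_KEY both point at sendmail.pem, so that one file carries the private key and must be readable only by sendmail's user; if it is shared with slapd as the comment below describes, sendmail will reject a group-readable key unless DontBlameSendmail is set to allow it ("readble" in that comment is a typo).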
@@ -71,8 +71,10 @@
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
+dnl # don't apply domain search suffixes...
+define(`confBIND_OPTS', `+AAONLY -DNSRCH -DEFNAMES')dnl
define(`confTO_IDENT', `0')dnl
-dnl FEATURE(delay_checks)dnl
+FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
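Review bot: the new comment documents only two of the three confBIND_OPTS flags: "-DNSRCH -DEFNAMES" do stop search suffixes being appended, but "+AAONLY" is a different request (authoritative answers only) that has nothing to do with suffixes and that the system resolver may not honour; either extend the comment to say why it is wanted or drop it. Enabling FEATURE(delay_checks) in the same hunk also moves the access_db sender and relay checks to RCPT time, which is why the later ratecontrol line needs its `nodelay' argument to keep rate limiting effective at connect time.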
@@ -100,27 +102,35 @@
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
+dnl # Anti-spam features suggested from ACME.COM
+FEATURE(`greet_pause', `5000')dnl
+define(`confCONNECTION_RATE_WINDOW_SIZE', `60s')dnl
+FEATURE(`conncontrol')dnl
+FEATURE(`ratecontrol', `nodelay', `terminate')dnl
+define(`confBAD_RCPT_THROTTLE', `3')dnl
+define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
+define(`confMAX_DAEMON_CHILDREN', `5')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
-dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
-dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
+define(`confLOCAL_MAILER', `cyrusv2')dnl
+define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
-DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
+dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
-dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
+DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
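Review bot: define(`confMAX_DAEMON_CHILDREN', `5') is a single cap on concurrent connections across every listening daemon, so it is shared between the port 25 MTA and the port 587 MSA enabled further down in this hunk; with `greet_pause' at 5000 ms each inbound connection occupies one of those five slots for at least five seconds before it can even send EHLO, so a handful of slow or idle remote senders can lock out your own submission clients. Raise the global limit or budget connections per daemon with the children= option on the MTA's DAEMON_OPTIONS line instead. Also, `conncontrol' and `ratecontrol' do nothing on their own: they act only on ClientConn: and ClientRate: entries in the access map enabled by FEATURE(`access_db') above, so those entries need to exist for the two features to have any effect. A URL in the "suggested from ACME.COM" comment would help the next maintainer find the rationale.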
@@ -141,18 +151,20 @@
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
+DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
-FEATURE(`accept_unresolvable_domains')dnl
+dnl FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
+INPUT_MAIL_FILTER(`mimdefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m;E:5m')
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
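Review bot: the added DAEMON_OPTIONS(`Name=MTA-v4, Family=inet') carries no Addr= and no M= modifiers, so it listens on port 25 on every IPv4 address with no authentication requirement, replacing the loopback-only MTA daemon that the previous hunk commented out; the log lines in the post show the Thunderbird session arriving on this MTA-v4 daemon, not on the MSA, so the M=Ea policy (authentication required, ETRN disabled) from the port 587 line does not apply to that session. If the clients are meant to submit on 587, point them there and decide deliberately whether port 25 should be reachable from the LAN at all. Two smaller points: both added lines lack the trailing dnl, which leaves blank lines in the generated sendmail.cf (harmless), and the filter is named "mimdefang" while its socket path says mimedefang; the name is arbitrary, but the mismatch reads like a typo.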
@@ -173,4 +185,4 @@
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
-dnl MAILER(cyrusv2)dnl
+MAILER(cyrusv2)dnl
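Review bot: the LMTP socket named in the earlier CYRUSV2_MAILER_ARGS hunk, /var/lib/imap/socket/lmtp, must be connectable by the user sendmail runs deliveries as, otherwise every local delivery through the mailer enabled here will defer; check the socket's owner and mode alongside this change, since that is the one dependency the diff itself cannot show.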
Anyone seen anything similar to this?