Need help configuring smart_host relaying



The answer is probably staring me in the face, but I've reached the end
of my admittedly short rope.

Problem:  I need to set up my sendmail as a client to my (new) ISP's
outbound mailserver with SSL authentication.

I've created an authinfo file and authinfo.db map with the following
entry:  AuthInfo outbound.mail.ISP:465 "I:my-id" "P:password"
I've tried adding "M:LOGIN" and have added
define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
PLAIN')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
to my host.mc file.

Result in all cases is I get a time-out message
stat=Deferred: Operation timed out with outbound.mail.ISP

I'll happily post my .mc file, but don't think it'd help much at this point.

Any suggestions/dope slaps would be appreciated.

Bob Melson

-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
Reply amia9018 (43) 2/17/2013 1:24:29 AM


Bob Melson <amia9018@mypacks.net> wrote:
> The answer is probably staring me in the face, but I've reached the end
> of my admittedly short rope.
>
> Problem:  I need to set up my sendmail as a client to my (new) ISP's
> outbound mailserver with SSL authentication.
>
> I've created an authinfo file and authinfo.db map with the following
> entry:  AuthInfo outbound.mail.ISP:465 "I:my-id" "P:password"
> I've tried adding "M:LOGIN" and have added
> define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
> PLAIN')dnl
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> to my host.mc file.
>
> Result in all cases is I get a time-out message
> stat=Deferred: Operation timed out with outbound.mail.ISP
>
> I'll happily post my .mc file, but don't think it'd help much at this point.
>
> Any suggestions/dope slaps would be appreciated.

Do you want SMTP authentication (login+password) 
or SSL authentication (client certificate)?

Push delivery of queued messages in verbose mode with map lookups
tracing. As root execute:
  sendmail -d38.20 -v -q

It should help you to narrow down the problem area.
0
Reply anfi2 (1425) 2/17/2013 8:17:48 AM

Andrzej Adam Filip wrote:
> sendmail -d38.20 -v -q

First, the results of the command above:
strider# sendmail -d38.20 -v -q
regex_map_init: mapname 'badmx', args '-a<BADMX>
^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
^(127\.|10\.|0\.0\.0\.0)'
regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
seq_map_parse(aliases.files, )

Running /var/spool/mqueue/r1H3rvdB073817 (sequence 1 of 1)
r1H3rvdB073817: locked

I have successfully configured my browser's emailer (SeaMonkey) with
SSL/TLS connection security using a normal password and am able to send
emails through the direct connect.  I'm unable to duplicate the
"connect" via sendmail, however.  So, I *think* the answer to your
question is that I want login+password.

Thanks for your reply, above, and for any other help you might be able
to offer.

Bob Melson

0
Reply amia9018 (43) 2/17/2013 6:14:41 PM

Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>> sendmail -d38.20 -v -q
>
> First, the results of the command above:
> strider# sendmail -d38.20 -v -q
> regex_map_init: mapname 'badmx', args '-a<BADMX>
> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
> regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
> regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
> ^(127\.|10\.|0\.0\.0\.0)'
> regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
> seq_map_parse(aliases.files, )
>
> Running /var/spool/mqueue/r1H3rvdB073817 (sequence 1 of 1)
> r1H3rvdB073817: locked
>
> I have successfully configured my browser's emailer (SeaMonkey) with
> SSL/TLS connection security using a normal password and am able to send
> emails through the direct connect.  I'm unable to duplicate the
> "connect" via sendmail, however.  So, I *think* the answer to your
> question is that I want login+password.
>
> Thanks for your reply, above, and for any other help you might be able
> to offer.

[ If you cannot push queued messages then ]
Try to send a new test message in verbose mode as root:

#!/bin/sh
# replace the email address in To: header below with a valid one

/usr/sbin/sendmail -d38.20 -v -oi <<END
To: john.doe@example.net
Subject: test

test
END
0
Reply anfi2 (1425) 2/17/2013 6:54:18 PM

Andrzej Adam Filip wrote:

> 
> [ If you cannot push queued messages then ]
> Try to send a new test message in verbose mode as root:
> 
> #!/bin/sh
> # replace the email address in To: header below with a valid one
> 
> /usr/sbin/sendmail -d38.20 -v -oi <<END
> To: john.doe@example.net
> Subject: test
> 
> test
> END
> 

No joy, I get:
strider# sendmail -d38.20 -v -oi <<END
? To: melsonr@earthlink.net
? Subject: test
?
? test
? END
openmap()	dequote:dequote NULL: valid
Recipient names must be specified
closemaps: closing dequote (NULL)

Part of the frustration is that my previous ISP didn't require the
use of SSL/TLS as the connection security and the sendmail configuration
was pretty straightforward.  Silly me, I thought I could merely add the
missing bits for a secure connect and login - after all, I can do that
with my browser's mailer - and be good to go.  No such luck.  I have, to
this point, tried every combination of "mechanism" in my authinfo file
and all have timed out.  Here, by the way, is my *current* authinfo file:

AuthInfo:outbound.my.ISP:465 "U:my_addr" "I:my_addr" "P:my_password"
"M:LOGIN"

Could it be that the port specification should go elsewhere?  If so, where?

Thanks again.



0
Reply amia9018 (43) 2/17/2013 7:21:14 PM

My omission/mistake

#!/bin/sh
# -bt 
# replace the email address in To: header below with a valid one

/usr/sbin/sendmail -d38.20 -Am -v -i -t <<END
To: john.doe@example.net
Subject: test
 
test
END
0
Reply anfi2 (1425) 2/17/2013 8:36:55 PM

Andrzej Adam Filip wrote:
> My omission/mistake
> 
> #!/bin/sh
> # -bt 
> # replace the email address in To: header below with a valid one
> 
> /usr/sbin/sendmail -d38.20 -Am -v -i -t <<END
> To: john.doe@example.net
> Subject: test
>  
> test
> END
> 
OK, here are the results:

sendmail -d38.20 -Am -v -i -t <<END
? To: melsonr@earthlink.net
? Subject: test
?
? test
? END
regex_map_init: mapname 'badmx', args '-a<BADMX>
^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
^(127\.|10\.|0\.0\.0\.0)'
regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
seq_map_parse(aliases.files, )
openmap()	dequote:dequote NULL: valid
openmap()	host:host NULL: valid
getcanonname(earthlink.net), trying dns
getcanonname(earthlink.net), found
melsonr@earthlink.net... Connecting to outbound.att.net via smtp...
melsonr@earthlink.net... Deferred: Operation timed out with outbound.att.net
closemaps: closing host (NULL)
closemaps: closing dequote (NULL)

Looking at that and considering all the other evidence, it seems to me
that the problem is a timeout on the connection.  That suggests that
either the port specification is wrong in the authinfo file or that the
connection is being refused because it's not SSL/TLS.  So the questions
appear to be (1) is the port specification correct; if not where should
I specify it: or (2) how to get the SSL/TLS mechanism into sendmail.
I'll have to see what build options for SSL/TLS I have for a new build
of sendmail or see how to get them configured into the existing
sendmail.  BTW, I'm running sendmail 8.14.6 on FreeBSD 8.3/AMD64.

Thanks for your help so far.  I'm thinking it's not a simple matter,
after all.

Bob Melson



0
Reply amia9018 (43) 2/17/2013 9:20:41 PM

Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>> My omission/mistake
>> 
>> #!/bin/sh
>> # -bt 
>> # replace the email address in To: header below with a valid one
>> 
>> /usr/sbin/sendmail -d38.20 -Am -v -i -t <<END
>> To: john.doe@example.net
>> Subject: test
>>  
>> test
>> END
>> 
> OK, here are the results:
> [...]
> melsonr@earthlink.net... Connecting to outbound.att.net via smtp...
> melsonr@earthlink.net... Deferred: Operation timed out with outbound.att.net
> [...]
>
> Looking at that and considering all the other evidence, it seems to me
> that the problem is a timeout on the connection.  That suggests that
> either the port specification is wrong in the authinfo file or that the
> connection is being refused because it's not SSL/TLS.  So the questions
> appear to be (1) is the port specification correct; if not where should
> I specify it: or (2) how to get the SSL/TLS mechanism into sendmail.
> I'll have to see what build options for SSL/TLS I have for a new build
> of sendmail or see how to get them configured into the existing
> sendmail.  BTW, I'm running sendmail 8.14.6 on FreeBSD 8.3/AMD64.
>
> Thanks for your help so far.  I'm thinking it's not a simple matter,
> after all.

I would dare to bet that most of the hard part is behind you.

Your outgoing connections to port 25 may be blocked by a firewall.
=> you may make sendmail use another port to relay to the smart host.
[ From my location all 3 ports of outbound.att.net are accessible ]

Can you telnet to the smtp (25), submission (587) and smtps (465) ports on
outbound.att.net?
  telnet  outbound.att.net 25
You should get an SMTP server greeting message, except in the smtps case.

P.S.
How to contact another "smtp like" port (submission) is described in
the sendmail FAQ.
0
Reply anfi2 (1425) 2/18/2013 9:26:20 AM

On 02/17/2013 03:20 PM, Bob Melson wrote:
> sendmail -d38.20 -Am -v -i -t<<END
> ? To: melsonr@earthlink.net
> ? Subject: test
> ?
> ? test
> ? END
> regex_map_init: mapname 'badmx', args '-a<BADMX>
> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
> regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
> regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
> ^(127\.|10\.|0\.0\.0\.0)'
> regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
> seq_map_parse(aliases.files, )
> openmap()	dequote:dequote NULL: valid
> openmap()	host:host NULL: valid
> getcanonname(earthlink.net), trying dns
> getcanonname(earthlink.net), found
> melsonr@earthlink.net... Connecting to outbound.att.net via smtp...
> melsonr@earthlink.net... Deferred: Operation timed out with outbound.att.net
> closemaps: closing host (NULL)
> closemaps: closing dequote (NULL)
>
> Looking at that and considering all the other evidence, it seems to me
> that the problem is a timeout on the connection.  That suggests that
> either the port specification is wrong in the authinfo file or that the
> connection is being refused because it's not SSL/TLS.  So the questions
> appear to be (1) is the port specification correct; if not where should
> I specify it: or (2) how to get the SSL/TLS mechanism into sendmail.
> I'll have to see what build options for SSL/TLS I have for a new build
> of sendmail or see how to get them configured into the existing
> sendmail.  BTW, I'm running sendmail 8.14.6 on FreeBSD 8.3/AMD64.

It's a lot easier to use port 587 (submission) than port 465(smtps).  A
connection on port 587 starts in the clear and immediately uses STARTTLS
to switch to encrypted if the remote server supports that, and sendmail
will handle that automagically.  A connection on port 465 must use SSL
for the initial connection, and sendmail _cannot_ do that by itself.

If you cannot use port 587 and must use port 465, I can tell you how to
do that (it's fairly complex -- uses stunnel to carry the connection),
but it certainly shouldn't be your first choice.

-- 
Bob Nichols         AT comcast.net I am "RNichols42"
0
Reply SEE_SIGNATURE1 (214) 2/18/2013 4:00:44 PM
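
The difference described in the post above (port 587 greets in the clear and then offers STARTTLS, port 465 expects TLS before anything is said), as an added example that is not part of the thread: a probe that classifies a port the way the three telnet tests do and records whether STARTTLS and AUTH are advertised. The function name `probe_smtp_port`, the state labels and the EHLO name `probe.invalid` are assumptions of this example.

```python
import socket
import ssl


def _read_reply(sock):
    """Read one SMTP reply (possibly multi-line); [] if the peer stays silent."""
    buf = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            last = buf.splitlines()[-1]
            # Final line of a reply is "NNN text"; continuation lines are "NNN-text".
            if buf.endswith(b"\n") and last[:3].isdigit() and last[3:4] != b"-":
                break
    except OSError:  # includes socket timeouts
        pass
    return buf.decode("ascii", "replace").splitlines()


def _ehlo(sock, result, ehlo_name):
    """Send EHLO and record the STARTTLS and AUTH capabilities the server lists."""
    sock.sendall(f"EHLO {ehlo_name}\r\n".encode("ascii"))
    for line in _read_reply(sock):
        words = line[4:].upper().split()
        if line.startswith("250") and words:
            if words[0] == "STARTTLS":
                result["starttls"] = True
            elif words[0] == "AUTH":
                result["auth"] = words[1:]
    try:
        sock.sendall(b"QUIT\r\n")
    except OSError:
        pass


def probe_smtp_port(host, port, timeout=5.0, ehlo_name="probe.invalid"):
    """Classify a port as timeout, refused, plain-smtp, implicit-tls or silent."""
    result = {"port": port, "state": "", "starttls": False, "auth": []}
    try:
        plain = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        result["state"] = "timeout"  # connect never completes, e.g. a filtered port
        return result
    except OSError:
        result["state"] = "refused"  # refused, or no route to the host
        return result
    with plain:
        banner = _read_reply(plain)
        if banner and banner[0].startswith("220"):
            result["state"] = "plain-smtp"  # greeting in the clear (25 or 587 style)
            _ehlo(plain, result, ehlo_name)
            return result
    # Connected but no greeting: retry with TLS first, as smtps (465) expects.
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                banner = _read_reply(tls)
                if banner and banner[0].startswith("220"):
                    result["state"] = "implicit-tls"
                    _ehlo(tls, result, ehlo_name)
                    return result
    except OSError:  # ssl.SSLError and timeouts are OSError subclasses
        pass
    result["state"] = "silent"
    return result
```

Many servers list AUTH only after STARTTLS has been negotiated, so an empty `auth` list on a `plain-smtp` port does not mean authentication is unavailable.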

Andrzej Adam Filip wrote:

> I would dare to bet that most of the hard part is behind you.
> 
> Your outgoing connections to port 25 may be blocked by a firewall.
> => you may make sendmail use another port to relay to the smart host.
> [ From my location all 3 ports of outbound.att.net are accessible ]
> 
> Can you telnet to the smtp (25), submission (587) and smtps (465) ports on
> outbound.att.net?
>   telnet  outbound.att.net 25
> You should get an SMTP server greeting message, except in the smtps case.
> 
> P.S.
> How to contact another "smtp like" port (submission) is described in
> the sendmail FAQ.
> 
telnet to outbound.my.ISP 25 just hangs.
telnet to outbound.my.ISP 587 responds with the expected "220" message
telnet to outbound.my.ISP 465 responds with a "connected" message but no
"220"

I'll have to check the FAQ out.

Thanks again for your help.

Bob Melson


0
Reply amia9018 (43) 2/18/2013 4:50:59 PM

Robert Nichols wrote:
> On 02/17/2013 03:20 PM, Bob Melson wrote:
>> sendmail -d38.20 -Am -v -i -t<<END
>> ? To: melsonr@earthlink.net
>> ? Subject: test
>> ?
>> ? test
>> ? END
>> regex_map_init: mapname 'badmx', args '-a<BADMX>
>> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
>> regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
>> regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
>> ^(127\.|10\.|0\.0\.0\.0)'
>> regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
>> seq_map_parse(aliases.files, )
>> openmap()    dequote:dequote NULL: valid
>> openmap()    host:host NULL: valid
>> getcanonname(earthlink.net), trying dns
>> getcanonname(earthlink.net), found
>> melsonr@earthlink.net... Connecting to outbound.att.net via smtp...
>> melsonr@earthlink.net... Deferred: Operation timed out with
>> outbound.att.net
>> closemaps: closing host (NULL)
>> closemaps: closing dequote (NULL)
>>
>> Looking at that and considering all the other evidence, it seems to me
>> that the problem is a timeout on the connection.  That suggests that
>> either the port specification is wrong in the authinfo file or that the
>> connection is being refused because it's not SSL/TLS.  So the questions
>> appear to be (1) is the port specification correct; if not where should
>> I specify it: or (2) how to get the SSL/TLS mechanism into sendmail.
>> I'll have to see what build options for SSL/TLS I have for a new build
>> of sendmail or see how to get them configured into the existing
>> sendmail.  BTW, I'm running sendmail 8.14.6 on FreeBSD 8.3/AMD64.
> 
> It's a lot easier to use port 587 (submission) than port 465(smtps).  A
> connection on port 587 starts in the clear and immediately uses STARTTLS
> to switch to encrypted if the remote server supports that, and sendmail
> will handle that automagically.  A connection on port 465 must use SSL
> for the initial connection, and sendmail _cannot_ do that by itself.
> 
> If you cannot use port 587 and must use port 465, I can tell you how to
> do that (it's fairly complex -- uses stunnel to carry the connection),
> but it certainly shouldn't be your first choice.
> 
OK, I *can* see port 587 on outbound.att.net (telnet returns the
expected "220" greeting); telnet on 465 gives a "connected to" return
but no "220".

The reason I'm battling with 465 is that that's what AT&T *told* me to
use for outbound emails - not something I'd do on my own, believe me.
I've never used STARTTLS before and would appreciate the hand holding
you offer above.

Question:  you say that 587 starts in the clear but shifts to STARTTLS
if the remote server requires it.  That suggests I'd have to have all
the certificates/keys/etc already configured on my side.  Assuming that
to be true, can I reasonably "get away with" self-certification?

Thanks for your comments and any help you might be able to provide

Bob Melson

0
Reply amia9018 (43) 2/18/2013 5:00:58 PM

Bob Melson <amia9018@mypacks.net> wrote:
> [...]
> Question:  you say that 587 starts in the clear but shifts to STARTTLS
> if the remote server requires it.  
> That suggests I'd have to have all the certificates/keys/etc already
> configured on my side.  Assuming that to be true, can I reasonably
> "get away with" self-certification?
>
> Thanks for your comments and any help you might be able to provide

AFAIK most servers offering SSL/STARTTLS do not require _client_
certificates => most likely you will not need a certificate for
_outgoing_ connections.

Sendmail FAQ
3.39 How do I send using an alternate port?

Connections to SMART_HOST by default use the relay mailer, but you may
specify it directly -> IMHO it is "better style" for a modified relay
mailer.

define(`SMART_HOST',`relay:outbound.example.net')
0
Reply anfi2 (1425) 2/18/2013 7:30:06 PM

In article <6PydnWm_EdfXw7_MnZ2dnUVZ_qqdnZ2d@earthlink.com>, Bob Melson says...
>The reason I'm battling with 465 is that that's what AT&T *told* me to
>use for outbound emails - not something I'd do on my own, believe me.
>I've never used STARTTLS before and would appreciate the hand holding
>you offer above.
>
>Question:  you say that 587 starts in the clear but shifts to STARTTLS
>if the remote server requires it.  That suggests I'd have to have all
>the certificates/keys/etc already configured on my side.  Assuming that
>to be true, can I reasonably "get away with" self-certification?

It's only the use of port 465 for outgoing mail that gets complicated.

You don't need to set up anything beyond your authinfo in order to use
port 587. The use of STARTTLS is automatic, in fact you would have to
do something special to avoid it. Your authinfo is what identifies you
to the server. No certificate is required. Just specify the port number
in your *_MAILER_ARGS, set up your authinfo, and you're good to go.

    define(`RELAY_MAILER_ARGS',`TCP $h 587')dnl
    define(`ESMTP_MAILER_ARGS',`TCP $h 587')dnl
    define(`SMART_HOST', `smtp.wherever.which')dnl
    FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

and in /etc/mail/auth/client-info:
    AuthInfo:smtp.wherever.what "U:root" "I:myIDatISP" "P:mypassword"

-- 
Bob Nichols AT comcast.net I am "RNichols42"

0
Reply SEE_SIGNATURE1 (214) 2/18/2013 7:46:38 PM

Robert Nichols wrote:
> On 02/17/2013 03:20 PM, Bob Melson wrote:
>> sendmail -d38.20 -Am -v -i -t<<END
>> ? To: melsonr@earthlink.net
>> ? Subject: test
>> ?
>> ? test
>> ? END
>> regex_map_init: mapname 'badmx', args '-a<BADMX>
>> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
>> regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
>> regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
>> ^(127\.|10\.|0\.0\.0\.0)'
>> regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
>> seq_map_parse(aliases.files, )
>> openmap()    dequote:dequote NULL: valid
>> openmap()    host:host NULL: valid
>> getcanonname(earthlink.net), trying dns
>> getcanonname(earthlink.net), found
>> melsonr@earthlink.net... Connecting to outbound.att.net via smtp...
>> melsonr@earthlink.net... Deferred: Operation timed out with
>> outbound.att.net
>> closemaps: closing host (NULL)
>> closemaps: closing dequote (NULL)
>>
>> Looking at that and considering all the other evidence, it seems to me
>> that the problem is a timeout on the connection.  That suggests that
>> either the port specification is wrong in the authinfo file or that the
>> connection is being refused because it's not SSL/TLS.  So the questions
>> appear to be (1) is the port specification correct; if not where should
>> I specify it: or (2) how to get the SSL/TLS mechanism into sendmail.
>> I'll have to see what build options for SSL/TLS I have for a new build
>> of sendmail or see how to get them configured into the existing
>> sendmail.  BTW, I'm running sendmail 8.14.6 on FreeBSD 8.3/AMD64.
> 
> It's a lot easier to use port 587 (submission) than port 465(smtps).  A
> connection on port 587 starts in the clear and immediately uses STARTTLS
> to switch to encrypted if the remote server supports that, and sendmail
> will handle that automagically.  A connection on port 465 must use SSL
> for the initial connection, and sendmail _cannot_ do that by itself.
> 
> If you cannot use port 587 and must use port 465, I can tell you how to
> do that (it's fairly complex -- uses stunnel to carry the connection),
> but it certainly shouldn't be your first choice.
> 
OK, having tried all the variations suggested WRT port 587, I'm still at
the point where I get a timeout on the connect to outbound.att.net, as
shown above.
Here's my .mc file:
divert(-1)
include(`/usr/local/share/sendmail/cf/m4/cf.m4')
dnl include(`/usr/share/sendmail/cf/m4/cf.m4')
define(`confDEF_USER_ID',``8:14'')
VERSIONID(`freebsd strider.rgmhome.net')
dnl Cwstrider.rgmhome.net localhost rgmhome.homeunix.net
strider.homeunix.net
OSTYPE(`bsd4.4')
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
define(`confEBINDIR',`/usr/local/libexec')dnl
dnl define(`confEBINDIR',`/usr/libexec')dnl
FEATURE(virtusertable)
FEATURE(always_add_domain)
dnl FEATURE(use_cw_file)
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
FEATURE(nocanonify)
FEATURE(nouucp,`reject')
define(`confTO_QUEUEWARN', `5m')
dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN PLAIN')dnl
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(relay_hosts_only)
FEATURE(`access_db')dnl
FEATURE(`block_bad_helo')dnl
strider.mc: unmodified: line 1
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
FEATURE(nocanonify)
FEATURE(nouucp,`reject')
define(`confTO_QUEUEWARN', `5m')
dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN PLAIN')dnl
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(relay_hosts_only)
FEATURE(`access_db')dnl
FEATURE(`block_bad_helo')dnl
FEATURE(`badmx')dnl
FEATURE(`greet_pause',`3000')dnl
FEATURE(`require_rdns')dnl
FEATURE(`local_procmail')dnl
FEATURE(`delay_checks')dnl
FEATURE(blacklist_recipients)
GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain')
FEATURE(redirect)
MASQUERADE_AS(`att.net')
MASQUERADE_DOMAIN(`strider.rgmhome.net')
FEATURE(allmasquerade)
FEATURE(masquerade_entire_domain)
FEATURE(masquerade_envelope)
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
FEATURE(local_lmtp)
FEATURE(`accept_unresolvable_domains')
FEATURE(dnsbl, `ipwhois.rfc-ignorant.org',`"550 Mail from "
$&{client_addr} " refused. Rejected for bad WHOIS info on IP of your
SMTP server
 - see http://www.rfc-ignorant.org/"')
FEATURE(`enhdnsbl',`bl.spamcop.net',`554 SPAM Blocked; see
http://spamcop.net/bl.shtml?$&{client_addr}')
FEATURE(`enhdnsbl',`dnsbl.njabl.org',`"550 Mail from host
"$&{client_addr}" delivery refused -- see
http://njabl.org/"',`',`127.0.0.2',`127.
0.0.4',`127.0.0.8',`127.0.0.9')dnl
FEATURE(`enhdnsbl',`zen.spamhaus.org',`',`',`127.0.0.2',`127.0.0.4',`127.0.0.5',`127.0.0.6',`127.0.0.7',`127.0.0.8',`127.0.0.10',`127.0.0.11
')dnl
FEATURE(`enhdnsbl',`cbl.abuseat.org',`',`',`127.0.0.2')dnl
MAILER(local)
MAILER(smtp)
Cwlocalhost
Cwrgmhome.net
Dmrgmhome.net
Cwrgmhome.homeunix.net
Dmrgmhome.homeunix.net
Cwstrider.homeunix.net
Dmstrider.homeunix.net
define(`confDOMAIN_NAME',`rgmhome.net')
define(RELAY_HOST, relay:outbound.att.net)
define(SMART_HOST, smtp:outbound.att.net)
dnl define(RELAY_MAILER, TCP)
define(`RELAY_MAILER_ARGS',`TCP $h 587')
define(`ESMTP_MAILER_ARGS',`TCP $h 587')
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock,
F=, T=C:15m;S:4m;R:4m;E:10m')
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name},
{if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
---- cut and paste didn't work quite as expected; ignore the line wraps,
please
And my authinfo/client-info file:
AuthInfo:outbound.att.net:587 "U:root""I:melson.r@att.net"  "P:my-password"

I get the same connection timeout for port 465, which I suppose
shouldn't be surprising since I don't have STARTTLS configured into
sendmail.  Whatever, I'm now officially at my wit's end.

I very much appreciate the help you and Andrzej have given up to this
point but have to wonder where we go from here as nothing suggested
seems to have worked.

Bob Melson



0
Reply amia9018 (43) 2/18/2013 9:47:56 PM

On 02/18/2013 03:47 PM, Bob Melson wrote:
[deleted]

You can't just tack things on to the end of sendmail.mc and expect it
to work.  There is a required ordering.  The general rules (from
README.cf) are that the order should be:

	VERSIONID
	OSTYPE
	DOMAIN
	FEATURE
	local macro definitions
	MAILER
	LOCAL_CONFIG
	LOCAL_RULE_*
	LOCAL_RULESETS

But, local macro definitions that affect a FEATURE() should be before
that feature.

Everything you have except the "Cw" and "Dm" local ruleset lines needs
to come _before_ the MAILER declarations.

But, if you really have a sendmail that was built without STARTTLS
support, none of this is going to work.  Note that just because you
don't have the various certs and keys defined to allow sendmail to offer
STARTTLS on incoming connections (I don't) doesn't mean that it can't
utilize that feature on an outgoing connection (Mine does).  You can see
whether "ldd /usr/lib/sendmail" lists "libcrypto.so" as one of the
libraries.

Here is a revision of your sendmail.mc with the lines ordered, I
believe, properly.  Let's see how that works.  (I think I undid all the
extraneous line wraps.)

divert(-1)
include(`/usr/local/share/sendmail/cf/m4/cf.m4')
dnl include(`/usr/share/sendmail/cf/m4/cf.m4')
define(`confDEF_USER_ID',``8:14'')
VERSIONID(`freebsd strider.rgmhome.net')
dnl Cwstrider.rgmhome.net localhost rgmhome.homeunix.net strider.homeunix.net
OSTYPE(`bsd4.4')
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
define(`confEBINDIR',`/usr/local/libexec')dnl
dnl define(`confEBINDIR',`/usr/libexec')dnl
define(RELAY_HOST, relay:outbound.att.net)
define(SMART_HOST, smtp:outbound.att.net)
dnl define(RELAY_MAILER, TCP)
define(`RELAY_MAILER_ARGS',`TCP $h 587')
define(`ESMTP_MAILER_ARGS',`TCP $h 587')
FEATURE(virtusertable)
FEATURE(always_add_domain)
dnl FEATURE(use_cw_file)
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
FEATURE(nocanonify)
FEATURE(nouucp,`reject')
define(`confTO_QUEUEWARN', `5m')
dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(relay_hosts_only)
FEATURE(`access_db')dnl
FEATURE(`block_bad_helo')dnl
strider.mc: unmodified: line 1
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
FEATURE(nocanonify)
FEATURE(nouucp,`reject')
define(`confTO_QUEUEWARN', `5m')
dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(relay_hosts_only)
FEATURE(`access_db')dnl
FEATURE(`block_bad_helo')dnl
FEATURE(`badmx')dnl
FEATURE(`greet_pause',`3000')dnl
FEATURE(`require_rdns')dnl
FEATURE(`local_procmail')dnl
FEATURE(`delay_checks')dnl
FEATURE(blacklist_recipients)
GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain')
FEATURE(redirect)
MASQUERADE_AS(`att.net')
MASQUERADE_DOMAIN(`strider.rgmhome.net')
FEATURE(allmasquerade)
FEATURE(masquerade_entire_domain)
FEATURE(masquerade_envelope)
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
FEATURE(local_lmtp)
FEATURE(`accept_unresolvable_domains')
FEATURE(dnsbl, `ipwhois.rfc-ignorant.org',`"550 Mail from "$&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/"')
FEATURE(`enhdnsbl',`bl.spamcop.net',`554 SPAM Blocked; see http://spamcop.net/bl.shtml?$&{client_addr}')
FEATURE(`enhdnsbl',`dnsbl.njabl.org',`"550 Mail from host "$&{client_addr}" delivery refused -- see http://njabl.org/"',`',`127.0.0.2',`127.0.0.4',`127.0.0.8',`127.0.0.9')dnl
FEATURE(`enhdnsbl',`zen.spamhaus.org',`',`',`127.0.0.2',`127.0.0.4',`127.0.0.5',`127.0.0.6',`127.0.0.7',`127.0.0.8',`127.0.0.10',`127.0.0.11')dnl
FEATURE(`enhdnsbl',`cbl.abuseat.org',`',`',`127.0.0.2')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
MAILER(local)
MAILER(smtp)
Cwlocalhost
Cwrgmhome.net
Dmrgmhome.net
Cwrgmhome.homeunix.net
Dmrgmhome.homeunix.net
Cwstrider.homeunix.net
Dmstrider.homeunix.net
define(`confDOMAIN_NAME',`rgmhome.net')


-- 
Bob Nichols         AT comcast.net I am "RNichols42"
0
Reply SEE_SIGNATURE1 (214) 2/19/2013 1:01:34 AM
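
An added example, not code from anyone in this thread: a small check for the ordering rule described above that also reports which `*_MAILER_ARGS` macro the mailer named in SMART_HOST actually reads, and therefore which port the relay connection will use. The mailer-to-macro table follows sendmail's cf/mailer/smtp.m4; the function name `check_smart_host` is hypothetical, the first two samples are trimmed from the .mc files posted here, and the third is constructed.

```python
import re

# Which m4 macro fills the A= (argv) field of each mailer that MAILER(smtp)
# defines, per sendmail's cf/mailer/smtp.m4. Each defaults to `TCP $h' (port 25).
ARGS_MACRO = {
    "smtp": "SMTP_MAILER_ARGS",
    "esmtp": "ESMTP_MAILER_ARGS",
    "smtp8": "SMTP8_MAILER_ARGS",
    "dsmtp": "DSMTP_MAILER_ARGS",
    "relay": "RELAY_MAILER_ARGS",
}

DEFINE_RE = re.compile(r"^define\(\s*`?(\w+)'?\s*,\s*`?(.*?)'?\s*\)")
MAILER_SMTP_RE = re.compile(r"^MAILER\(\s*`?smtp'?\s*\)")

# Trimmed from the .mc first posted in the thread: relay settings after MAILER().
SAMPLE_APPENDED = r"""
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
MAILER(local)
MAILER(smtp)
define(SMART_HOST, smtp:outbound.att.net)
dnl define(RELAY_MAILER, TCP)
define(`RELAY_MAILER_ARGS',`TCP $h 587')
define(`ESMTP_MAILER_ARGS',`TCP $h 587')
"""

# Trimmed from the reordered revision: same settings, moved ahead of MAILER().
SAMPLE_REORDERED = r"""
define(SMART_HOST, smtp:outbound.att.net)
define(`RELAY_MAILER_ARGS',`TCP $h 587')
define(`ESMTP_MAILER_ARGS',`TCP $h 587')
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
MAILER(local)
MAILER(smtp)
"""

# Constructed: SMART_HOST names the relay mailer, whose args carry the port.
SAMPLE_RELAY = r"""
define(`SMART_HOST',`relay:outbound.att.net')dnl
define(`RELAY_MAILER_ARGS',`TCP $h 587')dnl
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
MAILER(local)
MAILER(smtp)
"""


def check_smart_host(mc_text):
    """Return the mailer, host and port the smart host connection will use."""
    effective, late = {}, {}   # defines seen before / after MAILER(smtp)
    smtp_line = None
    for no, raw in enumerate(mc_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("dnl"):          # m4 comment line
            continue
        m = DEFINE_RE.match(line)
        if m:
            target = effective if smtp_line is None else late
            target[m.group(1)] = (m.group(2).strip(), no)
        elif smtp_line is None and MAILER_SMTP_RE.match(line):
            smtp_line = no

    findings = []
    for name, (_value, no) in late.items():
        if name.endswith("_MAILER_ARGS"):
            findings.append(f"line {no}: {name} is defined after MAILER(smtp), "
                            "too late to change that mailer's A= field")
    result = {"mailer": None, "host": None, "args_macro": None,
              "port": None, "findings": findings}
    smart = late.get("SMART_HOST") or effective.get("SMART_HOST")
    if smart is None:
        findings.append("no SMART_HOST defined")
        return result

    mailer, sep, host = smart[0].partition(":")
    if not sep or mailer.startswith("["):
        mailer, host = "relay", smart[0]    # no prefix: the relay mailer is used
    macro = ARGS_MACRO.get(mailer)
    result.update(mailer=mailer, host=host, args_macro=macro)
    if macro is None:
        findings.append(f"mailer '{mailer}' is not one defined by MAILER(smtp)")
        return result

    args = effective.get(macro, ("TCP $h", 0))[0].split()
    result["port"] = args[2] if len(args) > 2 else "25"
    if result["port"] == "25":
        findings.append(f"SMART_HOST uses mailer '{mailer}', which reads {macro}; "
                        "no port is set there, so it connects to port 25")
    return result
```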

Bob:

Thanks.  Believe it or not, the .mc file worked just fine before this,
tho' I must acknowledge a clean-up was long overdue and was on my list
of things to do.

I'll chuck it into place and give it a shot.

Bob Melson

Bob wrote:
> On 02/18/2013 03:47 PM, Bob Melson wrote:
> [deleted]
> 
> You can't just tack things on to the end of sendmail.mc and expect it
> to work.  There is a required ordering.  The general rules (from
> README.cf) are that the order should be:
> 
>     VERSIONID
>     OSTYPE
>     DOMAIN
>     FEATURE
>     local macro definitions
>     MAILER
>     LOCAL_CONFIG
>     LOCAL_RULE_*
>     LOCAL_RULESETS
> 
> But, local macro definitions that affect a FEATURE() should be before
> that feature.
> 
> Everything you have except the "Cw" and "Dm" local ruleset lines needs
> to come _before_ the MAILER declarations.
> 
> But, if you really have a sendmail that was built without STARTTLS
> support, none of this is going to work.  Note that just because you
> don't have the various certs and keys defined to allow sendmail to offer
> STARTTLS on incoming connections (I don't) doesn't mean that it can't
> utilize that feature on an outgoing connection (Mine does).  You can see
> whether "ldd /usr/lib/sendmail" lists "libcrypto.so" as one of the
> libraries.
> 
> Here is a revision of your sendmail.mc with the lines ordered, I
> believe, properly.  Let's see how that works.  (I think I undid all the
> extraneous line wraps.)
> 
> divert(-1)
> include(`/usr/local/share/sendmail/cf/m4/cf.m4')
> dnl include(`/usr/share/sendmail/cf/m4/cf.m4')
> define(`confDEF_USER_ID',``8:14'')
> VERSIONID(`freebsd strider.rgmhome.net')
> dnl Cwstrider.rgmhome.net localhost rgmhome.homeunix.net
> strider.homeunix.net
> OSTYPE(`bsd4.4')
> undefine(`UUCP_RELAY')
> undefine(`BITNET_RELAY')
> define(`confEBINDIR',`/usr/local/libexec')dnl
> dnl define(`confEBINDIR',`/usr/libexec')dnl
> define(RELAY_HOST, relay:outbound.att.net)
> define(SMART_HOST, smtp:outbound.att.net)
> dnl define(RELAY_MAILER, TCP)
> define(`RELAY_MAILER_ARGS',`TCP $h 587')
> define(`ESMTP_MAILER_ARGS',`TCP $h 587')
> FEATURE(virtusertable)
> FEATURE(always_add_domain)
> dnl FEATURE(use_cw_file)
> dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
> FEATURE(nocanonify)
> FEATURE(nouucp,`reject')
> define(`confTO_QUEUEWARN', `5m')
> dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
> LOGIN PLAIN')dnl
> dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> FEATURE(relay_hosts_only)
> FEATURE(`access_db')dnl
> FEATURE(`block_bad_helo')dnl
> strider.mc: unmodified: line 1
> dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
> FEATURE(nocanonify)
> FEATURE(nouucp,`reject')
> define(`confTO_QUEUEWARN', `5m')
> dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
> LOGIN PLAIN')dnl
> dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> FEATURE(relay_hosts_only)
> FEATURE(`access_db')dnl
> FEATURE(`block_bad_helo')dnl
> FEATURE(`badmx')dnl
> FEATURE(`greet_pause',`3000')dnl
> FEATURE(`require_rdns')dnl
> FEATURE(`local_procmail')dnl
> FEATURE(`delay_checks')dnl
> FEATURE(blacklist_recipients)
> GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain')
> FEATURE(redirect)
> MASQUERADE_AS(`att.net')
> MASQUERADE_DOMAIN(`strider.rgmhome.net')
> FEATURE(allmasquerade)
> FEATURE(masquerade_entire_domain)
> FEATURE(masquerade_envelope)
> FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
> FEATURE(local_lmtp)
> FEATURE(`accept_unresolvable_domains')
> FEATURE(dnsbl, `ipwhois.rfc-ignorant.org',`"550 Mail from
> "$&{client_addr} " refused. Rejected for bad WHOIS info on IP of your
> SMTP server - see http://www.rfc-ignorant.org/"')
> FEATURE(`enhdnsbl',`bl.spamcop.net',`554 SPAM Blocked; see
> http://spamcop.net/bl.shtml?$&{client_addr}')
> FEATURE(`enhdnsbl',`dnsbl.njabl.org',`"550 Mail from host
> "$&{client_addr}" delivery refused -- see
> http://njabl.org/"',`',`127.0.0.2',`127.0.0.4',`127.0.0.8',`127.0.0.9')dnl
> FEATURE(`enhdnsbl',`zen.spamhaus.org',`',`',`127.0.0.2',`127.0.0.4',`127.0.0.5',`127.0.0.6',`127.0.0.7',`127.0.0.8',`127.0.0.10',`127.0.0.11')dnl
> 
> FEATURE(`enhdnsbl',`cbl.abuseat.org',`',`',`127.0.0.2')dnl
> INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock,
> F=, T=C:15m;S:4m;R:4m;E:10m')
> define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name},
> {if_name}, {if_addr}')dnl
> define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
> MAILER(local)
> MAILER(smtp)
> Cwlocalhost
> Cwrgmhome.net
> Dmrgmhome.net
> Cwrgmhome.homeunix.net
> Dmrgmhome.homeunix.net
> Cwstrider.homeunix.net
> Dmstrider.homeunix.net
> define(`confDOMAIN_NAME',`rgmhome.net')
> 
> 


-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
Reply amia9018 (43) 2/19/2013 7:16:58 AM

Bob Melson <amia9018@mypacks.net> wrote:
> Robert Nichols wrote:
>> On 02/17/2013 03:20 PM, Bob Melson wrote:
>>> sendmail -d38.20 -Am -v -i -t<<END
>>> ? To: melsonr@earthlink.net
>>> ? Subject: test
>>> ?
>>> ? test
>>> ? END
>>> regex_map_init: mapname 'badmx', args '-a<BADMX>
>>> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
>>> regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
>>> regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
>>> ^(127\.|10\.|0\.0\.0\.0)'
>>> regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
>>> seq_map_parse(aliases.files, )
>>> openmap()    dequote:dequote NULL: valid
>>> openmap()    host:host NULL: valid
>>> getcanonname(earthlink.net), trying dns
>>> getcanonname(earthlink.net), found
>>> melsonr@earthlink.net... Connecting to outbound.att.net via smtp...
>>> melsonr@earthlink.net... Deferred: Operation timed out with
>>> outbound.att.net
>>> closemaps: closing host (NULL)
>>> closemaps: closing dequote (NULL)
>>>
>>> Looking at that and considering all the other evidence, it seems to me
>>> that the problem is a timeout on the connection.  That suggests that
>>> either the port specification is wrong in the authinfo file or that the
>>> connection is being refused because it's not SSL/TLS.  So the questions
>>> appear to be (1) is the port specification correct; if not where should
>>> I specify it: or (2) how to get the SSL/TLS mechanism into sendmail.
>>> I'll have to see what build options for SSL/TLS I have for a new build
>>> of sendmail or see how to get them configured into the existing
>>> sendmail.  BTW, I'm running sendmail 8.14.6 on FreeBSD 8.3/AMD64.
>> 
>> It's a lot easier to use port 587 (submission) than port 465(smtps).  A
>> connection on port 587 starts in the clear and immediately uses STARTTLS
>> to switch to encrypted if the remote server supports that, and sendmail
>> will handle that automagically.  A connection on port 465 must use SSL
>> for the initial connection, and sendmail _cannot_ do that by itself.
>> 
>> If you cannot use port 587 and must use port 465, I can tell you how to
>> do that (it's fairly complex -- uses stunnel to carry the connection),
>> but it certainly shouldn't be your first choice.
>> 
> OK, having tried all the variations suggested WRT port 587, I'm still at
> the point where I get a timeout on the connect to outbound.att.net, as
> shown above
> Here's my .mc file:
> divert(-1)
> include(`/usr/local/share/sendmail/cf/m4/cf.m4')
> dnl include(`/usr/share/sendmail/cf/m4/cf.m4')
> define(`confDEF_USER_ID',``8:14'')
> VERSIONID(`freebsd strider.rgmhome.net')
> dnl Cwstrider.rgmhome.net localhost rgmhome.homeunix.net
> strider.homeunix.net
> OSTYPE(`bsd4.4')
> undefine(`UUCP_RELAY')
> undefine(`BITNET_RELAY')
> define(`confEBINDIR',`/usr/local/libexec')dnl
> dnl define(`confEBINDIR',`/usr/libexec')dnl
> FEATURE(virtusertable)
> FEATURE(always_add_domain)
> dnl FEATURE(use_cw_file)
> dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
> FEATURE(nocanonify)
> FEATURE(nouucp,`reject')
> define(`confTO_QUEUEWARN', `5m')
> dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
> LOGIN PLAIN')dnl
> dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> FEATURE(relay_hosts_only)
> FEATURE(`access_db')dnl
> FEATURE(`block_bad_helo')dnl
> strider.mc: unmodified: line 1
> dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
> FEATURE(nocanonify)
> FEATURE(nouucp,`reject')
> define(`confTO_QUEUEWARN', `5m')
> dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
> LOGIN PLAIN')dnl
> dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> FEATURE(relay_hosts_only)
> FEATURE(`access_db')dnl
> FEATURE(`block_bad_helo')dnl
> FEATURE(`badmx')dnl
> FEATURE(`greet_pause',`3000')dnl
> FEATURE(`require_rdns')dnl
> FEATURE(`local_procmail')dnl
> FEATURE(`delay_checks')dnl
> FEATURE(blacklist_recipients)
> GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain')
> FEATURE(redirect)
> MASQUERADE_AS(`att.net')
> MASQUERADE_DOMAIN(`strider.rgmhome.net')
> FEATURE(allmasquerade)
> FEATURE(masquerade_entire_domain)
> FEATURE(masquerade_envelope)
> FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
> FEATURE(local_lmtp)
> FEATURE(`accept_unresolvable_domains')
> FEATURE(dnsbl, `ipwhois.rfc-ignorant.org',`"550 Mail from "
> $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your
> SMTP server
>  - see http://www.rfc-ignorant.org/"')
> FEATURE(`enhdnsbl',`bl.spamcop.net',`554 SPAM Blocked; see
> http://spamcop.net/bl.shtml?$&{client_addr}')
> FEATURE(`enhdnsbl',`dnsbl.njabl.org',`"550 Mail from host
> "$&{client_addr}" delivery refused -- see
> http://njabl.org/"',`',`127.0.0.2',`127.
> 0.0.4',`127.0.0.8',`127.0.0.9')dnl
> FEATURE(`enhdnsbl',`zen.spamhaus.org',`',`',`127.0.0.2',`127.0.0.4',`127.0.0.5',`127.0.0.6',`127.0.0.7',`127.0.0.8',`127.0.0.10',`127.0.0.11
> ')dnl
> FEATURE(`enhdnsbl',`cbl.abuseat.org',`',`',`127.0.0.2')dnl
> MAILER(local)
> MAILER(smtp)
> Cwlocalhost
> Cwrgmhome.net
> Dmrgmhome.net
> Cwrgmhome.homeunix.net
> Dmrgmhome.homeunix.net
> Cwstrider.homeunix.net
> Dmstrider.homeunix.net
> define(`confDOMAIN_NAME',`rgmhome.net')
> define(RELAY_HOST, relay:outbound.att.net)
> define(SMART_HOST, smtp:outbound.att.net)
> dnl define(RELAY_MAILER, TCP)
> define(`RELAY_MAILER_ARGS',`TCP $h 587')
> define(`ESMTP_MAILER_ARGS',`TCP $h 587')
> INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock,
> F=, T=C:15m;S:4m;R:4m;E:10m')
> define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name},
> {if_name}, {if_addr}')dnl
> define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
> ---- cut and paste didn't work quite as expected; ignore the line wraps,
> please
> And my authinfo/client-info file:
> AuthInfo:outbound.att.net:587 "U:root""I:melson.r@att.net"  "P:my-password"
>
> I get the same connection timeout for port 465, which I suppose
> shouldn't be surprising since I don't have STARTTLS configured into
> sendmail.  Whatever, I'm now officially at my wit's end.
>
> I very much appreciate the help you and Andrzej have given up to this
> point but have to wonder where we go from here as nothing suggested
> seems to have worked.

Besides correcting the sequence of mc lines (as suggested in another reply):

Part to replace:
define(RELAY_HOST, relay:outbound.att.net)
define(SMART_HOST, smtp:outbound.att.net)
dnl define(RELAY_MAILER, TCP)
define(`RELAY_MAILER_ARGS',`TCP $h 587')
define(`ESMTP_MAILER_ARGS',`TCP $h 587')

New Part:
define(`SMART_HOST', `relay:outbound.att.net')
define(`RELAY_MAILER_ARGS',`TCP $h 587')

[You have used unmodified smtp mailer ("smtp" mailer != "esmtp" mailer)]

P.S.
Your mc file does require cleanup anyway.
0
Reply anfi2 (1425) 2/19/2013 8:59:49 AM

Gents,

I really am grateful for your help and interest.  Unfortunately,
however, nothing seems to work and, in fact, Bob Nichols' "revised" .mc
file broke the email system completely (nothing in, nothing out).  So,
for the moment, I'm going to shelve this and maybe come back to it at a
later date.

Many sincere thanks for your help.

Bob Melson


-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
Reply amia9018 (43) 2/19/2013 5:37:45 PM

Bob Melson <amia9018@mypacks.net> wrote:
> I really am grateful for your help and interest.  Unfortunately,
> however, nothing seems to work and, in fact, Bob Nichols' "revised" .mc
> file broke the email system completely (nothing in, nothing out).  So,
> for the moment, I'm going to shelve this and maybe come back to it at a
> later date.

Have you tried to merely replace smtp mailer with relay mailer in SMART_HOST?
0
Reply anfi2 (1425) 2/19/2013 6:51:33 PM

On 02/19/2013 11:37 AM, Bob Melson wrote:
> I really am grateful for your help and interest.  Unfortunately,
> however, nothing seems to work and, in fact, Bob Nichols' "revised" .mc
> file broke the email system completely (nothing in, nothing out).  So,
> for the moment, I'm going to shelve this and maybe come back to it at a
> later date.

Looking back at that file, I find that I missed several places that the
line wrapping in what you had posted incorrectly broke, or in some cases
_joined_ lines.  Sorry about that.  If you can post or send me an
uncorrupted copy of the file, I can try again.

-- 
Bob Nichols         AT comcast.net I am "RNichols42"
0
Reply SEE_SIGNATURE1 (214) 2/19/2013 10:15:43 PM

Andrzej Adam Filip wrote:
> Bob Melson <amia9018@mypacks.net> wrote:
>> I really am grateful for your help and interest.  Unfortunately,
>> however, nothing seems to work and, in fact, Bob Nichols' "revised" .mc
>> file broke the email system completely (nothing in, nothing out).  So,
>> for the moment, I'm going to shelve this and maybe come back to it at a
>> later date.
> 
> Have you tried to merely replace smtp mailer with relay mailer in SMART_HOST?
> 
Yes, with no effect.

What seems to be the case is that I can reach the outbound server but am
failing to authenticate.  That's why I went chasing the SASL and STARTTLS
rabbit.  From everything I've seen after googling for all possible
combinations of smart_host/client/authentication, it should be a piece
of cake .. except it isn't.  All the setups that work seem to go to port
587, while my provider insists on 465 and, in my innocence, I suspect
that's at the root of the problem.  Their tech support is unable to help
and I refuse to go to the pay-for-support site/service recommended
because it's both expensive and unreliable.

Thank you once again for trying to help.  I genuinely appreciate it.

Bob Melson

-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
Reply amia9018 (43) 2/19/2013 10:23:51 PM

Robert Nichols wrote:
> On 02/19/2013 11:37 AM, Bob Melson wrote:
>> I really am grateful for your help and interest.  Unfortunately,
>> however, nothing seems to work and, in fact, Bob Nichols' "revised" .mc
>> file broke the email system completely (nothing in, nothing out).  So,
>> for the moment, I'm going to shelve this and maybe come back to it at a
>> later date.
> 
> Looking back at that file, I find that I missed several places that the
> line wrapping in what you had posted incorrectly broke, or in some cases
> _joined_ lines.  Sorry about that.  If you can post or send me an
> uncorrupted copy of the file, I can try again.
> 

Bob,

I really do appreciate all the help you've given.  I'll forward a copy
of the .mc to your email address, tho' I expect it'll make little to no
difference.  As I told Andrzej in reply to his last, I can get to the
outbound server on the *required* port 465 but am failing to
authenticate.  All the successful solutions I've found by googling for
all combinations of smart_host/authentication/client/sendmail appear to
be going to port 587, which my ISP doesn't seem to accept.  So the
problem would appear to be one of authentication.

After a last swing, I really am going to hang it up and accept what I
have - outbound from seamonkey-mailer, inbound as a pulldown using
fetchmail/sendmail/procmail.

Bob Melson

-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
Reply amia9018 (43) 2/19/2013 10:46:50 PM

Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>> Bob Melson <amia9018@mypacks.net> wrote:
>>> I really am grateful for your help and interest.  Unfortunately,
>>> however, nothing seems to work and, in fact, Bob Nichols' "revised" .mc
>>> file broke the email system completely (nothing in, nothing out).  So,
>>> for the moment, I'm going to shelve this and maybe come back to it at a
>>> later date.
>> 
>> Have you tried to merely replace smtp mailer with relay mailer in SMART_HOST?
>> 
> Yes, with no effect.
>
> What seems to be the case is that I can reach the outbound server but am
> failing to authenticate.  That's why I went chasing the SASL and STARTTLS
> rabbit.  From everything I've seen after googling for all possible
> combinations of smart_host/client/authentication, it should be a piece
> of cake .. except it isn't.  All the setups that work seem to go to port
> 587, while my provider insists on 465 and, in my innocence, I suspect
> that's at the root of the problem.  Their tech support is unable to help
> and I refuse to go to the pay-for-support site/service recommended
> because it's both expensive and unreliable.
>
> Thank you once again for trying to help.  I genuinely appreciate it.

Make sendmail send a test message in verbose mode to port 587 using the
script I have posted already.

Try to locate the next problem. The script should show:
* transcript of SMTP session (before and after STARTTLS)
* authinfo map lookup(s)
0
Reply anfi2 (1425) 2/19/2013 10:47:46 PM

Andrzej Adam Filip wrote:
> Bob Melson <amia9018@mypacks.net> wrote:
>> Andrzej Adam Filip wrote:
>>> Bob Melson <amia9018@mypacks.net> wrote:
>>>> I really am grateful for your help and interest.  Unfortunately,
>>>> however, nothing seems to work and, in fact, Bob Nichols' "revised" .mc
>>>> file broke the email system completely (nothing in, nothing out).  So,
>>>> for the moment, I'm going to shelve this and maybe come back to it at a
>>>> later date.
>>>
>>> Have you tried to merely replace smtp mailer with relay mailer in SMART_HOST?
>>>
>> Yes, with no effect.
>>
>> What seems to be the case is that I can reach the outbound server but am
>> failing to authenticate.  That's why I went chasing the SASL and STARTTLS
>> rabbit.  From everything I've seen after googling for all possible
>> combinations of smart_host/client/authentication, it should be a piece
>> of cake .. except it isn't.  All the setups that work seem to go to port
>> 587, while my provider insists on 465 and, in my innocence, I suspect
>> that's at the root of the problem.  Their tech support is unable to help
>> and I refuse to go to the pay-for-support site/service recommended
>> because it's both expensive and unreliable.
>>
>> Thank you once again for trying to help.  I genuinely appreciate it.
> 
> Make sendmail send a test message in verbose mode to port 587 using the
> script I have posted already.
> 
> Try to locate the next problem. The script should show:
> * transcript of SMTP session (before and after STARTTLS)
> * authinfo map lookup(s)
> 
OK - here's the session transcript:
sendmail -d38.20 -Am -v -i -t <<END
? To:melsonr@earthlink.net
? Subject:testing
?
? test
? END
regex_map_init: mapname 'badmx', args '-a<BADMX> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP> ^(127\.|10\.|0\.0\.0\.0)'
regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
seq_map_parse(aliases.files, )
openmap()	dequote:dequote NULL: valid
openmap()	host:host NULL: valid
getcanonname(earthlink.net), trying dns
getcanonname(earthlink.net), found
melsonr@earthlink.net... Connecting to outbound.att.net via relay...
220 smtp107.sbc.mail.mud.yahoo.com ESMTP
>>> EHLO rgmhome.net
250-smtp107.sbc.mail.mud.yahoo.com
250-AUTH LOGIN PLAIN XYMCOOKIE
250-PIPELINING
250-SIZE 41697280
250 8BITMIME
openmap()	macro:macro NULL: valid
macro_map_lookup(macro, {TLS_Name})
hash_map_open(access, /etc/mail/access, 0)
openmap()	hash:access /etc/mail/access: valid
db_map_lookup(access, TLS_Srv:outbound.att.net)
db_map_lookup(access, TLS_Srv:att.net)
db_map_lookup(access, TLS_Srv:net)
db_map_lookup(access, TLS_Srv:68.142.198.51)
db_map_lookup(access, TLS_Srv:68.142.198)
db_map_lookup(access, TLS_Srv:68.142)
db_map_lookup(access, TLS_Srv:68)
db_map_lookup(access, TLS_Srv:)
hash_map_open(authinfo, /etc/mail/authinfo, 0)
openmap()	hash:authinfo /etc/mail/authinfo: valid
db_map_lookup(authinfo, AuthInfo:outbound.att.net)
db_map_lookup(authinfo, AuthInfo:68.142.198.51)
db_map_lookup(authinfo, AuthInfo:)
>>> MAIL From:<root@att.net> SIZE=47
530 authentication required - for help go to http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
switch_map_open(aliases, aliases, 0)
	switch_map_find => 1
		files
	map_stack[0] = sequence:aliases.files
openmap()	switch:aliases aliases: valid
seq_map_lookup(aliases, root)
openmap()	sequence:aliases.files NULL: valid
seq_map_lookup(aliases.files, root)
impl_map_open(Alias0, /etc/mail/aliases, 0)
hash_map_open(Alias0, /etc/mail/aliases, 0)
impl_map_lookup(Alias0, @)
db_map_lookup(Alias0, @)
openmap()	implicit:Alias0 /etc/mail/aliases: valid
impl_map_lookup(Alias0, root)
db_map_lookup(Alias0, root)
/root/dead.letter... Saved message in /root/dead.letter
Closing connection to outbound.att.net
>>> QUIT
221 Service Closing transmission
closemaps: closing aliases.files (NULL)
closemaps: closing authinfo (/etc/mail/authinfo)
db_map_close(authinfo, /etc/mail/authinfo, 1000321)
closemaps: closing Alias0 (/etc/mail/aliases)
impl_map_close(Alias0, /etc/mail/aliases, 10012a3)
db_map_close(Alias0, /etc/mail/aliases, 10012a3)
closemaps: closing access (/etc/mail/access)
db_map_close(access, /etc/mail/access, 1000321)
closemaps: closing host (NULL)
closemaps: closing aliases (aliases)
closemaps: closing dequote (NULL)
closemaps: closing macro (NULL)



-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
Reply amia9018 (43) 2/19/2013 11:02:31 PM

Bob Melson <amia9018@mypacks.net> wrote:
> [...]
> melsonr@earthlink.net... Connecting to outbound.att.net via relay...
> 220 smtp107.sbc.mail.mud.yahoo.com ESMTP
> >>> EHLO rgmhome.net
> 250-smtp107.sbc.mail.mud.yahoo.com
> 250-AUTH LOGIN PLAIN XYMCOOKIE
> 250-PIPELINING
> 250-SIZE 41697280
> 250 8BITMIME
> [...]
> >>> MAIL From:<root@att.net> SIZE=47
> 530 authentication required - for help go to
> http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
> [...]

The remote host:
a) does not offer STARTTLS (switching to encrypted connection)
b) offers SMTP AUTH methods [LOGIN PLAIN] sendmail is unwilling
   (in default configurations) to use over not encrypted connections

You can force sendmail to send password in "plain text" but trying SMTPS
based sending would be a better choice in this case.

How many messages per day do you expect to send out?

BTW att.net in "MAIL From:<root@att.net>" is the right domain?
0
Reply anfi2 (1425) 2/19/2013 11:57:22 PM
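
The reading of the EHLO reply given in the post above can be checked mechanically. The following is an added example, not part of the thread: it parses a sendmail -v transcript (constructed here from the session quoted above) and reports whether STARTTLS is offered, which AUTH mechanisms the client and server share, and whether the client ever sent AUTH. The function names are hypothetical, and the client mechanism list is taken from the confAUTH_MECHANISMS line quoted earlier in the thread.

```python
import re

# Constructed from the -v session quoted in the thread: server replies and
# ">>>" client commands only, map-lookup debug lines left out.
TRANSCRIPT = """\
220 smtp107.sbc.mail.mud.yahoo.com ESMTP
>>> EHLO rgmhome.net
250-smtp107.sbc.mail.mud.yahoo.com
250-AUTH LOGIN PLAIN XYMCOOKIE
250-PIPELINING
250-SIZE 41697280
250 8BITMIME
>>> MAIL From:<root@att.net> SIZE=47
530 authentication required - for help go to
>>> QUIT
221 Service Closing transmission
"""

# Mechanisms that put the password on the wire merely base64-encoded.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
# Client-side list, from the confAUTH_MECHANISMS line quoted in the thread.
CLIENT_MECHS = {"EXTERNAL", "GSSAPI", "DIGEST-MD5", "CRAM-MD5", "LOGIN", "PLAIN"}


def parse_ehlo(transcript):
    """Return {KEYWORD: [params]} from the 250 reply that follows '>>> EHLO'."""
    caps, state = {}, "idle"
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith(">>> EHLO"):
            state = "greeting"
            continue
        if state == "idle":
            continue
        m = re.match(r"250([ -])(.*)$", line)
        if not m:
            break                      # anything else ends the EHLO reply
        if state == "caps":
            words = m.group(2).split()
            if words:
                caps[words[0].upper()] = [w.upper() for w in words[1:]]
        state = "caps"                 # the first 250 line is the greeting
        if m.group(1) == " ":
            break                      # "250 " (space) marks the last line
    return caps


def assess(transcript, client_mechs=CLIENT_MECHS):
    """Summarise what the session allows and what actually happened."""
    caps = parse_ehlo(transcript)
    lines = [l.strip() for l in transcript.splitlines()]
    offered = set(caps.get("AUTH", []))
    common = offered & set(client_mechs)
    starttls = "STARTTLS" in caps
    auth_sent = any(l.startswith(">>> AUTH") for l in lines)
    refused = any(l.startswith("530 ") for l in lines)

    findings = []
    if not starttls:
        findings.append("STARTTLS not offered: the session stays unencrypted")
    if not common:
        findings.append("no AUTH mechanism shared by client and server")
    elif common <= CLEARTEXT_MECHS and not starttls:
        findings.append("only shared mechanisms are %s: the password would "
                        "be sent base64-encoded, not encrypted"
                        % "/".join(sorted(common)))
    if refused and not auth_sent:
        findings.append("client never sent AUTH; MAIL was refused with 530")
    return {"starttls": starttls, "offered": offered, "common": common,
            "auth_sent": auth_sent, "findings": findings}


if __name__ == "__main__":
    for finding in assess(TRANSCRIPT)["findings"]:
        print("-", finding)
```
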

Bob Melson <amia9018@mypacks.net> wrote:
> [...]
> melsonr@earthlink.net... Connecting to outbound.att.net via relay...
> 220 smtp107.sbc.mail.mud.yahoo.com ESMTP
> >>> EHLO rgmhome.net
> 250-smtp107.sbc.mail.mud.yahoo.com
> 250-AUTH LOGIN PLAIN XYMCOOKIE
> 250-PIPELINING
> 250-SIZE 41697280
> 250 8BITMIME
> [...]
> db_map_lookup(authinfo, AuthInfo:outbound.att.net)
> db_map_lookup(authinfo, AuthInfo:68.142.198.51)
> db_map_lookup(authinfo, AuthInfo:)
> >>> MAIL From:<root@att.net> SIZE=47
> 530 authentication required - for help go to
> http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
> [...]

Remove :465 from your authinfo entry (as reported in the opening post):
outbound.mail.ISP:465 "I:my-id" "P:password"
0
Reply anfi2 (1425) 2/20/2013 1:05:52 AM

Andrzej Adam Filip wrote:

> The remote host:
> a) does not offer STARTTLS (switching to encrypted connection)
> b) offers SMTP AUTH methods [LOGIN PLAIN] sendmail is unwilling
>    (in default configurations) to use over not encrypted connections
> 
> You can force sendmail to send password in "plain text" but trying SMTPS
> based sending would be a better choice in this case.
> 
> How many messages per day do you expect to send out?
> 
> BTW att.net in "MAIL From:<root@att.net>" is the right domain?
> 

How many emails?  Probably somewhere between 20-40 on a heavy day.  This
is a home account and traffic is really variable but on the low side.

SMTPS?  Huh?  Seems this is deprecated, from what I just read.

In reply to your later message (remove 465 from authinfo), I did so,
with no effect when sending a message.  The remote system either
complains because of no authentication or just resets the connection.


-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
Reply amia9018 (43) 2/20/2013 1:50:38 AM

Bob Melson <amia9018@mypacks.net> wrote:
> [...]
> In reply to your later message (remove 465 from authinfo), I did so,
> with no effect when sending a message.  The remote system either
> complains because of no authentication or just resets the connection.

<quote>
db_map_lookup(authinfo, AuthInfo:outbound.att.net)
db_map_lookup(authinfo, AuthInfo:68.142.198.51)
db_map_lookup(authinfo, AuthInfo:)
</quote>

1) Sendmail looks for "AuthInfo:outbound.att.net" key in authinfo map
2) It does not find the value/entry because it asks later for
   "AuthInfo:68.142.198.51" and  "AuthInfo:"
=> correct the authinfo entry
0
Reply anfi2 (1425) 2/20/2013 10:08:20 AM
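
The key mismatch described in the post above can be reproduced offline. The following is an added example, not part of the thread: it replays the lookup order visible in the -d38.20 trace (hostname, then IP address, then the empty default key) against authinfo source text and reports why nothing matches. The sample entries are constructed with placeholder credentials, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the entry posted in the thread; the
# identity and password are placeholders, not real credentials.
AUTHINFO_WITH_PORT = (
    'AuthInfo:outbound.att.net:587 "U:root" "I:user@example.net" "P:my-password"\n'
)
AUTHINFO_FIXED = (
    'AuthInfo:outbound.att.net "U:root" "I:user@example.net" "P:my-password"\n'
)

# One right-hand-side field: a quoted string holding tag, ':' and the value.
FIELD_RE = re.compile(r'"([A-Z]):([^"]*)"')


def parse_authinfo(text):
    """Parse makemap source text into {key: {tag: value}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1] if len(parts) > 1 else ""
        entries[parts[0]] = dict(FIELD_RE.findall(value))
    return entries


def lookup_sequence(hostname, ip):
    """Keys in the order the trace in the thread shows them being tried."""
    return [f"AuthInfo:{hostname}", f"AuthInfo:{ip}", "AuthInfo:"]


def resolve(entries, hostname, ip):
    """Return (key, fields) for the first key that exists, else (None, None)."""
    for key in lookup_sequence(hostname, ip):
        if key in entries:
            return key, entries[key]
    return None, None


def diagnose(entries, hostname, ip):
    """Explain why a lookup fails, or which required field is missing."""
    wanted = lookup_sequence(hostname, ip)
    key, fields = resolve(entries, hostname, ip)
    findings = []
    if key is None:
        findings.append("no entry under any of: " + ", ".join(wanted))
        for have in entries:
            for want in wanted[:2]:
                suffix = have[len(want) + 1:]
                if have.startswith(want + ":") and suffix.isdigit():
                    findings.append(
                        f"{have} carries a ':{suffix}' port suffix; "
                        f"the key looked up is {want}"
                    )
        return findings
    # cf/README: a user id (U) or authentication id (I) and a password (P)
    # must be present; the other tags have defaults.
    if "U" not in fields and "I" not in fields:
        findings.append(f"{key}: neither U: nor I: is set")
    if "P" not in fields:
        findings.append(f"{key}: P: (password) is missing")
    return findings


if __name__ == "__main__":
    host, ip = "outbound.att.net", "68.142.198.51"   # values from the trace
    for label, text in (("with port", AUTHINFO_WITH_PORT),
                        ("fixed", AUTHINFO_FIXED)):
        entries = parse_authinfo(text)
        print(label, "->", resolve(entries, host, ip)[0])
        for finding in diagnose(entries, host, ip):
            print("  -", finding)
```
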

Andrzej Adam Filip wrote:
> Bob Melson <amia9018@mypacks.net> wrote:
>> [...]
>> In reply to your later message (remove 465 from authinfo), I did so,
>> with no effect when sending a message.  The remote system either
>> complains because of no authentication or just resets the connection.
> 
> <quote>
> db_map_lookup(authinfo, AuthInfo:outbound.att.net)
> db_map_lookup(authinfo, AuthInfo:68.142.198.51)
> db_map_lookup(authinfo, AuthInfo:)
> </quote>
> 
> 1) Sendmail looks for "AuthInfo:outbound.att.net" key in authinfo map
> 2) It does not find the value/entry because it asks later for
>    "AuthInfo:68.142.198.51" and  "AuthInfo:"
> => correct the authinfo entry
> 

That's the address AT&T specified.

The problem, I think, is twofold:  first, that port 587 doesn't offer
STARTTLS authentication and, second, that they (AT&T) are relying on the
use of XYMCOOKIE on port 465 - and that's a Yahoo "special" feature for
mail security.

This is not, as it turns out, a problem with a simple solution.

With my most sincere thanks to you and Bob Nichols, I'm going to drop it
for now and take the issue up with AT&T and, if I fail to get what I
consider an acceptable resolution, will return to my previous ISP.

Thanks very much once again.

Bob Melson

-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
Reply amia9018 (43) 2/20/2013 4:44:58 PM

Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>> Bob Melson <amia9018@mypacks.net> wrote:
>>> [...]
>>> In reply to your later message (remove 465 from authinfo), I did so,
>>> with no effect when sending a message.  The remote system either
>>> complains because of no authentication or just resets the connection.
>> 
>> <quote>
>> db_map_lookup(authinfo, AuthInfo:outbound.att.net)
>> db_map_lookup(authinfo, AuthInfo:68.142.198.51)
>> db_map_lookup(authinfo, AuthInfo:)
>> </quote>
>> 
>> 1) Sendmail looks for "AuthInfo:outbound.att.net" key in authinfo map
>> 2) It does not find the value/entry because it asks later for
>>    "AuthInfo:68.142.198.51" and  "AuthInfo:"
>> => correct the authinfo entry
>> 
>
> That's the address AT&T specified.
>
> The problem, I think, is twofold:  
> first, that port 587 doesn't offer STARTTLS authentication 

STARTTLS is not authentication, it is encryption.

> and, second, that they (AT&T) are relying on the use of XYMCOOKIE on
> port 465 - and that's a Yahoo "special" feature for mail security.
>
> This is not, as it turns out, a problem with a simple solution.
>
> With my most sincere thanks to you and Bob Nichols, I'm going to drop it
> for now and take the issue up with AT&T and, if I fail to get what I
> consider an acceptable resolution, will return to my previous ISP.

As I understand the debug output you provided:
Your sendmail 
1) makes connection to outbound.att.net:587
2) searches for authinfo data to use in PLAIN or LOGIN authentications
3) does not try to authenticate because it finds no appropriate entry
0
Reply anfi2 (1425) 2/20/2013 6:05:01 PM

Andrzej Adam Filip wrote:

> As I understand the debug output you provided:
> Your sendmail 
> 1) makes connection to outbound.att.net:587
> 2) searches for authinfo data to use in PLAIN or LOGIN authentications
> 3) does not try to authenticate because it finds no appropriate entry
> 
That's pretty much it.  outbound:587 provides LOGIN PLAIN and XYMCOOKIE,
outbound:465 just sits there and does nothing (this on a telnet session
to outbound on each of the ports).  Since AT&T *requires* use of 465,
anything further would appear to be pretty much a case of spinning
my/our wheels.  I don't like it - it seems far too restrictive at the
very least - but I also don't like to go tilting at windmills, either.
(I do understand that STARTTLS is an encryption method - X.509, IIRC -
but its absence on outbound hints that there can be no secure password
exchange and, by extension, no connect.)

Once again, thanks for your help.  I've learned a lot (and relearned
much I had forgotten!).  I'll just have to be satisfied with what I have.

Bob Melson


-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
Reply amia9018 (43) 2/20/2013 6:23:23 PM

Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>
>> As I understand the debug output you provided:
>> Your sendmail 
>> 1) makes connection to outbound.att.net:587
>> 2) searches for authinfo data to use in PLAIN or LOGIN authentications
>> 3) does not try to authenticate because it finds no appropriate entry
>> 
> That's pretty much it.  outbound:587 provides LOGIN PLAIN and XYMCOOKIE,
> outbound:465 just sits there and does nothing (this on a telnet session
> to outbound on each of the ports).

Outbound:465 wants you to start SSL negotiation/session.

On Linux/Debian there is a telnet-ssl package providing a telnet client
implementation capable of (also) establishing an SSL session.

> Since AT&T *requires* use of 465, anything further would appear to be
> pretty much a case of spinning my/our wheels.
>  I don't like it - it seems far too restrictive at the very least -
> but I also don't like to go tilting at windmills, either.  (I do
> understand that STARTTLS is an encryption method - X.509, IIRC - but
> its absence on outbound hints that there can be no secure password
> exchange and, by extension, no connect.)
> Once again, thanks for your help.  I've learned a lot (and relearned
> much I had forgotten!).  I'll just have to be satisfied with what I have.

Do you have openssl program installed?
YES=> you can make sendmail use openssl in a new custom mailer definition
to handle the smtps connection. [It seems to be an acceptable solution for <100
outgoing messages per day].
Test command:
openssl s_client -verify 2 -ssl3 -quiet -connect outbound.att.net:465

Another option may be (transparent) stunnel proxy.

0
Reply anfi2 (1425) 2/20/2013 7:40:35 PM

Andrzej Adam Filip wrote:
> Bob Melson <amia9018@mypacks.net> wrote:
>> Andrzej Adam Filip wrote:
>>
>>> As I understand the debug output you provided:
>>> Your sendmail 
>>> 1) makes connection to outbound.att.net:587
>>> 2) searches for authinfo data to use in PLAIN or LOGIN authentications
>>> 3) does not try to authenticate because it finds no appropriate entry
>>>
>> That's pretty much it.  outbound:587 provides LOGIN PLAIN and XYMCOOKIE,
>> outbound:465 just sits there and does nothing (this on a telnet session
>> to outbound on each of the ports).
> 
> Outbound:465 wants you to start SSL negotiation/session.
> 
> On Linux/Debian there is a telnet-ssl package providing a telnet client
> implementation capable of (also) establishing an SSL session.
> 
>> Since AT&T *requires* use of 465, anything further would appear to be
>> pretty much a case of spinning my/our wheels.
>>  I don't like it - it seems far too restrictive at the very least -
>> but I also don't like to go tilting at windmills, either.  (I do
>> understand that STARTTLS is an encryption method - X.509, IIRC - but
>> its absence on outbound hints that there can be no secure password
>> exchange and, by extension, no connect.)
>> Once again, thanks for your help.  I've learned a lot (and relearned
>> much I had forgotten!).  I'll just have to be satisfied with what I have.
> 
> Do you have openssl program installed?
> YES=> you can make sendmail use openssl in a new custom mailer definition
> to handle the smtps connection. [It seems to be an acceptable solution for <100
> outgoing messages per day].
> Test command:
> openssl s_client -verify 2 -ssl3 -quiet -connect outbound.att.net:465
> 
> Another option may be (transparent) stunnel proxy.
> 
openssl is installed but not configured, i.e., no local certificate.

strider# openssl s_client -verify 2 -ssl3 -quiet -connect
outbound.att.net:465
verify depth is 2
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
verify error:num=27:certificate not trusted
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server
CA - G3
verify return:1
depth=0 /C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net
Mail/CN=outbound.att.net
verify return:1
220 smtp111.sbc.mail.mud.yahoo.com ESMTP


-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
Reply amia9018 (43) 2/20/2013 8:01:33 PM
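
In the transcript above, s_client logs verify errors 20 and 27 at depth 2 and still reaches the 220 banner, because `-verify 2` only reports chain problems and carries on. The following is an added example, not part of the original post: it pulls those errors out of captured s_client output and shows a fail-closed form of the test command. The sample log is constructed from the transcript (subject names shortened), and the CA bundle path and function names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread.

# Constructed sample: the verify lines posted above, with long subject
# names shortened to "...".
sample_verify_log() {
cat <<'EOF'
verify depth is 2
depth=2 /C=US/O=VeriSign, Inc./.../CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 /C=US/O=VeriSign, Inc./.../CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=27:certificate not trusted
verify return:1
depth=1 /C=US/O=VeriSign, Inc./.../CN=VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 /C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net Mail/CN=outbound.att.net
verify return:1
220 smtp111.sbc.mail.mud.yahoo.com ESMTP
EOF
}

# Print one "depth:num:reason" line for each verify error read from stdin.
verify_errors() {
  awk '
    /^depth=[0-9]+/ { split($1, d, "="); depth = d[2]; next }
    /^verify error:num=[0-9]+:/ {
      rest = $0
      sub(/^verify error:num=/, "", rest)
      print depth ":" rest
    }'
}

# Return 0 if the log on stdin has no verify errors; otherwise list them on
# stderr and return 75 (EX_TEMPFAIL in sysexits.h, which sendmail treats as
# a temporary failure).
chain_status() {
  errs=$(verify_errors)
  if [ -z "$errs" ]; then
    return 0
  fi
  printf '%s\n' "$errs" >&2
  return 75
}

# Assumption: path of the system CA bundle; override with CA_FILE=...
CA_FILE=${CA_FILE:-/etc/ssl/cert.pem}

# Fail-closed form of the test command. -verify_return_error aborts the
# handshake on a chain error, -verify_hostname checks the certificate name.
# -ssl3 is left out: SSLv3 is deprecated by RFC 7568.
smtps_probe() {
  case $1 in
    ''|-*|*[!A-Za-z0-9.-]*) return 64 ;;   # EX_USAGE: not a plain host name
  esac
  openssl s_client -quiet -connect "$1:465" -servername "$1" \
    -CAfile "$CA_FILE" -verify_return_error -verify_hostname "$1" \
    2>/dev/null || return 75
}

# Demo on the constructed sample (no network access needed).
sample_verify_log | verify_errors
```

Errors 20 and 27 at the root usually mean that no CA bundle was given to s_client, which is what `-CAfile` supplies here.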

Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>> Bob Melson <amia9018@mypacks.net> wrote:
>>> Andrzej Adam Filip wrote:
>>>
>>>> As I understand the debug output you provided:
>>>> Your sendmail 
>>>> 1) makes connection to outbound.att.net:587
>>>> 2) searches for authinfo data to use in PLAIN or LOGIN authentications
>>>> 3) does not try to authenticate because it finds no appropriate entry
>>>>
>>> That's pretty much it.  outbound:587 provides LOGIN PLAIN and XYMCOOKIE,
>>> outbound:465 just sits there and does nothing (this on a telnet session
>>> to outbound on each of the ports.  
>> 
>> Outbound:465 wants you to start SSL negotiation/session.
>> 
>> On Linux/Debian there is telnet-ssl package providing telnet client
>> implementation capable to (also) establish SSL session. 
>> 
>>> Since AT&T *requires* use of 465, anything further would appear to be
>>> pretty much a case of spinning my/our wheels.
>>>  I don't like it - it seems far too restrictive at the very least -
>>> but I also don't like to go tilting at windmills, either.  (I do
>>> understand that STARTTLS is an encryption method - X.509, IIRC - but
>>> its absence on outbound hints that there can be no secure password
>>> exchange and, by extension, no connect.)
>>> Once again, thanks for your help.  I've learned a lot (and relearned
>>> much I had forgotten!).  I'll just have to be satisfied with what I have.
>> 
>> Do you have openssl program installed?
>> YES=> you can make sendmail use openssl in new custom mailer definition
>> to handle smtps connection. [It seems to be acceptable solution for <100
>> outgoing messages per day].
>> Test command:
>> openssl s_client -verify 2 -ssl3 -quiet -connect outbound.att.net:465
>> 
>> Another option may be (transparent) stunnel proxy.
>> 
> openssl is installed but not configured, i.e., no local certificate.
>
> strider# openssl s_client -verify 2 -ssl3 -quiet -connect
> outbound.att.net:465
> verify depth is 2
> depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
> Primary Certification Authority - G5
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
> Primary Certification Authority - G5
> verify error:num=27:certificate not trusted
> verify return:1
> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server
> CA - G3
> verify return:1
> depth=0 /C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net
> Mail/CN=outbound.att.net
> verify return:1
> 220 smtp111.sbc.mail.mud.yahoo.com ESMTP

1) create openssl wrapper script named e.g. /usr/local/bin/smtps
It is needed to ignore STDERR output and change exit codes as sendmail likes

#!/bin/sh
/usr/bin/openssl  s_client -verify 2 -ssl3 -quiet -connect $1:465 2>/dev/null || exit 75

2) Get esmtp mailer definition from your sendmail.cf

echo =M | sendmail -bt | grep esmtp

3) Insert it after MAILER_DEFINITIONS line in your sendmail.mc with the
following changes
3a) change mailer name to smtps 
Mesmtp -> Msmtps
3b) change mailer part to your openssl wrapper script
P=[IPC] -> P=/usr/local/bin/smtps
3c) change arguments
A=TCP $h -> A=smtps $h

4) make SMART_HOST use smtps mailer
define(`SMART_HOST',`smtps:outbound.att.net')

P.S.
A) Check elsewhere if openssl options are right/safe.
   I am not openssl expert.
B) It is a quick&dirty initial implementation [working prototype]
   [I may write clean cf/mailer/smtps.m4 in a few weeks]
0
Reply anfi2 (1425) 2/20/2013 9:18:43 PM
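
Steps 2 to 4 above, applied mechanically, as an added example that is not part of the original post. It reads the esmtp definition from sendmail.cf text rather than from test mode (an assumption), and the sample definition and function names are constructed, so take flags and rulesets from your own cf file.

```sh
#!/bin/sh
# Added example, not code from the thread.

# Constructed sample: three mailer definitions in sendmail.cf syntax.
# Flags and rulesets differ between sendmail versions.
sample_cf() {
cat <<'EOF'
Msmtp,          P=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
                T=DNS/RFC822/SMTP,
                A=TCP $h
Mesmtp,         P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
                T=DNS/RFC822/SMTP,
                A=TCP $h
Msmtp8,         P=[IPC], F=mDFMuX8, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
                T=DNS/RFC822/SMTP,
                A=TCP $h
EOF
}

# Step 2 (variant): print the definition of mailer $1 from cf text on stdin,
# including its whitespace-indented continuation lines.
extract_mailer() {
  awk -v name="$1" '
    index($0, "M" name ",") == 1 { keep = 1; print; next }
    keep && /^[ \t]/             { print; next }
                                 { keep = 0 }'
}

# Steps 3a-3c: rename the mailer, point P= at the wrapper ($1), change A=.
esmtp_to_smtps() {
  sed -e 's/^Mesmtp,/Msmtps,/' \
      -e "s|P=\[IPC]|P=$1|" \
      -e 's/A=TCP \$h/A=smtps $h/'
}

# Steps 3 and 4: the lines to add to sendmail.mc.
# $1 = wrapper path, $2 = smart host; cf text on stdin.
mc_fragment() {
  printf "define(\`SMART_HOST',\`smtps:%s')\n" "$2"
  echo 'MAILER_DEFINITIONS'
  extract_mailer esmtp | esmtp_to_smtps "$1"
}

# Demo on the constructed sample.
sample_cf | mc_fragment /usr/local/bin/smtps outbound.att.net
```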

Andrzej Adam Filip wrote:

> 1) create openssl wrapper script named e.g. /usr/local/bin/smtps
> It is needed to ignore STDERR output and change exit codes as sendmail likes
> 
> #!/bin/sh
> /usr/bin/openssl  s_client -verify 2 -ssl3 -quiet -connect $1:465 2>/dev/null || exit 75
> 
> 2) Get esmtp mailer definition from your sendmail.cf
> 
> echo =M | sendmail -bt | grep esmtp
> 
> 3) Insert it after MAILER_DEFINITIONS line in your sendmail.mc with the
> following changes
> 3a) change mailer name to smtps 
> Mesmtp -> Msmtps
> 3b) change mailer part to your openssl wrapper script
> P=[IPC] -> P=/usr/local/bin/smtps
> 3c) change arguments
> A=TCP $h -> A=smtps $h
> 
> 4) make SMART_HOST use smtps mailer
> define(`SMART_HOST',`smtps:outbound.att.net')
> 
> P.S.
> A) Check elsewhere if openssl options are right/safe.
>    I am not openssl expert.
> B) It is a quick&dirty initial implementation [working prototype]
>    [I may write clean cf/mailer/smtps.m4 in a few weeks]
> 

I'll give it a try in a couple of days.  I've had issues with AT&T as a
result of all the previous "playing", so want to let it rest for just a
bit.  I *will* give it a try, though, and let you know.

Bob Melson


-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
Reply amia9018 (43) 2/21/2013 2:10:06 AM

Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>
>> 1) create openssl wrapper script named e.g. /usr/local/bin/smtps
>> It is needed to ignore STDERR output and change exit codes as sendmail likes
>> 
>> #!/bin/sh
>> /usr/bin/openssl  s_client -verify 2 -ssl3 -quiet -connect $1:465 2>/dev/null || exit 75
>> 
>> 2) Get esmtp mailer definition from your sendmail.cf
>> 
>> echo =M | sendmail -bt | grep esmtp
>> 
>> 3) Insert it after MAILER_DEFINITIONS line in your sendmail.mc with the
>> following changes
>> 3a) change mailer name to smtps 
>> Mesmtp -> Msmtps
>> 3b) change mailer part to your openssl wrapper script
>> P=[IPC] -> P=/usr/local/bin/smtps
>> 3c) change arguments
>> A=TCP $h -> A=smtps $h
>> 
>> 4) make SMART_HOST use smtps mailer
>> define(`SMART_HOST',`smtps:outbound.att.net')
>> 
>> P.S.
>> A) Check elsewhere if openssl options are right/safe.
>>    I am not openssl expert.
>> B) It is a quick&dirty initial implementation [working prototype]
>>    [I may write clean cf/mailer/smtps.m4 in a few weeks]
>> 
>
> I'll give it a try in a couple of days.  I've had issues with AT&T as a
> result of all the previous "playing", so want to let it rest for just a
> bit.  I *will* give it a try, though, and let you know.

IMHO it would be safer to use outgoing stunnel proxy
[ 127.0.0.1:X -> outbound.att.net:smtps ]. I have not 
tested smtps-openssl mailer in practice, some small/"small"
problems are possible.

Required stunnel configuration is described in Postfix FAQ:
  http://www.postfix.org/TLS_README.html#client_smtps
0
Reply anfi2 (1425) 2/21/2013 9:36:52 AM

On 02/21/2013 03:36 AM, Andrzej Adam Filip wrote:
> Required stunnel configuration is described in Postfix FAQ:
>    http://www.postfix.org/TLS_README.html#client_smtps

The description in that README is basically what I used to use to make
port 465 work with smtp.comcast.net as my smart host.  If you like, I
can dig out my backups from 2007 and send the relevant files, but I
think the only thing not in that README was the init.d script to start
an stunnel daemon listening on a local port (I used 127.0.0.25 port
465), and I'm not sure how relevant that would be on the BSD 4.4 that
you list as OSTYPE in your sendmail.mc.

-- 
Bob Nichols         AT comcast.net I am "RNichols42"
0
Reply SEE_SIGNATURE1 (214) 2/22/2013 9:24:24 PM

Robert Nichols wrote:
> On 02/21/2013 03:36 AM, Andrzej Adam Filip wrote:
>> Required stunnel configuration is described in Postfix FAQ:
>>    http://www.postfix.org/TLS_README.html#client_smtps
> 
> The description in that README is basically what I used to use to make
> port 465 work with smtp.comcast.net as my smart host.  If you like, I
> can dig out my backups from 2007 and send the relevant files, but I
> think the only thing not in that README was the init.d script to start
> an stunnel daemon listening on a local port (I used 127.0.0.25 port
> 465), and I'm not sure how relevant that would be on the BSD 4.4 that
> you list as OSTYPE in your sendmail.mc.
> 
Thanks to you both for the hint/hand-holding.  I'm going to let it rest
for a bit:  all the previous "playing" with test mails, etc., caused my
email, both in- and out-bound, to be blocked and I don't want to cause
the same thing to happen a 2d time.  That said, I *will* try it out in
the not distant future, just not in the next few days.

Again, my sincere thanks to you both for all the help you've given.

Bob Melson

-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
Reply amia9018 (43) 2/22/2013 10:01:08 PM
comp.mail.sendmail 13418 articles. 2 followers. Post
