Need help configuring smart_host relaying

The answer is probably staring me in the face, but I've reached the end
of my admittedly short rope.

Problem:  I need to set up my sendmail as a client to my (new) ISP's
outbound mailserver with SSL authentication.

I've created an authinfo file and authinfo.db map with the following
entry:  AuthInfo outbound.mail.ISP:465 "I:my-id" "P:password"
I've tried adding "M:LOGIN" and have added
define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
PLAIN')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
to my host.mc file.

Result in all cases is I get a time-out message
stat=Deferred: Operation timed out with outbound.mail.ISP

I'll happily post my .mc file, but don't think it'd help much at this point.

Any suggestions/dope slaps would be appreciated.

Bob Melson

-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
amia9018 (43)
2/17/2013 1:24:29 AM
comp.mail.sendmail

37 Replies

Bob Melson <amia9018@mypacks.net> wrote:
> The answer is probably staring me in the face, but I've reached the end
> of my admittedly short rope.
>
> Problem:  I need to set up my sendmail as a client to my (new) ISP's
> outbound mailserver with SSL authentication.
>
> I've created an authinfo file and authinfo.db map with the following
> entry:  AuthInfo outbound.mail.ISP:465 "I:my-id" "P:password"
> I've tried adding "M:LOGIN" and have added
> define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
> PLAIN')dnl
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> to my host.mc file.
>
> Result in all cases is I get a time-out message
> stat=Deferred: Operation timed out with outbound.mail.ISP
>
> I'll happily post my .mc file, but don't think it'd help much at this point.
>
> Any suggestions/dope slaps would be appreciated.

Do you want SMTP authentication (login+password) 
or SSL authentication (client certificate)?

Push delivery of queued messages in verbose mode with map lookups
tracing. As root execute:
  sendmail -d38.20 -v -q

It should help you to narrow down the problem area.
0
anfi2 (1425)
2/17/2013 8:17:48 AM
Andrzej Adam Filip wrote:
> sendmail -d38.20 -v -q

First, the results of the command above:
strider# sendmail -d38.20 -v -q
regex_map_init: mapname 'badmx', args '-a<BADMX>
^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
^(127\.|10\.|0\.0\.0\.0)'
regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
seq_map_parse(aliases.files, )

Running /var/spool/mqueue/r1H3rvdB073817 (sequence 1 of 1)
r1H3rvdB073817: locked

I have successfully configured my browser's emailer (SeaMonkey) with
SSL/TLS connection security using a normal password and am able to send
emails through the direct connect.  I'm unable to duplicate the
"connect" via sendmail, however.  So, I *think* the answer to your
question is that I want login+password.

Thanks for your reply, above, and for any other help you might be able
to offer.

Bob Melson

0
amia9018 (43)
2/17/2013 6:14:41 PM
Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>> sendmail -d38.20 -v -q
>
> First, the results of the command above:
> strider# sendmail -d38.20 -v -q
> regex_map_init: mapname 'badmx', args '-a<BADMX>
> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
> regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
> regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
> ^(127\.|10\.|0\.0\.0\.0)'
> regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
> seq_map_parse(aliases.files, )
>
> Running /var/spool/mqueue/r1H3rvdB073817 (sequence 1 of 1)
> r1H3rvdB073817: locked
>
> I have successfully configured my browser's emailer (SeaMonkey)with
> SSL/TLS connection security using a normal password and am able to send
> emails through the direct connect.  I'm unable to duplicate the
> "connect" via sendmail, however.  So, I *think* the answer to your
> question is that I want login+password.
>
> Thanks for your reply, above, and for any other help you might be able
> to offer.

[ If you cannot push queued messages then ]
Try to send a new test message in verbose mode as root:

#!/bin/sh
# replace the email address in To: header below with a valid one

/usr/sbin/sendmail -d38.20 -v -oi <<END
To: john.doe@example.net
Subject: test

test
END
0
anfi2 (1425)
2/17/2013 6:54:18 PM
Andrzej Adam Filip wrote:

> 
> [ If you cannot push queued messages then ]
> Try to send a new test message in verbose mode as root:
> 
> #!/bin/sh
> # replace the email address in To: header below with a valid one
> 
> /usr/sbin/sendmail -d38.20 -v -oi <<END
> To: john.doe@example.net
> Subject: test
> 
> test
> END
> 

No joy, I get:
strider# sendmail -d38.20 -v -oi <<END
? To: melsonr@earthlink.net
? Subject: test
?
? test
? END
openmap()	dequote:dequote NULL: valid
Recipient names must be specified
closemaps: closing dequote (NULL)

Part of the frustration is that my previous ISP didn't require the
use of SSL/TLS as the connection security and the sendmail configuration
was pretty straightforward.  Silly me, I thought I could merely add the
missing bits for a secure connect and login - after all, I can do that
with my browser's mailer - and be good to go.  No such luck.  I have, to
this point, tried every combination of "mechanism" in my authinfo file
and all have timed out.  Here, by the way, is my *current* authinfo file:

AuthInfo:outbound.my.ISP:465 "U:my_addr" "I:my_addr" "P:my_password"
"M:LOGIN"

Could it be that the port specification should go elsewhere?  If so, where?

Thanks again.



0
amia9018 (43)
2/17/2013 7:21:14 PM
My omission/mistake

#!/bin/sh
# -bt 
# replace the email address in To: header below with a valid one

/usr/sbin/sendmail -d38.20 -Am -v -i -t <<END
To: john.doe@example.net
Subject: test
 
test
END
0
anfi2 (1425)
2/17/2013 8:36:55 PM
Andrzej Adam Filip wrote:
> My omission/mistake
> 
> #!/bin/sh
> # -bt 
> # replace the email address in To: header below with a valid one
> 
> /usr/sbin/sendmail -d38.20 -Am -v -i -t <<END
> To: john.doe@example.net
> Subject: test
>  
> test
> END
> 
OK, here are the results:

sendmail -d38.20 -Am -v -i -t <<END
? To: melsonr@earthlink.net
? Subject: test
?
? test
? END
regex_map_init: mapname 'badmx', args '-a<BADMX>
^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
^(127\.|10\.|0\.0\.0\.0)'
regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
seq_map_parse(aliases.files, )
openmap()	dequote:dequote NULL: valid
openmap()	host:host NULL: valid
getcanonname(earthlink.net), trying dns
getcanonname(earthlink.net), found
melsonr@earthlink.net... Connecting to outbound.att.net via smtp...
melsonr@earthlink.net... Deferred: Operation timed out with outbound.att.net
closemaps: closing host (NULL)
closemaps: closing dequote (NULL)

Looking at that and considering all the other evidence, it seems to me
that the problem is a timeout on the connection.  That suggests that
either the port specification is wrong in the authinfo file or that the
connection is being refused because it's not SSL/TLS.  So the questions
appear to be (1) is the port specification correct; if not where should
I specify it: or (2) how to get the SSL/TLS mechanism into sendmail.
I'll have to see what build options for SSL/TLS I have for a new build
of sendmail or see how to get them configured into the existing
sendmail.  BTW, I'm running sendmail 8.14.6 on FreeBSD 8.3/AMD64.

Thanks for your help so far.  I'm thinking it's not a simple matter,
after all.

Bob Melson



0
amia9018 (43)
2/17/2013 9:20:41 PM
Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>> My omission/mistake
>> 
>> #!/bin/sh
>> # -bt 
>> # replace the email address in To: header below with a valid one
>> 
>> /usr/sbin/sendmail -d38.20 -Am -v -i -t <<END
>> To: john.doe@example.net
>> Subject: test
>>  
>> test
>> END
>> 
> OK, here are the results:
> [...]
> melsonr@earthlink.net... Connecting to outbound.att.net via smtp...
> melsonr@earthlink.net... Deferred: Operation timed out with outbound.att.net
> [...]
>
> Looking at that and considering all the other evidence, it seems to me
> that the problem is a timeout on the connection.  That suggests that
> either the port specification is wrong in the authinfo file or that the
> connection is being refused because it's not SSL/TLS.  So the questions
> appear to be (1) is the port specification correct; if not where should
> I specify it: or (2) how to get the SSL/TLS mechanism into sendmail.
> I'll have to see what build options for SSL/TLS I have for a new build
> of sendmail or see how to get them configured into the existing
> sendmail.  BTW, I'm running sendmail 8.14.6 on FreeBSD 8.3/AMD64.
>
> Thanks for your help so far.  I'm thinking it's not a simple matter,
> after all.

I would dare to bet that most of the hard part is behind you.

Your outgoing connections to port 25 may be blocked by a firewall.
=> you may make sendmail use another port to relay to the smart host.
[ From my location all 3 ports of outbound.att.net are accessible ]

Can you telnet to the smtp (25), submission (587) and smtps (465) ports on
outbound.att.net?
  telnet  outbound.att.net 25
You should get an SMTP server greeting message, except in the smtps case.

P.S.
How to contact another "smtp like" port  (submission) is described in
sendmail FAQ.
0
anfi2 (1425)
2/18/2013 9:26:20 AM
On 02/17/2013 03:20 PM, Bob Melson wrote:
> sendmail -d38.20 -Am -v -i -t<<END
> ? To: melsonr@earthlink.net
> ? Subject: test
> ?
> ? test
> ? END
> regex_map_init: mapname 'badmx', args '-a<BADMX>
> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
> regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
> regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
> ^(127\.|10\.|0\.0\.0\.0)'
> regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
> seq_map_parse(aliases.files, )
> openmap()	dequote:dequote NULL: valid
> openmap()	host:host NULL: valid
> getcanonname(earthlink.net), trying dns
> getcanonname(earthlink.net), found
> melsonr@earthlink.net... Connecting to outbound.att.net via smtp...
> melsonr@earthlink.net... Deferred: Operation timed out with outbound.att.net
> closemaps: closing host (NULL)
> closemaps: closing dequote (NULL)
>
> Looking at that and considering all the other evidence, it seems to me
> that the problem is a timeout on the connection.  That suggests that
> either the port specification is wrong in the authinfo file or that the
> connection is being refused because it's not SSL/TLS.  So the questions
> appear to be (1) is the port specification correct; if not where should
> I specify it: or (2) how to get the SSL/TLS mechanism into sendmail.
> I'll have to see what build options for SSL/TLS I have for a new build
> of sendmail or see how to get them configured into the existing
> sendmail.  BTW, I'm running sendmail 8.14.6 on FreeBSD 8.3/AMD64.

It's a lot easier to use port 587 (submission) than port 465 (smtps).  A
connection on port 587 starts in the clear and immediately uses STARTTLS
to switch to encrypted if the remote server supports that, and sendmail
will handle that automagically.  A connection on port 465 must use SSL
for the initial connection, and sendmail _cannot_ do that by itself.

If you cannot use port 587 and must use port 465, I can tell you how to
do that (it's fairly complex -- uses stunnel to carry the connection),
but it certainly shouldn't be your first choice.

-- 
Bob Nichols         AT comcast.net I am "RNichols42"
0
2/18/2013 4:00:44 PM
Andrzej Adam Filip wrote:

> I would dare to bet that most of the hard part is behind you.
> 
> Your outgoing connections to port 25 may be blocked by a firewall.
> => you may make sendmail use another port to relay to the smart host.
> [ From my location all 3 port of outbound.att.net are accessible ]
> 
> Can you telnet smtp (25), submission (587) and smtps (465) port on 
> outbound.att.net?
>   telnet  outbound.att.net 25
> You should get smtp server greeting message except smtps case.
> 
> P.S.
> How to contact another "smtp like" port  (submission) is described in
> sendmail FAQ.
> 
telnet to outbound.my.ISP 25 just hangs.
telnet to outbound.my.ISP 587 responds with the expected "220" message
telnet to outbound.my.ISP 465 responds with a "connected" message but no
"220"

I'll have to check the FAQ out.

Thanks again for your help.

Bob Melson


0
amia9018 (43)
2/18/2013 4:50:59 PM
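The three telnet outcomes reported above (hang, "220" greeting, connected but silent) can be told apart mechanically. The following is an added example, not code from any poster in this thread: `classify` repeats the telnet check with a timeout, and `stand_in` is a constructed loopback listener (hypothetical names) so the script runs without touching a real mail server.

```python
import socket
import threading


def first_line(sock, wait):
    """Return the first line the server volunteers, "" if it hung up,
    or None if it accepted the connection and then said nothing."""
    sock.settimeout(wait)
    try:
        data = sock.recv(512)
    except socket.timeout:
        return None
    if not data:
        return ""
    return data.decode("ascii", "replace").splitlines()[0]


def classify(host, port, wait=5.0):
    """Repeat the telnet check from the thread and name the outcome."""
    try:
        sock = socket.create_connection((host, port), timeout=wait)
    except socket.timeout:
        # The "telnet just hangs" case: the TCP handshake never completes.
        return ("filtered", "no TCP handshake; the port may be blocked by a firewall")
    except ConnectionRefusedError:
        return ("closed", "nothing is listening on this port")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        line = first_line(sock, wait)
    if line is None:
        # Connected but no "220": the server is waiting for the client to
        # start TLS first, which is how an smtps (465) listener behaves.
        return ("silent", "connected, no greeting; server expects TLS from the first byte")
    if line.startswith("220"):
        # Cleartext greeting: a port where STARTTLS can follow (25 or 587).
        return ("greeting", line)
    return ("unexpected", line)


def stand_in(banner):
    """Constructed loopback listener: sends `banner` (or nothing), then
    holds the connection open until the client hangs up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if banner:
                conn.sendall(banner)
            conn.settimeout(10)
            try:
                conn.recv(1)
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Run classify() against one greeting listener and one silent listener."""
    submission = stand_in(b"220 mail.example.test ESMTP (constructed)\r\n")
    smtps = stand_in(None)
    return {
        "587-like": classify("127.0.0.1", submission, wait=0.5),
        "465-like": classify("127.0.0.1", smtps, wait=0.5),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in demo().items():
        print(name, verdict, detail)
```

A "filtered" result cannot be reproduced on loopback; it is what `classify` returns when the connection attempt itself times out, as with port 25 in the post above.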
Robert Nichols wrote:
> On 02/17/2013 03:20 PM, Bob Melson wrote:
>> sendmail -d38.20 -Am -v -i -t<<END
>> ? To: melsonr@earthlink.net
>> ? Subject: test
>> ?
>> ? test
>> ? END
>> regex_map_init: mapname 'badmx', args '-a<BADMX>
>> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
>> regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
>> regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
>> ^(127\.|10\.|0\.0\.0\.0)'
>> regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
>> seq_map_parse(aliases.files, )
>> openmap()    dequote:dequote NULL: valid
>> openmap()    host:host NULL: valid
>> getcanonname(earthlink.net), trying dns
>> getcanonname(earthlink.net), found
>> melsonr@earthlink.net... Connecting to outbound.att.net via smtp...
>> melsonr@earthlink.net... Deferred: Operation timed out with
>> outbound.att.net
>> closemaps: closing host (NULL)
>> closemaps: closing dequote (NULL)
>>
>> Looking at that and considering all the other evidence, it seems to me
>> that the problem is a timeout on the connection.  That suggests that
>> either the port specification is wrong in the authinfo file or that the
>> connection is being refused because it's not SSL/TLS.  So the questions
>> appear to be (1) is the port specification correct; if not where should
>> I specify it: or (2) how to get the SSL/TLS mechanism into sendmail.
>> I'll have to see what build options for SSL/TLS I have for a new build
>> of sendmail or see how to get them configured into the existing
>> sendmail.  BTW, I'm running sendmail 8.14.6 on FreeBSD 8.3/AMD64.
> 
> It's a lot easier to use port 587 (submission) than port 465(smtps).  A
> connection on port 587 starts in the clear and immediately uses STARTTLS
> to switch to encrypted if the remote server supports that, and sendmail
> will handle that automagically.  A connection on port 465 must use SSL
> for the initial connection, and sendmail _cannot_ do that by itself.
> 
> If you cannot use port 587 and must use port 465, I can tell you how to
> do that (it's fairly complex -- uses stunnel to carry the connection),
> but it certainly shouldn't be your first choice.
> 
OK, I *can* see port 587 on outbound.att.net (telnet returns the
expected "220" greeting); telnet on 465 gives a "connected to" return
but no "220".

The reason I'm battling with 465 is that that's what AT&T *told* me to
use for outbound emails - not something I'd do on my own, believe me.
I've never used STARTTLS before and would appreciate the hand holding
you offer above.

Question:  you say that 587 starts in the clear but shifts to STARTTLS
if the remote server requires it.  That suggests I'd have to have all
the certificates/keys/etc already configured on my side.  Assuming that
to be true, can I reasonably "get away with" self-certification?

Thanks for your comments and any help you might be able to provide

Bob Melson

0
amia9018 (43)
2/18/2013 5:00:58 PM
Bob Melson <amia9018@mypacks.net> wrote:
> [...]
> Question:  you say that 587 starts in the clear but shifts to STARTTLS
> if the remote server requires it.  
> That suggests I'd have to have all the certificates/keys/etc already
> configured on my side.  Assuming that to be true, can I reasonably
> "get away with" self-certification?
>
> Thanks for your comments and any help you might be able to provide

AFAIK most servers offering SSL/STARTTLS do not require _client_
certificates => most likely you will not need a certificate for
_outgoing_ connections.

Sendmail FAQ
3.39 How do I send using an alternate port?

Connections to SMART_HOST by default use relay mailer but you may
specify it directly -> IMHO it is a "better style" for modified relay
mailer.

define(`SMART_HOST',`relay:outbound.example.net')
0
anfi2 (1425)
2/18/2013 7:30:06 PM
In article <6PydnWm_EdfXw7_MnZ2dnUVZ_qqdnZ2d@earthlink.com>, Bob Melson says...
>The reason I'm battling with 465 is that that's what AT&T *told* me to
>use for outbound emails - not something I'd do on my own, believe me.
>I've never used STARTTLS before and would appreciate the hand holding
>you offer above.
>
>Question:  you say that 587 starts in the clear but shifts to STARTTLS
>if the remote server requires it.  That suggests I'd have to have all
>the certificates/keys/etc already configured on my side.  Assuming that
>to be true, can I reasonably "get away with" self-certification?

It's only the use of port 465 for outgoing mail that gets complicated.

You don't need to set up anything beyond your authinfo in order to use
port 587. The use of STARTTLS is automatic, in fact you would have to
do something special to avoid it. Your authinfo is what identifies you
to the server. No certificate is required. Just specify the port number
in your *_MAILER_ARGS, set up your authinfo, and you're good to go.

    define(`RELAY_MAILER_ARGS',`TCP $h 587')dnl
    define(`ESMTP_MAILER_ARGS',`TCP $h 587')dnl
    define(`SMART_HOST', `smtp.wherever.which')dnl
    FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

and in /etc/mail/auth/client-info:
    AuthInfo:smtp.wherever.which "U:root" "I:myIDatISP" "P:mypassword"

-- 
Bob Nichols AT comcast.net I am "RNichols42"

0
2/18/2013 7:46:38 PM
Robert Nichols wrote:
> On 02/17/2013 03:20 PM, Bob Melson wrote:
>> sendmail -d38.20 -Am -v -i -t<<END
>> ? To: melsonr@earthlink.net
>> ? Subject: test
>> ?
>> ? test
>> ? END
>> regex_map_init: mapname 'badmx', args '-a<BADMX>
>> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
>> regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
>> regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
>> ^(127\.|10\.|0\.0\.0\.0)'
>> regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
>> seq_map_parse(aliases.files, )
>> openmap()    dequote:dequote NULL: valid
>> openmap()    host:host NULL: valid
>> getcanonname(earthlink.net), trying dns
>> getcanonname(earthlink.net), found
>> melsonr@earthlink.net... Connecting to outbound.att.net via smtp...
>> melsonr@earthlink.net... Deferred: Operation timed out with
>> outbound.att.net
>> closemaps: closing host (NULL)
>> closemaps: closing dequote (NULL)
>>
>> Looking at that and considering all the other evidence, it seems to me
>> that the problem is a timeout on the connection.  That suggests that
>> either the port specification is wrong in the authinfo file or that the
>> connection is being refused because it's not SSL/TLS.  So the questions
>> appear to be (1) is the port specification correct; if not where should
>> I specify it: or (2) how to get the SSL/TLS mechanism into sendmail.
>> I'll have to see what build options for SSL/TLS I have for a new build
>> of sendmail or see how to get them configured into the existing
>> sendmail.  BTW, I'm running sendmail 8.14.6 on FreeBSD 8.3/AMD64.
> 
> It's a lot easier to use port 587 (submission) than port 465(smtps).  A
> connection on port 587 starts in the clear and immediately uses STARTTLS
> to switch to encrypted if the remote server supports that, and sendmail
> will handle that automagically.  A connection on port 465 must use SSL
> for the initial connection, and sendmail _cannot_ do that by itself.
> 
> If you cannot use port 587 and must use port 465, I can tell you how to
> do that (it's fairly complex -- uses stunnel to carry the connection),
> but it certainly shouldn't be your first choice.
> 
OK, having tried all the variations suggested WRT port 587, I'm still at
the point where I get a timeout on the connect to outbound.att.net, as
shown above.
Here's my .mc file:
divert(-1)
include(`/usr/local/share/sendmail/cf/m4/cf.m4')
dnl include(`/usr/share/sendmail/cf/m4/cf.m4')
define(`confDEF_USER_ID',``8:14'')
VERSIONID(`freebsd strider.rgmhome.net')
dnl Cwstrider.rgmhome.net localhost rgmhome.homeunix.net
strider.homeunix.net
OSTYPE(`bsd4.4')
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
define(`confEBINDIR',`/usr/local/libexec')dnl
dnl define(`confEBINDIR',`/usr/libexec')dnl
FEATURE(virtusertable)
FEATURE(always_add_domain)
dnl FEATURE(use_cw_file)
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
FEATURE(nocanonify)
FEATURE(nouucp,`reject')
define(`confTO_QUEUEWARN', `5m')
dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN PLAIN')dnl
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(relay_hosts_only)
FEATURE(`access_db')dnl
FEATURE(`block_bad_helo')dnl
strider.mc: unmodified: line 1
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
FEATURE(nocanonify)
FEATURE(nouucp,`reject')
define(`confTO_QUEUEWARN', `5m')
dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN PLAIN')dnl
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(relay_hosts_only)
FEATURE(`access_db')dnl
FEATURE(`block_bad_helo')dnl
FEATURE(`badmx')dnl
FEATURE(`greet_pause',`3000')dnl
FEATURE(`require_rdns')dnl
FEATURE(`local_procmail')dnl
FEATURE(`delay_checks')dnl
FEATURE(blacklist_recipients)
GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain')
FEATURE(redirect)
MASQUERADE_AS(`att.net')
MASQUERADE_DOMAIN(`strider.rgmhome.net')
FEATURE(allmasquerade)
FEATURE(masquerade_entire_domain)
FEATURE(masquerade_envelope)
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
FEATURE(local_lmtp)
FEATURE(`accept_unresolvable_domains')
FEATURE(dnsbl, `ipwhois.rfc-ignorant.org',`"550 Mail from "
$&{client_addr} " refused. Rejected for bad WHOIS info on IP of your
SMTP server
 - see http://www.rfc-ignorant.org/"')
FEATURE(`enhdnsbl',`bl.spamcop.net',`554 SPAM Blocked; see
http://spamcop.net/bl.shtml?$&{client_addr}')
FEATURE(`enhdnsbl',`dnsbl.njabl.org',`"550 Mail from host
"$&{client_addr}" delivery refused -- see
http://njabl.org/"',`',`127.0.0.2',`127.
0.0.4',`127.0.0.8',`127.0.0.9')dnl
FEATURE(`enhdnsbl',`zen.spamhaus.org',`',`',`127.0.0.2',`127.0.0.4',`127.0.0.5',`127.0.0.6',`127.0.0.7',`127.0.0.8',`127.0.0.10',`127.0.0.11
')dnl
FEATURE(`enhdnsbl',`cbl.abuseat.org',`',`',`127.0.0.2')dnl
MAILER(local)
MAILER(smtp)
Cwlocalhost
Cwrgmhome.net
Dmrgmhome.net
Cwrgmhome.homeunix.net
Dmrgmhome.homeunix.net
Cwstrider.homeunix.net
Dmstrider.homeunix.net
define(`confDOMAIN_NAME',`rgmhome.net')
define(RELAY_HOST, relay:outbound.att.net)
define(SMART_HOST, smtp:outbound.att.net)
dnl define(RELAY_MAILER, TCP)
define(`RELAY_MAILER_ARGS',`TCP $h 587')
define(`ESMTP_MAILER_ARGS',`TCP $h 587')
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock,
F=, T=C:15m;S:4m;R:4m;E:10m')
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name},
{if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
---- cut and paste didn't work quite as expected; ignore the line wraps,
please
And my authinfo/client-info file:
AuthInfo:outbound.att.net:587 "U:root""I:melson.r@att.net"  "P:my-password"

I get the same connection timeout for port 465, which I suppose
shouldn't be surprising since I don't have STARTTLS configured into
sendmail.  Whatever, I'm now officially at my wit's end.

I very much appreciate the help you and Andrzej have given up to this
point but have to wonder where we go from here as nothing suggested
seems to have worked.

Bob Melson



0
amia9018 (43)
2/18/2013 9:47:56 PM
On 02/18/2013 03:47 PM, Bob Melson wrote:
[deleted]

You can't just tack things on to the end of sendmail.mc and expect it
to work.  There is a required ordering.  The general rules (from
README.cf) are that the order should be:

	VERSIONID
	OSTYPE
	DOMAIN
	FEATURE
	local macro definitions
	MAILER
	LOCAL_CONFIG
	LOCAL_RULE_*
	LOCAL_RULESETS

But, local macro definitions that affect a FEATURE() should be before
that feature.

Everything you have except the "Cw" and "Dm" local ruleset lines needs
to come _before_ the MAILER declarations.

But, if you really have a sendmail that was built without STARTTLS
support, none of this is going to work.  Note that just because you
don't have the various certs and keys defined to allow sendmail to offer
STARTTLS on incoming connections (I don't) doesn't mean that it can't
utilize that feature on an outgoing connection (Mine does).  You can see
whether "ldd /usr/lib/sendmail" lists "libcrypto.so" as one of the
libraries.

Here is a revision of your sendmail.mc with the lines ordered, I
believe, properly.  Let's see how that works.  (I think I undid all the
extraneous line wraps.)

divert(-1)
include(`/usr/local/share/sendmail/cf/m4/cf.m4')
dnl include(`/usr/share/sendmail/cf/m4/cf.m4')
define(`confDEF_USER_ID',``8:14'')
VERSIONID(`freebsd strider.rgmhome.net')
dnl Cwstrider.rgmhome.net localhost rgmhome.homeunix.net
strider.homeunix.net
OSTYPE(`bsd4.4')
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
define(`confEBINDIR',`/usr/local/libexec')dnl
dnl define(`confEBINDIR',`/usr/libexec')dnl
define(RELAY_HOST, relay:outbound.att.net)
define(SMART_HOST, smtp:outbound.att.net)
dnl define(RELAY_MAILER, TCP)
define(`RELAY_MAILER_ARGS',`TCP $h 587')
define(`ESMTP_MAILER_ARGS',`TCP $h 587')
FEATURE(virtusertable)
FEATURE(always_add_domain)
dnl FEATURE(use_cw_file)
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
FEATURE(nocanonify)
FEATURE(nouucp,`reject')
define(`confTO_QUEUEWARN', `5m')
dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN PLAIN')dnl
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(relay_hosts_only)
FEATURE(`access_db')dnl
FEATURE(`block_bad_helo')dnl
strider.mc: unmodified: line 1
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
FEATURE(nocanonify)
FEATURE(nouucp,`reject')
define(`confTO_QUEUEWARN', `5m')
dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN PLAIN')dnl
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(relay_hosts_only)
FEATURE(`access_db')dnl
FEATURE(`block_bad_helo')dnl
FEATURE(`badmx')dnl
FEATURE(`greet_pause',`3000')dnl
FEATURE(`require_rdns')dnl
FEATURE(`local_procmail')dnl
FEATURE(`delay_checks')dnl
FEATURE(blacklist_recipients)
GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain')
FEATURE(redirect)
MASQUERADE_AS(`att.net')
MASQUERADE_DOMAIN(`strider.rgmhome.net')
FEATURE(allmasquerade)
FEATURE(masquerade_entire_domain)
FEATURE(masquerade_envelope)
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
FEATURE(local_lmtp)
FEATURE(`accept_unresolvable_domains')
FEATURE(dnsbl, `ipwhois.rfc-ignorant.org',`"550 Mail from "$&{client_addr} " 
refused. Rejected for bad WHOIS info on IP of your SMTP server - see 
http://www.rfc-ignorant.org/"')
FEATURE(`enhdnsbl',`bl.spamcop.net',`554 SPAM Blocked; see 
http://spamcop.net/bl.shtml?$&{client_addr}')
FEATURE(`enhdnsbl',`dnsbl.njabl.org',`"550 Mail from host "$&{client_addr}" 
delivery refused -- see 
http://njabl.org/"',`',`127.0.0.2',`127.0.0.4',`127.0.0.8',`127.0.0.9')dnl
FEATURE(`enhdnsbl',`zen.spamhaus.org',`',`',`127.0.0.2',`127.0.0.4',`127.0.0.5',`127.0.0.6',`127.0.0.7',`127.0.0.8',`127.0.0.10',`127.0.0.11')dnl
FEATURE(`enhdnsbl',`cbl.abuseat.org',`',`',`127.0.0.2')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, 
T=C:15m;S:4m;R:4m;E:10m')
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, 
{if_addr}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
MAILER(local)
MAILER(smtp)
Cwlocalhost
Cwrgmhome.net
Dmrgmhome.net
Cwrgmhome.homeunix.net
Dmrgmhome.homeunix.net
Cwstrider.homeunix.net
Dmstrider.homeunix.net
define(`confDOMAIN_NAME',`rgmhome.net')


-- 
Bob Nichols         AT comcast.net I am "RNichols42"
0
2/19/2013 1:01:34 AM
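The ordering rule quoted from README.cf in the post above can be checked before rebuilding sendmail.cf. This is an added example, not code from the thread or from the sendmail distribution: `lint` (a hypothetical name) treats every macro that is not one of the listed stages as a "local macro definition" and reports any that appear after MAILER(); the two sample files are constructed, condensed from the .mc file posted earlier.

```python
import re

# Stages in the order the post quotes from README.cf.
STAGES = ["VERSIONID", "OSTYPE", "DOMAIN", "FEATURE", "MAILER",
          "LOCAL_CONFIG", "LOCAL_RULE_*", "LOCAL_RULESETS"]
MAILER = STAGES.index("MAILER")

# An m4 macro call at the start of a line, or a bare LOCAL_* section marker.
MACRO = re.compile(r"^\s*(?:([A-Za-z_]\w*)\s*\(|(LOCAL_[A-Z0-9_]+)\b)")
FIRST_ARG = re.compile(r"\(\s*`?([A-Za-z_]\w*)")


def stage_of(name):
    """Index of `name` in STAGES, or None for define(), undefine(), etc."""
    if name.startswith("LOCAL_RULE_"):
        return STAGES.index("LOCAL_RULE_*")
    return STAGES.index(name) if name in STAGES else None


def lint(mc_text):
    """Return (line number, message) for each out-of-order line."""
    findings, reached = [], -1
    for n, line in enumerate(mc_text.splitlines(), 1):
        if re.match(r"\s*dnl\b", line):
            continue                      # commented-out line
        m = MACRO.match(line)
        if not m:
            continue                      # raw cf lines (Cw..., Dm...) or wrapped arguments
        name = m.group(1) or m.group(2)
        st = stage_of(name)
        if st is None:
            # Local macro definitions are free to move around, but only
            # ahead of the MAILER declarations.
            if reached >= MAILER:
                arg = FIRST_ARG.search(line)
                label = f"{name}({arg.group(1)})" if arg else name
                findings.append(
                    (n, f"{label} appears after {STAGES[reached]}; move it before MAILER()"))
        elif st < reached:
            findings.append((n, f"{name} appears after {STAGES[reached]}"))
        else:
            reached = st
    return findings


# Constructed sample: relay settings tacked on after MAILER().
BEFORE = """\
divert(-1)
include(`/usr/local/share/sendmail/cf/m4/cf.m4')
VERSIONID(`freebsd strider.rgmhome.net')
OSTYPE(`bsd4.4')
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
MAILER(local)
MAILER(smtp)
Cwlocalhost
Dmrgmhome.net
define(SMART_HOST, smtp:outbound.att.net)
dnl define(RELAY_MAILER, TCP)
define(`RELAY_MAILER_ARGS',`TCP $h 587')
define(`ESMTP_MAILER_ARGS',`TCP $h 587')
"""

# Constructed sample: the same lines with the defines moved ahead of FEATURE/MAILER.
AFTER = """\
divert(-1)
include(`/usr/local/share/sendmail/cf/m4/cf.m4')
VERSIONID(`freebsd strider.rgmhome.net')
OSTYPE(`bsd4.4')
define(SMART_HOST, smtp:outbound.att.net)
define(`RELAY_MAILER_ARGS',`TCP $h 587')
define(`ESMTP_MAILER_ARGS',`TCP $h 587')
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
MAILER(local)
MAILER(smtp)
Cwlocalhost
Dmrgmhome.net
"""

if __name__ == "__main__":
    for n, msg in lint(BEFORE):
        print(f"line {n}: {msg}")
```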
Bob:

Thanks.  Believe it or not, the .mc file worked just fine before this,
tho' I must acknowledge a clean-up was long overdue and was on my list
of things to do.

I'll chuck it into place and give it a shot.

Bob Melson

Bob wrote:
> On 02/18/2013 03:47 PM, Bob Melson wrote:
> [deleted]
> 
> You can't just tack things on to the end of sendmail.mc and expect it
> to work.  There is a required ordering.  The general rules (from
> README.cf) are that the order should be:
> 
>     VERSIONID
>     OSTYPE
>     DOMAIN
>     FEATURE
>     local macro definitions
>     MAILER
>     LOCAL_CONFIG
>     LOCAL_RULE_*
>     LOCAL_RULESETS
> 
> But, local macro definitions that affect a FEATURE() should be before
> that feature.
> 
> Everything you have except the "Cw" and "Dm" local ruleset lines needs
> to come _before_ the MAILER declarations,
> 
> But, if you really have a sendmail that was built without STARTTLS
> support, none of this is going to work.  Note that just because you
> don't have the various certs and keys defined to allow sendmail to offer
> STARTTLS on incoming connections (I don't) doesn't mean that it can't
> utilize that feature on an outgoing connection (Mine does).  You can see
> whether "ldd /usr/lib/sendmail" lists "libcrypto.so" as one of the
> libraries.
> 
> Here is a revision of your sendmail.mc with the lines ordered, I
> believe, properly.  Let's see how that works.  (I think I undid all the
> extraneous line wraps.)
> 
> divert(-1)
> include(`/usr/local/share/sendmail/cf/m4/cf.m4')
> dnl include(`/usr/share/sendmail/cf/m4/cf.m4')
> define(`confDEF_USER_ID',``8:14'')
> VERSIONID(`freebsd strider.rgmhome.net')
> dnl Cwstrider.rgmhome.net localhost rgmhome.homeunix.net
> strider.homeunix.net
> OSTYPE(`bsd4.4')
> undefine(`UUCP_RELAY')
> undefine(`BITNET_RELAY')
> define(`confEBINDIR',`/usr/local/libexec')dnl
> dnl define(`confEBINDIR',`/usr/libexec')dnl
> define(RELAY_HOST, relay:outbound.att.net)
> define(SMART_HOST, smtp:outbound.att.net)
> dnl define(RELAY_MAILER, TCP)
> define(`RELAY_MAILER_ARGS',`TCP $h 587')
> define(`ESMTP_MAILER_ARGS',`TCP $h 587')
> FEATURE(virtusertable)
> FEATURE(always_add_domain)
> dnl FEATURE(use_cw_file)
> dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
> FEATURE(nocanonify)
> FEATURE(nouucp,`reject')
> define(`confTO_QUEUEWARN', `5m')
> dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
> LOGIN PLAIN')dnl
> dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> FEATURE(relay_hosts_only)
> FEATURE(`access_db')dnl
> FEATURE(`block_bad_helo')dnl
> strider.mc: unmodified: line 1
> dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
> FEATURE(nocanonify)
> FEATURE(nouucp,`reject')
> define(`confTO_QUEUEWARN', `5m')
> dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
> LOGIN PLAIN')dnl
> dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> FEATURE(relay_hosts_only)
> FEATURE(`access_db')dnl
> FEATURE(`block_bad_helo')dnl
> FEATURE(`badmx')dnl
> FEATURE(`greet_pause',`3000')dnl
> FEATURE(`require_rdns')dnl
> FEATURE(`local_procmail')dnl
> FEATURE(`delay_checks')dnl
> FEATURE(blacklist_recipients)
> GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain')
> FEATURE(redirect)
> MASQUERADE_AS(`att.net')
> MASQUERADE_DOMAIN(`strider.rgmhome.net')
> FEATURE(allmasquerade)
> FEATURE(masquerade_entire_domain)
> FEATURE(masquerade_envelope)
> FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
> FEATURE(local_lmtp)
> FEATURE(`accept_unresolvable_domains')
> FEATURE(dnsbl, `ipwhois.rfc-ignorant.org',`"550 Mail from
> "$&{client_addr} " refused. Rejected for bad WHOIS info on IP of your
> SMTP server - see http://www.rfc-ignorant.org/"')
> FEATURE(`enhdnsbl',`bl.spamcop.net',`554 SPAM Blocked; see
> http://spamcop.net/bl.shtml?$&{client_addr}')
> FEATURE(`enhdnsbl',`dnsbl.njabl.org',`"550 Mail from host
> "$&{client_addr}" delivery refused -- see
> http://njabl.org/"',`',`127.0.0.2',`127.0.0.4',`127.0.0.8',`127.0.0.9')dnl
> FEATURE(`enhdnsbl',`zen.spamhaus.org',`',`',`127.0.0.2',`127.0.0.4',`127.0.0.5',`127.0.0.6',`127.0.0.7',`127.0.0.8',`127.0.0.10',`127.0.0.11')dnl
> 
> FEATURE(`enhdnsbl',`cbl.abuseat.org',`',`',`127.0.0.2')dnl
> INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock,
> F=, T=C:15m;S:4m;R:4m;E:10m')
> define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name},
> {if_name}, {if_addr}')dnl
> define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
> MAILER(local)
> MAILER(smtp)
> Cwlocalhost
> Cwrgmhome.net
> Dmrgmhome.net
> Cwrgmhome.homeunix.net
> Dmrgmhome.homeunix.net
> Cwstrider.homeunix.net
> Dmstrider.homeunix.net
> define(`confDOMAIN_NAME',`rgmhome.net')
> 
> 


-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
amia9018 (43)
2/19/2013 7:16:58 AM
Bob Melson <amia9018@mypacks.net> wrote:
> Robert Nichols wrote:
>> On 02/17/2013 03:20 PM, Bob Melson wrote:
>>> sendmail -d38.20 -Am -v -i -t<<END
>>> ? To: melsonr@earthlink.net
>>> ? Subject: test
>>> ?
>>> ? test
>>> ? END
>>> regex_map_init: mapname 'badmx', args '-a<BADMX>
>>> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
>>> regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
>>> regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP>
>>> ^(127\.|10\.|0\.0\.0\.0)'
>>> regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
>>> seq_map_parse(aliases.files, )
>>> openmap()    dequote:dequote NULL: valid
>>> openmap()    host:host NULL: valid
>>> getcanonname(earthlink.net), trying dns
>>> getcanonname(earthlink.net), found
>>> melsonr@earthlink.net... Connecting to outbound.att.net via smtp...
>>> melsonr@earthlink.net... Deferred: Operation timed out with
>>> outbound.att.net
>>> closemaps: closing host (NULL)
>>> closemaps: closing dequote (NULL)
>>>
>>> Looking at that and considering all the other evidence, it seems to me
>>> that the problem is a timeout on the connection.  That suggests that
>>> either the port specification is wrong in the authinfo file or that the
>>> connection is being refused because it's not SSL/TLS.  So the questions
>>> appear to be (1) is the port specification correct; if not where should
>>> I specify it: or (2) how to get the SSL/TLS mechanism into sendmail.
>>> I'll have to see what build options for SSL/TLS I have for a new build
>>> of sendmail or see how to get them configured into the existing
>>> sendmail.  BTW, I'm running sendmail 8.14.6 on FreeBSD 8.3/AMD64.
>> 
>> It's a lot easier to use port 587 (submission) than port 465(smtps).  A
>> connection on port 587 starts in the clear and immediately uses STARTTLS
>> to switch to encrypted if the remote server supports that, and sendmail
>> will handle that automagically.  A connection on port 465 must use SSL
>> for the initial connection, and sendmail _cannot_ do that by itself.
>> 
>> If you cannot use port 587 and must use port 465, I can tell you how to
>> do that (it's fairly complex -- uses stunnel to carry the connection),
>> but it certainly shouldn't be your first choice.
>> 
> OK, having tried all the variations suggested WRT port 587, I'm still at
> the point where I get a timeout on the connect to outbound.att.net, as
> shown above
> Here's my .mc file:
> divert(-1)
> include(`/usr/local/share/sendmail/cf/m4/cf.m4')
> dnl include(`/usr/share/sendmail/cf/m4/cf.m4')
> define(`confDEF_USER_ID',``8:14'')
> VERSIONID(`freebsd strider.rgmhome.net')
> dnl Cwstrider.rgmhome.net localhost rgmhome.homeunix.net
> strider.homeunix.net
> OSTYPE(`bsd4.4')
> undefine(`UUCP_RELAY')
> undefine(`BITNET_RELAY')
> define(`confEBINDIR',`/usr/local/libexec')dnl
> dnl define(`confEBINDIR',`/usr/libexec')dnl
> FEATURE(virtusertable)
> FEATURE(always_add_domain)
> dnl FEATURE(use_cw_file)
> dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
> FEATURE(nocanonify)
> FEATURE(nouucp,`reject')
> define(`confTO_QUEUEWARN', `5m')
> dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
> LOGIN PLAIN')dnl
> dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> FEATURE(relay_hosts_only)
> FEATURE(`access_db')dnl
> FEATURE(`block_bad_helo')dnl
> strider.mc: unmodified: line 1
> dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
> FEATURE(nocanonify)
> FEATURE(nouucp,`reject')
> define(`confTO_QUEUEWARN', `5m')
> dnl define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
> LOGIN PLAIN')dnl
> dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> FEATURE(relay_hosts_only)
> FEATURE(`access_db')dnl
> FEATURE(`block_bad_helo')dnl
> FEATURE(`badmx')dnl
> FEATURE(`greet_pause',`3000')dnl
> FEATURE(`require_rdns')dnl
> FEATURE(`local_procmail')dnl
> FEATURE(`delay_checks')dnl
> FEATURE(blacklist_recipients)
> GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain')
> FEATURE(redirect)
> MASQUERADE_AS(`att.net')
> MASQUERADE_DOMAIN(`strider.rgmhome.net')
> FEATURE(allmasquerade)
> FEATURE(masquerade_entire_domain)
> FEATURE(masquerade_envelope)
> FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
> FEATURE(local_lmtp)
> FEATURE(`accept_unresolvable_domains')
> FEATURE(dnsbl, `ipwhois.rfc-ignorant.org',`"550 Mail from "
> $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your
> SMTP server
>  - see http://www.rfc-ignorant.org/"')
> FEATURE(`enhdnsbl',`bl.spamcop.net',`554 SPAM Blocked; see
> http://spamcop.net/bl.shtml?$&{client_addr}')
> FEATURE(`enhdnsbl',`dnsbl.njabl.org',`"550 Mail from host
> "$&{client_addr}" delivery refused -- see
> http://njabl.org/"',`',`127.0.0.2',`127.
> 0.0.4',`127.0.0.8',`127.0.0.9')dnl
> FEATURE(`enhdnsbl',`zen.spamhaus.org',`',`',`127.0.0.2',`127.0.0.4',`127.0.0.5',`127.0.0.6',`127.0.0.7',`127.0.0.8',`127.0.0.10',`127.0.0.11
> ')dnl
> FEATURE(`enhdnsbl',`cbl.abuseat.org',`',`',`127.0.0.2')dnl
> MAILER(local)
> MAILER(smtp)
> Cwlocalhost
> Cwrgmhome.net
> Dmrgmhome.net
> Cwrgmhome.homeunix.net
> Dmrgmhome.homeunix.net
> Cwstrider.homeunix.net
> Dmstrider.homeunix.net
> define(`confDOMAIN_NAME',`rgmhome.net')
> define(RELAY_HOST, relay:outbound.att.net)
> define(SMART_HOST, smtp:outbound.att.net)
> dnl define(RELAY_MAILER, TCP)
> define(`RELAY_MAILER_ARGS',`TCP $h 587')
> define(`ESMTP_MAILER_ARGS',`TCP $h 587')
> INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock,
> F=, T=C:15m;S:4m;R:4m;E:10m')
> define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name},
> {if_name}, {if_addr}')dnl
> define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
> ---- cut and paste didn't work quite as expected; ignore the line wraps,
> please
> And my authinfo/client-info file:
> AuthInfo:outbound.att.net:587 "U:root""I:melson.r@att.net"  "P:my-password"
>
> I get the same connection timeout for port 465, which I suppose
> shouldn't be surprising since I don't have STARTTLS configured into
> sendmail.  Whatever, I'm now officially at my wit's end.
>
> I very much appreciate the help you and Andrej have given up to this
> point but have to wonder where we go from here as nothing suggested
> seems to have worked.

Besides correcting the sequence of mc lines (as suggested in another reply):

Part to replace:
define(RELAY_HOST, relay:outbound.att.net)
define(SMART_HOST, smtp:outbound.att.net)
dnl define(RELAY_MAILER, TCP)
define(`RELAY_MAILER_ARGS',`TCP $h 587')
define(`ESMTP_MAILER_ARGS',`TCP $h 587')

New Part:
define(`SMART_HOST', `relay:outbound.att.net')
define(`RELAY_MAILER_ARGS',`TCP $h 587')

[You have used unmodified smtp mailer ("smtp" mailer != "esmtp" mailer)]

P.S.
Your mc file does require cleanup anyway.
0
anfi2 (1425)
2/19/2013 8:59:49 AM
Gents,

I really am grateful for your help and interest.  Unfortunately,
however, nothing seems to work and, in fact, Bob Nichol's "revised" .mc
file broke the email system completely (nothing in, nothing out).  So,
for the moment, I'm going to shelve this and maybe come back to it at a
later date.

Many sincere thanks for your help.

Bob Melson


-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
amia9018 (43)
2/19/2013 5:37:45 PM
Bob Melson <amia9018@mypacks.net> wrote:
> I really am grateful for your help and interest.  Unfortunately,
> however, nothing seems to work and, in fact, Bob Nichol's "revised" .mc
> file broke the email system completely (nothing in, nothing out).  So,
> for the moment, I'm going to shelve this and maybe come back to it at a
> later date.

Have you tried to merely replace smtp mailer with relay mailer in SMART_HOST?
0
anfi2 (1425)
2/19/2013 6:51:33 PM
On 02/19/2013 11:37 AM, Bob Melson wrote:
> I really am grateful for your help and interest.  Unfortunately,
> however, nothing seems to work and, in fact, Bob Nichol's "revised" .mc
> file broke the email system completely (nothing in, nothing out).  So,
> for the moment, I'm going to shelve this and maybe come back to it at a
> later date.

Looking back at that file, I find that I missed several places that the
line wrapping in what you had posted incorrectly broke, or in some cases
_joined_ lines.  Sorry about that.  If you can post or send me an
uncorrupted copy of the file, I can try again.

-- 
Bob Nichols         AT comcast.net I am "RNichols42"
0
2/19/2013 10:15:43 PM
Andrzej Adam Filip wrote:
> Bob Melson <amia9018@mypacks.net> wrote:
>> I really am grateful for your help and interest.  Unfortunately,
>> however, nothing seems to work and, in fact, Bob Nichol's "revised" .mc
>> file broke the email system completely (nothing in, nothing out).  So,
>> for the moment, I'm going to shelve this and maybe come back to it at a
>> later date.
> 
> Have you tried to merely replace smtp mailer with relay mailer in SMART_HOST?
> 
Yes, with no effect.

What seems to be the case is that I can reach the outbound server but am
failing to authenticate.  That's why I went chasing the SASL and STARTTLS
rabbit.  From everything I've seen after googling for all possible
combinations of smart_host/client/authentication, it should be a piece
of cake .. except it isn't.  All the setups that work seem to go to port
587, while my provider insists on 465 and, in my innocence, I suspect
that's at the root of the problem.  Their tech support is unable to help
and I refuse to go to the pay-for-support site/service recommended
because it's both expensive and unreliable.

Thank you once again for trying to help.  I genuinely appreciate it.

Bob Melson

-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
amia9018 (43)
2/19/2013 10:23:51 PM
Robert Nichols wrote:
> On 02/19/2013 11:37 AM, Bob Melson wrote:
>> I really am grateful for your help and interest.  Unfortunately,
>> however, nothing seems to work and, in fact, Bob Nichol's "revised" .mc
>> file broke the email system completely (nothing in, nothing out).  So,
>> for the moment, I'm going to shelve this and maybe come back to it at a
>> later date.
> 
> Looking back at that file, I find that I missed several places that the
> line wrapping in what you had posted incorrectly broke, or in some cases
> _joined_ lines.  Sorry about that.  If you can post or send me an
> uncorrupted copy of the file, I can try again.
> 

Bob,

I really do appreciate all the help you've given.  I'll forward a copy
of the .mc to your email address, tho' I expect it'll make little to no
difference.  As I told Andrej in reply to his last, I can get to the
outbound server on the *required* port 465 but am failing to
authenticate.  All the successful solutions I've found by googling for
all combinations of smart_host/authentication/client/sendmail appear to
be going to port 587, which my ISP doesn't seem to accept.  So the
problem would appear to be one of authentication.

After a last swing, I really am going to hang it up and accept what I
have - outbound from seamonkey-mailer, inbound as a pulldown using
fetchmail/sendmail/procmail.

Bob Melson

-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
amia9018 (43)
2/19/2013 10:46:50 PM
Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>> Bob Melson <amia9018@mypacks.net> wrote:
>>> I really am grateful for your help and interest.  Unfortunately,
>>> however, nothing seems to work and, in fact, Bob Nichol's "revised" .mc
>>> file broke the email system completely (nothing in, nothing out).  So,
>>> for the moment, I'm going to shelve this and maybe come back to it at a
>>> later date.
>> 
>> Have you tried to merely replace smtp mailer with relay mailer in SMART_HOST?
>> 
> Yes, with no effect.
>
> What seems to be the case is that I can reach the outbound server but am
> failing to authenticate.  That's why I went chasing the SASL and STARTTLS
> rabbit.  From everything I've seen after googling for all possible
> combinations of smart_host/client/authentication, it should be a piece
> of cake .. except it isn't.  All the setups that work seem to go to port
> 587, while my provider insists on 465 and, in my innocence, I suspect
> that's at the root of the problem.  Their tech support is unable to help
> and I refuse to go to the pay-for-support site/service recommended
> because it's both expensive and unreliable.
>
> Thank you once again for trying to help.  I genuinely appreciate it.

Make sendmail send a test message in verbose mode to port 587 using the
script I have posted already.

Try to locate the next problem. The script should show:
* transcript of SMTP session (before and after STARTTLS)
* authinfo map lookup(s)
0
anfi2 (1425)
2/19/2013 10:47:46 PM
Andrzej Adam Filip wrote:
> Bob Melson <amia9018@mypacks.net> wrote:
>> Andrzej Adam Filip wrote:
>>> Bob Melson <amia9018@mypacks.net> wrote:
>>>> I really am grateful for your help and interest.  Unfortunately,
>>>> however, nothing seems to work and, in fact, Bob Nichol's "revised" .mc
>>>> file broke the email system completely (nothing in, nothing out).  So,
>>>> for the moment, I'm going to shelve this and maybe come back to it at a
>>>> later date.
>>>
>>> Have you tried to merely replace smtp mailer with relay mailer in SMART_HOST?
>>>
>> Yes, with no effect.
>>
>> What seems to be the case is that I can reach the outbound server but am
>> failing to authenticate.  That's why I went chasing the SASL and STARTTLS
>> rabbit.  From everything I've seen after googling for all possible
>> combinations of smart_host/client/authentication, it should be a piece
>> of cake .. except it isn't.  All the setups that work seem to go to port
>> 587, while my provider insists on 465 and, in my innocence, I suspect
>> that's at the root of the problem.  Their tech support is unable to help
>> and I refuse to go to the pay-for-support site/service recommended
>> because it's both expensive and unreliable.
>>
>> Thank you once again for trying to help.  I genuinely appreciate it.
> 
> Make sendmail send a test message in verbose mode to port 587 using the
> script I have posted already.
> 
> Try to locate the next problem. The script should show:
> * transcript of SMTP session (before and after STARTTLS)
> * authinfo map lookup(s)
> 
OK - here's the session transcript:
sendmail -d38.20 -Am -v -i -t <<END
? To:melsonr@earthlink.net
? Subject:testing
?
? test
? END
regex_map_init: mapname 'badmx', args '-a<BADMX> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$'
regex_map_init: compile '^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$' 0x7
regex_map_init: mapname 'BadMXIP', args '-a<BADMXIP> ^(127\.|10\.|0\.0\.0\.0)'
regex_map_init: compile '^(127\.|10\.|0\.0\.0\.0)' 0x7
seq_map_parse(aliases.files, )
openmap()	dequote:dequote NULL: valid
openmap()	host:host NULL: valid
getcanonname(earthlink.net), trying dns
getcanonname(earthlink.net), found
melsonr@earthlink.net... Connecting to outbound.att.net via relay...
220 smtp107.sbc.mail.mud.yahoo.com ESMTP
>>> EHLO rgmhome.net
250-smtp107.sbc.mail.mud.yahoo.com
250-AUTH LOGIN PLAIN XYMCOOKIE
250-PIPELINING
250-SIZE 41697280
250 8BITMIME
openmap()	macro:macro NULL: valid
macro_map_lookup(macro, {TLS_Name})
hash_map_open(access, /etc/mail/access, 0)
openmap()	hash:access /etc/mail/access: valid
db_map_lookup(access, TLS_Srv:outbound.att.net)
db_map_lookup(access, TLS_Srv:att.net)
db_map_lookup(access, TLS_Srv:net)
db_map_lookup(access, TLS_Srv:68.142.198.51)
db_map_lookup(access, TLS_Srv:68.142.198)
db_map_lookup(access, TLS_Srv:68.142)
db_map_lookup(access, TLS_Srv:68)
db_map_lookup(access, TLS_Srv:)
hash_map_open(authinfo, /etc/mail/authinfo, 0)
openmap()	hash:authinfo /etc/mail/authinfo: valid
db_map_lookup(authinfo, AuthInfo:outbound.att.net)
db_map_lookup(authinfo, AuthInfo:68.142.198.51)
db_map_lookup(authinfo, AuthInfo:)
>>> MAIL From:<root@att.net> SIZE=47
530 authentication required - for help go to http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
switch_map_open(aliases, aliases, 0)
	switch_map_find => 1
		files
	map_stack[0] = sequence:aliases.files
openmap()	switch:aliases aliases: valid
seq_map_lookup(aliases, root)
openmap()	sequence:aliases.files NULL: valid
seq_map_lookup(aliases.files, root)
impl_map_open(Alias0, /etc/mail/aliases, 0)
hash_map_open(Alias0, /etc/mail/aliases, 0)
impl_map_lookup(Alias0, @)
db_map_lookup(Alias0, @)
openmap()	implicit:Alias0 /etc/mail/aliases: valid
impl_map_lookup(Alias0, root)
db_map_lookup(Alias0, root)
/root/dead.letter... Saved message in /root/dead.letter
Closing connection to outbound.att.net
>>> QUIT
221 Service Closing transmission
closemaps: closing aliases.files (NULL)
closemaps: closing authinfo (/etc/mail/authinfo)
db_map_close(authinfo, /etc/mail/authinfo, 1000321)
closemaps: closing Alias0 (/etc/mail/aliases)
impl_map_close(Alias0, /etc/mail/aliases, 10012a3)
db_map_close(Alias0, /etc/mail/aliases, 10012a3)
closemaps: closing access (/etc/mail/access)
db_map_close(access, /etc/mail/access, 1000321)
closemaps: closing host (NULL)
closemaps: closing aliases (aliases)
closemaps: closing dequote (NULL)
closemaps: closing macro (NULL)



-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
amia9018 (43)
2/19/2013 11:02:31 PM
Bob Melson <amia9018@mypacks.net> wrote:
> [...]
> melsonr@earthlink.net... Connecting to outbound.att.net via relay...
> 220 smtp107.sbc.mail.mud.yahoo.com ESMTP
> >>> EHLO rgmhome.net
> 250-smtp107.sbc.mail.mud.yahoo.com
> 250-AUTH LOGIN PLAIN XYMCOOKIE
> 250-PIPELINING
> 250-SIZE 41697280
> 250 8BITMIME
> [...]
> >>> MAIL From:<root@att.net> SIZE=47
> 530 authentication required - for help go to
> http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
> [...]

The remote host:
a) does not offer STARTTLS (switching to encrypted connection)
b) offers SMTP AUTH methods [LOGIN PLAIN] sendmail is unwilling
   (in default configurations) to use over not encrypted connections

You can force sendmail to send password in "plain text" but trying SMTPS
based sending would be a better choice in this case.

How many messages per day do you expect to send out?

BTW att.net in "MAIL From:<root@att.net>" is the right domain?
0
anfi2 (1425)
2/19/2013 11:57:22 PM
Bob Melson <amia9018@mypacks.net> wrote:
> [...]
> melsonr@earthlink.net... Connecting to outbound.att.net via relay...
> 220 smtp107.sbc.mail.mud.yahoo.com ESMTP
>>>> EHLO rgmhome.net
> 250-smtp107.sbc.mail.mud.yahoo.com
> 250-AUTH LOGIN PLAIN XYMCOOKIE
> 250-PIPELINING
> 250-SIZE 41697280
> 250 8BITMIME
> [...]
> db_map_lookup(authinfo, AuthInfo:outbound.att.net)
> db_map_lookup(authinfo, AuthInfo:68.142.198.51)
> db_map_lookup(authinfo, AuthInfo:)
>>>> MAIL From:<root@att.net> SIZE=47
> 530 authentication required - for help go to
> http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
> [...]

Remove :465 from your authinfo entry (as reported in the opening post):
outbound.mail.ISP:465 "I:my-id" "P:password"
0
anfi2 (1425)
2/20/2013 1:05:52 AM
Andrzej Adam Filip wrote:

> The remote host:
> a) does not offer STARTTLS (switching to encrypted connection)
> b) offers SMTP AUTH methods [LOGIN PLAIN] sendmail is unwilling
>    (in default configurations) to use over not encrypted connections
> 
> You can force sendmail to send password in "plain text" but trying SMTPS
> based sending would be a better choice in this case.
> 
> How many messages per day do you expect to send out?
> 
> BTW att.net in "MAIL From:<root@att.net>" is the right domain?
> 

How many emails?  Probably somewhere between 20-40 on a heavy day.  This
is a home account and traffic is really variable but on the low side.

SMTPS?  Huh?  Seems this is deprecated, from what I just read.

In reply to your later message (remove 465 from authinfo), I did so,
with no effect when sending a message.  The remote system either
complains because of no authentication or just resets the connection.


-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
amia9018 (43)
2/20/2013 1:50:38 AM
Bob Melson <amia9018@mypacks.net> wrote:
> [...]
> In reply to your later message (remove 465 from authinfo), I did so,
> with no effect when sending a message.  The remote system either
> complains because of no authentication or just resets the connection.

<quote>
db_map_lookup(authinfo, AuthInfo:outbound.att.net)
db_map_lookup(authinfo, AuthInfo:68.142.198.51)
db_map_lookup(authinfo, AuthInfo:)
</quote>

1) Sendmail looks for "AuthInfo:outbound.att.net" key in authinfo map
2) It does not find the value/entry because it asks later for
   "AuthInfo:68.142.198.51" and  "AuthInfo:"
=> correct the authinfo entry
0
anfi2 (1425)
2/20/2013 10:08:20 AM
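The two diagnoses above (an EHLO reply that offers AUTH but no STARTTLS, and authinfo lookups that fall through to the default `AuthInfo:` key) can be read mechanically from the `sendmail -d38.20 -v` output. The following is an added example, not code from any poster in this thread; the function names are hypothetical, and the sample input is constructed from the trace lines and the authinfo entry quoted in the thread.

```python
import re

# Constructed sample: the relevant lines of the trace posted in this thread
# (unrelated map lookups omitted, wrapped lines joined).
TRACE = """\
melsonr@earthlink.net... Connecting to outbound.att.net via relay...
220 smtp107.sbc.mail.mud.yahoo.com ESMTP
>>> EHLO rgmhome.net
250-smtp107.sbc.mail.mud.yahoo.com
250-AUTH LOGIN PLAIN XYMCOOKIE
250-PIPELINING
250-SIZE 41697280
250 8BITMIME
hash_map_open(authinfo, /etc/mail/authinfo, 0)
db_map_lookup(authinfo, AuthInfo:outbound.att.net)
db_map_lookup(authinfo, AuthInfo:68.142.198.51)
db_map_lookup(authinfo, AuthInfo:)
>>> MAIL From:<root@att.net> SIZE=47
530 authentication required - for help go to http://help.yahoo.com/sbc/dsl/mail/pop/pop-11.html
"""

# The authinfo source line as posted in the thread ("my-password" is the
# poster's own placeholder).
AUTHINFO_SRC = 'AuthInfo:outbound.att.net:587 "U:root""I:melson.r@att.net"  "P:my-password"\n'


def ehlo_capabilities(trace):
    """Return {KEYWORD: [params]} from the 250 lines that follow '>>> EHLO'."""
    caps, in_reply, first = {}, False, True
    for line in trace.splitlines():
        if line.startswith(">>> EHLO"):
            caps, in_reply, first = {}, True, True
            continue
        if not in_reply:
            continue
        m = re.match(r"250([- ])(.*)", line)
        if not m:
            in_reply = False
            continue
        if not first:  # the first 250 line is the server greeting, not a keyword
            words = m.group(2).split()
            if words:
                caps[words[0].upper()] = words[1:]
        first = False
        if m.group(1) == " ":  # "250 " with a space ends the multi-line reply
            in_reply = False
    return caps


def authinfo_lookups(trace):
    """Return (map file opened, keys sendmail asked for) from the -d38.20 lines."""
    opened = re.search(r"hash_map_open\(authinfo, ([^,]+), \d+\)", trace)
    keys = re.findall(r"db_map_lookup\(authinfo, ([^)]*)\)", trace)
    return (opened.group(1) if opened else None), keys


def authinfo_keys(src):
    """Keys of a makemap source file: first whitespace-delimited field per entry."""
    keys = []
    for line in src.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.append(line.split(None, 1)[0])
    return keys


def analyse(trace, authinfo_src):
    """Summarise why the session ended in '530 authentication required'."""
    caps = ehlo_capabilities(trace)
    map_file, asked = authinfo_lookups(trace)
    src_keys = authinfo_keys(authinfo_src)
    have = {k.lower() for k in src_keys}
    # Keys sendmail asked for that exist in the source file.
    hits = [k for k in asked if k.lower() in have]
    # Source entries that differ from a requested key only by a ":suffix"
    # such as a port number appended to the host name.
    near = [s for s in src_keys
            if any(k != "AuthInfo:" and s.lower().startswith(k.lower() + ":")
                   for k in asked)]
    return {
        "auth_mechs": caps.get("AUTH", []),
        "starttls_offered": "STARTTLS" in caps,
        # AUTH without STARTTLS: LOGIN/PLAIN credentials would cross in the clear.
        "cleartext_auth_only": "AUTH" in caps and "STARTTLS" not in caps,
        "authinfo_map": map_file,
        "authinfo_asked": asked,
        "authinfo_hits": hits,
        "authinfo_near_misses": near,
        "auth_attempted": bool(re.search(r"^>>> AUTH\b", trace, re.M)),
        "rejected_530": bool(re.search(r"^530 ", trace, re.M)),
    }


if __name__ == "__main__":
    for name, value in analyse(TRACE, AUTHINFO_SRC).items():
        print(f"{name}: {value}")
```

The reported `authinfo_map` path is worth comparing with the path given in the `FEATURE(`authinfo', ...)` line of the .mc file, since the map sendmail opens is the one that has to contain the key.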
Andrzej Adam Filip wrote:
> Bob Melson <amia9018@mypacks.net> wrote:
>> [...]
>> In reply to your later message (remove 465 from authinfo), I did so,
>> with no effect when sending a message.  The remote system either
>> complains because of no authentication or just resets the connection.
> 
> <quote>
> db_map_lookup(authinfo, AuthInfo:outbound.att.net)
> db_map_lookup(authinfo, AuthInfo:68.142.198.51)
> db_map_lookup(authinfo, AuthInfo:)
> </quote>
> 
> 1) Sendmail looks for "AuthInfo:outbound.att.net" key in authinfo map
> 2) It does not find the value/entry because it asks later for
>    "AuthInfo:68.142.198.51" and  "AuthInfo:"
> => correct the authinfo entry
> 

That's the address AT&T specified.

The problem, I think, is twofold:  first, that port 587 doesn't offer
STARTTLS authentication and, second, that they (AT&T) are relying on the
use of XYMCOOKIE on port 465 - and that's a Yahoo "special" feature for
mail security.

This is not, as it turns out, a problem with a simple solution.

With my most sincere thanks to you and Bob Nichols, I'm going to drop it
for now and take the issue up with AT&T and, if I fail to get what I
consider an acceptable resolution, will return to my previous ISP.

Thanks very much once again.

Bob Melson

-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
amia9018 (43)
2/20/2013 4:44:58 PM
Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>> Bob Melson <amia9018@mypacks.net> wrote:
>>> [...]
>>> In reply to your later message (remove 465 from authinfo), I did so,
>>> with no effect when sending a message.  The remote system either
>>> complains because of no authentication or just resets the connection.
>> 
>> <quote>
>> db_map_lookup(authinfo, AuthInfo:outbound.att.net)
>> db_map_lookup(authinfo, AuthInfo:68.142.198.51)
>> db_map_lookup(authinfo, AuthInfo:)
>> </quote>
>> 
>> 1) Sendmail looks for "AuthInfo:outbound.att.net" key in authinfo map
>> 2) It does not find the value/entry because it asks later for
>>    "AuthInfo:68.142.198.51" and  "AuthInfo:"
>> => correct the authinfo entry
>> 
>
> That's the address AT&T specified.
>
> The problem, I think, is twofold:  
> first, that port 587 doesn't offer STARTTLS authentication 

STARTTLS is not authentication, it is encryption.

> and, second, that they (AT&T) are relying on the use of XYMCOOKIE on
> port 465 - and that's a Yahoo "special" feature for mail security.
>
> This is not, as it turns out, a problem with a simple solution.
>
> With my most sincere thanks to you and Bob Nichols, I'm going to drop it
> for now and take the issue up with AT&T and, if I fail to get what I
> consider an acceptable resolution, will return to my previous ISP.

As I understand the debug output you provided:
Your sendmail 
1) makes connection to outbound.att.net:587
2) searches for authinfo data to use in PLAIN or LOGIN authentications
3) does not try to authenticate because it finds no appropriate entry
0
anfi2 (1425)
2/20/2013 6:05:01 PM
Andrzej Adam Filip wrote:

> As I understand the debug output you provided:
> Your sendmail 
> 1) makes connection to outbound.att.net:587
> 2) searches for authinfo data to use in PLAIN or LOGIN authentications
> 3) does not try to authenticate because it finds no appropriate entry
> 
That's pretty much it.  outbound:587 provides LOGIN PLAIN and XYMCOOKIE,
outbound:465 just sits there and does nothing (this on a telnet session
to outbound on each of the ports).  Since AT&T *requires* use of 465,
anything further would appear to be pretty much a case of spinning
my/our wheels.  I don't like it - it seems far too restrictive at the
very least - but I also don't like to go tilting at windmills, either.
(I do understand that STARTTLS is an encryption method - X.509, IIRC -
but its absence on outbound hints that there can be no secure password
exchange and, by extension, no connect.)

Once again, thanks for your help.  I've learned a lot (and relearned
much I had forgotten!).  I'll just have to be satisfied with what I have.

Bob Melson


-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
amia9018 (43)
2/20/2013 6:23:23 PM
Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>
>> As I understand the debug output you provided:
>> Your sendmail 
>> 1) makes connection to outbound.att.net:587
>> 2) searches for authinfo data to use in PLAIN or LOGIN authentications
>> 3) does not try to authenticate because it finds no appropriate entry
>> 
> That's pretty much it.  outbound:587 provides LOGIN PLAIN and XYMCOOKIE,
> outbound:465 just sits there and does nothing (this on a telnet session
> to outbound on each of the ports.  

Outbound:465 wants you to start SSL negotiation/session.

On Linux/Debian there is telnet-ssl package providing telnet client
implementation capable to (also) establish SSL session. 

> Since AT&T *requires* use of 465, anything further would appear to be
> pretty much a case of spinning my/our wheels.
>  I don't like it - it seems far too restrictive at the very least -
> but I also don't like to go tilting at windmills, either.  (I do
> understand that STARTTLS is an encryption method - X.509, IIRC - but
> its absence on outbound hints that there can be no secure password
> exchange and, by extension, no connect.)
> Once again, thanks for your help.  I've learned a lot (and relearned
> much I had forgotten!).  I'll just have to be satisfied with what I have.

Do you have openssl program installed?
YES=> you can make sendmail use openssl in new custom mailer definition
to handle smtps connection. [It seems to be acceptable solution for <100
outgoing messages per day].
Test command:
openssl s_client -verify 2 -ssl3 -quiet -connect outbound.att.net:465

Another option may be (transparent) stunnel proxy.

0
anfi2 (1425)
2/20/2013 7:40:35 PM
Andrzej Adam Filip wrote:
> Bob Melson <amia9018@mypacks.net> wrote:
>> Andrzej Adam Filip wrote:
>>
>>> As I understand the debug output you provided:
>>> Your sendmail 
>>> 1) makes connection to outbound.att.net:587
>>> 2) searches for authinfo data to use in PLAIN or LOGIN authentications
>>> 3) does not try to authenticate because it finds no appropriate entry
>>>
>> That's pretty much it.  outbound:587 provides LOGIN PLAIN and XYMCOOKIE,
>> outbound:465 just sits there and does nothing (this on a telnet session
>> to outbound on each of the ports.  
> 
> Outbound:465 wants you to start SSL negotiation/session.
> 
> On Linux/Debian there is telnet-ssl package providing telnet client
> implementation capable to (also) establish SSL session. 
> 
>> Since AT&T *requires* use of 465, anything further would appear to be
>> pretty much a case of spinning my/our wheels.
>>  I don't like it - it seems far too restrictive at the very least -
>> but I also don't like to go tilting at windmills, either.  (I do
>> understand that STARTTLS is an encryption method - X.509, IIRC - but
>> its absence on outbound hints that there can be no secure password
>> exchange and, by extension, no connect.)
>> Once again, thanks for your help.  I've learned a lot (and relearned
>> much I had forgotten!).  I'll just have to be satisfied with what I have.
> 
> Do you have openssl program installed?
> YES=> you can make sendmail use openssl in new custom mailer definition
> to handle smtps connection. [It seems to be acceptable solution for <100
> outgoing messages per day].
> Test command:
> openssl s_client -verify 2 -ssl3 -quiet -connect outbound.att.net:465
> 
> Another option may be (transparent) stunnel proxy.
> 
openssl is installed but not configured, i.e., no local certificate.

strider# openssl s_client -verify 2 -ssl3 -quiet -connect outbound.att.net:465
verify depth is 2
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=27:certificate not trusted
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 /C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net Mail/CN=outbound.att.net
verify return:1
220 smtp111.sbc.mail.mud.yahoo.com ESMTP


-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
amia9018 (43)
2/20/2013 8:01:33 PM
Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>> Bob Melson <amia9018@mypacks.net> wrote:
>>> Andrzej Adam Filip wrote:
>>>
>>>> As I understand the debug output you provided:
>>>> Your sendmail 
>>>> 1) makes connection to outbound.att.net:587
>>>> 2) searches for authinfo data to use in PLAIN or LOGIN authentications
>>>> 3) does not try to authenticate because it finds no appropriate entry
>>>>
>>> That's pretty much it.  outbound:587 provides LOGIN PLAIN and XYMCOOKIE,
>>> outbound:465 just sits there and does nothing (this on a telnet session
>>> to outbound on each of the ports.  
>> 
>> Outbound:465 wants you to start SSL negotiation/session.
>> 
>> On Linux/Debian there is a telnet-ssl package providing a telnet client
>> implementation also capable of establishing an SSL session.
>> 
>>> Since AT&T *requires* use of 465, anything further would appear to be
>>> pretty much a case of spinning my/our wheels.
>>>  I don't like it - it seems far too restrictive at the very least -
>>> but I also don't like to go tilting at windmills, either.  (I do
>>> understand that STARTTLS is an encryption method - X.509, IIRC - but
>>> its absence on outbound hints that there can be no secure password
>>> exchange and, by extension, no connect.)
>>> Once again, thanks for your help.  I've learned a lot (and relearned
>>> much I had forgotten!).  I'll just have to be satisfied with what I have.
>> 
>> Do you have openssl program installed?
>> YES=> you can make sendmail use openssl in new custom mailer definition
>> to handle smtps connection. [It seems to be acceptable solution for <100
>> outgoing messages per day].
>> Test command:
>> openssl s_client -verify 2 -ssl3 -quiet -connect outbound.att.net:465
>> 
>> Another option may be (transparent) stunnel proxy.
>> 
> openssl is installed but not configured, i.e., no local certificate.
>
> strider# openssl s_client -verify 2 -ssl3 -quiet -connect outbound.att.net:465
> verify depth is 2
> depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
> verify error:num=27:certificate not trusted
> verify return:1
> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
> verify return:1
> depth=0 /C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net Mail/CN=outbound.att.net
> verify return:1
> 220 smtp111.sbc.mail.mud.yahoo.com ESMTP

1) create openssl wrapper script named e.g. /usr/local/bin/smtps
It is needed to ignore STDERR output and change exit codes as sendmail likes

#!/bin/sh
/usr/bin/openssl  s_client -verify 2 -ssl3 -quiet -connect $1:465 2>/dev/null || exit 75

2) Get esmtp mailer definition from your sendmail.cf

echo =M | sendmail -bt | grep esmtp

3) Insert it after MAILER_DEFINITIONS line in your sendmail.mc with the
following changes
3a) change mailer name to smtps 
Mesmtp -> Msmtps
3b) change mailer part to your openssl wrapper script
P=[IPC] -> P=/usr/local/bin/smtps
3c) change arguments
A=TCP $h -> A=smtps $h

4) make SMART_HOST use smtps mailer
define(`SMART_HOST',`smtps:outbound.att.net')

P.S.
A) Check elsewhere if openssl options are right/safe.
   I am not openssl expert.
B) It is a quick&dirty initial implementation [working prototype]
   [I may write clean cf/mailer/smtps.m4 in a few weeks]
0
anfi2 (1425)
2/20/2013 9:18:43 PM
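Added example, not part of any post in this thread: the wrapper above sends s_client's diagnostics to /dev/null, and the posted transcript shows the SMTP banner arriving after two verification errors. The script below audits such a log and sketches a wrapper that refuses unverified sessions. The function names, the CA_BUNDLE and SMTPS_LOG variables, the /etc/ssl/cert.pem default and the use of -verify_hostname (OpenSSL 1.1.0 or later) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). s_client run with "-verify 2" only
# reports chain problems and carries on, so the 220 banner in the posted
# transcript arrived on a session whose server certificate was never validated.

# Constructed sample: the posted transcript with news-client line wraps rejoined.
SAMPLE_LOG='verify depth is 2
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=27:certificate not trusted
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 /C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net Mail/CN=outbound.att.net
verify return:1
220 smtp111.sbc.mail.mud.yahoo.com ESMTP'

# Print "depth:num:reason" for every verification error in the log on stdin.
verify_errors() {
    awk '
        /^depth=[0-9]+/ { split($1, d, "="); depth = d[2] }
        /^verify error:num=[0-9]+:/ {
            sub(/^verify error:num=/, "")
            print depth ":" $0
        }'
}

# Print the CN of the depth=0 (server) certificate. Accepts the old
# "/C=US/.../CN=host" subject layout and the newer "C = US, ..., CN = host".
leaf_cn() {
    sed -n 's/^depth=0 .*CN *= *\([^,/]*\).*$/\1/p' | head -n 1
}

# audit_log EXPECTED_HOST < log
# Returns 0 if the chain is clean and the CN matches, 1 on verification
# errors, 2 on a CN mismatch. Reasons go to stderr.
audit_log() {
    log=$(cat)
    errs=$(printf '%s\n' "$log" | verify_errors)
    cn=$(printf '%s\n' "$log" | leaf_cn)
    if [ -n "$errs" ]; then
        printf 'UNVERIFIED chain:\n%s\n' "$errs" >&2
        return 1
    fi
    [ "$cn" = "$1" ] || { printf 'leaf CN "%s" is not "%s"\n' "$cn" "$1" >&2; return 2; }
    return 0
}

# Wrapper variant that fails closed (assumed paths; needs a CA bundle that
# contains the issuing root). -verify_return_error aborts the handshake on a
# chain error, -verify_hostname checks the certificate against the host name,
# and any failure becomes 75 (EX_TEMPFAIL) so sendmail requeues the message.
# Diagnostics are appended to a log instead of being discarded.
smtps_connect() {
    /usr/bin/openssl s_client -quiet -connect "$1:465" \
        -CAfile "${CA_BUNDLE:-/etc/ssl/cert.pem}" \
        -verify_return_error -verify_hostname "$1" \
        2>>"${SMTPS_LOG:-/var/log/smtps-wrapper.log}" || return 75
}

# Demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_LOG" | audit_log outbound.att.net; then
    echo "chain verified"
else
    echo "chain NOT verified: do not hand AUTH credentials to this session"
fi
```

Error 20 at depth 2 means the local trust store could not supply the root, which matches "no local certificate" in the post; pointing -CAfile at a bundle that contains that root is what makes the hardened form succeed.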
Andrzej Adam Filip wrote:

> 1) create openssl wrapper script named e.g. /usr/local/bin/smtps
> It is needed to ignore STDERR output and change exit codes as sendmail likes
> 
> #!/bin/sh
> /usr/bin/openssl  s_client -verify 2 -ssl3 -quiet -connect $1:465 2>/dev/null || exit 75
> 
> 2) Get esmtp mailer definition from your sendmail.cf
> 
> echo =M | sendmail -bt | grep esmtp
> 
> 3) Insert it after MAILER_DEFINITIONS line in your sendmail.mc with the
> following changes
> 3a) change mailer name to smtps 
> Mesmtp -> Msmtps
> 3b) change mailer part to your openssl wrapper script
> P=[IPC] -> P=/usr/local/bin/smtps
> 3c) change arguments
> A=TCP $h -> A=smtps $h
> 
> 4) make SMART_HOST use smtps mailer
> define(`SMART_HOST',`smtps:outbound.att.net')
> 
> P.S.
> A) Check elsewhere if openssl options are right/safe.
>    I am not openssl expert.
> B) It is a quick&dirty initial implementation [working prototype]
>    [I may write clean cf/mailer/smtps.m4 in a few weeks]
> 

I'll give it a try in a couple of days.  I've had issues with AT&T as a
result of all the previous "playing", so want to let it rest for just a
bit.  I *will* give it a try, though, and let you know.

Bob Melson


-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
amia9018 (43)
2/21/2013 2:10:06 AM
Bob Melson <amia9018@mypacks.net> wrote:
> Andrzej Adam Filip wrote:
>
>> 1) create openssl wrapper script named e.g. /usr/local/bin/smtps
>> It is needed to ignore STDERR output and change exit codes as sendmail likes
>> 
>> #!/bin/sh
>> /usr/bin/openssl  s_client -verify 2 -ssl3 -quiet -connect $1:465 2>/dev/null || exit 75
>> 
>> 2) Get esmtp mailer definition from your sendmail.cf
>> 
>> echo =M | sendmail -bt | grep esmtp
>> 
>> 3) Insert it after MAILER_DEFINITIONS line in your sendmail.mc with the
>> following changes
>> 3a) change mailer name to smtps 
>> Mesmtp -> Msmtps
>> 3b) change mailer part to your openssl wrapper script
>> P=[IPC] -> P=/usr/local/bin/smtps
>> 3c) change arguments
>> A=TCP $h -> A=smtps $h
>> 
>> 4) make SMART_HOST use smtps mailer
>> define(`SMART_HOST',`smtps:outbound.att.net')
>> 
>> P.S.
>> A) Check elsewhere if openssl options are right/safe.
>>    I am not openssl expert.
>> B) It is a quick&dirty initial implementation [working prototype]
>>    [I may write clean cf/mailer/smtps.m4 in a few weeks]
>> 
>
> I'll give it a try in a couple of days.  I've had issues with AT&T as a
> result of all the previous "playing", so want to let it rest for just a
> bit.  I *will* give it a try, though, and let you know.

IMHO it would be safer to use outgoing stunnel proxy
[ 127.0.0.1:X -> outbound.att.net:smtps ]. I have not 
tested smtps-openssl mailer in practice, some small/"small"
problems are possible.

Required stunnel configuration is described in Postfix FAQ:
  http://www.postfix.org/TLS_README.html#client_smtps
0
anfi2 (1425)
2/21/2013 9:36:52 AM
On 02/21/2013 03:36 AM, Andrzej Adam Filip wrote:
> Required stunnel configuration is described in Postfix FAQ:
>    http://www.postfix.org/TLS_README.html#client_smtps

The description in that README is basically what I used to use to make
port 465 work with smtp.comcast.net as my smart host.  If you like, I
can dig out my backups from 2007 and send the relevant files, but I
think the only thing not in that README was the init.d script to start
an stunnel daemon listening on a local port (I used 127.0.0.25 port
465), and I'm not sure how relevant that would be on the BSD 4.4 that
you list as OSTYPE in your sendmail.mc.

-- 
Bob Nichols         AT comcast.net I am "RNichols42"
0
2/22/2013 9:24:24 PM
Robert Nichols wrote:
> On 02/21/2013 03:36 AM, Andrzej Adam Filip wrote:
>> Required stunnel configuration is described in Postfix FAQ:
>>    http://www.postfix.org/TLS_README.html#client_smtps
> 
> The description in that README is basically what I used to use to make
> port 465 work with smtp.comcast.net as my smart host.  If you like, I
> can dig out my backups from 2007 and send the relevant files, but I
> think the only thing not in that README was the init.d script to start
> an stunnel daemon listening on a local port (I used 127.0.0.25 port
> 465), and I'm not sure how relevant that would be on the BSD 4.4 that
> you list as OSTYPE in your sendmail.mc.
> 
Thanks to you both for the hint/hand-holding.  I'm going to let it rest
for a bit:  all the previous "playing" with test mails, etc., caused my
email, both in- and out-bound, to be blocked and I don't want to cause
the same thing to happen a 2d time.  That said, I *will* try it out in
the not distant future, just not in the next few days.

Again, my sincere thanks to you both for all the help you've given.

Bob Melson

-- 
Robert G. Melson | Rio Grande Microsolutions | El Paso, Texas
-----
Any man who thinks he can be happy and prosperous by letting the
Government take care of him, better take a closer look at the
American Indian. -- Henry Ford
0
amia9018 (43)
2/22/2013 10:01:08 PM