noob ssl sendmail problem

I'm very new to FreeBSD, but I'm using it to run my website, and Michael Lewis' Absolute FreeBSD 2nd edition has been able to step my through the basics and get my website running smoothly the last couple months. Now I want to get mail services running.

I followed his instructions in chapter 16 and thought I had everything working, except I could not send mail outside of my domain. I could send and receive to email addresses within the domain, and receive emails from addresses of another domain (ex. hotmail), but I could not send a message to an address outside my domain (ex. hotmail).

I believed from what I was reading that to accomplish this I needed to implement SASL. The end result is that I can no longer start sendmail. I receive warnings:
Code:
   Warning: Option: CACertPath requires TLS support
   Warning: Option: CACertFile requires TLS support
   Warning: Option: ServerCertFile requires TLS support
   Warning: Option: ServerKeyFile requires TLS support
   Warning: Option: ClientCertFile requires TLS support
   Warning: Option: ClientKeyFile requires TLS support
and sendmail does not appear to start.

To install SASL I went to /usr/ports/sendmail and ran:
Code:
   make SENDMAIL_WITH_SASL2=YES all install clean
I was not warned that I'd have options, so I accepted the defaults, and don't remember what those were.

I added to /etc/rc.conf
Code:
   saslauthd_enable="YES"

I started saslauthd by running:
Code:
   /usr/local/etc/rc.d/saslauthd start

I changed /etc/mail/mailer.conf to
Code:
   sendmail    /usr/local/sbin/sendmail
   send-mail   /usr/local/sbin/sendmail
   mailq       /usr/local/sbin/sendmail
   newaliases  /usr/local/sbin/sendmail
   hoststat    /usr/local/sbin/sendmail
   purgestat   /usr/local/sbin/sendmail

I added to my /etc/mail/hostname.mc
Code:
   TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
   define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
   define(`CERT_DIR', `/etc/mail/certs')dnl
   define(`confCACERT_PATH', `CERT_DIR')dnl
   define(`confCACERT', `CERT_DIR/csr.pem')dnl
   define(`confSERVER_CERT', `CERT_DIR/selfsigned.crt')dnl
   define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
   define(`confCLIENT_CERT', `CERT_DIR/selfsigned.crt')dnl
   define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
   define(`confAUTH_OPTIONS', `A p y')dnl
   DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
   DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

I installed a new sendmail.cf
Code:
   cd /etc/mail
   make all install

And then tried to restart sendmail
Code:
   /etc/rc.d/sendmail restart

and get the warnings
Code:
   Warning: Option: CACertPath requires TLS support
   Warning: Option: CACertFile requires TLS support
   Warning: Option: ServerCertFile requires TLS support
   Warning: Option: ServerKeyFile requires TLS support
   Warning: Option: ClientCertFile requires TLS support
   Warning: Option: ClientKeyFile requires TLS support

and sendmail does not start.

I've tried googling and I've tried searching these forums, so forgive me if this is something I should have been able to figure out. I could really use some help. Thanks.
 
I'm pretty sure you started /usr/sbin/sendmail by using /etc/rc.d/sendmail

Code:
command=${sendmail_program:-/usr/sbin/${name}}

Anything in /usr/local/etc/rc.d?
 
Code:
-r-xr-xr-x  1 root  wheel  4000 Sep  8  2008 apache2
-r-xr-xr-x  1 root  wheel  1717 May  4 11:40 dovecot
-r-xr-xr-x  1 root  wheel  1664 Oct 17  2008 mysql-server
-r-xr-xr-x  1 root  wheel  1088 May  5 08:36 saslauthd
-r-xr-xr-x  1 root  wheel  1666 May  5 08:36 sendmail.sh.sample
-r-xr-xr-x  1 root  wheel   639 May  5 08:36 sm-client.sh.sample
You mean I'm not starting the instance of sendmail I should be? Or that it's pointing to a directory that doesn't have sendmail? Sorry, this is all very new to me.
 
What is the output of 'file /usr/sbin/sendmail'? Just wondering whether it is Sendmail (the program) or mailwrapper (which would read mailer.conf to get to the Sendmail program you need).
 
Try rebuilding the Sendmail port with this option added (which is also in the Makefile):

Code:
SENDMAIL_WITH_TLS=yes
 
I did a deinstall and then reinstalled with the SENDMAIL_WITH_TLS=yes but the result is the same.
 
Stepping back a little ..

waiting said:
I followed his instructions in chapter 16 and thought I had everything working, except I could not send mail outside of my domain. I could send and receive to email addresses within the domain, and receive emails from addresses of another domain (ex. hotmail), but I could not send a message to an address outside my domain (ex. hotmail).

I don't see what SASL has to do with this problem. The default install of Sendmail (base system) will mail anywhere you want, as long as you either send mail from 127.0.0.1, or put the IP-address(es) you send mail from in the access database with 'RELAY'.
 
I read that to mean that in order for me to use a remote client to connect and send email, I'd have to hard code each and every IP address I may connect from, and that SASL authentication would essentially log in from any IP.

I've changed mailer.conf back to the original and dnl out the SASL lines in my mc file and run a make all install. Sendmail starts fine now, like it used to. However, if I try sending a test email from a remote client to a hotmail address, I get the following error.

Code:
The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was 'InsertNameHere@hotmail.com'. Subject 'test', Account: 'FreeBSD', Server: 'smtp.myserver.net', Protocol: SMTP, Server Response: '550 5.7.1 <InsertNameHere@hotmail.com>... Relaying denied', Port: 25, Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC79
Names changed to protect the innocent.

Was I killing a fly with a hammer?
 
Not necessarily. I didn't know about the 'roaming character' of this mail setup. If you add your current IP address to the access database with RELAY, you should be able to relay through this server without any alteration to Sendmail.

If you also use POP3 on this server, you could look into POP-before-SMTP, which is a much simpler setup (the POP3 login puts your IP address in the relay table for a fixed amount of time).

There's also port forwarding over SSH, or a VPN, or Webmail, of course.
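To make the relay advice in the last two replies concrete (mail for a local domain is always accepted; a client whose address carries RELAY in the access database may send anywhere; an SMTP-AUTH session may send anywhere; everything else gets the '550 5.7.1 ... Relaying denied' seen in the error above), here is a small model of that RCPT TO decision. It is an added illustration written for this thread, not Sendmail source or anything the poster ran; the access file uses the real access(5) text layout, but every address, domain and client in it is constructed for the example.

```python
"""Toy model of the relay decision Sendmail makes at RCPT TO, following the
advice in this thread. Added example, not Sendmail source; the access file is
in access(5) text format but all addresses and domains are constructed."""

# Constructed access database, as written before running
# `makemap hash /etc/mail/access < /etc/mail/access`.
ACCESS_DB = """\
# clients allowed to relay: the box itself and the office LAN
Connect:127.0.0.1\tRELAY
Connect:192.168.1\tRELAY
# a host we never want to hear from
Connect:203.0.113.9\tREJECT
"""

# Domains this server accepts mail for (constructed).
LOCAL_DOMAINS = {"myserver.net", "localhost"}


def parse_access(text):
    """Turn access(5) text (key, whitespace, value) into a dict,
    skipping blank lines and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key] = value.strip().upper()
    return table


def access_lookup(table, client_ip):
    """Mimic the access map search order for an IPv4 client: the full
    address first, then shorter dotted prefixes (192.168.1.20 -> 192.168.1
    -> 192.168 -> 192), so a prefix entry covers the whole network."""
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        value = table.get("Connect:" + ".".join(octets[:n]))
        if value is not None:
            return value
    return None


def rcpt_decision(table, client_ip, recipient, authenticated=False):
    """Return the SMTP reply a RCPT TO would receive under this policy."""
    domain = recipient.rpartition("@")[2].lower()
    verdict = access_lookup(table, client_ip)
    if verdict == "REJECT":
        return "550 5.7.1 Access denied"
    if domain in LOCAL_DOMAINS:
        return "250 2.1.5 Recipient ok"          # mail for us: always taken
    if authenticated or verdict == "RELAY":
        return "250 2.1.5 Recipient ok"          # trusted client: may relay
    return f"550 5.7.1 <{recipient}>... Relaying denied"


TABLE = parse_access(ACCESS_DB)

if __name__ == "__main__":
    # The thread's symptom: a roaming client (not in the map, no AUTH)
    # sending to an outside domain.
    print(rcpt_decision(TABLE, "198.51.100.7", "InsertNameHere@hotmail.com"))
    # Same client after SMTP AUTH succeeded.
    print(rcpt_decision(TABLE, "198.51.100.7", "InsertNameHere@hotmail.com",
                        authenticated=True))
    # A LAN client covered by the 192.168.1 prefix entry.
    print(rcpt_decision(TABLE, "192.168.1.20", "InsertNameHere@hotmail.com"))
```

The prefix lookup is why a single 'Connect:192.168.1 RELAY' line covers a whole LAN, and also why a roaming client with a changing address never matches unless it authenticates; the REJECT check runs before the local-domain check because an explicitly rejected client should not even deliver to local users.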
 
What can I look at to help me determine why sendmail isn't starting when I try the SSL setup? There aren't that many pieces that change, but I still don't know what to try.

Thanks
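The question of what to look at is left open in the thread, so here are the three checks its replies point to, collected in one place: which binary /etc/rc.d/sendmail launches (the rc script quoted earlier defaults to /usr/sbin/sendmail unless sendmail_program is set in rc.conf), where mailer.conf hands off to when that binary is mailwrapper, and whether the binary that finally runs was built with STARTTLS and SASL, since a build without STARTTLS is exactly what makes every confCACERT*/confSERVER_*/confCLIENT_* option warn 'requires TLS support'. This is an added example, not part of the thread or of FreeBSD; the three inputs are constructed stand-ins for the output of 'sendmail -d0.1 -bv root', for /etc/mail/mailer.conf and for /etc/rc.conf, and on a real host you would feed it the actual text.

```python
"""Checks for a Sendmail that will not start with TLS/SASL options.
Added example, not part of the thread or of FreeBSD; COMPILED_OUTPUT,
MAILER_CONF and RC_CONF are constructed stand-ins for real files."""
import re

# Constructed output of `sendmail -d0.1 -bv root` for a build with SASL
# but without TLS (a build with TLS lists STARTTLS in this block).
COMPILED_OUTPUT = """\
Version 8.14.3
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
\t\tNAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2
\t\tSCANF USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = host
"""

# Constructed mailer.conf pointing every name at the port's binary.
MAILER_CONF = """\
sendmail    /usr/local/sbin/sendmail
send-mail   /usr/local/sbin/sendmail
mailq       /usr/local/sbin/sendmail
newaliases  /usr/local/sbin/sendmail
"""

# Constructed rc.conf with no sendmail_program override.
RC_CONF = """\
sendmail_enable="YES"
saslauthd_enable="YES"
"""


def compiled_features(output):
    """Collect the tokens after 'Compiled with:' up to the next blank or
    '====' line; these are the build options the binary reports."""
    features, collecting = set(), False
    for line in output.splitlines():
        if "Compiled with:" in line:
            collecting = True
            line = line.split("Compiled with:", 1)[1]
        elif collecting and (not line.strip() or line.startswith("=")):
            break
        if collecting:
            features.update(line.split())
    return features


def parse_mailer_conf(text):
    """mailer.conf lines are 'name<whitespace>path'; return {name: path}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not line.lstrip().startswith("#"):
            table[parts[0]] = parts[1]
    return table


def rc_start_command(rc_conf):
    """The binary /etc/rc.d/sendmail runs: sendmail_program from rc.conf if
    set, otherwise /usr/sbin/sendmail, the default quoted in the thread."""
    m = re.search(r'^\s*sendmail_program="?([^"\s]+)"?', rc_conf, re.M)
    return m.group(1) if m else "/usr/sbin/sendmail"


def diagnose(compiled_output, mailer_conf, rc_conf, tls_options_in_mc=True):
    """Return a list of findings; an empty list means nothing obvious."""
    findings = []
    started = rc_start_command(rc_conf)
    target = parse_mailer_conf(mailer_conf).get("sendmail")
    if started == "/usr/sbin/sendmail" and target:
        findings.append(
            f"rc.d starts {started}; if that is mailwrapper, mailer.conf "
            f"hands off to {target}, so check that binary's features")
    feats = compiled_features(compiled_output)
    if tls_options_in_mc and "STARTTLS" not in feats:
        findings.append(
            "no STARTTLS in 'Compiled with': every confCACERT*/confSERVER_*/"
            "confCLIENT_* option will warn 'requires TLS support'")
    if not any(f.startswith("SASL") for f in feats):
        findings.append("no SASL in 'Compiled with': AUTH will not be offered")
    return findings


if __name__ == "__main__":
    for finding in diagnose(COMPILED_OUTPUT, MAILER_CONF, RC_CONF):
        print("-", finding)
```

Run the real 'sendmail -d0.1 -bv root' against the binary mailer.conf names, not just the one in /usr/sbin, because that is the one the TLS options are evaluated in; if STARTTLS is absent there, no amount of .mc editing will remove the warnings.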
 