SMTP cannot Auth

fullauto2012


#1
Setting up an email server for my work. mail.domain.com for the sake of this thread... I can send email out from the non-root accounts from within alpine while logged into the machine. I can send emails from my other domain to accounts on the server (mail.domain.com), and can even reply. But, whenever I try and relay mail through the server from outside the domain it will not accept my login and password the way I was told it would to allow relaying after authenticating username and password. It does ask me for my password (thunderbird), but it never accepts my password which I KNOW is right. I'm really stumped here! Any help would be appreciated.

This is what I see in /var/log/maillog after I attempt to send mail.


Jul 12 18:05:58 rocky sm-mta[14964]: STARTTLS=server, relay=x-x-x-x-static.hfc.comcastbusiness.net [x.x.x.x], version=TLSv1.2, verify=NOT, cipher=DHE-RSA-AES128-SHA, bits=128/128
Jul 12 18:06:10 rocky sm-mta[14964]: w6CM5w6j014964: x-x-x-x-static.hfc.comcastbusiness.net [s.s.s.s] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4



root@rocky:/etc/mail # cat rocky.mc
divert(-1)
divert(0)
VERSIONID(`$FreeBSD: releng/11.1/etc/sendmail/freebsd.mc 285230 2015-07-07 03:00:57Z gshapiro $')
OSTYPE(freebsd6)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

MASQUERADE_AS(domain.com)dnl
MASQUERADE_DOMAIN(domain.com)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl

dnl Enable STARTTLS for receiving email.
define(`CERT_DIR', `/etc/mail/certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/cacert.pem')
define(`confSERVER_CERT', `CERT_DIR/mail.domain.com-cert.pem')
define(`confSERVER_KEY', `CERT_DIR/mail.domain.com.pem')
define(`confCLIENT_CERT', `CERT_DIR/mail.domain.com-cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/mail.domain.com.pem')

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN ')dnl
define(`confAUTH_OPTIONS',`A,p,y')
define(`confTLS_SRV_OPTIONS', `V')

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
dnl DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv4, Family=inet', Name=MTA-v4, Port=25, Modifiers=a)
dnl DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)
root@rocky:/etc/mail #




root@rocky:/etc/mail # cat access
# $FreeBSD: releng/11.1/etc/mail/access.sample 176353 2008-02-17 05:22:08Z gshapiro $
#
# Mail relay access control list. Default is to reject mail unless the
# destination is local, or listed in /etc/mail/local-host-names
#

## Examples (commented out for safety)
#From:cyberspammer.com ERROR:"550 We don't accept mail from spammers"
#From:okay.cyberspammer.com OK
#Connect:sendmail.org RELAY
#To:sendmail.org RELAY
#Connect:128.32 RELAY
#Connect:128.32.2 SKIP
#Connect:IPv6:1:2:3:4:5:6:7 RELAY
#Connect:suspicious.example.com QUARANTINE:Mail from suspicious host
#Connect:[127.0.0.3] OK
#Connect:[IPv6:1:2:3:4:5:6:7:8] OK

Connect:127.0.0.1 RELAY
Connect:192.168 RELAY
To:domain.com OK
domain.com RELAY


Certs are installed:

root@rocky:/etc/mail/certs # ls -la
total 39
drwxr-xr-x 3 root wheel 6 Jul 8 06:56 .
drwxr-xr-x 3 root wheel 25 Jul 12 17:43 ..
-r-------- 1 root wheel 1541 Jul 8 06:56 cacert.pem
-r-------- 1 root wheel 4873 Jul 8 06:56 mail.domain.com-cert.pem
-r-------- 1 root wheel 3253 Jul 8 06:56 mail.domain.com.pem
dr-------- 2 root wheel 6 Jul 8 06:55 old.d



TLS working (I think):


root@rocky:/etc/mail # openssl s_client -starttls smtp -connect localhost:25
CONNECTED(00000003)
depth=1 C = US, ST = Tennessee, L = Greeneville, O = OrganizationName, OU = IT, CN = mail.domain.com, emailAddress = admin.domain.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=US/ST=Tennessee/L=Greeneville/O=OrganizationName.com/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
i:/C=US/ST=Tennessee/L=Greeneville/O=OrganizationName/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
1 s:/C=US/ST=Tennessee/L=Greeneville/O=OrganizationName/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
i:/C=US/ST=Tennessee/L=Greeneville/O=OrganizationName/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com

Server certificate
-----BEGIN CERTIFICATE-----
|
|
<Cert here>
|
|
-----END CERTIFICATE-----
subject=/C=US/ST=Tennessee/L=Greeneville/O=domain.com/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
issuer=/C=US/ST=Tennessee/L=Greeneville/O=ORganization/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 3706 bytes and written 660 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: A3D704FA4DD62D68DDA5DA885CC47D45A9905543300BADB7E92106AD2D79788C
Session-ID-ctx:
Master-Key: <Key here>
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 1 (seconds)
TLS session ticket:

Start Time: 1531432216
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP

fullauto2012

#2
UPDATE!
It works so long as I send the password unencrypted!
However, I would like to use encrypted passwords...
Can anyone tell me what I am doing wrong here?
 

ShelLuser
#3
What do you see if you try to connect manually (using telnet localhost 25) and then issuing an EHLO command? Does it mention STARTTLS? On that same subject: does it mention AUTH, and if so: what methods does it mention?

My guess right now (from mind) is that confAUTH_MECHANISMS (edit): skip that, this should be: TrustAuthMech could be set too leniently, thus allowing plain text logins.

This might be a good read, I just discovered it:
http://www.sendmail.org/~ca/email/auth.html

fullauto2012

#4

root@kif:/usr/home/tim.falardeau # telnet mail.domain.com 25
Trying 96.82.237.89...
Connected to mail.domain.com.
Escape character is '^]'.
220 rocky.domain.com ESMTP Sendmail 8.15.2/8.15.2; Thu, 12 Jul 2018 19:38:52 -0400 (EDT)
ehlo good_domain.com
250-rocky.domain.com Hello x-x-x-x-static.hfc.comcastbusiness.net [x.x.x.x], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 rocky.domain.com closing connection
Connection closed by foreign host.
root@kif:/usr/home/tim.falardeau #




dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN ')dnl
define(`confAUTH_OPTIONS',`A,p,y')
define(`confTLS_SRV_OPTIONS', `V')
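The manual EHLO check ShelLuser asked for in #3, and the transcript posted in #4, can be automated so the AUTH line is compared before and after STARTTLS (with sendmail's `p` option in confAUTH_OPTIONS, LOGIN/PLAIN should appear only after TLS). This is an added example, not code from the thread or from sendmail; the host, port and the post-TLS sample reply are assumptions, and the sample EHLO replies are constructed after the transcript above.

```python
import re
import smtplib
import ssl

PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}        # password travels as-is; only acceptable under TLS
_PREFIX = re.compile(r"^\d{3}[ -]")          # optional '250-' / '250 ' reply prefix

def parse_auth_mechs(ehlo_text: str) -> set:
    """Return the SASL mechanisms named on the AUTH line of an EHLO reply.
    Accepts a raw telnet transcript ('250-AUTH ...') or smtplib's ehlo_resp,
    which already has the status prefix stripped."""
    mechs = set()
    for line in ehlo_text.splitlines():
        body = _PREFIX.sub("", line).strip()
        if body.upper().startswith("AUTH "):
            mechs.update(m.upper() for m in body.split()[1:])
    return mechs

def assess(before_tls: set, after_tls: set) -> list:
    """Findings a mail admin would want; deterministic order for easy comparison."""
    findings = []
    leaked = before_tls & PLAINTEXT_MECHS
    if leaked:
        findings.append("plaintext mechanisms offered without TLS: " + " ".join(sorted(leaked)))
    if not after_tls:
        findings.append("no AUTH offered after STARTTLS: check the SASL setup, not the client")
    elif not after_tls & PLAINTEXT_MECHS:
        findings.append("no LOGIN/PLAIN even under TLS: clients get only challenge/response mechanisms")
    return findings

def probe(host: str, port: int = 25, verify: bool = True) -> dict:
    """Live check against a real server (host/port are assumptions, not from the thread)."""
    ctx = ssl.create_default_context()
    if not verify:                      # e.g. the self-signed chain seen in the openssl output above
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo("probe.example")
        before = parse_auth_mechs(s.ehlo_resp.decode("latin-1"))
        s.starttls(context=ctx)
        s.ehlo("probe.example")         # capabilities must be re-read after STARTTLS
        after = parse_auth_mechs(s.ehlo_resp.decode("latin-1"))
    return {"before": before, "after": after, "findings": assess(before, after)}

# Constructed samples: the pre-TLS reply mirrors the telnet transcript in #4; the
# post-TLS reply is what confAUTH_OPTIONS 'p' would let sendmail advertise (assumed).
SAMPLE_BEFORE = "250-rocky.domain.com Hello [192.0.2.10], pleased to meet you\n250-AUTH DIGEST-MD5 CRAM-MD5\n250-STARTTLS\n250 HELP\n"
SAMPLE_AFTER = "250-rocky.domain.com Hello [192.0.2.10], pleased to meet you\n250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN\n250 HELP\n"

if __name__ == "__main__":
    b, a = parse_auth_mechs(SAMPLE_BEFORE), parse_auth_mechs(SAMPLE_AFTER)
    print("before TLS:", sorted(b), "after TLS:", sorted(a), assess(b, a))
```

CRAM-MD5 and DIGEST-MD5 keep the password off the wire but require the server's SASL backend to hold it in a form it can recompute from, which is why the usual arrangement is STARTTLS plus LOGIN/PLAIN offered only under TLS.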