SMTP cannot Auth

Setting up an email server for my work. mail.domain.com for the sake of this thread... I can send email out from the non-root accounts from within alpine while logged into the machine. I can send emails from my other domain to accounts on the server (mail.domain.com), and can even reply. But, whenever I try to relay mail through the server from outside the domain it will not accept my login and password the way I was told it would to allow relaying after authenticating username and password. It does ask me for my password (Thunderbird), but it never accepts my password which I KNOW is right. I'm really stumped here! Any help would be appreciated.

This is what I see in /var/log/maillog after I attempt to send mail.


Jul 12 18:05:58 rocky sm-mta[14964]: STARTTLS=server, relay=x-x-x-x-static.hfc.comcastbusiness.net [x.x.x.x], version=TLSv1.2, verify=NOT, cipher=DHE-RSA-AES128-SHA, bits=128/128
Jul 12 18:06:10 rocky sm-mta[14964]: w6CM5w6j014964: x-x-x-x-static.hfc.comcastbusiness.net [s.s.s.s] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
root@rocky:/etc/mail # cat rocky.mc
divert(-1)
divert(0)
VERSIONID(`$FreeBSD: releng/11.1/etc/sendmail/freebsd.mc 285230 2015-07-07 03:00:57Z gshapiro $')
OSTYPE(freebsd6)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

MASQUERADE_AS(domain.com)dnl
MASQUERADE_DOMAIN(domain.comm)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl

dnl Enable STARTTLS for receiving email.
define(`CERT_DIR', `/etc/mail/certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/cacert.pem')
define(`confSERVER_CERT', `CERT_DIR/mail.domain.com-cert.pem')
define(`confSERVER_KEY', `CERT_DIR/mail.domain.com.pem')
define(`confCLIENT_CERT', `CERT_DIR/mail.domain.com-cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/mail.domain.com.pem')

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN ')dnl
define(`confAUTH_OPTIONS',`A,p,y')
define(`confTLS_SRV_OPTIONS', `V')

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
dnl DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv4, Family=inet', Name=MTA-v4, Port=25, Modifiers=a)
dnl DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)
root@rocky:/etc/mail #
root@rocky:/etc/mail # cat access
# $FreeBSD: releng/11.1/etc/mail/access.sample 176353 2008-02-17 05:22:08Z gshapiro $
#
# Mail relay access control list. Default is to reject mail unless the
# destination is local, or listed in /etc/mail/local-host-names
#

## Examples (commented out for safety)
#From:cyberspammer.com ERROR:"550 We don't accept mail from spammers"
#From:okay.cyberspammer.com OK
#Connect:sendmail.org RELAY
#To:sendmail.org RELAY
#Connect:128.32 RELAY
#Connect:128.32.2 SKIP
#Connect:IPv6:1:2:3:4:5:6:7 RELAY
#Connect:suspicious.example.com QUARANTINE:Mail from suspicious host
#Connect:[127.0.0.3] OK
#Connect:[IPv6:1:2:3:4:5:6:7:8] OK

Connect:127.0.0.1 RELAY
Connect: 192.168 RELAY
To:domain.com OK
domain.com RELAY


Certs are installed:

root@rocky:/etc/mail/certs # ls -la
total 39
drwxr-xr-x 3 root wheel 6 Jul 8 06:56 .
drwxr-xr-x 3 root wheel 25 Jul 12 17:43 ..
-r-------- 1 root wheel 1541 Jul 8 06:56 cacert.pem
-r-------- 1 root wheel 4873 Jul 8 06:56 mail.domain.com-cert.pem
-r-------- 1 root wheel 3253 Jul 8 06:56 mail.domain.com.pem
dr-------- 2 root wheel 6 Jul 8 06:55 old.d
TLS working (I think):


root@rocky:/etc/mail # openssl s_client -starttls smtp -connect localhost:25
CONNECTED(00000003)
depth=1 C = US, ST = Tennessee, L = Greeneville, O = OrganizationName, OU = IT, CN = mail.domain.com, emailAddress = admin.domain.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=US/ST=Tennessee/L=Greeneville/O=OrganizationName.com/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
i:/C=US/ST=Tennessee/L=Greeneville/O=OrganizationName/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
1 s:/C=US/ST=Tennessee/L=Greeneville/O=OrganizationName/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
i:/C=US/ST=Tennessee/L=Greeneville/O=OrganizationName/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com

Server certificate
-----BEGIN CERTIFICATE-----
|
|
<Cert here>
|
|
-----END CERTIFICATE-----
subject=/C=US/ST=Tennessee/L=Greeneville/O=domain.com/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
issuer=/C=US/ST=Tennessee/L=Greeneville/O=ORganization/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 3706 bytes and written 660 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: A3D704FA4DD62D68DDA5DA885CC47D45A9905543300BADB7E92106AD2D79788C
Session-ID-ctx:
Master-Key: <Key here>
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 1 (seconds)
TLS session ticket:

Start Time: 1531432216
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP
 
UPDATE!
It works so long as I send the password unencrypted!
However, I would like to use encrypted passwords...
Can anyone tell me what I am doing wrong here?
 
What do you see if you try to connect manually (using telnet localhost 25) and then issuing an EHLO command? Does it mention STARTTLS? On that same subject: does it mention AUTH, and if so: what methods does it mention?

My guess right now (from mind) is that confAUTH_MECHANISMS (edit): skip that, this should be: TrustAuthMech could be set too leniently, thus allowing plaintext logins.

This might be a good read, I just discovered it:
http://www.sendmail.org/~ca/email/auth.html
 

root@kif:/usr/home/tim.falardeau # telnet mail.domain.com 25
Trying 96.82.237.89...
Connected to mail.domain.com.
Escape character is '^]'.
220 rocky.domain.com ESMTP Sendmail 8.15.2/8.15.2; Thu, 12 Jul 2018 19:38:52 -0400 (EDT)
ehlo good_domain.com
250-rocky.domain.com Hello x-x-x-x-static.hfc.comcastbusiness.net [x.x.x.x], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 rocky.domain.com closing connection
Connection closed by foreign host.
root@kif:/usr/home/tim.falardeau #
dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN ')dnl
define(`confAUTH_OPTIONS',`A,p,y')
define(`confTLS_SRV_OPTIONS', `V')
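The EHLO banner above advertises only DIGEST-MD5 and CRAM-MD5 before STARTTLS, which is what the `p` flag in confAUTH_OPTIONS is for: LOGIN and PLAIN are withheld until the session is encrypted. The script below is an added example (not from this thread or from the sendmail project) that parses an EHLO reply and flags plaintext mechanisms offered before TLS; the sample replies, the client name and the post-STARTTLS mechanism list are constructed, and `probe()` is a live variant for checking a real server.

```python
"""Compare SMTP AUTH mechanisms offered before and after STARTTLS.
Constructed example for this thread; not code from the post or from sendmail."""
import smtplib

# Mechanisms that expose the password to a passive listener.
# Sendmail's confAUTH_OPTIONS `p` withholds these until TLS is active.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply: str) -> dict:
    """Turn a raw multi-line EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:   # skip "250-host Hello ..." line
        body = line[4:]                           # drop the "250-" / "250 " prefix
        key, _, params = body.partition(" ")
        caps[key.upper()] = params.split()
    return caps

def auth_mechs(caps: dict) -> set:
    return set(caps.get("AUTH", []))

def assess(pre_tls: dict, post_tls: dict) -> list:
    """Findings about the AUTH/STARTTLS posture; empty list means no concern."""
    findings = []
    if "STARTTLS" not in pre_tls:
        findings.append("STARTTLS not advertised")
    leaked = auth_mechs(pre_tls) & PLAINTEXT_MECHS
    if leaked:
        findings.append("plaintext mechanisms offered before TLS: " + ", ".join(sorted(leaked)))
    if not auth_mechs(post_tls):
        findings.append("no AUTH offered even after STARTTLS")
    return findings

# Constructed EHLO reply modelled on the telnet session quoted in the thread.
PRE_TLS_REPLY = """250-rocky.domain.com Hello client.example [192.0.2.10], pleased to meet you
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP"""
# Assumed reply after STARTTLS: LOGIN now offered because the session is encrypted.
POST_TLS_REPLY = """250-rocky.domain.com Hello client.example [192.0.2.10], pleased to meet you
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
250 HELP"""

def probe(host: str, port: int = 25) -> tuple:
    """Live check: EHLO, STARTTLS, EHLO again; returns (pre, post) in parse_ehlo's shape."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        pre = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
        s.starttls()
        s.ehlo()
        post = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
    return pre, post

if __name__ == "__main__":
    print(assess(parse_ehlo(PRE_TLS_REPLY), parse_ehlo(POST_TLS_REPLY)))
```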