DaemonForums - OpenBSD General

#1
19th February 2011
gpatrick
Sendmail TLS

Running OpenBSD 4.8 and trying to set up secure Sendmail. Cyrus SASL is installed and 'sendmail -d0.1 -bv root' returns STARTTLS and SASL2. I added 'WANT_SMTPAUTH=yes' to /etc/mk.conf before doing a build. Running testsaslauthd returns OK. I reconfigured the Sendmail ports for SASL. My certs are self-signed and good.

But when I 'telnet localhost 25' I don't get 250-STARTTLS, though I do get 250-AUTH. The connection is refused on port 465 when I 'telnet localhost 465'.

What do I need to change to get TLS working?

Here is my .mc
Code:
VERSIONID(`@(#)openbsd-proto.mc $Revision: 1.11 $')dnl
OSTYPE(openbsd)dnl
define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy,nobodyreturn')dnl
define(`confCW_FILE', `-o MAIL_SETTINGS_DIR`'local-host-names')dnl
define(`confCT_FILE', `-o MAIL_SETTINGS_DIR`'trusted-users')dnl
FEATURE(nouucp, `reject')dnl
FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
FEATURE(genericstable, `hash -o /etc/mail/genericstable')dnl
FEATURE(always_add_domain)dnl
FEATURE(redirect)dnl
FEATURE(`no_default_msa')dnl
dnl Listeners: 25 (MTA), 465 (SMTP over TLS, authentication required), 587 (MSA).
dnl The 465 listeners need the `s' modifier to speak TLS from the first byte;
dnl without it sendmail serves plain SMTP on that port.
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Name=MTA, M=A')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Name=MTA6, M=AO')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=465, Name=MTA-TLS, M=as')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Port=465, Name=MTA6-TLS, M=asO')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=AE')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Port=587, Name=MSA6, M=O, M=AE')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
CLIENT_OPTIONS(`Family=inet6, Address=::')dnl
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
dnl SMTP AUTH: mechanism list (the original had the typo GSAPPI for GSSAPI).
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
dnl STARTTLS certificate and key locations (CERT_DIR expands to /etc/mail/certs).
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/CAcert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
MAILER(local)dnl
MAILER(smtp)dnl
LOCAL_RULESETS
HMessage-Id: $>CheckMessageId

SCheckMessageId
R< $+ @ $+ >		$@ OK
R$*			$#error $: 553 Header Error
#2
19th February 2011
J65nko (Administrator)

Does netstat -an -f inet show a LISTEN on port 465?
Code:
netstat -an -f inet     
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.6000                 *.*                    LISTEN
tcp          0      0  *.3306                 *.*                    LISTEN
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.515                  *.*                    LISTEN
tcp          0      0  192.168.222.20.22      *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  192.168.222.20.35671   80.85.129.25.123      
udp          0      0  192.168.222.20.10421   85.17.207.62.123      
udp          0      0  192.168.222.20.32014   81.171.44.131.123     
udp          0      0  *.514                  *.*
In my case it does not, so:
Code:
 $ telnet localhost 465   
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
Trying ::1...
telnet: connect to address ::1: Connection refused
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
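Added example, not from this thread and not OpenBSD or sendmail project code: a small sh script that mechanises the two checks being discussed here (is any TCP socket in LISTEN on port 465, and does the EHLO reply on port 25 carry a 250-STARTTLS line). It assumes OpenBSD's netstat address format (addr.port, as in the output above) and the nc(1) from the base system for live use; the netstat lines and EHLO replies embedded below are constructed samples, not captured from the poster's host.

```shell
#!/bin/sh
# Added example (not from the thread): two checks for a sendmail TLS setup.
# The netstat and EHLO samples below are CONSTRUCTED to mirror the formats
# seen in this thread; live use is shown in the comments at the end.

# listens_on PORT   (reads `netstat -an -f inet` output on stdin)
# Succeeds when a TCP socket in LISTEN state is bound to PORT on any address.
# OpenBSD netstat prints the local address as addr.port (*.465 or
# 127.0.0.1.465), so the port is the text after the last dot.
listens_on() {
    awk -v port="$1" '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ".")
            if (a[n] == port) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# advertises_starttls   (reads an EHLO reply on stdin)
# Succeeds when the multi-line 250 reply contains a STARTTLS capability.
advertises_starttls() {
    grep -q '^250[- ]STARTTLS'
}

# Constructed sample: the situation from post #3 (nothing on 465).
NETSTAT_BEFORE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN'

# Constructed sample: what a working MTA-TLS daemon on 465 would add.
NETSTAT_AFTER="$NETSTAT_BEFORE
tcp          0      0  *.465                  *.*                    LISTEN"

# Constructed EHLO replies: AUTH only, and AUTH plus STARTTLS.
EHLO_NO_TLS='250-mail.example.test Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP'
EHLO_WITH_TLS='250-mail.example.test Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP'

# smtp_tls_status NETSTAT_TEXT EHLO_TEXT -> prints "port465=<yes|no> starttls=<yes|no>"
smtp_tls_status() {
    if printf '%s\n' "$1" | listens_on 465; then p465=yes; else p465=no; fi
    if printf '%s\n' "$2" | advertises_starttls; then tls=yes; else tls=no; fi
    echo "port465=$p465 starttls=$tls"
}

smtp_tls_status "$NETSTAT_BEFORE" "$EHLO_NO_TLS"    # port465=no starttls=no
smtp_tls_status "$NETSTAT_AFTER"  "$EHLO_WITH_TLS"  # port465=yes starttls=yes

# Live use on the OpenBSD host (not executed here):
#   netstat -an -f inet | listens_on 465 && echo "465: LISTEN"
#   printf 'EHLO localhost\r\nQUIT\r\n' | nc -w 3 localhost 25 | advertises_starttls && echo "STARTTLS offered"
```

Once a listener does appear on 465, `openssl s_client -connect localhost:465` exercises the implicit-TLS port and `openssl s_client -starttls smtp -connect localhost:25` the STARTTLS path; both print the certificate chain the daemon presents, which is the quickest way to confirm the right self-signed cert was loaded.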
#3
19th February 2011
gpatrick
It isn't listening on port 465.
Code:
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.37                   *.*                    LISTEN
tcp          0      0  *.13                   *.*                    LISTEN
tcp          0      0  *.113                  *.*                    LISTEN
tcp          0      0  127.0.0.1.953          *.*                    LISTEN
tcp          0      0  192.168.1.20.53        *.*                    LISTEN
tcp          0      0  127.0.0.1.53           *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  127.0.0.1.512          *.*                   
udp          0      0  *.1139                 *.*                   
udp          0      0  192.168.1.20.53        *.*                   
udp          0      0  127.0.0.1.53           *.*                   
udp          0      0  *.514                  *.*
#4
19th February 2011
J65nko (Administrator)

Have you seen the OpenBSD man page for starttls? Are the permissions on the certificates OK?
I would first try to get STARTTLS working and then add in SMTP AUTH.

Some pitfalls are discussed in http://herolsen.org/2009/OpenBSDSMTPS.html
I am afraid I cannot be of much further help.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#5
19th February 2011
gpatrick

Thanks for suggesting the man page!! After re-reading the man page for starttls, I read:
Code:
The global sendmail configuration files, /etc/mail/sendmail.cf and /etc/mail/localhost.cf ...
After adding the CERT options to "localhost.mc" I was able to get 250-STARTTLS.

Another change I made was using 'make' as written in the man page, rather than 'm4 /usr/share/sendmail/m4/cf.m4 my.mc > sendmail.cf'. Using make did make permission changes to files though as noted in stdout.
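Added example, not from this thread and not OpenBSD or sendmail project code: a sh script that verifies the two things post #4 and post #5 turned out to hinge on, namely that both generated configs (/etc/mail/sendmail.cf and /etc/mail/localhost.cf) carry the server certificate and key options after the .mc files are rebuilt, and that the private key is not group- or world-readable (sendmail treats such a key as unsafe and does not bring up TLS). It assumes that m4's confSERVER_CERT/confSERVER_KEY defines appear in the generated .cf as `O ServerCertFile=` and `O ServerKeyFile=` lines; the files the demo builds in a temporary directory are constructed, and the real paths from the thread are given in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): check the generated sendmail configs
# and the key file permissions. Paths are passed in by the caller; the demo
# at the bottom works on CONSTRUCTED files in a temporary directory.

# cf_has_tls_options FILE
# The m4 defines confSERVER_CERT / confSERVER_KEY are written into the
# generated .cf as "O ServerCertFile=..." and "O ServerKeyFile=..." lines.
cf_has_tls_options() {
    grep -q '^O ServerCertFile=' "$1" && grep -q '^O ServerKeyFile=' "$1"
}

# key_is_private FILE
# Succeeds when FILE has no group/other permission bits at all. A key that
# is group- or world-readable is treated as unsafe by sendmail, which then
# logs the file as unsafe and skips TLS initialisation.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# tls_config_report CF_DIR KEY_FILE -> prints "cf=<n> key=<ok|bad>", where
# <n> is how many of sendmail.cf and localhost.cf in CF_DIR carry the options.
# Post #5's fix is complete only when n is 2 (both configs rebuilt).
tls_config_report() {
    n=0
    for cf in "$1/sendmail.cf" "$1/localhost.cf"; do
        if [ -f "$cf" ] && cf_has_tls_options "$cf"; then n=$((n + 1)); fi
    done
    if key_is_private "$2"; then k=ok; else k=bad; fi
    echo "cf=$n key=$k"
}

# Demo on constructed files. On the host in the thread the real call is:
#   tls_config_report /etc/mail /etc/mail/certs/mykey.pem
demo_tls_config() {
    d=$(mktemp -d)
    # Constructed: localhost.cf carries the options, sendmail.cf does not
    # (the state before the poster rebuilt localhost.mc as well).
    printf 'O ServerCertFile=/etc/mail/certs/mycert.pem\nO ServerKeyFile=/etc/mail/certs/mykey.pem\n' > "$d/localhost.cf"
    printf 'O LogLevel=9\n' > "$d/sendmail.cf"
    : > "$d/mykey.pem"
    chmod 644 "$d/mykey.pem"                 # deliberately too open
    tls_config_report "$d" "$d/mykey.pem"    # cf=1 key=bad
    chmod 600 "$d/mykey.pem"
    tls_config_report "$d" "$d/mykey.pem"    # cf=1 key=ok
    rm -rf "$d"
}
demo_tls_config
```

The key check deliberately looks at the mode bits rather than trusting `make` to have set them: the poster notes that `make` changed file permissions, and this is the quickest way to confirm what it left behind before restarting sendmail.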
#6
26th February 2011
J65nko (Administrator)

For a howto/tutorial see the reference in http://www.daemonforums.org/showthread.php?t=5716
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump