Sendmail TLS
Running OpenBSD 4.8 and trying to set up secure Sendmail. Cyrus SASL is installed and 'sendmail -d0.1 -bv root' returns STARTTLS and SASL2. I added 'WANT_SMTPAUTH=yes' to /etc/mk.conf before doing a build. Running testsaslauthd returns OK. I reconfigured the Sendmail ports for SASL. My certs are self-signed and good.
But when I 'telnet localhost 25' I don't get 250-STARTTLS back, though I do get 250-AUTH. Connection is refused on port 465 when I 'telnet localhost 465'. What do I need to change to get TLS working? Here is my .mc:
Code:
VERSIONID(`@(#)openbsd-proto.mc $Revision: 1.11 $')dnl
OSTYPE(openbsd)dnl
define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy,nobodyreturn')dnl
define(`confCW_FILE', `-o MAIL_SETTINGS_DIR`'local-host-names')dnl
define(`confCT_FILE', `-o MAIL_SETTINGS_DIR`'trusted-users')dnl
FEATURE(nouucp, `reject')dnl
FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
FEATURE(genericstable, `hash -o /etc/mail/genericstable')dnl
FEATURE(always_add_domain)dnl
FEATURE(redirect)dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Name=MTA, M=A')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Name=MTA6, M=AO')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=465, Name=MTA-TLS, M=a')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Port=465, Name=MTA6-TLS, M=aO')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=AE')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Port=587, Name=MSA6, M=O, M=AE')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
CLIENT_OPTIONS(`Family=inet6, Address=::')dnl
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/CAcert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
MAILER(local)dnl
MAILER(smtp)dnl
LOCAL_RULESETS
HMessage-Id: $>CheckMessageId

SCheckMessageId
R< $+ @ $+ >		$@ OK
R$*			$#error $: 553 Header Error
Does netstat -an -f inet show a LISTEN on port 465?
Code:
netstat -an -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.6000                 *.*                    LISTEN
tcp        0      0  *.3306                 *.*                    LISTEN
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.515                  *.*                    LISTEN
tcp        0      0  192.168.222.20.22      *.*                    LISTEN
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  192.168.222.20.35671   80.85.129.25.123
udp        0      0  192.168.222.20.10421   85.17.207.62.123
udp        0      0  192.168.222.20.32014   81.171.44.131.123
udp        0      0  *.514                  *.*
Code:
$ telnet localhost 465
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
Trying ::1...
telnet: connect to address ::1: Connection refused
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
It isn't listening on port 465.
Code:
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.37                   *.*                    LISTEN
tcp        0      0  *.13                   *.*                    LISTEN
tcp        0      0  *.113                  *.*                    LISTEN
tcp        0      0  127.0.0.1.953          *.*                    LISTEN
tcp        0      0  192.168.1.20.53        *.*                    LISTEN
tcp        0      0  127.0.0.1.53           *.*                    LISTEN
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  127.0.0.1.512          *.*
udp        0      0  *.1139                 *.*
udp        0      0  192.168.1.20.53        *.*
udp        0      0  127.0.0.1.53           *.*
udp        0      0  *.514                  *.*
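A small offline check for the two symptoms in this thread (no 250-STARTTLS in the EHLO reply, nothing listening on 465), written as an added example rather than anything posted by the participants. It assumes OpenBSD-style netstat -an -f inet output and a raw SMTP transcript; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: parse netstat output and an EHLO
# reply to confirm what the MTA actually offers before touching the .mc.

# Exit 0 if netstat output ($2) shows a TCP LISTEN socket on port $1.
# OpenBSD prints the local address as addr.port (127.0.0.1.25, *.465).
listening_on() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, f, ".")
            if (f[n] == p) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Exit 0 if an EHLO reply ($2) advertises the extension keyword $1
# (STARTTLS, AUTH, ...). Only 250- / 250 reply lines are considered.
ehlo_advertises() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^250[- ]/ {
            sub(/\r$/, "")
            split(substr($0, 5), w, " ")
            if (w[1] == k) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Live capture helper (needs nc(1) and a running MTA; not called below).
capture_ehlo() {
    printf 'EHLO localhost\r\nQUIT\r\n' | nc -w 5 "$1" "$2"
}

# Constructed sample data modelled on the symptoms reported in the thread.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address      Foreign Address  (state)
tcp        0      0  127.0.0.1.587      *.*              LISTEN
tcp        0      0  127.0.0.1.25       *.*              LISTEN
tcp        0      0  192.168.222.20.22  *.*              LISTEN'
SAMPLE_EHLO='220 mail.example.net ESMTP Sendmail; Thu, 6 Jan 2011 12:00:00 +0000
250-mail.example.net Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250 HELP'

listening_on 465 "$SAMPLE_NETSTAT" || echo "no SMTPS listener on port 465"
ehlo_advertises STARTTLS "$SAMPLE_EHLO" || echo "EHLO reply lacks STARTTLS"
```

Once 250-STARTTLS does appear, `openssl s_client -starttls smtp -connect localhost:25` exercises the handshake itself and shows which certificate the daemon presents.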
Have you seen the OpenBSD man page for starttls? Are the permissions on the certificates OK?
I would first try to get STARTTLS working and then add in SMTP AUTH. Some pitfalls are discussed in http://herolsen.org/2009/OpenBSDSMTPS.html. I am afraid I cannot be of much further help.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Thanks for suggesting the man page!! After re-reading the man page for starttls, I read:
Code:
The global sendmail configuration files, /etc/mail/sendmail.cf and /etc/mail/localhost.cf ...
Another change I made was using 'make' as written in the man page, rather than 'm4 /usr/share/sendmail/m4/cf.m4 my.mc > sendmail.cf'. Using make did make permission changes to files though, as noted in stdout.
For a howto/tutorial see the reference in http://www.daemonforums.org/showthread.php?t=5716
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump