Thread: Suse 10.1: Setting up as an SMTP server

  1. #1 Lord-Nikon (Grandmaster; joined Jul 2008; Location: Around the corner from KFC; Posts: 2,511)

    Suse 10.1: Setting up as an SMTP server

    I've been battling with this for quite some time now and still can't seem to get any external e-mail relayed through my Suse 10.1 mail server.

    Keep getting a 550 Relaying Denied error. When sending to local accounts from an external site, it works but when sending external mail I get Relaying Denied.

    I'm using EasyDNS to relay my mails and Domain names: mail.mydomain.co.za ---> works for POP as well as SMTP but only for local accounts.

    If anyone can suggest anything to get my mail box set up as an SMTP server it would be much appreciated.
    ------------------------------------
    <((...::: ((L-N)) :::...))>
    --------------------------

  2. #2 leakybucket

    Quote Originally Posted by Lord-Nikon:
    > I've been battling with this for quite some time now and still can't seem to get any external e-mail relayed through my Suse 10.1 mail server.

    Which MTA are you using? sendmail? exim? postfix? ..?

  3. #3 Lord-Nikon

    Quote Originally Posted by leakybucket:
    > Which MTA are you using? sendmail? exim? postfix? ..?

    I'm using SENDMAIL.

  4. #4

    Kewl. I'm more familiar with CentOS, but the basic idea should be the same. You might just have to adjust for your situation.

    I'm going to assume your sendmail is configured to use the access database (not the one from MS...) You should see something like this:

    Code:
    FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl

    in your /etc/mail/sendmail.mc (or similar) or failing that, something like:

    Code:
    Kaccess hash -T<TMPF> -o /etc/mail/access.db

    in /etc/mail/sendmail.cf (or similar)

    If that's good so far, then let's move on to the actual contents of the db.

    It (/etc/mail/access or similar) will likely contain something like the following at present:

    Code:
    localhost.localdomain RELAY
    localhost RELAY

    Now let's assume that your inside network is 192.168.3.0/24. If so, you need to add:

    Code:
    192.168.3 RELAY

    to the file (still /etc/mail/access or similar)

    After adding, you should run the following command in /etc/mail or similar:

    Code:
    make access.db

    If that replies with something like "no rule to make target", then try

    Code:
    makemap hash access.db < access

    It should not be necessary to restart sendmail. Just try to relay from the subnet you've just added.

    If all that fails, holler, and we'll see what we can do.
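As an added illustration (not code from the thread), a small Python checker that applies sendmail's dotted-prefix matching to an access file, so an admin can see which client addresses a given set of RELAY entries actually covers and can flag entries wider than one subnet. The sample file is constructed here; the 192.168.3 line is the one suggested above, and the "10 RELAY" line is deliberately over-broad.

```python
import re

# Constructed /etc/mail/access contents (not the poster's real file).
# "192.168.3 RELAY" is the entry suggested in the post; "10 RELAY" is
# deliberately over-broad so the audit below has something to flag.
SAMPLE_ACCESS = """\
# comments and blank lines are ignored
localhost.localdomain RELAY
localhost RELAY
192.168.3 RELAY
10 RELAY
badhost.example REJECT
"""

# One to four dotted decimal octets, the shape sendmail treats as an IP prefix.
IPV4_KEY = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,3}$")

def parse_access(text):
    """Return [(key, action)] from access-file text; a 'Connect:' tag prefix is stripped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0]
        if key.lower().startswith("connect:"):
            key = key[len("connect:"):]
        entries.append((key, parts[1].strip().upper()))
    return entries

def ip_key_matches(key, ip):
    """sendmail matches numeric keys on whole octets: '192.168.3' covers 192.168.3.0/24
    but not 192.168.30.1."""
    if not IPV4_KEY.match(key):
        return False
    octets = key.split(".")
    return ip.split(".")[: len(octets)] == octets

def relay_decision(entries, ip):
    """Action for a connecting IPv4 address: the most specific (longest) matching key wins.
    Returns None when no key matches, i.e. the default 'Relaying denied' outcome."""
    best = None
    for key, action in entries:
        if ip_key_matches(key, ip) and (best is None or key.count(".") > best[0].count(".")):
            best = (key, action)
    return best[1] if best else None

def overly_broad_relay_keys(entries, min_octets=3):
    """Audit helper: RELAY keys with fewer than min_octets octets (a /16 or wider)."""
    return [k for k, a in entries
            if a == "RELAY" and IPV4_KEY.match(k) and k.count(".") + 1 < min_octets]
```

Hostname keys (localhost, badhost.example) are parsed but only numeric keys are matched here; sendmail also does domain-suffix matching on hostnames, which this checker does not model.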

  5. #5 Lord-Nikon

    Thanks for the help. All is fine if sending from the local network, so I don't have a problem there.

    We have different offices around SA but only one mail server. So basically we're getting our mail from that server using DynDNS. What I'm trying to do is to get us to use the mail server as an SMTP server as well instead of using, let's say, Vodacom when using 3G or SAIX when connected via Telkom etc. What I want to do is let mail from across the globe be relayed through our mail server (if possible).

    Ex.:

    POP: mail.company.co.za (company being my domain name and able to forward e-mails via EasyDNS)
    SMTP: mail.company.co.za

    POP works like a charm! SMTP fails with this error:

    Your message did not reach some or all of the intended recipients.

    Subject: Testing sendmail via loalhost
    Sent: 9/3/2008 8:44 AM

    The following recipient(s) cannot be reached:

    'email@email.com' on 9/3/2008 8:44 AM
    550 5.7.1 <email@email.com>... Relaying denied
    This was done using mail.company.co.za as an SMTP server...
    *removed real email address for security reasons...

    On my mail server the SMTP we're using is SMTP.SAIX.NET and it works great, now all I want to do is have it relay external e-mails from anywhere, any connection, any time via my mailbox.

    Is that even possible?

  6. #6 MyWorld

    Have you searched the SuSE wiki? I could point you to the Gentoo WIKI solution, but it is best to stay distro specific.

  7. #7

    Quote Originally Posted by Lord-Nikon:
    > We have different offices around SA but only one mail server. So basically we're getting our mail from that server using DynDNS. What I'm trying to do is to get us to use the mail server as an SMTP server as well instead of using lets say, Vodacom when using 3G or SAIX when connected via Telkom etc. What I want to do is let mail from across the globe be relayed through our mail server (if possible).
    >
    > [...]
    >
    > On my mail server the SMTP we're using is SMTP.SAIX.NET and it works great, now all I want to do is have it relay external e-mails from anywhere, any connection, any time via my mailbox.
    >
    > Is that even possible?

    Before I misunderstand you again:

    You have a central office, with a mail server. It accepts mail for @example.com, via a dynamically updated MX record, done through EasyDNS. This mail server uses smtp.saix.net to relay outgoing mails. It also serves POP, via a hostname that's dynamically updated via EasyDNS.

    Users at the central site use this mail server to send and receive mail. This part works fine.

    You then have a number of remote offices, without any mail servers as such. Users here are able to receive mail via POP from the mail server at the central site. You want these users to be able to send mail via the mail server at the central site to anywhere in the world. Currently, they can only send to other users @example.com. Any other addresses get a "Relay denied" message.

    Does that fit the situation?

    If so, then what you're likely going to have to do is enable SMTP AUTH on the mail server, and on all the clients. Because the SMTP transaction is authenticated, the server knows it's a trusted client, and can be configured to relay mail for that specific session.

    This (SMTP AUTH) can also be used for road warriors, since the authentication is not tied to a specific network address.

    Does that sound like a suitable solution? If so, I can try and give you some pointers. Otherwise, please clarify.

  8. #8 Lord-Nikon

    That is exactly what I want! :-)

    Thanx for the feedback on the SMTP AUTH. I've tried enabling SMTP AUTH on the client side using my mail.domain.co.za as an SMTP server and enabling the username and password same as POP, this however failed, then I tried using my root username and password for the mail server, also without any success. The last thing I've tried was to log into the incoming mail server before sending e-mails (an option under Outlook's SMTP AUTH options), also this revealed only failure.

    If you don't mind, can you please point me in the right direction for enabling SMTP authentication either on the mailbox or on the client side, or how to get this process working.

    What you said about the AUTH makes sense and I feel silly for not thinking of that in the first place :-)

    If we can only now get the AUTH to work then my solution is around the corner. Again, thank you for all your help...
    Last edited by Lord-Nikon; 04-09-2008 at 08:59 AM.

  9. #9 Lord-Nikon

    Quote Originally Posted by MyWorld:
    > Have you searched the SuSE wiki? I could point you to the Gentoo WIKI solution, but it is best to stay distro specific.

    I haven't, no, I'll go have a look there today!

    Thanks for the input

  10. #10

    Quote Originally Posted by Lord-Nikon:
    > That is exactly what I want! :-)

    Splendid!

    > Thanx for the feedback on the SMTP AUTH. I've tried enabling SMTP AUTH on the client side using my mail.domain.co.za as an SMTP server and enabling the username and password same as POP, this however failed, then I tried using my root username and password for the mail server, also without any success.

    I don't think SMTP AUTH is generally enabled by default on boxen. It's a potential hole, in a way.

    > The last thing I've tried was to log into the incoming mail server before sending e-mails (an option under Outlook's SMTP AUTH options), also this revealed only failure.

    Yeah, that's known as POP-before-SMTP. It generally requires a daemon watching the POP logs, and modifying the MTA config to temporarily allow relay from the IP seen in the POP session. Also unlikely to be enabled by default, and IMHO a hack at best.

    > If you don't mind, can you please point me in the right direction for enable SMTP authentication either on the mailbox or on the client side or how to get this process working.

    Note that it needs to be enabled on both sides: client and server.

    > What you said about the AUTH makes sense and I feel silly for not thinking of that in the first place :-)

    It's impossible for us to know things before we know them. At least in a Newtonian universe. The jury is still out on the whole new Quantum thing.

    > If we can only now get the AUTH to work then my solution is around the corner. Again, thank you for all your help...

    OK, let's give it a try.

    Again, note that I'm more from a CentOS background. YMMV on SuSE, but it should be roughly the same.

    You need to find the sendmail.mc for your system. It could be in /etc/mail/sendmail.mc. Then, find your sendmail.cf. Likely in the same directory as the sendmail.mc.

    For safety, make a copy of the sendmail.cf. Now, if we're lucky, you should be able to do a 'make sendmail.cf' in the directory that contains the sendmail.mc and sendmail.cf. This should regenerate the sendmail.cf, or it might come back with something like "sendmail.cf up to date". If it's the latter, then try 'touch sendmail.mc' and then repeat the 'make sendmail.cf'. This time it should rebuild the sendmail.cf.

    If it failed in some other spectacular way, then you might not have the sendmail configuration package installed. On CentOS (3 & 5) it's called sendmail-cf. Try installing it if that's the case, and retry. If not, we'll need to explore other avenues.

    Now that we have a sendmail.cf that's built from the sendmail.mc (with any luck), it's a good time to do a diff on the newly built sendmail.cf and the sendmail.cf you copied away in an earlier step. You should see no functional differences. There will be changes regarding when the file was built and so on, but it should all be comments. If there are no serious functional changes, then we've established that we've got a baseline config from which to take things further.

    Try adding the following to the sendmail.mc:

    Code:
    dnl #
    dnl # The following allows relaying if the user authenticates, and disallows
    dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
    dnl #
    define(`confAUTH_OPTIONS', `A p')dnl
    dnl #
    dnl # PLAIN is the preferred plaintext authentication method and used by
    dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
    dnl # use LOGIN. Other mechanisms should be used if the connection is not
    dnl # guaranteed secure.
    dnl #
    TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')

    It might already be in your .mc, and just need to be un-commented. (SIDENOTE: the .mc is an m4 macro file, which treats the characters 'dnl' as a comment indicator. It's read as "delete-until-end-of-line," or something like that. The same does not apply to sendmail.cf)

    Rebuild your sendmail.cf ('make sendmail.cf') and restart/reload sendmail if it was successful. Check the log for errors, if none, try to SMTP AUTH. Note that as per the comments, if your MUA uses AUTH PLAIN, it won't succeed unless you also use SSL/TLS.

    Let us know how it goes, and we can take it further (if need be).

  11. #11 Lord-Nikon

    Ok, I've done as instructed. Did the make and touch for the sendmail.cf file, didn't add anything to the sendmail.mc file as it already contained what you mentioned. Restarted sendmail, and tried to send an e-mail using Authentication with my username and password for the account that I have on our mail server. This is what Outlook had to say:

    Code:
    Sending reported error (0x800CCC80) : None of the authentication methods supported by this client are supported by your server.

    So what I then did was to change to the various encryption types to see if one of them might perhaps work, and this is what Outlook had to say:

    Code:
    Your server does not support the connection encryption type you have selected. Try changing the encryption method.

    Am I still doing something wrong elsewhere?

  12. #12

    Quote Originally Posted by Lord-Nikon:
    > Am I still doing something wrong elsewhere?

    Please try the following, input in bold:

    Code:
    $ telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 mx01.example.com ESMTP Sendmail 8.12.11.20060308/8.12.11; Mon, 8 Sep 2008 21:03:28 +0200
    EHLO localhost
    250-mx01.example.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE 25000000
    250-DSN
    250-ETRN
    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
    250-STARTTLS
    250-DELIVERBY
    250 HELP
    QUIT
    221 2.0.0 mx01.example.com closing connection
    Connection closed by foreign host.
    $

    And similarly:

    Code:
    $ openssl s_client -quiet -starttls smtp -host localhost -port 25
    depth=1 /CN=Test CA/C=ZA/ST=Western Cape/L=Cape Town/O=example.com/emailAddress=ca@example.com
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    220 mx01.example.com ESMTP Sendmail 8.12.11.20060308/8.12.11; Mon, 8 Sep 2008 21:03:16 +0200
    EHLO localhost
    250-mx01.example.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE 25000000
    250-DSN
    250-ETRN
    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
    250-DELIVERBY
    250 HELP
    QUIT
    221 2.0.0 mx01.example.com closing connection
    $

    Note the difference in the AUTH replies (the 250-AUTH lines, which were in italics).

    Did you use SSL/TLS when you tested? If you're not using SSL/TLS, then try changing:

    Code:
    define(`confAUTH_OPTIONS', `A p')dnl

    in /etc/mail/sendmail.mc to:

    Code:
    define(`confAUTH_OPTIONS', `A')dnl

    and rebuilding /etc/mail/sendmail.cf, restart sendmail, and retry.

    I'd suggest that you only test from within your LAN, if you're not using SSL/TLS. Remote branches should really use SSL/TLS, IMHO.

    Let us know how it goes.
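An added example, not from the thread, that parses the two EHLO replies shown above and reports whether PLAIN and LOGIN are withheld until after STARTTLS, which is what the 'p' in confAUTH_OPTIONS is meant to enforce. The replies are embedded as constructed strings copied in shape from the two sessions; the "weak" variant in the test is what a server without the 'p' flag would advertise on a plain connection.

```python
# Constructed EHLO replies, laid out like the two sessions in the post:
# the first captured over plain telnet, the second after STARTTLS.
EHLO_BEFORE_TLS = """\
250-mx01.example.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP"""

EHLO_AFTER_TLS = """\
250-mx01.example.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP"""

# SASL mechanisms that carry the password in the clear (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters; the first 250 line is only the greeting."""
    caps = {}
    for line in reply.splitlines()[1:]:
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError("not an EHLO continuation line: " + line)
        words = line[4:].split()
        caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps

def auth_mechs(reply):
    """The set of mechanisms the server advertises on its AUTH line."""
    return set(parse_ehlo(reply).get("AUTH", []))

def check_auth_policy(before_tls, after_tls):
    """Does the server behave as `A p' intends: STARTTLS offered, PLAIN/LOGIN kept
    off the plain-text EHLO reply, and only offered once the link is encrypted?"""
    pre, post = auth_mechs(before_tls), auth_mechs(after_tls)
    starttls = "STARTTLS" in parse_ehlo(before_tls)
    return {
        "starttls_offered": starttls,
        "plaintext_before_tls": sorted(pre & PLAINTEXT_MECHS),
        "plaintext_after_tls": sorted(post & PLAINTEXT_MECHS),
        "ok": starttls and not (pre & PLAINTEXT_MECHS),
    }
```

Dropping the 'p' flag, as the post suggests for a LAN-only test, makes "plaintext_before_tls" non-empty; that is the trade-off being accepted.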

  13. #13 Lord-Nikon

    I've done as instructed:

    Code:
    define(`confAUTH_OPTIONS', `A')dnl

    I've checked "My server requires Authentication" and left the rest default. Authentication method is on "Auto" so that it will select SSL / TLS automatically (I've tried them each on their own as well) and this is what my log file had to say when trying to send via my mailbox from a local account:

    Code:
    Sep 9 09:08:43 mail sendmail[11606]: m8978hJv011606: SERVER [192.168.0.254] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

    Outlook said the following:

    Code:
    Unable to send e-mail. Please verify e-mail address

    It also asks for a username and password, and not even my root username and password seems to authenticate, which leads me to believe that this might have something to do with user rights? I've tried and tested each and every possible Authentication method and all of them give exactly the same errors. When you cancel the e-mail Outlook says:

    Code:
    Unable to send your e-mail. Please verify e-mail address. Your server did not accept your username and password

    The good news now is that my log files are showing activity regarding the Authentication, which means (and this is good news for me) that we are a step closer to success...

    If at any time you feel like giving up, I will understand completely; if not, I can't thank you enough for all your efforts leakybucket! :-)

  14. #14

    Quote Originally Posted by Lord-Nikon:
    > If at any time you feel like giving up, I will understand completely, if not, I kind thank you enough for all your efforts leakybucket! :-)

    I'm a bit too stubborn to give up just yet. Just a bit busy, apologies for the delay.

    Let's keep Outlook out of the picture first. We'll try from the command line. My examples are from the server itself, but you should be able to test over the network if need be. Adjust localhost where applicable if you do.

    Note that I'm using an SSL certificate on the mail server that's signed by an internal Certificate Authority. Your SSL bits shouldn't look the same.

    Input is the bits in bold. I'm assuming a username of username and a password of password.

    Let's try an SMTP AUTH PLAIN session first:

    Code:
    $ printf "\000username\000password" | openssl enc -a
    AHVzZXJuYW1lAHBhc3N3b3Jk
    $ openssl s_client -connect localhost:25 -starttls smtp -quiet -CApath /usr/share/ssl
    depth=1 /CN=Internal CA/C=ZA/ST=Western Cape/L=Cape Town/O=example.com/emailAddress=ca@example.com
    verify return:1
    depth=0 /C=ZA/ST=Western Cape/O=example.com/OU=System Administration/CN=mail.example.com/emailAddress=sysadmin@example.com
    verify return:1
    220 mail.example.com ESMTP Sendmail 8.12.11.20060308/8.12.11; Wed, 10 Sep 2008 20:44:41 +0200
    EHLO localhost
    250-mail.example.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE 25000000
    250-DSN
    250-ETRN
    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
    250-DELIVERBY
    250 HELP
    AUTH PLAIN
    334
    AHVzZXJuYW1lAHBhc3N3b3Jk
    235 2.0.0 OK Authenticated
    QUIT
    221 2.0.0 mail.example.com closing connection

    My /var/log/maillog shows the following:

    Code:
    Sep 10 20:44:41 mail sendmail[25926]: STARTTLS=server, relay=localhost.localdomain [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
    Sep 10 20:45:19 mail sendmail[25926]: AUTH=server, relay=localhost.localdomain [127.0.0.1], authid=username, mech=PLAIN, bits=0
    Sep 10 20:45:21 mail sendmail[25926]: m8AIifp4025926: localhost.localdomain [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

    Now let's try an SMTP AUTH LOGIN session. Same username, same password:

    Code:
    $ echo -n username | openssl enc -a
    dXNlcm5hbWU=
    $ echo -n password | openssl enc -a
    cGFzc3dvcmQ=
    $ openssl s_client -connect localhost:25 -starttls smtp -quiet -CApath /usr/share/ssl
    depth=1 /CN=Internal CA/C=ZA/ST=Western Cape/L=Cape Town/O=example.com/emailAddress=ca@example.com
    verify return:1
    depth=0 /C=ZA/ST=Western Cape/O=example.com/OU=System Administration/CN=mail.example.com/emailAddress=sysadmin@example.com
    verify return:1
    220 mail.example.com ESMTP Sendmail 8.12.11.20060308/8.12.11; Wed, 10 Sep 2008 20:55:05 +0200
    EHLO localhost
    250-mail.example.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE 25000000
    250-DSN
    250-ETRN
    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
    250-DELIVERBY
    250 HELP
    AUTH LOGIN
    334 VXNlcm5hbWU6
    dXNlcm5hbWU=
    334 UGFzc3dvcmQ6
    cGFzc3dvcmQ=
    235 2.0.0 OK Authenticated
    QUIT
    221 2.0.0 mail.example.com closing connection
    $

    The log this time around shows:

    Code:
    Sep 10 20:55:05 mail sendmail[26742]: STARTTLS=server, relay=localhost.localdomain [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
    Sep 10 20:55:23 mail sendmail[26742]: AUTH=server, relay=localhost.localdomain [127.0.0.1], authid=username, mech=LOGIN, bits=0
    Sep 10 20:55:25 mail sendmail[26742]: m8AIt54G026742: localhost.localdomain [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

    Let me know how it goes. If this works, then you might have to trim the confAUTH_MECHANISMS to only list LOGIN and PLAIN, so that Outlook doesn't have an option but to select one of them. There might be other better solutions though, so let's see how it goes.
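An added Python example (not the poster's code) that reproduces the AUTH PLAIN and AUTH LOGIN encodings used in the two sessions above, and then runs a defender-side check over maillog lines in the same layout, pairing STARTTLS and AUTH records by sendmail PID to find plaintext-mechanism authentications that happened without TLS. The log lines are constructed; the 198.51.100.7 entries are invented so the check has something to flag.

```python
import base64
import re

def plain_initial_response(username, password, authzid=""):
    """AUTH PLAIN client message (RFC 4616): authzid NUL authcid NUL password, base64.
    This is what `printf "\\000username\\000password" | openssl enc -a` produced above."""
    raw = f"{authzid}\0{username}\0{password}".encode()
    return base64.b64encode(raw).decode()

def login_responses(username, password):
    """AUTH LOGIN sends the username and password as two separate base64 lines."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return enc(username), enc(password)

def decode_challenge(line):
    """Decode the base64 prompt carried on a '334 ' server challenge line."""
    return base64.b64decode(line.split(" ", 1)[1]).decode()

# Constructed maillog lines in the layout the post shows. The first three mirror
# the post's PLAIN session; the last two are a made-up LOGIN auth on a connection
# that never negotiated STARTTLS (198.51.100.7 is a documentation address).
SAMPLE_MAILLOG = """\
Sep 10 20:44:41 mail sendmail[25926]: STARTTLS=server, relay=localhost.localdomain [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 10 20:45:19 mail sendmail[25926]: AUTH=server, relay=localhost.localdomain [127.0.0.1], authid=username, mech=PLAIN, bits=0
Sep 10 20:45:21 mail sendmail[25926]: m8AIifp4025926: localhost.localdomain [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Sep 10 21:02:03 mail sendmail[26100]: AUTH=server, relay=[198.51.100.7], authid=bob, mech=LOGIN, bits=0
Sep 10 21:02:05 mail sendmail[26100]: m8AJ23aa026100: from=<bob@example.com>, size=1024, class=0, nrcpts=1, proto=ESMTPA, daemon=MTA, relay=[198.51.100.7]
"""

TLS_RE = re.compile(r"sendmail\[(\d+)\]: STARTTLS=server,")
AUTH_RE = re.compile(r"sendmail\[(\d+)\]: AUTH=server, relay=(.*?), authid=(\S+), mech=(\S+),")

def plaintext_auth_without_tls(log_text):
    """Find PLAIN/LOGIN authentications not preceded by STARTTLS on the same connection.
    sendmail forks one process per connection, so the PID ties the two log lines together
    (PIDs are reused over time, so run this over a bounded window of the log)."""
    tls_pids = set()
    findings = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_pids.add(m.group(1))
            continue
        m = AUTH_RE.search(line)
        if m and m.group(4) in ("PLAIN", "LOGIN") and m.group(1) not in tls_pids:
            findings.append({"pid": m.group(1), "relay": m.group(2),
                             "authid": m.group(3), "mech": m.group(4)})
    return findings
```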

  15. #15 Lord-Nikon

    Sorry for the delay.

    I've managed to find where my problem is. The way that my sendmail.mc file rebuilds the sendmail.cf is completely wrong. I ended up doing it via my Webmin module and SHAZAM!

    I am now able to use TLS / SSL for authentication and my mailbox now acts as a global SMTP server!

    I can't begin to thank you enough for all your help and efforts!
