Re: Solaris 8 - Configuring sendmail relay (NoAuth inbound -> SSL outbound)
- From: Dave Anderson <r-n-d@xxxxxxxxxxx>
- Date: Fri, 16 May 2008 18:35:46 -0700
OK, I'm the OP, and I dug up AT&T's news server settings.... I'll be posting mostly from this acct. I have to move on to other things, but at least I have a decent newsreader set up and will get to browsing other related threads when I have time.
Thanks again all, for the help so far.
D
Dave.Anderson-NOSPAM wrote:
NOTE: This post is condensed from a thread elsewhere where I was
getting help with some of the basic issues, but we seem to have hit a
wall with SMTP/SSL -- that individual had some good info for me on
basic sendmail setup, so I'm grateful for having made as much progress
as I have. Hopefully someone here knows how to get me the rest of the
way over the hump.
Also I should mention that I have a bit more than a decade of UNIX
experience, but sendmail is one piece that I don't understand very
well.
I have been happily chugging away for the past 5 years with my Solaris
8 server on my home network, using sendmail 8.11.7+Sun for a variety
of purposes: scraping financial websites and emailing mashups to
myself & friends, developing/testing cgi scripts for websites that
need to email form data, etc.
Recently my ISP decided that I must use SSL/Auth to send mail through
their SMTP server (smtp.att.yahoo.com). In addition to breaking my
sendmail implementation, it has broken a number of important Wintel
utilities, notably my APC Powerchute Business Edition email
notifications, my 3ware RAID controller email notifications, and
others. I have contacted tech support for each of the products that
I'm having this problem with as well as my ISP and the collective
response is a shrug of the shoulders.
What this boils down to is, I have two problems I need to solve:
1) I need to get sendmail working again for non-interactive sessions
as shown in the perl code snippet attached to this post.
2) Contingent on (1), I would like to be able to use the Solaris box
to relay notification emails from the Wintel box. I do not need to
have the Solaris box handle all of my outbound mail (e.g. Thunderbird),
just the outbound email from applications that do not support SSL/
Auth.
Regarding (1), it seems that the obvious starting point would be to
yank the Sun sendmail out by the roots and set up sendmail 8.14.3, but
from my reading on the subject it seems that I will need to install
OpenSSL and possibly BerkeleyDB to meet the prerequisites for compiling
sendmail with SSL support. Links to details on this would be much
appreciated, especially any info pertaining to steps I need to take to
pave the way to solving problem (2) above. (UPDATE: *Done*)
Regarding (2), all of the info I've been able to dig up on SMTP/SSL
relay configuration assumes that the user wants the client to make an
SSL connection to the relay. That's not what I want. What I need is to
have my client applications send their mail to the relay on the
Solaris box with NO authentication (I suppose I need to set up an SMTP
server of some flavor) and have that mail relayed to my ISP's SMTP
server using SSL and user/pass authentication (again, this needs to be
non-interactive).
Note that security is not the highest priority here; these machines
all sit behind a router with built-in firewall/NAT and are essentially
invisible to the internet at large (as far as I can tell with grc.com
ShieldsUP). So long as it's reasonably secure, that's fine; I don't
have to worry about port scans, spammers, etc.
#!/usr/bin/perl -T
.
.
.
open MAIL, "| /usr/lib/sendmail -t -F'$from_name' -f'$from_email'"
    or die "Could not open sendmail: $!";
print MAIL <<END_OF_HEADER;
To: $email
Reply-to: $from_email
Subject: $sub
$type_string
END_OF_HEADER
open(FILE, "< ./reports/$rpt_file.$type")
    or die "Couldn't open $rpt_file.$type for reading: $!\n";
while (<FILE>) {
    chomp($_);
    print MAIL "$_\n";
}
close(FILE);
if($type_string) {
    print MAIL end_html();
}
close MAIL or die "Error closing sendmail: $!";
print "<li>Sent $sub.</li><br>\n";
}
========================================================================
To reiterate:
1) My clients need to be able to talk to an SMTP server on my local
Solaris box, without authentication/SSL.
2) My Solaris box then needs to be able to forward that mail to my
ISP's SMTP server using SSL, port 465, with user/pass auth. I have no
control over this whatsoever, and it is a hard requirement.
Also, I do not need to control access to sendmail. My firewall is
secure enough that plain old SMTP/Port 25 will not present a security
risk, and this machine will never live in the DMZ. If the machine ever
does get compromised, I can just restore from one of my periodic
backups that I make to a spare drive using dd. It is a development
machine after all, so I tend to be prepared for the worst. :)
===============================================================================
Well, things went pretty smoothly for a while, up until I actually
started trying to compile sendmail. To be more precise, I was fine up
until the "sh ./Build" mentioned in step 3 of the INSTALL file. I am
working with 8.14.2 as you recommended.
First off, when I copy and pasted your site.config.m4 contents into a
terminal window, it replaced some of the quote characters with ^Y and
removed others. I carefully replaced them, always using ` on the left
side of a quoted string and ' on the right side of a quoted string. I
corrected the path to BerkeleyDB and the path to openssl. The ssl lines
in this file are seemingly being ignored (see Build output below
site.config.m4 below).
I tried modifying sendmail.h line 125 from openssl/ssl.h to /usr/local/
ssl/include/openssl/ssl.h and Build returned page upon page of errors
for my efforts, so I changed it back. Any thoughts as to why my second
confINCDIRS directive is being ignored? I have a hunch that is the
root of the problem.
I have to run off to work soon, at minimum I will back up site config
file, delete everything and untar the source again. I may have run
build from the top level directory before setting up site config and
maybe there is something screwy that Build can't overwrite.
APPENDDEF(`confLIBDIRS', `-L/usr/local/BerkeleyDB.4.2/lib')
APPENDDEF(`confINCDIRS', `-I/usr/local/BerkeleyDB.4.2/include')
APPENDDEF(`confENVDEF', `-DNEWDB')
define(`confSTDIO_TYPE', `portable')
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS -DHASURANDOMDEV')
APPENDDEF(`confLIBDIRS', `-L/usr/local/ssl/lib')
APPENDDEF(`confINCDIRS'; `-I/usr/local/ssl/include')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')
APPENDDEF(`conf_sendmail_ENVDEF',`-DMILTER')
APPENDDEF(`conf_libmilter_ENVDEF',`-D_FFR_MILTER_ROOT_UNSAFE')

Result -- ssl include path seems to be ignored:
# time sh ./Build
Configuration: pfx=, os=SunOS, rel=5.8, rbase=5, rroot=5.8, arch=sun4, sfx=, variant=optimized
Making in /export/home/swinst/sendmail.Mar.08/install/sendmail-8.14.2/obj.SunOS.5.8.sun4/sendmail
gcc -O -I. -I../../include -I/usr/local/BerkeleyDB.4.2/include -DNEWDB -DNDBM -DNIS -DNISPLUS -DMAP_REGEX -DSOLARIS=20800 -DNETINET6 -DNEWDB -DSTARTTLS -DHASURANDOMDEV -DMILTER -c -o main.o main.c
In file included from main.c:15:
./sendmail.h:125:27: openssl/ssl.h: No such file or directory
In file included from main.c:15:
./sendmail.h:694: error: syntax error before "SSL"
./sendmail.h:694: warning: no semicolon at end of struct or union
./sendmail.h:697: error: syntax error before '}' token
./sendmail.h:1451: error: field `sv_mci' has incomplete type
./sendmail.h:1876: error: syntax error before '*' token
./sendmail.h:1880: error: syntax error before '*' token
./sendmail.h:1881: error: syntax error before '*' token
./sendmail.h:2614: error: syntax error before '*' token
make: *** [main.o] Error 1
real 0m3.24s
user 0m2.79s
sys 0m0.27s
#
============================================================================
OK, made some progress. Untarred the release to start from scratch,
ended up adding the following two lines to Makefile to get it to build
without errors:
INCDIRS= -I/usr/local/BerkeleyDB.4.2/include -I/usr/local/ssl/include
LIBDIRS= -L/usr/local/BerkeleyDB.4.2/lib -L/usr/local/ssl/lib
However, I get the following in my Apache error_log when I try to run
a script that uses sendmail as shown in my script example above:
ld.so.1: sendmail: fatal: libssl.so.0.9.8: open failed: No such file
or directory
This is odd, since libssl.so.0.9.8 exists in the lib path mentioned
above, and I did not see any errors about it during the build.
========================================================================
I've also expanded LD_LIBRARY_PATH in /etc/skel with the following:
export LD_LIBRARY_PATH=/usr/lib:/usr/local/ssl/lib
I put the same in S90apachectl at the top of the file.
After trying to restart apache, then rebooting, still no joy.
=====================================================================
May 10 08:10:20 ultra sendmail[639]: [ID 801593 mail.info] m4AFAKOr000639: Authentication-Warning: ultra.myfake.net: nobody set sender to feedback@xxxxxxxxxxxxxxxxx using -f
May 10 08:10:20 ultra sendmail[639]: [ID 801593 mail.info] m4AFAKOr000639: from=feedback@xxxxxxxxxxxxxxxxx, size=80, class=0, nrcpts=1, msgid=<200805101510.m4AFAKOr000639@xxxxxxxxxxxxxxxx>, relay=nobody@localhost
May 10 08:10:21 ultra sendmail[640]: [ID 801593 mail.info] m4AFAKGA000640: from=<feedback@xxxxxxxxxxxxxxxxx>, size=453, class=0, nrcpts=1, msgid=<200805101510.m4AFAKOr000639@xxxxxxxxxxxxxxxx>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
May 10 08:10:21 ultra sendmail[639]: [ID 801593 mail.info] m4AFAKOr000639: to=sales@xxxxxxxxxxxxxxxxx, ctladdr=feedback@xxxxxxxxxxxxxxxxx (60001/60001), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30080, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (m4AFAKGA000640 Message accepted for delivery)
May 10 08:10:21 ultra sendmail[642]: [ID 801593 mail.info] m4AFAKGA000640: to=<sales@xxxxxxxxxxxxxxxxx>, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=120453, relay=smtp.att.yahoo.com [69.147.64.31], dsn=5.0.0, stat=Service unavailable
May 10 08:10:21 ultra sendmail[642]: [ID 801593 mail.info] m4AFAKGA000640: m4AFALGA000642: DSN: Service unavailable
May 10 08:10:21 ultra sendmail[642]: [ID 801593 mail.info] m4AFALGA000642: to=<feedback@xxxxxxxxxxxxxxxxx>, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31678, relay=smtp.att.yahoo.com, dsn=4.0.0, stat=Deferred: Connection reset by smtp.att.yahoo.com
May 10 08:10:25 ultra sendmail[643]: [ID 801593 mail.info] m4AFALGA000642: to=<feedback@xxxxxxxxxxxxxxxxx>, delay=00:00:04, xdelay=00:00:00, mailer=relay, pri=121678, relay=smtp.att.yahoo.com [69.147.64.31], dsn=5.0.0, stat=Service unavailable
May 10 08:10:25 ultra sendmail[643]: [ID 801593 mail.crit] m4AFALGA000642: SYSERR(root): hash map "Alias0": missing map file /etc/mail/aliases.db: No such file or directory
May 10 08:10:25 ultra sendmail[643]: [ID 801593 mail.info] m4AFALGA000642: m4AFAPGB000643: return to sender: hash map "Alias0": missing map file /etc/mail/aliases.db: No such file or directory
May 10 08:10:25 ultra sendmail[644]: [ID 801593 mail.info] m4AFAPGB000643: Warning: program /usr/lib/mail.local unsafe: No such file or directory
May 10 08:10:25 ultra sendmail[644]: [ID 801593 mail.crit] m4AFAPGB000643: SYSERR(root): Cannot exec /usr/lib/mail.local: No such file or directory
May 10 08:10:25 ultra sendmail[643]: [ID 801593 mail.error] m4AFAPGB000643: smtpquit: mailer local exited with exit value 71
May 10 08:10:25 ultra sendmail[643]: [ID 801593 mail.info] m4AFAPGB000643: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=33558, relay=local, dsn=4.4.2, stat=Deferred: Connection reset by local
May 10 08:10:25 ultra sendmail[645]: [ID 801593 mail.info] m4AEbNB6000389: Warning: program /usr/lib/mail.local unsafe: No such file or directory
May 10 08:10:25 ultra sendmail[645]: [ID 801593 mail.crit] m4AEbNB6000389: SYSERR(root): Cannot exec /usr/lib/mail.local: No such file or directory
May 10 08:10:25 ultra sendmail[643]: [ID 801593 mail.error] m4AEbNB6000389: smtpquit: mailer local exited with exit value 71
May 10 08:10:25 ultra sendmail[643]: [ID 801593 mail.info] m4AEbNB6000389: to=root, delay=00:33:01, xdelay=00:00:00, mailer=local, pri=3003558, relay=local, dsn=4.4.2, stat=Deferred: Connection reset by local
May 10 08:10:25 ultra sendmail[646]: [ID 801593 mail.info] m4AEZdE5000367: Warning: program /usr/lib/mail.local unsafe: No such file or directory
May 10 08:10:25 ultra sendmail[646]: [ID 801593 mail.crit] m4AEZdE5000367: SYSERR(root): Cannot exec /usr/lib/mail.local: No such file or directory
May 10 08:10:25 ultra sendmail[643]: [ID 801593 mail.error] m4AEZdE5000367: smtpquit: mailer local exited with exit value 71
May 10 08:10:25 ultra sendmail[643]: [ID 801593 mail.info] m4AEZdE5000367: to=root, delay=00:34:45, xdelay=00:00:00, mailer=local, pri=3183555, relay=local, dsn=4.4.2, stat=Deferred: Connection reset by local
==============================================================================
I have recompiled sendmail with SASL support per the instructions
here:
http://www.brandonhutchinson.com/Installing_Cyrus_SASL_with_sendmail_on_Solaris.html
I have added further entries to sendmail.mc:
divert(0)dnl
VERSIONID(`$Id: sendmail.mc,v 8.13 2008/05/29 11:46:30 Dave Exp $')
OSTYPE(solaris8)dnl
DOMAIN(generic)dnl
define(`LOCAL_MAILER_PATH', `/usr/bin/mail')dnl
FEATURE(`access_db')dnl
MAILER(local)dnl
MAILER(smtp)dnl
define(`SMART_HOST', `smtp.att.yahoo.com')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway')dnl
define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`confHOST_STATUS_DIRECTORY', `/etc/mail/host_status')dnl
I have added the following line to /etc/mail/access, and ran "makemap
hash /etc/mail/access.db < /etc/mail/access"
root@xxxxxxxxxxxxxxxx RELAY
I have populated /etc/mail/authinfo as follows:
# cat authinfo
AuthInfo:smtp.att.yahoo.com "U:<username@xxxxxxxxxxx>"
"P:<MyPassword>" "M:DIGEST-MD5"
#
Here is some verbose output from sendmail:
# /usr/lib/sendmail -v root <local-host-names
root... Connecting to [127.0.0.1] via relay...
220 ultra.myfake.net ESMTP Sendmail 8.14.2/8.14.2; Wed, 14 May 2008
07:09:16 -0700 (PDT)
250-ultra.myfake.net Hello localhost [127.0.0.1], pleased to meet youEHLO ultra.myfake.net
250 ENHANCEDSTATUSCODES
550 5.7.1 Access deniedMAIL From:<root@xxxxxxxxxxxxxxxx>
root... Using cached ESMTP connection to [127.0.0.1] via relay...
250 2.0.0 Reset stateRSET550 5.7.1 Access deniedMAIL From:<>
postmaster... Using cached ESMTP connection to [127.0.0.1] via
relay...
250 2.0.0 Reset stateRSET550 5.7.1 Access deniedMAIL From:<>
May 14 07:09:16 ultra sendmail[5209]: [ID 801593 mail.alert]
m4EE9GmE005209: Losing ./qfm4EE9GmE005209: savemail panic
Closing connection to [127.0.0.1]
221 2.0.0 ultra.myfake.net closing connectionQUIT
I seem to be able to connect to the sendmail/SMTP daemon OK, which is
promising:
220 ultra.myfake.net ESMTP Sendmail 8.14.2/8.14.2; Wed, 14 May 2008
09:12:34 -0700 (PDT)
helo ultra
250 ultra.myfake.net Hello Flash [192.168.69.68], pleased to meet you
quit
221 2.0.0 ultra.myfake.net closing connection
So, I'm learning, bit by bit -- it seems that the local mail problem
needs to be solved first, since local delivery seems to be the first
step in relaying the outbound mail.
Note that I changed LOCAL_MAILER_PATH after following up on the
mail.local messages above and finding that there is a whole list of
caveats if I want to use mail.local -- the README stated that I would
have to perform a whole slew of additional steps to get that to work,
so I'm trying to stick with the existing /etc/mail.
********************************************************
So, apologies if the above seems disjointed. I tried to just pull the
most relevant info from the earlier thread. I will be happy to post
any additional info or run other experiments to aid the process of
troubleshooting this. I can't be the only one that suddenly needs to
relay to an SMTP server that requires SSL.
TIA,
Dave A.
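
The sendmail delivery lines quoted in the post can be read hop by hop: each `to=` entry records the relay contacted, the DSN code and the status text. The following is an added example, not part of the original post, that parses such entries and lists the attempts that did not succeed; the sample log is constructed, and its queue IDs, hosts and addresses are placeholders.

```python
import re

# Constructed sample modelled on the delivery lines in the post; queue IDs,
# hosts and addresses are placeholders, not values from the original log.
SAMPLE_LOG = """\
May 10 08:10:21 ultra sendmail[639]: [ID 801593 mail.info] m4A000000001: to=sales@example.net, ctladdr=feedback@example.net (60001/60001), delay=00:00:01, mailer=relay, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (m4A000000002 Message accepted for delivery)
May 10 08:10:21 ultra sendmail[642]: [ID 801593 mail.info] m4A000000002: to=<sales@example.net>, delay=00:00:00, mailer=relay, relay=smtp.isp.example [192.0.2.25], dsn=5.0.0, stat=Service unavailable
May 10 08:10:21 ultra sendmail[642]: [ID 801593 mail.info] m4A000000002: m4A000000003: DSN: Service unavailable
May 10 08:10:25 ultra sendmail[643]: [ID 801593 mail.info] m4A000000003: to=root, delay=00:00:00, mailer=local, relay=local, dsn=4.4.2, stat=Deferred: Connection reset by local
"""

# Queue ID followed by a 'to=' record; the Solaris '[ID ...]' tag is optional.
ENTRY = re.compile(r"sendmail\[\d+\]: (?:\[ID [^\]]*\] )?(?P<qid>\w+): (?P<rest>to=.*)$")
# key=value pairs; a value runs until the next ', key=' or the end of the line.
FIELD = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")
OUTCOME = {"2": "delivered", "4": "deferred", "5": "rejected"}


def parse_delivery(line):
    """Return the key=value fields of one 'to=' delivery line, or None."""
    m = ENTRY.search(line)
    if not m:
        return None  # warnings, SYSERR and 'from=' lines carry no delivery status
    fields = dict(FIELD.findall(m.group("rest")))
    fields["qid"] = m.group("qid")
    # The first digit of the DSN code gives the class of the result.
    fields["outcome"] = OUTCOME.get(fields.get("dsn", "")[:1], "unknown")
    # 'relay=host [ip]' -> keep the host; loopback or 'local' means the
    # hand-off never left this machine.
    host = fields.get("relay", "").split(" ")[0]
    fields["hop"] = "local" if host in ("local", "localhost", "[127.0.0.1]") else host
    return fields


def failing_hops(log_text):
    """List (qid, hop, dsn, stat) for every delivery attempt that did not succeed."""
    failures = []
    for line in log_text.splitlines():
        f = parse_delivery(line)
        if f and f["outcome"] != "delivered":
            failures.append((f["qid"], f["hop"], f.get("dsn", ""), f.get("stat", "")))
    return failures


if __name__ == "__main__":
    for row in failing_hops(SAMPLE_LOG):
        print(*row, sep="  ")
```
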