RESOLVED: Solaris 8 - Configuring sendmail relay (NoAuth inbound -> SSL outbound)



First of all, many heartfelt thanks to Per Hedeland for his patience and expertise helping me through this. Without his aid there is no telling how long I might have been chasing my tail.

====================[Problem]====================
AT&T Yahoo has recently tightened up their SMTP security. If your SMTP server is smtp.att.yahoo.com (probably others they control as well), then the default sendmail installed with Solaris 8 will no longer be able to send mail. Their goal is to disallow any email client software that cannot make an SSL connection to smtp.att.yahoo.com port 465.

In addition to killing sendmail for me, this change has broken several utility clients that I have which send emails when certain error or warning conditions arise -- power outage, RAID system drive failure, etc. -- since they do not support SSL, let alone port assignment.

Also note, many of the problems that I had are particular to Solaris 8. Solaris 10 should have most of this already installed. As I say below -- if you're not sure, ASK QUESTIONS.

This solution is also specific to AT&T Yahoo, since they do not support STARTTLS and I needed an SMTPS version of SSL that is not a part of sendmail. I am no expert in these matters, but I gather that if they did support STARTTLS a different approach altogether would have been appropriate. I personally chose not to go with Solaris 10 because for my purposes Solaris 8 is entirely adequate. The pain and suffering of getting sendmail to work properly ended up being far less trouble, in my opinion, than installing Solaris 10 and migrating all of my other apps, utilities, KDE, etc. -- your mileage may vary.

DO NOT ATTEMPT TO FOLLOW THESE STEPS VERBATIM UNLESS YOU ARE TRYING TO GET SOLARIS 8 TO SEND/RELAY TO smtp.att.yahoo.com. If you are not trying to solve the exact same problem, read through the rest of this thread to see how the problem was characterized (e.g. telnet to the mail server and examine the output) and make sure you proceed in the manner appropriate to what that tells you. Unless you know EXACTLY what you are doing, ask questions. There is a lot of expertise on comp.mail.sendmail, and asking a few questions and doing a little homework before you do anything will save you a lot of grief REGARDLESS of your specific requirements.

====================[Requirements]====================
To recap, here were my requirements:

1) Have the ability to test CGI scripts that I am developing, which
attempt to send emails in a safe manner.*

2) Have the ability to send emails to myself and other interested parties
from utility scripts that I run from cron.**

3) Relay mail from insecure clients such as my APC Powerchute Business
Edition email notifications, my 3ware RAID controller email notifications,
and others to an SMTP server that requires SSL, namely smtp.att.yahoo.com
port 465.

And my non-requirements (I'm behind a good firewall/router/NAT):

1) I am not worried about spammers being able to hijack my relay.
2) I am not worried about any kind of malware taking advantage of my less
than optimal config.
3) I am not worried about users doing nasty things with sendmail. For all
intents and purposes, I am the only user.

* e.g.:

#!/usr/bin/perl -T
.
.
.
# Pipe the message into sendmail; -t makes it take the recipients from the
# headers we print. This two-argument open() hands the command string to
# the shell, so under -T the interpolated $from_name and $from_email must
# already have been untainted.
open MAIL, "| /usr/lib/sendmail -t -F'$from_name' -f'$from_email'"
    or die "Could not open sendmail: $!";
print MAIL <<END_OF_HEADER;
To: $email
Reply-to: $from_email
Subject: $sub
$type_string
END_OF_HEADER
# Body of the message is the generated report file.
open(FILE, "< ./reports/$rpt_file.$type")
    or die "Couldn't open $rpt_file.$type for reading: $!\n";
while (<FILE>) {
    chomp($_);
    print MAIL "$_\n";
}
close(FILE);
if ($type_string) {
    print MAIL end_html();    # CGI.pm: close the HTML document
}
close MAIL or die "Error closing sendmail: $!";
print "<li>Sent $sub.</li><br>\n";
}


** e.g. "/usr/lib/sendmail -t -F'Daves SplitScanner' -fmy_scanner_email@xxxxxxxxxx < tosend.txt"
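The snippet above hands sendmail its -F/-f values through a shell command string and copies $email and $sub straight into the headers, so under -T everything interpolated there has to be untainted first. Here is the same `sendmail -t` send as an added example in Python (not the post's code): the command is passed as an argument list so no shell parses the name or address, and each header value is refused if it contains a line break, which `-t` mode would otherwise read as a further header. The path /usr/lib/sendmail is the one the post uses; the function names are this example's own.

```python
"""Added example, not code from the original post: a `sendmail -t` send with
the arguments passed as a list (no shell) and every header value checked
for embedded line breaks. SENDMAIL is the path the post uses; the helper
names are this example's own."""
import re
import subprocess

SENDMAIL = "/usr/lib/sendmail"

_CRLF = re.compile(r"[\r\n]")
# Plain user@host form only; a quote or shell metacharacter never gets through.
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def clean_header(value):
    """A header value must be a single line; refuse anything with CR or LF."""
    if _CRLF.search(value):
        raise ValueError("line break in header value: %r" % value)
    return value.strip()

def clean_address(addr):
    """Restrict the -f, To: and Reply-to values to one plain address."""
    addr = clean_header(addr)
    if not _ADDRESS.match(addr):
        raise ValueError("not a plain address: %r" % addr)
    return addr

def sendmail_argv(from_name, from_email):
    """Argument vector for `sendmail -t -F <name> -f <addr>`; as a list, the
    display name is one argument no matter what characters it contains."""
    return [SENDMAIL, "-t", "-F", clean_header(from_name), "-f", clean_address(from_email)]

def build_message(to, reply_to, subject, body, content_type=None):
    """Headers plus body, as the Perl heredoc builds them, with every value
    validated; content_type stands in for the snippet's $type_string."""
    headers = ["To: " + clean_address(to),
               "Reply-to: " + clean_address(reply_to),
               "Subject: " + clean_header(subject)]
    if content_type:
        headers.append("Content-Type: " + clean_header(content_type))
    return "\n".join(headers) + "\n\n" + body.rstrip("\n") + "\n"

def send_report(from_name, from_email, to, reply_to, subject, body, content_type=None):
    """Pipe the message into sendmail and return its exit status (0 = accepted)."""
    msg = build_message(to, reply_to, subject, body, content_type)
    proc = subprocess.Popen(sendmail_argv(from_name, from_email), stdin=subprocess.PIPE)
    proc.communicate(msg.encode("utf-8"))
    return proc.returncode

if __name__ == "__main__":
    # Constructed values; on the post's host this would actually submit the mail.
    print(sendmail_argv("Daves SplitScanner", "scanner@example.invalid"))
    print(build_message("me@example.invalid", "scanner@example.invalid", "Scan report", "all good"))
```

send_report() does the same job as the cron one-liner in the second footnote (`sendmail -t -F... -f... < tosend.txt`), but with the message assembled and checked in code first.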

====================[Resolution]====================

*NOTES:*

This setup is specific to a Solaris 8 host sitting on a private NAT'ed network, using a DSL connection which gets its public IP via DHCP. The Solaris machine is *NOT* in the DMZ; I do not guarantee that any of this is "safe" for a machine that is exposed to the internet. It *did* work for me in my situation though.

Part of the problem was getting emails with a "From:" address other than my primary email address with my ISP to send properly. That was another issue and I will clearly delineate where that particular problem was resolved.

uname -a output:
SunOS ultra 5.8 Generic_117350-54 sun4u sparc SUNW,Ultra-5_10

Here are the steps needed to make this work:

1) Remove SUNWsndmr and SUNWsndmu. I pulled these out because future Sun patch clusters might overwrite parts of my sendmail installation if these packages were present.

2) Download, compile and install openssl-0.9.8g per its instructions. stunnel and SASL will need to be compiled against the SSL libraries.

3) Download cyrus-sasl-2.1.22 -- this will provide the authentication functionality that sendmail needs in this case.

4) Configure SASL with: "CFLAGS=-DOPENSSL_DISABLE_OLD_DES_SUPPORT=1 ../configure --with-openssl=/usr/local/ssl" to work around the following error:

In file included from auth_getpwent.c:53:
/usr/include/crypt.h:22: parse error before '(' token
/usr/include/crypt.h:22: parse error before "const"
make[3]: *** [auth_getpwent.o] Error 1

5) Run "make" and "make install" in cyrus SASL source dir

6) Download, gunzip and untar BerkeleyDB.4.2; install per its README. I added this because I wanted hash database (NEWDB) support; while I don't think it was strictly necessary for my situation, I wanted BerkeleyDB for other reasons (not related to sendmail). Without it I would get a db.h error when building sendmail, and when I found that BerkeleyDB was one possible solution to that I simply installed it a bit earlier than I had originally planned. If you decide to skip this, do not add the lines that I indicate below in the "hash database functionality" section of my site.config.m4. You may have to replace those lines with something more appropriate to your situation, or not -- just know that they are tied to this step.

7) Download, gunzip & untar sendmail-8.14.2; top level of source dir later referred to as <smsrc>

8) Create <smsrc>/devtools/Site/site.config.m4 with the following contents (the file should not have the indents that I used here for clarity):

# These two lines needed for authentication functionality
#

APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')

# These lines enable hash database functionality
#

APPENDDEF(`confENVDEF', `-DNEWDB')
APPENDDEF(`confLIBDIRS', `-L/usr/local/BerkeleyDB.4.2/lib')
APPENDDEF(`confINCDIRS', `-I/usr/local/BerkeleyDB.4.2/include')

# Without the next line, I was getting the following error in my apache
# error_log, even though at that point relaying from insecure clients
# on another host was working:
#
# ld.so.1: sendmail: fatal: libsasl2.so.2: open failed: No such file or directory
#

APPENDDEF(`confLIBDIRS', `-R/usr/local/lib')


9) Compile sendmail. The INSTALL file recommends doing this with "sh ../Build" from <smsrc>/sendmail, but I recommend you use "sh ./Build -c", which forces a rebuild of everything. I had to recompile repeatedly as I experimented with the site.config.m4 file; ./Build did not detect changes to that file and would exit without doing anything. Additionally, you will want to install makemap from <smsrc>/makemap. Verify that the new makemap is getting installed in the right place! Run "ls -l `which makemap`" before and after to confirm the file is replaced.

10) Install sendmail; from <smsrc>/sendmail -- run "sh ./Build install".

11) Verify that SASL compiled in properly (SASLv2 in the output):

# /usr/lib/sendmail -d0.1 -bt < /dev/null
Version 8.14.2
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NDBM NETINET NETINET6 NETUNIX NEWDB NIS NISPLUS
PIPELINING SASLv2 SCANF STARTTLS USERDB XDEBUG

NOTE: The above may not work until you build and install your sendmail.cf file, step 15 below.

12) Download, gunzip and untar stunnel-4.24. Build and install it per the instructions. stunnel is needed because sendmail simply does not have the capability to use the SMTPS variant of SSL (TLS on port 465 rather than STARTTLS) that was needed in this particular case.

13) Move /etc/stunnel/stunnel.conf to /usr/local/etc/stunnel/stunnel.conf (if it's not there, copy it from stunnel-4.24/tools/stunnel.conf) and edit it as follows (my file had all lines not mentioned below commented out):

---[snip]---
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = 7
output = stunnel.log

client = yes

[rev-smtps]
accept = 127.0.0.1:2525
connect = smtp.att.yahoo.com:465
---[snip]---

NOTE: The "accept" address is the port sendmail will connect to when trying to send mail -- details in step (15) below. The "connect" address is the smtp server that I want to send my mail to/through. The idea is that when sendmail connects to the "accept" address it is completely unaware that the connection is being tunneled transparently to the "connect" address with SSL encryption. You can test this as follows:

telnet localhost 2525

This should give you "cleartext connectivity" to smtp.att.yahoo.com, i.e. you should see the SMTP greeting, be able to type EHLO and get a response etc. If this doesn't work, you need to debug the stunnel setup.

14) Run "mkdir -p /usr/local/var/run/stunnel" so that stunnel can create its pidfile.

15) Copy the sendmail and stunnel init scripts to /etc/init.d and set up the rc links (you may find different numbers are appropriate for your system; again, this is what worked out for me). Output edited to remove filenames not relevant to this discussion:

# ls -l /etc/rc2.d
lrwxrwxrwx 1 root other 24 May 21 15:25 S87stunnel -> /etc/init.d/stunnel.init
lrwxrwxrwx 1 root other 20 May 10 06:51 S88sendmail -> /etc/init.d/sendmail
# ls -l /etc/rc1.d
lrwxrwxrwx 1 root other 20 May 10 06:53 K36sendmail -> /etc/init.d/sendmail
lrwxrwxrwx 1 root other 24 May 21 15:25 K37stunnel -> /etc/init.d/stunnel.init
#

16) Copy <smsrc>/cf/cf/generic-solaris.mc to <smsrc>/cf/cf/sendmail.mc. Below is the important stuff that I needed in my sendmail.mc. VERY IMPORTANT -- after removing the Sun packages above, you will not have mail.local and you don't want the one that comes with sendmail(unless you do, and you know what you're getting into). To get sendmail to properly interface with /usr/bin/mail be sure you use the same OSTYPE that I did below.

divert(0)dnl
VERSIONID(`$Id: sendmail.mc,v 8.13 2008/05/29 11:46:30 Dave Exp $')
OSTYPE(solaris2.pre5)dnl
DOMAIN(generic)dnl

FEATURE(`access_db')dnl
FEATURE(`authinfo')dnl

define(`SMART_HOST', `smarthost-local.localhost')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 2525')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 2525')dnl

MAILER(local)dnl
MAILER(smtp)dnl

17) Now build and install sendmail.cf and submit.cf:

From <smsrc>/cf/cf:
sh ./Build sendmail.cf
sh ./Build install-cf

18) You will need to tweak /etc/hosts(sendmail resides on ultra):

127.0.0.1 localhost
127.0.0.1 smarthost-local
192.168.1.5 ultra.localhost ultra loghost

NOTE: The .localhost was added to get a proper canonical name; the risk of using anything that looks like a real domain name is that someone may eventually register that name, even if it seems available today (happened to me...). Again, sendmail provides a mechanism to check this:

# /usr/lib/sendmail -d0.1 -bt < /dev/null

.
.
.
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = ultra
(canonical domain name) $j = ultra.localhost
(subdomain name) $m = localhost
(node name) $k = ultra
========================================================

19) Make sure there is no "domain" line in /etc/resolv.conf

20) Create /etc/mail/access to allow relaying from your subnet:

Connect:192.168.1 RELAY

Now run "makemap hash access < access" from /etc/mail

21) Create /etc/mail/authinfo with an entry to hold your att.yahoo user ID and password (chmod 400 authinfo for security).

AuthInfo: "I:<user@domain>" "P:<password>" "M:PLAIN"

Now run "makemap hash authinfo < authinfo" from /etc/mail

NOTE: the letter after the first double quote in the line above is an uppercase 'i', not a lowercase 'L'.

NOTE: Be careful if you have no hostname after "AuthInfo:" -- if sendmail connects to *any* different SMTP server, it will send these credentials to it! I was not able to get sendmail to authenticate with a hostname here.
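The three hand-edited files in steps 13, 20 and 21 are where a slip has security consequences: an stunnel accept address that is not bound to loopback exposes the cleartext side of the tunnel to the LAN, a RELAY entry wider than your subnet opens the relay further than intended, and an AuthInfo entry with no host hands the credentials to whatever server sendmail happens to connect to. The following checker is an added example (Python, not part of the original post) that reads each file's text and returns findings for exactly those conditions; the samples at the bottom are constructed to mirror the post's files with placeholder credentials, and the function names are the example's own.

```python
"""Added example, not part of the original post: sanity checks for the three
hand-written files from steps 13, 20 and 21 (stunnel.conf, /etc/mail/access
and /etc/mail/authinfo). Each checker takes the file's text as a string and
returns a list of findings; the samples at the bottom are constructed to
mirror the post's files, with placeholder credentials, and the function
names are this example's own."""
import re

def parse_stunnel(text):
    """{section: {key: value}} for an stunnel.conf; global keys live under ''.
    A repeated key (socket = ...) keeps its last value, which is enough here."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip()] = value.strip()
    return conf

def check_stunnel(text):
    """Findings for a client-mode SMTPS tunnel like the post's [rev-smtps]."""
    conf, findings = parse_stunnel(text), []
    if conf[""].get("client", "no").lower() != "yes":
        findings.append("global: 'client = yes' is missing; stunnel would act as a server")
    for name, sec in conf.items():
        if name == "":
            continue
        if not sec.get("accept", "").startswith("127.0.0.1:"):
            findings.append("[%s]: accept is not bound to 127.0.0.1, so other hosts on the "
                            "LAN could reach the cleartext side of the tunnel" % name)
        if not sec.get("connect", "").endswith(":465"):
            findings.append("[%s]: connect does not target port 465 (SMTPS)" % name)
    return findings

def check_access(text):
    """Flag RELAY entries in /etc/mail/access whose IP prefix is wider than a /24."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#") or parts[-1].upper() != "RELAY":
            continue
        key = parts[0]
        prefix = key[len("Connect:"):] if key.startswith("Connect:") else key
        if not prefix or (prefix.replace(".", "").isdigit() and prefix.count(".") < 2):
            findings.append("%s: RELAY granted to a prefix wider than /24" % key)
    return findings

def check_authinfo(text, mode):
    """Findings for /etc/mail/authinfo given its permission bits (st_mode & 0o777).
    A bare 'AuthInfo:' key has no host and so matches every server sendmail
    connects to, which is the caveat in step 21."""
    findings = []
    if mode & 0o077:
        findings.append("file mode %04o is readable by group/other; chmod 400 it" % mode)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^AuthInfo:(\S*)\s+(.*)$", line)
        if not m:
            findings.append("unparsed line: %r" % line)
            continue
        host = m.group(1) or "<any host>"
        fields = {f.partition(":")[0]: f.partition(":")[2]
                  for f in re.findall(r'"([^"]*)"', m.group(2))}
        if host == "<any host>":
            findings.append("entry without a host: credentials will be offered to any server")
        if "l" in fields:
            findings.append("%s: field 'l:' found; the user-ID field is an uppercase 'I:'" % host)
        if fields.get("M", "").upper() in ("PLAIN", "LOGIN"):
            findings.append("%s: mechanism %s sends the password in the clear; acceptable only "
                            "inside the TLS tunnel" % (host, fields["M"]))
    return findings

# Constructed samples mirroring the post's files (placeholder credentials).
STUNNEL_CONF = """\
; stunnel.conf, client side
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes

[rev-smtps]
accept = 127.0.0.1:2525
connect = smtp.att.yahoo.com:465
"""
ACCESS = "Connect:192.168.1\tRELAY\n"
AUTHINFO = 'AuthInfo: "I:user@example.invalid" "P:placeholder-password" "M:PLAIN"\n'

if __name__ == "__main__":
    for name, findings in (("stunnel.conf", check_stunnel(STUNNEL_CONF)),
                           ("access", check_access(ACCESS)),
                           ("authinfo", check_authinfo(AUTHINFO, 0o400))):
        print(name, "->", findings or "ok")
```

On a real host you would read the file contents with open() and pass `os.stat(path).st_mode & 0o777` as the mode. Run against the post's own configuration the checker reports only the two things the post already accepts knowingly: the host-less AuthInfo entry and the PLAIN mechanism (which is safe here only because the stunnel leg wraps it in TLS).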

22) Copy <smsrc>/sendmail/aliases to /etc/mail. Rebuild the aliases.db file with

# /usr/lib/sendmail -bi
/etc/mail/aliases: 25 aliases, longest 10 bytes, 279 bytes total
#


23) Put the following two entries in /etc/relay-domains and /etc/local-host-names:

<hostname>
<hostname>.localhost


So, that's what was needed to get sendmail to work. If you want the gory details of how this solution was arrived at, it's all in this thread. Enjoy!

Dave Anderson

====================[From: Addr. not primary Addr.]====================

There was much gnashing of teeth and tearing of hair on my part due to the fact that smtp.att.yahoo.com wants to make sure that when you send email, the "From:" address is on your list of approved senders. And sendmail was properly providing an email address that should have been "approved". And it wasn't working. o_O

It was returning the following error:

13900 >>> >>> MAIL From:<approved.email@xxxxxxxxxxx>
13900 >>> <<< 553 From: address not verified; see http://help.yahoo.com/l/us/yahoo/mail/original/manage/sendfrom-07.html

If you always use your primary address for "From" you probably won't have an issue.

If you have a Yahoo ID, you will be able to view that page. Follow the steps listed on that page, and if it's still acting like your "approved" sender is not "approved", call support and tell them that you need them to look at it. When I called, the first-line support person ran me through the instructions on that page a couple of times before escalating the call to second-line support. This person reset something on their end, then asked me to delete and re-submit my info to verify (approve) the secondary email address. After that it worked!

Below are mail logs where my relay successfully relayed from my insecure clients.


=========================[Mail Logs]===============================

These logs are produced by changing the line in /etc/init.d/sendmail that actually launches sendmail to the following. I recommend commenting out the original line and pasting this one above or below it; restore the original line when you are finished debugging, so you don't have an ever-expanding log file that you don't need.

/usr/lib/sendmail -bd -X /var/log/mail.log -oL9 &

01978 >>> 220 ultra.localhost ESMTP Sendmail 8.14.2/8.14.2; Mon, 2 Jun 2008 22:31:38 -0700 (PDT)
01978 <<< EHLO localhost
01978 >>> 250-ultra.localhost Hello Flash [192.168.1.8], pleased to meet you
01978 >>> 250-ENHANCEDSTATUSCODES
01978 >>> 250-PIPELINING
01978 >>> 250-EXPN
01978 >>> 250-VERB
01978 >>> 250-8BITMIME
01978 >>> 250-SIZE
01978 >>> 250-DSN
01978 >>> 250-ETRN
01978 >>> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
01978 >>> 250-DELIVERBY
01978 >>> 250 HELP
01978 <<< MAIL FROM:<primary.email@xxxxxxxxxxx>
01978 >>> 250 2.1.0 <primary.email@xxxxxxxxxxx>... Sender ok
01978 <<< RCPT TO:<my.cellphone@xxxxxxxxx>
01978 >>> 250 2.1.5 <my.cellphone@xxxxxxxxx>... Recipient ok
01978 <<< RCPT TO:<primary.email@xxxxxxxxxxx>
01978 >>> 250 2.1.5 <primary.email@xxxxxxxxxxx>... Recipient ok
01978 <<< DATA
01978 >>> 354 Enter mail, end with "." on a line by itself
01978 <<< Message-ID: <18930211.1212471097749.JavaMail.SYSTEM@Flash>
01978 <<< Date: Mon, 2 Jun 2008 22:31:37 -0700 (PDT)
01978 <<< From: primary.email@xxxxxxxxxxx
01978 <<< To: my.cellphone@xxxxxxxxx
01978 <<< To: primary.email@xxxxxxxxxxx
01978 <<< Subject: Flash : Test email from PowerChute Business Edition
01978 <<< Mime-Version: 1.0
01978 <<< Content-Type: text/plain; charset=us-ascii
01978 <<< Content-Transfer-Encoding: 7bit
01978 <<<
01978 <<<
01978 <<< This email was sent to test your configuration settings
01978 <<<
01978 <<< .
01978 >>> 250 2.0.0 m535VcHe001978 Message accepted for delivery
01978 <<< QUIT
01978 >>> 221 2.0.0 ultra.localhost closing connection
01980 === CONNECT smarthost-local.localhost.
01980 <<< 220 smtp120.sbc.mail.sp1.yahoo.com ESMTP
01980 >>> EHLO ultra.localhost
01980 <<< 250-smtp120.sbc.mail.sp1.yahoo.com
01980 <<< 250-AUTH LOGIN PLAIN XYMCOOKIE
01980 <<< 250-PIPELINING
01980 <<< 250 8BITMIME
01980 >>> AUTH PLAIN ci1u...(edited)...F2Mw==
01980 <<< 235 ok, go ahead (#2.0.0)
01980 >>> MAIL From:<primary.email@xxxxxxxxxxx>
01980 <<< 250 ok
01980 >>> RCPT To:<primary.email@xxxxxxxxxxx>
01980 >>> RCPT To:<my.cellphone@xxxxxxxxx>
01980 >>> DATA
01980 <<< 250 ok
01980 <<< 250 ok
01980 <<< 354 go ahead
01980 >>> Received: from localhost (FLASH [192.168.1.8])
01980 >>> by ultra.localhost (8.14.2/8.14.2) with ESMTP id m535VcHe001978;
01980 >>> Mon, 2 Jun 2008 22:31:38 -0700 (PDT)
01980 >>> Message-ID: <18930211.1212471097749.JavaMail.SYSTEM@Flash>
01980 >>> Date: Mon, 2 Jun 2008 22:31:37 -0700 (PDT)
01980 >>> From: primary.email@xxxxxxxxxxx
01980 >>> To: my.cellphone@xxxxxxxxx
01980 >>> To: primary.email@xxxxxxxxxxx
01980 >>> Subject: Flash : Test email from PowerChute Business Edition
01980 >>> Mime-Version: 1.0
01980 >>> Content-Type: text/plain; charset=us-ascii
01980 >>> Content-Transfer-Encoding: 7bit
01980 >>>
01980 >>>
01980 >>> This email was sent to test your configuration settings
01980 >>>
01980 >>> .
01980 <<< 250 ok 1212471100 qp 62087
01980 >>> QUIT
01980 <<< 221 smtp120.sbc.mail.sp1.yahoo.com



01982 >>> 220 ultra.localhost ESMTP Sendmail 8.14.2/8.14.2; Mon, 2 Jun 2008 22:32:01 -0700 (PDT)
01982 <<< EHLO Flash
01982 >>> 250-ultra.localhost Hello Flash [192.168.1.8], pleased to meet you
01982 >>> 250-ENHANCEDSTATUSCODES
01982 >>> 250-PIPELINING
01982 >>> 250-EXPN
01982 >>> 250-VERB
01982 >>> 250-8BITMIME
01982 >>> 250-SIZE
01982 >>> 250-DSN
01982 >>> 250-ETRN
01982 >>> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
01982 >>> 250-DELIVERBY
01982 >>> 250 HELP
01982 <<< MAIL From:<primary.email@xxxxxxxxxxx>
01982 >>> 250 2.1.0 <primary.email@xxxxxxxxxxx>... Sender ok
01982 <<< RCPT To:<my.cellphone@xxxxxxxxx>
01982 >>> 250 2.1.5 <my.cellphone@xxxxxxxxx>... Recipient ok
01982 <<< RCPT To:<primary.email@xxxxxxxxxxx>
01982 >>> 250 2.1.5 <primary.email@xxxxxxxxxxx>... Recipient ok
01982 <<< DATA
01982 >>> 354 Enter mail, end with "." on a line by itself
01982 <<< Date: Mon, 02 Jun 2008 22:32:00 -0800
01982 <<< From: primary.email@xxxxxxxxxxx
01982 <<< To: my.cellphone@xxxxxxxxx,primary.email@xxxxxxxxxxx
01982 <<< Subject: 3ware 3DM2 alert -- host: Flash
01982 <<<
01982 <<< This is a test e-mail generated by 3ware 3DM2
01982 <<<
01982 <<< .
01982 >>> 250 2.0.0 m535W1DS001982 Message accepted for delivery
01982 <<< QUIT
01982 >>> 221 2.0.0 ultra.localhost closing connection
01984 === CONNECT smarthost-local.localhost.
01984 <<< 220 smtp120.sbc.mail.sp1.yahoo.com ESMTP
01984 >>> EHLO ultra.localhost
01984 <<< 250-smtp120.sbc.mail.sp1.yahoo.com
01984 <<< 250-AUTH LOGIN PLAIN XYMCOOKIE
01984 <<< 250-PIPELINING
01984 <<< 250 8BITMIME
01984 >>> AUTH PLAIN ci1u...(edited)...F2Mw==
01984 <<< 235 ok, go ahead (#2.0.0)
01984 >>> MAIL From:<primary.email@xxxxxxxxxxx>
01984 <<< 250 ok
01984 >>> RCPT To:<primary.email@xxxxxxxxxxx>
01984 >>> RCPT To:<my.cellphone@xxxxxxxxx>
01984 >>> DATA
01984 <<< 250 ok
01984 <<< 250 ok
01984 <<< 354 go ahead
01984 >>> Received: from Flash (Flash [192.168.1.8])
01984 >>> by ultra.localhost (8.14.2/8.14.2) with ESMTP id m535W1DS001982;
01984 >>> Mon, 2 Jun 2008 22:32:01 -0700 (PDT)
01984 >>> Message-Id: <200806030532.m535W1DS001982@xxxxxxxxxxxxxxx>
01984 >>> Date: Mon, 02 Jun 2008 22:32:00 -0800
01984 >>> From: primary.email@xxxxxxxxxxx
01984 >>> To: my.cellphone@xxxxxxxxx, primary.email@xxxxxxxxxxx
01984 >>> Subject: 3ware 3DM2 alert -- host: Flash
01984 >>>
01984 >>> This is a test e-mail generated by 3ware 3DM2
01984 >>>
01984 >>> .
01984 <<< 250 ok 1212471122 qp 62717
01984 >>> QUIT
01984 <<< 221 smtp120.sbc.mail.sp1.yahoo.com
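One more reason to switch the -X trace off when you are done: the outbound leg records the AUTH PLAIN argument, which is nothing more than base64 over the user ID and password from authinfo, so the log file holds the credentials in a trivially reversible form. As an added example (Python, not part of the original post), the script below groups a trace like the one above by process id, tells the inbound client sessions from the outbound relay session by the "=== CONNECT" line, extracts sender and recipients, reports which user authenticated without revealing the password, and produces a redacted copy that is safe to paste into a post. The sample lines are constructed after the log above with a made-up credential; the names are the example's own.

```python
"""Added example, not part of the original post: parse a `sendmail -X`
traffic trace, summarize each session's envelope, and redact the AUTH PLAIN
credential the trace records. SAMPLE is constructed after the post's log;
the credential is a made-up placeholder."""
import base64
import re
from collections import OrderedDict

TRACE_LINE = re.compile(r"^(\d+) (>>>|<<<|===) ?(.*)$")

def parse_trace(text):
    """{pid: [(direction, payload), ...]} in file order; other lines are ignored."""
    sessions = OrderedDict()
    for raw in text.splitlines():
        m = TRACE_LINE.match(raw)
        if m:
            sessions.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return sessions

def auth_plain_identity(blob):
    """AUTH PLAIN sends base64("authzid\\0authcid\\0password"); return the
    user ID and the password's length only, never the password itself."""
    _authzid, authcid, password = base64.b64decode(blob).split(b"\0", 2)
    return authcid.decode("utf-8"), len(password)

def summarize(sessions):
    """One dict per pid: whether it is the outbound relay leg (marked by the
    '=== CONNECT' line), envelope sender/recipients, and the user that was
    authenticated if the trace captured an AUTH PLAIN exchange."""
    summary = []
    for pid, events in sessions.items():
        s = {"pid": pid, "outbound": False, "mail_from": None, "rcpt_to": [], "auth_user": None}
        for direction, payload in events:
            if direction == "===":
                s["outbound"] = True
                continue
            # Inbound: the client's commands arrive as <<<. Outbound: we send them as >>>.
            if direction != (">>>" if s["outbound"] else "<<<"):
                continue
            verb = payload.upper()
            if verb.startswith("MAIL FROM:"):
                s["mail_from"] = payload.split(":", 1)[1].strip()
            elif verb.startswith("RCPT TO:"):
                s["rcpt_to"].append(payload.split(":", 1)[1].strip())
            elif verb.startswith("AUTH PLAIN "):
                s["auth_user"], _pwlen = auth_plain_identity(payload.split()[2])
        summary.append(s)
    return summary

def redact(text):
    """Copy of the trace with the AUTH PLAIN argument replaced, safe to share."""
    return re.sub(r"(AUTH PLAIN )\S+", r"\1[REDACTED]", text)

# Constructed after the post's log; addresses and credential are placeholders.
CREDENTIAL = base64.b64encode(b"\0user@example.invalid\0placeholder-password").decode("ascii")
SAMPLE = """\
01978 >>> 220 ultra.localhost ESMTP Sendmail 8.14.2/8.14.2; Mon, 2 Jun 2008 22:31:38 -0700 (PDT)
01978 <<< EHLO localhost
01978 >>> 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
01978 <<< MAIL FROM:<primary.email@example.invalid>
01978 >>> 250 2.1.0 <primary.email@example.invalid>... Sender ok
01978 <<< RCPT TO:<my.cellphone@example.invalid>
01978 <<< RCPT TO:<primary.email@example.invalid>
01978 <<< DATA
01978 >>> 250 2.0.0 m535VcHe001978 Message accepted for delivery
01980 === CONNECT smarthost-local.localhost.
01980 <<< 250-AUTH LOGIN PLAIN XYMCOOKIE
01980 >>> AUTH PLAIN %s
01980 <<< 235 ok, go ahead (#2.0.0)
01980 >>> MAIL From:<primary.email@example.invalid>
01980 >>> RCPT To:<primary.email@example.invalid>
01980 >>> RCPT To:<my.cellphone@example.invalid>
01980 <<< 250 ok 1212471100 qp 62087
""" % CREDENTIAL

if __name__ == "__main__":
    for s in summarize(parse_trace(SAMPLE)):
        print(s)
    print(redact(SAMPLE))
```

Feed it the real /var/log/mail.log with `summarize(parse_trace(open(path).read()))`; the redact() output is what to post if you need help with a trace, and the "outbound" flag plus "auth_user" tell you at a glance which sessions carried credentials.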

