Upgraded to fc7, but sendmail submission with TLS no longer works



I'm running fc7 (updated). I updated via yum from fc6.

Oddly, Cyrus continued to work after the upgrade (it usually breaks).

This time it was sendmail that broke, even though I'm running with a
fairly stock system.

The extent of my sendmail.mc edits is below.

I get messages from sendmail saying that my client (Thunderbird on
Windows Vista and FC7), well:

Sep 29 19:21:59 mail sendmail[5288]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 29 19:22:23 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8]: possible SMTP attack: command=AUTH, count=4
Sep 29 19:22:30 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
Sep 29 19:23:05 mail sendmail[5295]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256


but if I turn off TLS, it seems to work ok (using username/password authentication in the clear, I guess).

Since it's TLS, I couldn't use tcpdump to read the transactions...

Here are the sendmail.mc edits. Nothing too weird:


--- sendmail.mc.orig 2006-09-05 07:27:48.000000000 -0600
+++ sendmail.mc 2007-03-08 21:26:38.000000000 -0700
@@ -41,7 +41,7 @@
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
-dnl define(`confAUTH_OPTIONS', `A p')dnl
+define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
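Review bot: enabling `A p' here changes which mechanisms the server offers depending on whether STARTTLS is active (the comment two lines above spells it out: PLAIN/LOGIN are refused on non-TLS links), so the working non-TLS login and the failing TLS login are not necessarily using the same mechanism, and "it works with TLS off" does not by itself point at TLS as the cause. Before changing this line, compare the 250-AUTH line of the EHLO reply before and after STARTTLS and note which mechanism Thunderbird picks in each case. The log line "possible SMTP attack: command=AUTH, count=4" shows the client issuing AUTH repeatedly on a connection where TLS was already up (bits=256/256), so it is the authentication exchange that is being refused, not the STARTTLS step; raising confLOG_LEVEL above 9 makes sendmail log the mechanism and the SASL reason for each refused AUTH.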
@@ -49,18 +49,18 @@
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
-dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
-dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /usr/share/ssl/certs usage
dnl #
-dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
-dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
-dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
-dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
+define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
+define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
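Review bot: EXTERNAL in both TRUST_AUTH_MECH and confAUTH_MECHANISMS authenticates by client certificate, and the verify=NO in the log shows the MUA presents none, so it is dead weight in the offered list; GSSAPI is advertised but not trusted for relaying, which is fine if intended but deserves a comment. The STARTTLS=server lines with DHE-RSA-AES256-SHA confirm the four certificate settings work, so this hunk is not where submission breaks. One caution: confSERVER_KEY points at the same file as confSERVER_CERT, so /etc/pki/tls/certs/sendmail.pem holds the private key; the comment just below about making the key file readable by group ldap for slapd widens access to that key, and if it is ever followed it should be done with a separate key file rather than this combined one.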
@@ -71,8 +71,10 @@
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
+dnl # don't apply domain search suffixes...
+define(`confBIND_OPTS', `+AAONLY -DNSRCH -DEFNAMES')dnl
define(`confTO_IDENT', `0')dnl
-dnl FEATURE(delay_checks)dnl
+FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
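Review bot: the comment on the new confBIND_OPTS line only explains -DNSRCH -DEFNAMES (no search-list expansion); +AAONLY asks the resolver for authoritative answers only, which is a different thing and one the glibc resolver marks as not implemented (RES_AAONLY carries "!IMPL" in resolv.h). Either extend the comment to say why it is wanted or drop it. Unrelated to the TLS problem, but it is the one uncommented non-default in this hunk.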
@@ -100,27 +102,35 @@
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
+dnl # Anti-spam features suggested from ACME.COM
+FEATURE(`greet_pause', `5000')dnl
+define(`confCONNECTION_RATE_WINDOW_SIZE', `60s')dnl
+FEATURE(`conncontrol')dnl
+FEATURE(`ratecontrol', `nodelay', `terminate')dnl
+define(`confBAD_RCPT_THROTTLE', `3')dnl
+define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
+define(`confMAX_DAEMON_CHILDREN', `5')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
-dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
-dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
+define(`confLOCAL_MAILER', `cyrusv2')dnl
+define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
-DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
+dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
-dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
+DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
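Review bot: FEATURE(`greet_pause', `5000') and define(`confMAX_DAEMON_CHILDREN', `5') both apply to every listener, and nothing in this diff exempts the submission daemon enabled at the bottom of the hunk: every MUA connection now waits five seconds for the banner, and five simultaneous inbound port-25 sessions are enough to make sendmail stop accepting submission connections at all. Since the client in the log is on 192.168.1.8, add a GreetPause:192.168.1 0 entry to the access map (access_db is enabled a few lines above) and reconsider such a low child limit, or comment why it is wanted. FEATURE(`conncontrol') and FEATURE(`ratecontrol') likewise only act on ClientConn:/ClientRate: entries in that same map, which are not part of this diff, so confirm they exist. The M=Ea on the MSA line (no ETRN, AUTH required) is right for a submission port.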
@@ -141,18 +151,20 @@
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
+DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
-FEATURE(`accept_unresolvable_domains')dnl
+dnl FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
+INPUT_MAIL_FILTER(`mimdefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m;E:5m')
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
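Review bot: the session in the log is attributed to this daemon, not the MSA ("did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4"), so Thunderbird is connecting to port 25, where AUTH is offered but not required, rather than to the submission port 587 that the subject line is about; check the client's port setting before debugging the MSA further. Two smaller points: the milter name is spelled `mimdefang' while the socket path says MIMEDefang (the name is only a label, but it is the label that appears in sendmail's Milter log lines, so matching it avoids confusion), and both this INPUT_MAIL_FILTER line and the DAEMON_OPTIONS line at the top of the hunk lack the trailing dnl the rest of the file uses.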
@@ -173,4 +185,4 @@
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
-dnl MAILER(cyrusv2)dnl
+MAILER(cyrusv2)dnl
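Review bot: MAILER(cyrusv2) completes the confLOCAL_MAILER/CYRUSV2_MAILER_ARGS change in the earlier hunk, but MAILER(procmail) and FEATURE(local_procmail) are kept. With confLOCAL_MAILER set to cyrusv2, local delivery goes over LMTP to Cyrus and procmail is reached only through the separate procmail mailer (mailertable or alias entries), so per-user .procmailrc processing is no longer automatic; confirm that is intended, or drop the procmail pieces so the delivery path is obvious to the next reader.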


Anyone seen anything similar to this?



--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
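The post says tcpdump is useless once TLS is up. The script below is an added example, not something from the original post or from sendmail: it uses openssl s_client to carry the SMTP dialogue inside TLS and compares the AUTH mechanisms a sendmail submission daemon offers before and after STARTTLS, which is the comparison that matters when a login works in the clear but not over TLS and confAUTH_OPTIONS contains `p'. The host name (MAILHOST), port 587, and the presence of nc and openssl are assumptions; the two EHLO replies used for the offline demonstration are constructed, not captured from the poster's server.

```shell
#!/bin/sh
# Added example (not from the original post): compare the AUTH mechanisms a
# sendmail MSA offers on a plain connection and inside STARTTLS.
# Assumptions: host in $MAILHOST, port 587, nc and openssl available.

# Extract the mechanisms from the "250-AUTH ..." (or old-style "250-AUTH=...")
# line of an EHLO reply read from stdin. Prints them sorted, space-separated,
# or an empty line when no AUTH capability was advertised.
ehlo_mechs() {
    set -- $(sed -n 's/^250[- ]AUTH[= ]*//p' | tr -d '\r' | tr ' ' '\n' \
             | sed '/^$/d' | sort -u)
    printf '%s\n' "$*"
}

# Mechanisms present in the first list but absent from the second,
# e.g. mechs_only_in "$after_tls" "$before_tls" -> what STARTTLS unlocked.
mechs_only_in() {
    out=
    for m in $1; do
        case " $2 " in
            *" $m "*) ;;
            *) out="$out $m" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Capability list with no TLS: a plain TCP session to the submission port.
probe_plain() {
    printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-587}" | ehlo_mechs
}

# Capability list inside TLS: s_client performs EHLO and STARTTLS itself and
# then relays our second EHLO over the encrypted channel (RFC 3207 requires a
# fresh EHLO after STARTTLS). Drop -quiet to also see the server certificate
# and the negotiated cipher.
probe_tls() {
    printf 'EHLO probe.example\r\nQUIT\r\n' \
        | openssl s_client -quiet -starttls smtp -connect "$1:${2:-587}" 2>/dev/null \
        | ehlo_mechs
}

# Constructed EHLO replies (not captured from any real server) showing what
# confAUTH_OPTIONS `A p' is meant to produce: PLAIN/LOGIN withheld until TLS.
sample_plain=$(printf '250-mail.example\r\n250-AUTH DIGEST-MD5 CRAM-MD5\r\n250 HELP\r\n')
sample_tls=$(printf '250-mail.example\r\n250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN\r\n250 HELP\r\n')

# Offline demonstration on the constructed replies.
demo() {
    before=$(printf '%s\n' "$sample_plain" | ehlo_mechs)
    after=$(printf '%s\n' "$sample_tls" | ehlo_mechs)
    printf 'only after STARTTLS: %s\n' "$(mechs_only_in "$after" "$before")"
}

# Live run only when a host is given:  MAILHOST=mail.example.com sh probe.sh
if [ -n "${MAILHOST:-}" ]; then
    plain=$(probe_plain "$MAILHOST")
    tls=$(probe_tls "$MAILHOST")
    printf 'no TLS : %s\n' "${plain:-<no AUTH offered>}"
    printf 'TLS    : %s\n' "${tls:-<no AUTH offered>}"
    printf 'only after STARTTLS: %s\n' "$(mechs_only_in "$tls" "$plain")"
else
    demo
fi
```

If the two lists differ, the MUA is almost certainly using a different mechanism in the two cases, and the failure should be chased as an authentication problem with that mechanism rather than as a TLS problem. Run the TLS probe without -quiet to confirm the certificate and cipher match what the STARTTLS=server log lines report.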


