Hello list,

I'm trying to set up a sendmail config using TLS to use gmail as a smart-host.

I made a copy of openbsd-proto.mc as follows:
divert(-1)
#
# Default OpenBSD sendmail configuration for systems accepting mail
# from the internet.
#
# Note that lines beginning with "dnl" below are comments.

divert(0)dnl
VERSIONID(`@(#)openbsd-proto.mc $Revision: 1.11 $')dnl
OSTYPE(openbsd)dnl
define(`SMART_HOST', `smtp.gmail.com')dnl
define(`confPRIVACY_FLAGS',
`authwarnings,needmailhelo,noexpn,novrfy,nobodyreturn')dnl
define(`confCW_FILE', `-o MAIL_SETTINGS_DIR`'local-host-names')dnl
define(`confCT_FILE', `-o MAIL_SETTINGS_DIR`'trusted-users')dnl
FEATURE(nouucp, `reject')dnl
FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
FEATURE(genericstable, `hash -o /etc/mail/genericstable')dnl
FEATURE(always_add_domain)dnl
FEATURE(redirect)dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Name=MTA6, M=O')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=E')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Port=587, Name=MSA6, M=O, M=E')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
CLIENT_OPTIONS(`Family=inet6, Address=::')dnl
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/CAcert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/localsendmailcert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/localsendmailkey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/localsendmailcert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/localsendmailkey.pem')dnl
MAILER(local)dnl
MAILER(smtp)dnl
LOCAL_RULESETS
HMessage-Id: $>CheckMessageId

SCheckMessageId
R< $+ @ $+ >            $@ OK
R$*                     $#error $: 553 Header Error

Followed by:
# make mysendmail.cf
rm -f mysendmail.cf
( cd /usr/share/sendmail/cf && /usr/bin/m4 \
    /usr/share/sendmail/cf/../m4/cf.m4 mysendmail.mc > \
    /usr/share/sendmail/cf/mysendmail.cf )
echo "### mysendmail.mc ###" >>mysendmail.cf
sed -e 's/^/# /' /usr/share/sendmail/cf/mysendmail.mc >>mysendmail.cf
chmod 444 mysendmail.cf

Then I created the necessary certificates:
$ sudo mkdir /etc/mail/certs

$ sudo openssl dsaparam 1024 -out dsa1024.pem
Generating DSA parameters, 1024 bit long prime
This could take some time
................+..........+................+++++++++++++++++++++++++++++++++++++++++++++++++++*
.........+..........+.......+.+.....+.+....+.+...+...+..............+.+...........+.+.+...............................+..........+.......+.........+++++++++++++++++++++++++++++++++++++++++++++++++++*
$ sudo openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem \
  -out /etc/mail/certs/localsendmailcert.pem \
  -keyout /etc/mail/certs/localsendmailkey.pem
Generating a 1024 bit DSA private key
writing new private key to '/etc/mail/certs/localsendmailkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:FR
State or Province Name (full name) []:Alsace
Locality Name (eg, city) []:Strasbourg
Organization Name (eg, company) []:Me
Organizational Unit Name (eg, section) []:mail
Common Name (eg, fully qualified host name) []:localhost
Email Address []:[EMAIL PROTECTED]

$ sudo ln -s /etc/mail/certs/localsendmailcert.pem /etc/mail/certs/CAcert.pem
$ sudo rm dsa1024.pem

$ sudo chmod -R go-rwx /etc/mail/certs

Then I ran sendmail with -C/etc/mail/mysendmail.cf

When I tried to send an email from mutt, I got the following log:
Oct  6 22:53:04 castor sm-mta[29257]: starting daemon (8.13.4):
[EMAIL PROTECTED]:30:00
Oct  6 22:53:06 castor sm-mta[20830]: STARTTLS=client,
relay=smtp.gmail.com, version=TLSv1/SSLv3, verify=FAIL,
cipher=DES-CBC3-SHA, bits=168/168
Oct  6 22:53:06 castor sm-mta[20830]: j95E6r6E009458:
to=<[EMAIL PROTECTED]>, delay=1+06:46:13,
xdelay=00:00:02, mailer=relay, pri=5611353, relay=smtp.gmail.com
[72.14.205.109], dsn=5.0.0, stat=Service unavailable
Oct  6 22:55:14 castor sendmail[17077]: j96KtEQB017077: from=ericd,
size=561, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Oct  6 22:55:14 castor sendmail[17077]: STARTTLS=client,
relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL,
cipher=DHE-DSS-AES256-SHA, bits=256/256
Oct  6 22:55:14 castor sm-mta[721]: STARTTLS=server,
[EMAIL PROTECTED] [127.0.0.1], version=TLSv1/SSLv3, verify=NO,
cipher=DHE-DSS-AES256-SHA, bits=256/256
Oct  6 22:55:14 castor sm-mta[721]: j96KtEx1000721:
from=<[EMAIL PROTECTED]>, size=719, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>, proto=ESMTP,
daemon=MTA, [EMAIL PROTECTED] [127.0.0.1]
Oct  6 22:55:14 castor sendmail[17077]: j96KtEQB017077:
[EMAIL PROTECTED], ctladdr=ericd (1000/1000), delay=00:00:00,
xdelay=00:00:00, mailer=relay, pri=30561, relay=[127.0.0.1]
[127.0.0.1], dsn=2.0.0, stat=Sent (j96KtEx1000721 Message accepted for
delivery)
Oct  6 22:55:16 castor sm-mta[19538]: STARTTLS=client,
relay=smtp.gmail.com, version=TLSv1/SSLv3, verify=FAIL,
cipher=DES-CBC3-SHA, bits=168/168
Oct  6 22:55:16 castor sm-mta[19538]: j96KtEx1000721:
to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (1000/1000),
delay=00:00:02, xdelay=00:00:02, mailer=relay, pri=30719,
relay=smtp.gmail.com [72.14.205.109], dsn=5.0.0, stat=Service
unavailable

After a while, I got this mail:
From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Returned mail: see transcript for details
Date: Thu, 6 Oct 2005 23:05:18 +0200 (CEST)

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.5K --]

The original message was received at Thu, 6 Oct 2005 22:55:14 +0200
(CEST)
from [EMAIL PROTECTED] [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
<[EMAIL PROTECTED]>
    (reason: 530 5.7.0 Authentication Required e13sm1175575qbe)

   ----- Transcript of session follows -----
... while talking to smtp.gmail.com:
>>> MAIL From:<[EMAIL PROTECTED]> SIZE=719
<<< 530 5.7.0 Authentication Required e13sm1175575qbe
554 5.0.0 Service unavailable

[-- Attachment #2 --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.3K --]

Reporting-MTA: dns; castor.workgroup
Received-From-MTA: DNS; localhost
Arrival-Date: Thu, 6 Oct 2005 22:55:14 +0200 (CEST)

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.7.0
Diagnostic-Code: SMTP; 530 5.7.0 Authentication Required
e13sm1175575qbe
Last-Attempt-Date: Thu, 6 Oct 2005 22:55:16 +0200 (CEST)

[-- Attachment #3 --]
[-- Type: text/rfc822-headers, Encoding: 8bit, Size: 0.8K --]
Return-Path: <[EMAIL PROTECTED]>
Received: from castor.workgroup ([EMAIL PROTECTED] [127.0.0.1])
        by castor.workgroup (8.13.4/8.13.4) with ESMTP id
j96KtEx1000721
        (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256
verify=NO)
        for <[EMAIL PROTECTED]>; Thu, 6 Oct 2005 22:55:14 +0200
(CEST)
Received: (from [EMAIL PROTECTED])
        by castor.workgroup (8.13.4/8.13.4/Submit) id j96KtEQB017077
        for [EMAIL PROTECTED]; Thu, 6 Oct 2005 22:55:14 +0200 (CEST)
Date: Thu, 6 Oct 2005 22:55:14 +0200
From: Eric Dillenseger <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Test TLS
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-15:utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.5.8i

Now I see it successfully connected to gmail smtp, but didn't authenticate.
My question is, how can I make it authenticate?

--
"Any attempt to brew coffee with a teapot should result in the error
code "418 I'm a teapot".
The resulting entity body MAY be short and stout."
-- HTCPCP Spec, RFC 2324
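The log excerpt in the post carries two security-relevant signals besides the missing SMTP AUTH: every STARTTLS=client line reads verify=FAIL, which means sendmail could not validate the peer's certificate against confCACERT (here a symlink to the host's own self-signed certificate, so no smart host's certificate will ever verify), and the hop to smtp.gmail.com negotiated DES-CBC3-SHA, a 3DES suite. Below is an added example, not part of the original post, of a small Python triage script that re-joins mail-wrapped sendmail syslog records, parses the key=value fields, and flags unverified outbound TLS, legacy cipher suites and permanent (5.x.x) delivery failures. The sample log is constructed from the lines above, with the archive's redacted addresses and message ids replaced by placeholder values; the legacy-cipher list is an assumption of this example, not something sendmail itself reports.

```python
"""Triage mail-wrapped sendmail syslog records for TLS and relay failures (added example)."""
import re
from collections import Counter

# Constructed sample: the STARTTLS/relay records from the post, wrapped exactly the
# way a mail client wraps them, with redacted addresses replaced by placeholders.
SAMPLE_LOG = """\
Oct  6 22:55:14 castor sendmail[17077]: j96KtEQB017077: from=ericd,
size=561, class=0, nrcpts=1,
msgid=<20051006205514.GA17077@castor.workgroup>, relay=ericd@localhost
Oct  6 22:55:14 castor sendmail[17077]: STARTTLS=client,
relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL,
cipher=DHE-DSS-AES256-SHA, bits=256/256
Oct  6 22:55:14 castor sm-mta[721]: STARTTLS=server,
relay=localhost [127.0.0.1], version=TLSv1/SSLv3, verify=NO,
cipher=DHE-DSS-AES256-SHA, bits=256/256
Oct  6 22:55:14 castor sm-mta[721]: j96KtEx1000721:
from=<ericd@castor.workgroup>, size=719, class=0, nrcpts=1,
msgid=<20051006205514.GA17077@castor.workgroup>, proto=ESMTP,
daemon=MTA, relay=localhost [127.0.0.1]
Oct  6 22:55:14 castor sendmail[17077]: j96KtEQB017077:
to=user@example.invalid, ctladdr=ericd (1000/1000), delay=00:00:00,
xdelay=00:00:00, mailer=relay, pri=30561, relay=[127.0.0.1]
[127.0.0.1], dsn=2.0.0, stat=Sent (j96KtEx1000721 Message accepted for
delivery)
Oct  6 22:55:16 castor sm-mta[19538]: STARTTLS=client,
relay=smtp.gmail.com, version=TLSv1/SSLv3, verify=FAIL,
cipher=DES-CBC3-SHA, bits=168/168
Oct  6 22:55:16 castor sm-mta[19538]: j96KtEx1000721:
to=<user@example.invalid>, ctladdr=<ericd@castor.workgroup> (1000/1000),
delay=00:00:02, xdelay=00:00:02, mailer=relay, pri=30719,
relay=smtp.gmail.com [72.14.205.109], dsn=5.0.0, stat=Service
unavailable
"""

# "Mon DD HH:MM:SS host prog[pid]: message"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Per-message records are prefixed with the queue id, e.g. "j96KtEx1000721: ..."
QID_RE = re.compile(r"^(?P<qid>[A-Za-z0-9]{10,16}): (?P<rest>.*)$")
# key=value pairs; a value runs until the next ", key=" or end of record, so
# values with spaces or brackets ("relay=smtp.gmail.com [72.14.205.109]") survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")
# Suite prefixes a current deployment should not negotiate (assumption of this example).
LEGACY_CIPHER_RE = re.compile(r"^(EXP|NULL|DES|RC4|ADH|AECDH)")


def unwrap(text):
    """Re-join continuation lines (no syslog header) onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    return records


def parse_log(text):
    """Return one dict per syslog record: ts, host, prog, pid, qid (or None), fields."""
    entries = []
    for record in unwrap(text):
        m = HEADER_RE.match(record)
        msg = m.group("msg")
        q = QID_RE.match(msg)
        qid = q.group("qid") if q else None
        if q:
            msg = q.group("rest")
        entries.append({"ts": m.group("ts"), "host": m.group("host"),
                        "prog": m.group("prog"), "pid": m.group("pid"),
                        "qid": qid, "fields": dict(FIELD_RE.findall(msg))})
    return entries


def triage(entries):
    """Flag unverified outbound TLS, legacy cipher suites and permanent failures."""
    findings = []
    for e in entries:
        f = e["fields"]
        relay = f.get("relay")
        # verify=FAIL on the client side: the peer certificate did not chain to confCACERT.
        if f.get("STARTTLS") == "client" and f.get("verify") == "FAIL":
            findings.append({"kind": "unverified-peer", "pid": e["pid"], "qid": e["qid"],
                             "relay": relay, "detail": "outbound STARTTLS negotiated but the "
                             "peer certificate did not verify against confCACERT/confCACERT_PATH"})
        cipher = f.get("cipher", "")
        if LEGACY_CIPHER_RE.match(cipher):
            findings.append({"kind": "legacy-cipher", "pid": e["pid"], "qid": e["qid"],
                             "relay": relay, "detail": "negotiated %s" % cipher})
        # dsn=5.x.x is a permanent failure; sendmail only logs a summary (stat=...),
        # the relay's real reply code is in the bounce's Diagnostic-Code field.
        if f.get("dsn", "").startswith("5."):
            findings.append({"kind": "permanent-failure", "pid": e["pid"], "qid": e["qid"],
                             "relay": relay, "detail": "%s; see the bounce's Diagnostic-Code "
                             "for the relay's reply" % f.get("stat")})
    return findings


def counts_by_kind(findings):
    """Summarise findings as {kind: count}."""
    return dict(Counter(x["kind"] for x in findings))


if __name__ == "__main__":
    for x in triage(parse_log(SAMPLE_LOG)):
        print("%-18s qid=%-15s relay=%-30s %s" % (x["kind"], x["qid"], x["relay"], x["detail"]))
```

Run against the sample it reports two unverified-peer hops (the MSA-to-MTA loopback hop and the hop to smtp.gmail.com), one legacy cipher on the Gmail hop, and one permanent failure for queue id j96KtEx1000721. The permanent-failure finding deliberately points at the bounce: the log's "Service unavailable" is sendmail's summary, while the 530 5.7.0 Authentication Required reply that actually explains the failure only appears in the delivery-status attachment.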
