Re: sendmail without DNS

[Tim Woodall]

On Sun, 21 Jul 2024, Adam Weremczuk wrote:


This is in a way a continuation of my recently "purely local DNS" thread.

To recap: my objective is to send emails to a single domain with both DNS and 
any other email traffic being disabled.


A simple working solution that I've found for Postfix is:

/etc/hosts
1.2.3.4example.com

/etc/postfix/main.cf
smtp_dns_support_level = disabled
smtp_host_lookup = native

Now I'm trying to achieve the same thing for Sendmail to no avail.

So far I've tried:

- the above /etc/hosts entry

- DEAMON_OPTIONS(`Port-smtp,Addr=127.0.0.1, Name=MTA')dnl in sendmail.mc 
followed by m4 sendmail.mc > sendmail.cf


You can just type make in /etc/mail and dbs will be rebuilt and it will
tell you if you need to reload.



- /etc/mail/mailertable
example.com esmtp:[1.2.3.4]



I use this. Are you missing FEATURE(mailertable)

sendmail.mc:FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl

Re: [Sendmail] Apparition de l'authentification sur 127.0.0.1 depuis une mise à jour récente

[BERTRAND Joël]

Je me réponds à moi-même.

J'ai trouvé au fin fond du bouquin O'Reilly (Sendmail, 4th edition) une
solution :

GreetPause:192.168 0
# Pas d'authentification pour 127.0.0.1
Srv_Features:127.0.0.1  ALS

Je demande donc à sendmail de ne pas proposer AUTH (A), de ne pas
nécessiter une authentification (L) et de ne pas proposer STARTTLS AUTH.
A était suffisant jusqu'à récemment, il faut maintenant ALS (AL n'est
pas suffisant).

Je ne pense pas que le responsable soit sendmail, mais le client qui
essaie de s'authentifier dès qu'il voit STARTTLS ou AUTH.

Désolé pour le bruit,

JB



signature.asc
Description: OpenPGP digital signature

[Sendmail] Apparition de l'authentification sur 127.0.0.1 depuis une mise à jour récente

[BERTRAND Joël]

Bonjour à tous,

J'ai un petit souci avec une grosse configuration sendmail (merci de ne
pas commencer par me dire qu'il faut passer à autre chose).

Cette configuration fonctionne correctement depuis des années avec
toutes les grouilles nécessaires (dmarc, dkim, clamav, spamassassin,
greylist...) et traite plusieurs dizaines de mails par jours.

Ce serveur demande une authentification sur le port submission depuis
les IP externes, et ne demandait pas d'authentification sur les deux
interfaces loopback (v4 et v6).

Depuis une mise à jour récente (mais je n'arrive pas à trouver
laquelle), une authentification est arrivée sur le loopback, ce qui
empêche par exemple root de recevoir les messages d'alerte des
différents daemons (dont smartctl, je me suis aperçu du truc après un
plantage disque de week-end).

Root rayleigh:[/etc/mail] > sendmail -v root@localhost
test
root@localhost... Connecting to [127.0.0.1] port 587 via relay...
220 rayleigh.systella.fr ESMTP Sendmail 8.18.1/8.18.1/Debian-5; Mon, 22
Jul 2024 11:12:21 +0200; (No UCE/UBE) logging access from:
localhost(OK)-smmsp@localhost [127.0.0.1]
>>> EHLO rayleigh.systella.fr
250-rayleigh.systella.fr Hello smmsp@localhost [127.0.0.1], pleased to
meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-STARTTLS
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> STARTTLS
220 2.0.0 Ready to start TLS
>>> EHLO rayleigh.systella.fr
250-rayleigh.systella.fr Hello smmsp@localhost [127.0.0.1], pleased to
meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From: SIZE=5
530 5.7.0 Authentication required
bertrand... Using cached ESMTP connection to [127.0.0.1] via relay...
>>> RSET
250 2.0.0 Reset state
>>> MAIL From:<> SIZE=1029
530 5.7.0 Authentication required
postmaster... Using cached ESMTP connection to [127.0.0.1] via relay...
>>> RSET
250 2.0.0 Reset state
>>> MAIL From:<> SIZE=2053
530 5.7.0 Authentication required
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 rayleigh.systella.fr closing connection
Root rayleigh:[/etc/mail] >

Je précise que rien n'a changé dans cette configuration (j'ai même
ressorti une archive de l'an passé pour être sûr). Dans access, j'ai bien :

Root rayleigh:[/etc/mail] > cat access
GreetPause:192.168 0
# Pas d'authentification pour 127.0.0.1
SRV_Features:127.0.0.1 A

mais qui semble être ignoré.

Mon sendmail.mc ne semble rien contenir de particulier :

divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
define(`CERT_DIR',`/etc/letsencrypt/live/systella.fr')dnl
define(`confTLS_FALLBACK_TO_CLEAR', `true')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.12.3-6.6 2003-09-17 22:44:06 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
FEATURE(`masquerade_envelope')dnl
MASQUERADE_AS(`systella.fr')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
VIRTUSER_DOMAIN_FILE(`-o /etc/mail/virtuserdomains')dnl
FEATURE(`access_db',`hash -o -T /etc/mail/access')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`smrsh')dnl
FEATURE(`mailertable')dnl
FEATURE(`greet_pause',1000)dnl
FEATURE(`local_procmail')dnl

LOCAL_CONFIG
include(`/etc/mail/sasl/sasl.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl
include(`/etc/mail/milter-greylist.m4')dnl
INPUT_MAIL_FILTER(`spamassassin',
`S=local:/var/run/spamass/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl,
F=, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`opendkim', `S=inet:8892@localhost')dnl
INPUT_MAIL_FILTER(`pyspffilter',
`S=local:/var/run/spf-milter-python/spfmiltersock')dnl
INPUT_MAIL_FILTER(`opendmarc', `S=local:/run/opendmarc/opendmarc.sock')dnl
define(`confINPUT_MAIL_FILTERS',
`pyspffilter,opendkim,opendmarc,greylist,spamassassin,clamav')dnl
define(`STATUS_FILE', `/var/lib/sendmail/sendmail.st')dnl
define(`STATUS_FILE', `/var/lib/sendmail/sm-client.st')dnl

FEATURE(`no_default_msa', `dnl')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA, Family=inet')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTAv6, Family=inet6')dnl
DAEMON_OPTIONS(`Port=submission, M=Ea, Name=MSA, Family=inet')dnl
DAEMON_OPTIONS(`Port=submission, M=Ea, Name=MSA, Family=inet6')dnl

MAILER_DEFINITIONS
MAILER(local)dnl
MAILER(smtp)dnl

Si quelqu'un avait un début d'explication...

Bien cordialement,

JB






signature.asc
Description: OpenPGP digital signature

Re: sendmail without DNS

[Adam Weremczuk]

Thanks for pointing that out.

I've noticed that installing sendmail package was removing postfix and 
vice versa.


That made me think these two were mutually exclusive.

After reinstalling postfix, logwatch suddenly started sending emails so 
everything is now working as expected.


---
Adam


On 21/07/2024 14:23, Greg Wooledge wrote:


Blimey.  You are COMPLETELY confused, aren't you.

If postfix (the package named "postfix") is installed, and if sendmail
(the package named "sendmail") is NOT installed, then you are using
Postfix to send mail.

Part of the postfix package is a /usr/sbin/sendmail program which
implements the command line interface for local programs to send mail.

EVERY MTA has to implement the /usr/sbin/sendmail program.

Including Postfix.

If you're running Postfix (*not* Sendmail) as your MTA, and if you've
got it configured how you want it, then you are DONE.  You don't need
to ask us how to configure Sendmail to do the same thing, because you're
not USING Sendmail.

Re: sendmail without DNS

[Joe]

On Sun, 21 Jul 2024 18:36:30 +1000
George at Clug  wrote:

> Adam,
> 
> I dislike people to reply to my questions but do not answer the
> question, instead suggest I do something totally different.

Yes, but sometimes:

a) that's the right answer anyway

b) it may not answer the OP's question. but may answer someone else's
question much later

c) it may inform the OP that there may be a better way of doing it that
the OP was not aware of

d) it may be that the OP is asking the wrong question, but will get
information from your answer as to what the right question should be

> 
> Please forgive me, as that is what I am about to do.


> 
> I have had, what seems to me to be similar issue, my solution was to
> set up an authoritative BIND9 server on the email/web server in
> question, and have the server first use its own BIND9 server's DNS
> service first. 
> 
> Admittedly I did not care if my authoritative BIND9 server went out
> the the Internet for any queries for which it was not authoritative.
> 
> It did allow me to run the server isolated either from the Internet
> and/or connected to the Internet.
> 
Indeed. If you do run a DNS server for general network use, you will
always want to put in local information. If there is also an Internet
DNS server authoritative for the same domain, you need to put in copies
of relevant information that server contains, which will otherwise not
be found.

BIND9 is a bit of a nuisance, especially when you miss a bit of
punctuation in a zone file and it won't start, but as far as I can
tell, it's the only DNS solution that will access root hints. I would
prefer something a bit lighter. I would rather not trust Net DNS servers
since I turned up this company
https://uk.linkedin.com/company/barefruit
(one of many such) in logs. Advertising is easy to ignore, but the idea
of tampering with DNS does not impress me.

-- 
Joe

Re: sendmail without DNS

[Greg Wooledge]

On Sun, Jul 21, 2024 at 08:24:06 +0100, Adam Weremczuk wrote:
> Let me rephrase my question, which should be easier to answer.
> 
> What exactly shall I substitute:
> 
> mailer = "/usr/sbin/sendmail -t"
> 
> with in /usr/share/logwatch/default.conf/logwatch.conf
> 
> to make logwatch use postfix (already working without DNS) instead of
> sendmail?

Blimey.  You are COMPLETELY confused, aren't you.

If postfix (the package named "postfix") is installed, and if sendmail
(the package named "sendmail") is NOT installed, then you are using
Postfix to send mail.

Part of the postfix package is a /usr/sbin/sendmail program which
implements the command line interface for local programs to send mail.

EVERY MTA has to implement the /usr/sbin/sendmail program.

Including Postfix.

If you're running Postfix (*not* Sendmail) as your MTA, and if you've
got it configured how you want it, then you are DONE.  You don't need
to ask us how to configure Sendmail to do the same thing, because you're
not USING Sendmail.

Re: sendmail without DNS

[Anssi Saari]

Adam Weremczuk  writes:

> Let me rephrase my question, which should be easier to answer.
>
> What exactly shall I substitute:
>
> mailer = "/usr/sbin/sendmail -t"
>
> with in /usr/share/logwatch/default.conf/logwatch.conf
>
> to make logwatch use postfix (already working without DNS) instead of
> sendmail?

With a quick look, the postfix package includes /usr/sbin/sendmail. So
if your /usr/sbin/sendmail isn't the one provided by postfix then likely
you have more than one and that situation is probably managed by
update-alternatives?

So, run update-alternatives --list sendmail and maybe also
ls -l /usr/sbin/sendmail to see what the what is.

Re: sendmail without DNS

[George at Clug]

Adam,

I dislike people to reply to my questions but do not answer the question, 
instead suggest I do something totally different.

Please forgive me, as that is what I am about to do.

I have had, what seems to me to be similar issue, my solution was to set up an 
authoritative BIND9 server on the email/web server in question, and have the 
server first use its own BIND9 server's DNS service first. 

Admittedly I did not care if my authoritative BIND9 server went out the the 
Internet for any queries for which it was not authoritative.

It did allow me to run the server isolated either from the Internet and/or 
connected to the Internet.

George.
 

On Sunday, 21-07-2024 at 16:58 Adam Weremczuk wrote:
> This is in a way a continuation of my recently "purely local DNS" thread.
> 
> To recap: my objective is to send emails to a single domain with both 
> DNS and any other email traffic being disabled.
> 
> A simple working solution that I've found for Postfix is:
> 
> /etc/hosts
> 1.2.3.4example.com
> 
> /etc/postfix/main.cf
> smtp_dns_support_level = disabled
> smtp_host_lookup = native
> 
> Now I'm trying to achieve the same thing for Sendmail to no avail.
> 
> So far I've tried:
> 
> - the above /etc/hosts entry
> 
> - DEAMON_OPTIONS(`Port-smtp,Addr=127.0.0.1, Name=MTA')dnl in sendmail.mc 
> followed by m4 sendmail.mc > sendmail.cf
> 
> - /etc/mail/mailertable
> example.com esmtp:[1.2.3.4]
> 
> 1. Has anybody tried and got it working?
> 
> 2. What's the best way to engage with Sendmail forums / mailing list?
> 
> Both comp.mail.sendmail and newscomp.mail.sendmail usenet groups appear 
> to be dead.
> 
> ---
> Adam
> 
> 

Re: sendmail without DNS

[Kamil Jońca]

Adam Weremczuk  writes:

> Let me rephrase my question, which should be easier to answer.
>
> What exactly shall I substitute:
>
> mailer = "/usr/sbin/sendmail -t"
>

Eee. Nothing?
--8<---cut here---start->8---
dpkg -L postfix|grep send 
/usr/sbin/sendmail
/usr/share/man/man1/sendmail.1.gz
/usr/lib/sendmail
--8<---cut here---end--->8---

Man sendmail says that:
--8<---cut here---start->8---
  -t Extract recipients from message headers. These are added to any 
recipients specified on the command line.
--8<---cut here---end--->8---
(I do not that 'original' sendmail has the same meaning, but I supposed
so.)
KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
Make me look like LINDA RONSTADT again!!

Re: sendmail without DNS

[Adam Weremczuk]

Let me rephrase my question, which should be easier to answer.

What exactly shall I substitute:

mailer = "/usr/sbin/sendmail -t"

with in /usr/share/logwatch/default.conf/logwatch.conf

to make logwatch use postfix (already working without DNS) instead of 
sendmail?



On 21/07/2024 08:08, Jeff Pang wrote:

Sendmail is too old to be supported.
You may use postfix and exim instead. They are main stream MTA software 
today.

Re: sendmail without DNS

[Jeff Pang]

Sendmail is too old to be supported.
You may use postfix and exim instead. They are main stream MTA software 
today.



On 2024-07-21 14:58, Adam Weremczuk wrote:
This is in a way a continuation of my recently "purely local DNS" 
thread.


To recap: my objective is to send emails to a single domain with both 
DNS and any other email traffic being disabled.


A simple working solution that I've found for Postfix is:

/etc/hosts
1.2.3.4example.com

/etc/postfix/main.cf
smtp_dns_support_level = disabled
smtp_host_lookup = native

Now I'm trying to achieve the same thing for Sendmail to no avail.

So far I've tried:

- the above /etc/hosts entry

- DEAMON_OPTIONS(`Port-smtp,Addr=127.0.0.1, Name=MTA')dnl in 
sendmail.mc followed by m4 sendmail.mc > sendmail.cf


- /etc/mail/mailertable
example.com esmtp:[1.2.3.4]

1. Has anybody tried and got it working?

2. What's the best way to engage with Sendmail forums / mailing list?

Both comp.mail.sendmail and newscomp.mail.sendmail usenet groups appear 
to be dead.


---
Adam


--
Jeff Pang
jeffp...@aol.com

sendmail without DNS

[Adam Weremczuk]

This is in a way a continuation of my recently "purely local DNS" thread.

To recap: my objective is to send emails to a single domain with both 
DNS and any other email traffic being disabled.


A simple working solution that I've found for Postfix is:

/etc/hosts
1.2.3.4example.com

/etc/postfix/main.cf
smtp_dns_support_level = disabled
smtp_host_lookup = native

Now I'm trying to achieve the same thing for Sendmail to no avail.

So far I've tried:

- the above /etc/hosts entry

- DEAMON_OPTIONS(`Port-smtp,Addr=127.0.0.1, Name=MTA')dnl in sendmail.mc 
followed by m4 sendmail.mc > sendmail.cf


- /etc/mail/mailertable
example.com esmtp:[1.2.3.4]

1. Has anybody tried and got it working?

2. What's the best way to engage with Sendmail forums / mailing list?

Both comp.mail.sendmail and newscomp.mail.sendmail usenet groups appear 
to be dead.


---
Adam

Re: sendmail and starttls failing

[Tim Woodall]

On Mon, 1 Jul 2024, Tim Woodall wrote:


On Sun, 30 Jun 2024, Tim Woodall wrote:


On Sun, 30 Jun 2024, Michael Grant wrote:


Yeah I'm seeing this too!  Identical in fact.  This is what I did to
fix this:  I added this to my /etc/mail/access file for my local
server that sends this messages to me:

   SRV_Features:127.0.0.1  L U G

Specifically, I added the U and G features, (I already had the L
feature disabled for localhost).  Uppercase letter disables the
feature, lowercase enables it.

I found the U and G mentioned here:

https://forums.oracle.com/ords/apexds/post/solaris-11-4-sendmail-issue-after-sendmail-8-18-1-update-7312

I did not try this suggestion to use U2 and G2 that he mentioned.  If
you do let me know.



Thanks!

I've just added u2 g2 and it seems to work. My quick test had bare LF
removed and bare CR replaced by space which isn't what I expected but is
good enough...




Actually, in bookworm this only seems to work with cr. mail wasn't
sending a lf and my email client was not displaying ^f

This works for testing cr and lf.
echo -ne 'Subject: test\n\ncr\rcr/lf\nlf' | /usr/sbin/sendmail -i -- root



This is what I see in sendmail logs:
Jul  1 17:06:55 dirac sm-mta[21391]: 461G6tQr021391: collect: relay=localhost, 
from=, info=Bare carriage return (CR) not 
allowed, where=body, status=replaced

I don't think bare LF are a problem for sendmail which is why I suspect
they're not being replaced.

Re: sendmail and starttls failing

[Greg Wooledge]

On Mon, Jul 01, 2024 at 09:34:39 +0100, Mark Fletcher wrote:
> cron isn’t a mail sending tool — not the right place to police something
> like this. Seems to me that sendmail is.

There are two possible layers here.  First, a cron job (typically a
shell command, or a shell script) might invoke mailx(1) or mail(1)
directly.  In this case, it's the responsibility of mailx or mail to
format and transmit the message correctly when it invokes the
/usr/sbin/sendmail program.

The second case, which is much more common, is that cron(8) itself
invokes /usr/sbin/sendmail to inject a message whenever a job writes
output to either stdout or stderr.  This output is captured by cron,
and then emailed to the job's owner.

hobbit:~$ strings /usr/sbin/cron | grep sendmail
/usr/sbin/sendmail

Looks like cron is doing what I would expect.  In this case, it's cron's
responsibility to make sure the message is correctly formatted.

If cron is injecting mail that /usr/sbin/sendmail is rejecting due to
bare LF or bare CR (for whichever implementation of /usr/sbin/sendmail
is installed), then this is a bug in cron.

If your cron job is calling mailx or mail directly, and one of those
tools is injecting a message that gets rejected due to bare LF or bare CR,
then this is a bug in mailx or mail, and should be reported as such.
The same applies to any CLI MUA -- mutt, nail, s-nail, Mail, etc.  Also,
note that mailx has multiple implementing packages in Debian, at least
two that I know of: bsd-mailx and mailutils.  Make sure you file your
bug reports against the correct packages.

Re: sendmail and starttls failing

[Tim Woodall]

On Sun, 30 Jun 2024, Tim Woodall wrote:


On Sun, 30 Jun 2024, Michael Grant wrote:


Yeah I'm seeing this too!  Identical in fact.  This is what I did to
fix this:  I added this to my /etc/mail/access file for my local
server that sends this messages to me:

   SRV_Features:127.0.0.1  L U G

Specifically, I added the U and G features, (I already had the L
feature disabled for localhost).  Uppercase letter disables the
feature, lowercase enables it.

I found the U and G mentioned here:

https://forums.oracle.com/ords/apexds/post/solaris-11-4-sendmail-issue-after-sendmail-8-18-1-update-7312

I did not try this suggestion to use U2 and G2 that he mentioned.  If
you do let me know.



Thanks!

I've just added u2 g2 and it seems to work. My quick test had bare LF
removed and bare CR replaced by space which isn't what I expected but is
good enough...




Actually, in bookworm this only seems to work with cr. mail wasn't
sending a lf and my email client was not displaying ^f

This works for testing cr and lf.
echo -ne 'Subject: test\n\ncr\rcr/lf\nlf' | /usr/sbin/sendmail -i -- root

Re: sendmail and starttls failing

[Tim Woodall]

On Mon, 1 Jul 2024, Mark Fletcher wrote:


On Sun, 30 Jun 2024 at 23:21, Tim Woodall  wrote:




The thing I'm seeing is  in the body of the email - I had no idea
this was illegal - and I'm surprised that tools like cron don't do
something to avoid sending "illegal" emails. Indeed, even mail will do
so happily.

cron isn?t a mail sending tool ? not the right place to police something

like this. Seems to me that sendmail is.

Mark



Sendmail now polices it - so cron emails get stuck if they contain a
bare cr. Presumably every mta is now doing something similar.

There may be a cron setting that I'm missing to avoid this, I haven't
looked yet.

It is, of course, possible to run the output of every cron job through a
filter too.

my sendmail is now replacing bare cr with space so cron emails are
delivered.

Re: sendmail and starttls failing

[Mark Fletcher]

On Sun, 30 Jun 2024 at 23:21, Tim Woodall  wrote:

>
>
> The thing I'm seeing is  in the body of the email - I had no idea
> this was illegal - and I'm surprised that tools like cron don't do
> something to avoid sending "illegal" emails. Indeed, even mail will do
> so happily.
>
> cron isn’t a mail sending tool — not the right place to police something
like this. Seems to me that sendmail is.

Mark

Re: sendmail and starttls failing

[Jeffrey Walton]

On Sun, Jun 30, 2024 at 6:13 PM Greg Wooledge  wrote:
>
> On Sun, Jun 30, 2024 at 23:08:01 +0100, Tim Woodall wrote:
> > According to this
> > https://support.trustwave.com/kb/KnowledgebaseArticle10016.aspx
> >
> > bare CRs aren't allowed in emails but this has always worked.
> >
> > I'm only likely to have cron generating emails like this.
> >
> > Strange that this would have been changed in a stable release. It
> > doesn't seem to have been a security update.
>
> It looks like it's coming from this change:
>
> https://metadata.ftp-master.debian.org/changelogs//main/s/sendmail/sendmail_8.17.1.9-2+deb12u2_changelog
>
>   * Fix CVE-2023-51765 (Closes: #1059386):
> sendmail allowed SMTP smuggling in certain configurations.
> Remote attackers can use a published exploitation
> technique to inject e-mail messages with a spoofed
> MAIL FROM address, allowing bypass of an SPF protection
> mechanism. This occurs because sendmail supports
> . but some other popular e-mail servers
> do not. This is resolved with 'o' in srv_features.
>
> I don't know the details of how this leads to a security hole.

Take a look at the blog at
<https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/>.

Jeff

Re: sendmail and starttls failing

[Jeffrey Walton]

On Sun, Jun 30, 2024 at 6:08 PM Tim Woodall  wrote:
>
> On Sun, 30 Jun 2024, Tim Woodall wrote:
>
> > On Sun, 30 Jun 2024, Michael Grant wrote:
> >
> >> After an update today, sendmail is refusing to accept mail.  I'm
> >> seeing this in the logs:
> >>
> >
> > Hmmm, this update seems to have done a lot of odd things.
> >
>
> root@dirac:~# mail root
> Cc:
> Subject: test cr
> this
> is^Ma test
> .
> root@dirac:~# mailq
> MSP Queue status...
>  /var/spool/mqueue-client (1 request)
> -Q-ID- --Size-- -Q-Time- 
> Sender/Recipient---
> 45ULV1xk014043   15 Sun Jun 30 22:31 r...@dirac.home.woodall.me.uk
>   (Deferred: 421 4.5.0 Bare carriage return (CR) not allowed)
>   root
>  Total requests: 1
> MTA Queue status...
> /var/spool/mqueue is empty
>  Total requests: 0
>
> According to this
> https://support.trustwave.com/kb/KnowledgebaseArticle10016.aspx
>
> bare CRs aren't allowed in emails but this has always worked.
>
> I'm only likely to have cron generating emails like this.
>
> Strange that this would have been changed in a stable release. It
> doesn't seem to have been a security update.

New SMTP smuggling attack,
<https://www.openwall.com/lists/oss-security/2023/12/21/6>.

The short of it is, non-conforming emails and sloppy parsing have led
to a litany of problems including mail spoofing. It has been going on
for years, but now things are changing.

Jeff

Re: sendmail and starttls failing

[Tim Woodall]

On Sun, 30 Jun 2024, Michael Grant wrote:


Yeah I'm seeing this too!  Identical in fact.  This is what I did to
fix this:  I added this to my /etc/mail/access file for my local
server that sends this messages to me:

   SRV_Features:127.0.0.1  L U G

Specifically, I added the U and G features, (I already had the L
feature disabled for localhost).  Uppercase letter disables the
feature, lowercase enables it.

I found the U and G mentioned here:

https://forums.oracle.com/ords/apexds/post/solaris-11-4-sendmail-issue-after-sendmail-8-18-1-update-7312

I did not try this suggestion to use U2 and G2 that he mentioned.  If
you do let me know.



Thanks!

I've just added u2 g2 and it seems to work. My quick test had bare LF
removed and bare CR replaced by space which isn't what I expected but is
good enough...

Re: sendmail and starttls failing

[Tim Woodall]

On Sun, 30 Jun 2024, Greg Wooledge wrote:


On Sun, Jun 30, 2024 at 23:08:01 +0100, Tim Woodall wrote:

According to this
https://support.trustwave.com/kb/KnowledgebaseArticle10016.aspx

bare CRs aren't allowed in emails but this has always worked.

I'm only likely to have cron generating emails like this.

Strange that this would have been changed in a stable release. It
doesn't seem to have been a security update.


It looks like it's coming from this change:

https://metadata.ftp-master.debian.org/changelogs//main/s/sendmail/sendmail_8.17.1.9-2+deb12u2_changelog

 * Fix CVE-2023-51765 (Closes: #1059386):
   sendmail allowed SMTP smuggling in certain configurations.
   Remote attackers can use a published exploitation
   technique to inject e-mail messages with a spoofed
   MAIL FROM address, allowing bypass of an SPF protection
   mechanism. This occurs because sendmail supports
   . but some other popular e-mail servers
   do not. This is resolved with 'o' in srv_features.

I don't know the details of how this leads to a security hole.




It might be - but the wording suggested that this is blocking bare 
which isn't my problem - and also I'd assume this is header related.

The thing I'm seeing is  in the body of the email - I had no idea
this was illegal - and I'm surprised that tools like cron don't do
something to avoid sending "illegal" emails. Indeed, even mail will do
so happily.

Re: sendmail and starttls failing

[Greg Wooledge]

On Sun, Jun 30, 2024 at 23:08:01 +0100, Tim Woodall wrote:
> According to this
> https://support.trustwave.com/kb/KnowledgebaseArticle10016.aspx
> 
> bare CRs aren't allowed in emails but this has always worked.
> 
> I'm only likely to have cron generating emails like this.
> 
> Strange that this would have been changed in a stable release. It
> doesn't seem to have been a security update.

It looks like it's coming from this change:

https://metadata.ftp-master.debian.org/changelogs//main/s/sendmail/sendmail_8.17.1.9-2+deb12u2_changelog

  * Fix CVE-2023-51765 (Closes: #1059386):
sendmail allowed SMTP smuggling in certain configurations.
Remote attackers can use a published exploitation
technique to inject e-mail messages with a spoofed
MAIL FROM address, allowing bypass of an SPF protection
mechanism. This occurs because sendmail supports
. but some other popular e-mail servers
do not. This is resolved with 'o' in srv_features.

I don't know the details of how this leads to a security hole.

Re: sendmail and starttls failing

[Tim Woodall]

On Sun, 30 Jun 2024, Tim Woodall wrote:


On Sun, 30 Jun 2024, Michael Grant wrote:


After an update today, sendmail is refusing to accept mail.  I'm
seeing this in the logs:



Hmmm, this update seems to have done a lot of odd things.



root@dirac:~# mail root
Cc: 
Subject: test cr

this
is^Ma test
.
root@dirac:~# mailq
MSP Queue status...
/var/spool/mqueue-client (1 request)
-Q-ID- --Size-- -Q-Time- Sender/Recipient---
45ULV1xk014043   15 Sun Jun 30 22:31 r...@dirac.home.woodall.me.uk
 (Deferred: 421 4.5.0 Bare carriage return (CR) not allowed)
 root
Total requests: 1
MTA Queue status...
/var/spool/mqueue is empty
Total requests: 0



According to this
https://support.trustwave.com/kb/KnowledgebaseArticle10016.aspx

bare CRs aren't allowed in emails but this has always worked.

I'm only likely to have cron generating emails like this.

Strange that this would have been changed in a stable release. It
doesn't seem to have been a security update.

Re: sendmail and starttls failing

[Michael Grant]

On Sun, Jun 30, 2024 at 10:20:24PM +0100, Tim Woodall wrote:
> On Sun, 30 Jun 2024, Michael Grant wrote:
> 
> > After an update today, sendmail is refusing to accept mail.  I'm
> > seeing this in the logs:
> > 
> 
> Hmmm, this update seems to have done a lot of odd things.
> 
> MSP Queue status...
> /var/spool/mqueue-client (2 requests)
> -Q-ID- --Size-- -Q-Time- 
> Sender/Recipient---
> 45U9e1iI01814530770 Sun Jun 30 10:40 MAILER-DAEMON
>  (Deferred: 421 4.5.0 Bare carriage return (CR) not allowed)
>  root
> 45U5Qnln00888528799 Sun Jun 30 06:26 root
>   7BIT   (Deferred: 421 4.5.0 Bare carriage return (CR) not allowed)
>  root
> Total requests: 2
> MTA Queue status...
> /var/spool/mqueue is empty
> Total requests: 0
> 
> 
> 
> That's the cron email telling me about the update.
> 
> It's not at all clear to me what it's complaining about.
> root@dirac:/var/spool/mqueue-client# od -t x1 qf45U* | grep 0d
> root@dirac:/var/spool/mqueue-client#
> 
> Unless it's the bare CR in the body of the email - which should be fine!
> 
> Moving the queue files from mqueue-client to mqueue and fixing up the
> owner and perms and they delivered fine.
> 
> 

Yeah I'm seeing this too!  Identical in fact.  This is what I did to
fix this:  I added this to my /etc/mail/access file for my local
server that sends this messages to me:

SRV_Features:127.0.0.1  L U G

Specifically, I added the U and G features, (I already had the L
feature disabled for localhost).  Uppercase letter disables the
feature, lowercase enables it.

I found the U and G mentioned here:

https://forums.oracle.com/ords/apexds/post/solaris-11-4-sendmail-issue-after-sendmail-8-18-1-update-7312

I did not try this suggestion to use U2 and G2 that he mentioned.  If
you do let me know.



signature.asc
Description: PGP signature

Re: sendmail and starttls failing

[Tim Woodall]

On Sun, 30 Jun 2024, Michael Grant wrote:


After an update today, sendmail is refusing to accept mail.  I'm
seeing this in the logs:



Hmmm, this update seems to have done a lot of odd things.

MSP Queue status...
/var/spool/mqueue-client (2 requests)
-Q-ID- --Size-- -Q-Time- Sender/Recipient---
45U9e1iI01814530770 Sun Jun 30 10:40 MAILER-DAEMON
 (Deferred: 421 4.5.0 Bare carriage return (CR) not allowed)
 root
45U5Qnln00888528799 Sun Jun 30 06:26 root
  7BIT   (Deferred: 421 4.5.0 Bare carriage return (CR) not allowed)
 root
Total requests: 2
MTA Queue status...
/var/spool/mqueue is empty
Total requests: 0



That's the cron email telling me about the update.

It's not at all clear to me what it's complaining about.
root@dirac:/var/spool/mqueue-client# od -t x1 qf45U* | grep 0d
root@dirac:/var/spool/mqueue-client#

Unless it's the bare CR in the body of the email - which should be fine!

Moving the queue files from mqueue-client to mqueue and fixing up the
owner and perms and they delivered fine.

Re: sendmail and starttls failing

[Tim Woodall]

On Sun, 30 Jun 2024, Michael Grant wrote:


Jun 30 11:43:00 bottom sm-mta[18852]: AUTH: available mech=DIGEST-MD5 CRAM-MD5 
LOGIN PLAIN, allowed mech=EXTERNAL


Update here, it's not apparently an STARTTLS error, it's an AUTH
error.  Something in the update last night altered my list of
available AUTH mechanisms.

I manually updated sendmail.cf and updated this line:

O AuthMechanisms=EXTERNAL DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN

by adding "DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN" and now it accepts
mail from my desktop.

I don't see where this is configured.  /etc/sasl2/Sendmail.conf which
is a link to /etc/mail/sasl/Sendmail.conf.2, but this file looks good,
I don't know where it's getting the AuthMechanisms from (yet).



I think this is configured in sasl.m4

and I suspect it's something to do with the "sm_version_math" stuff but
exactly what has changed to break this for you I don't know

ifelse(eval(sm_version_math >= 526848), `1', `dnl
ifelse(sm_enable_auth, `yes', `dnl
dnl #
dnl # Set a more reasonable timeout on negotiation
dnl #
define(`confTO_AUTH',  `2m')dnl  #   , def=10m
dnl #
dnl # Do not touch anything above this line...
dnl #
dnl # Available Authentication methods
dnl #
define(`confAUTH_MECHANISMS',dnl
`DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')dnl
dnl #
dnl # These, we will trust for relaying
dnl #
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 PLAIN LOGIN')
dnl #
dnl # for 8.12.0+, add EXTERNAL as an available & trusted mech (w/STARTTLS)
dnl # and allow sharing of /etc/sasldb(2) file, allow group read/write
dnl #
ifelse(eval(sm_version_math >= 527360), `1', `dnl
define(`confAUTH_MECHANISMS',dnl
`EXTERNAL 'defn(`confAUTH_MECHANISMS'))dnl
TRUST_AUTH_MECH(`EXTERNAL')
define(`confDONT_BLAME_SENDMAIL',dnl
defn(`confDONT_BLAME_SENDMAIL')`,GroupReadableSASLDBFile,GroupWritableSASLDBFile')dnl
')dnl

Re: sendmail and starttls failing

[Michael Grant]

> Jun 30 11:43:00 bottom sm-mta[18852]: AUTH: available mech=DIGEST-MD5 
> CRAM-MD5 LOGIN PLAIN, allowed mech=EXTERNAL

Update here, it's not apparently an STARTTLS error, it's an AUTH
error.  Something in the update last night altered my list of
available AUTH mechanisms.

I manually updated sendmail.cf and updated this line:

O AuthMechanisms=EXTERNAL DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN

by adding "DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN" and now it accepts
mail from my desktop.

I don't see where this is configured.  /etc/sasl2/Sendmail.conf which
is a link to /etc/mail/sasl/Sendmail.conf.2, but this file looks good,
I don't know where it's getting the AuthMechanisms from (yet).


signature.asc
Description: PGP signature

sendmail and starttls failing

[Michael Grant]

After an update today, sendmail is refusing to accept mail.  I'm
seeing this in the logs:

STARTTLS=read, info: fds=9/4, err=2

Here's the full log from when I try to send a message through my
server with authentication:

Jun 30 11:42:59 bottom sm-mta[18852]: NOQUEUE: connect from [1.2.3.4]
Jun 30 11:42:59 bottom sm-mta[18852]: AUTH: available mech=DIGEST-MD5 CRAM-MD5, 
allowed mech=EXTERNAL
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: Milter (clamav): init 
success to negotiate
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: Milter (spamassassin): 
init success to negotiate
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: Milter (opendkim): init 
success to negotiate
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: Milter: connect to filters
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: milter=clamav, 
action=connect, continue
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: milter=spamassassin, 
action=connect, continue
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: milter=opendkim, 
action=connect, continue
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: --- 220 
bottom.networkguild.org ESMTP Sendmail 8.17.1.9/8.17.1.9/Debian-2+deb12u2; Sun, 
30 Jun 2024 11:42:59 -0400; (No UCE/UBE) logging access from: 
[1.2.3.4](FAIL)-[1.2.3.4]
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: <-- EHLO [1.2.3.4]
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: milter=spamassassin, 
action=helo, continue
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: --- 
250-bottom.networkguild.org Hello [1.2.3.4], pleased to meet you
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: --- 
250-ENHANCEDSTATUSCODES
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: --- 250-PIPELINING
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: --- 250-EXPN
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: --- 250-VERB
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: --- 250-8BITMIME
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: --- 250-SIZE
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: --- 250-STARTTLS
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: --- 250-DELIVERBY
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: --- 250 HELP
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: <-- STARTTLS
Jun 30 11:42:59 bottom sm-mta[18852]: engine=(null), path=(null), ispre=0, 
pre=0, initialized=0
Jun 30 11:42:59 bottom sm-mta[18852]: tls_srv_features=(null), relay=[1.2.3.4] 
[1.2.3.4]
Jun 30 11:42:59 bottom sm-mta[18852]: tls_srv_features=empty, stat=0, 
relay=[1.2.3.4] [1.2.3.4]
Jun 30 11:42:59 bottom sm-mta[18852]: 45UFgx2h018852: --- 220 2.0.0 Ready to 
start TLS
Jun 30 11:42:59 bottom sm-mta[18852]: STARTTLS=server, info: fds=9/4, err=2
Jun 30 11:43:00 bottom sm-mta[18852]: STARTTLS=server, get_verify: 0 get_peer: 
0x0
Jun 30 11:43:00 bottom sm-mta[18852]: STARTTLS=server, relay=[1.2.3.4], 
version=TLSv1.2, verify=NOT, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Jun 30 11:43:00 bottom sm-mta[18852]: STARTTLS=server, cert-subject=, 
cert-issuer=, verifymsg=ok
Jun 30 11:43:00 bottom sm-mta[18852]: AUTH: available mech=DIGEST-MD5 CRAM-MD5 
LOGIN PLAIN, allowed mech=EXTERNAL
Jun 30 11:43:00 bottom sm-mta[18852]: STARTTLS=read, info: fds=9/4, err=2
Jun 30 11:43:00 bottom sm-mta[18852]: 45UFgx2h018852: <-- EHLO [1.2.3.4]
Jun 30 11:43:00 bottom sm-mta[18852]: 45UFgx2i018852: milter=spamassassin, 
action=helo, continue
Jun 30 11:43:00 bottom sm-mta[18852]: 45UFgx2i018852: --- 
250-bottom.networkguild.org Hello [1.2.3.4], pleased to meet you
Jun 30 11:43:00 bottom sm-mta[18852]: 45UFgx2i018852: --- 
250-ENHANCEDSTATUSCODES
Jun 30 11:43:00 bottom sm-mta[18852]: 45UFgx2i018852: --- 250-PIPELINING
Jun 30 11:43:00 bottom sm-mta[18852]: 45UFgx2i018852: --- 250-EXPN
Jun 30 11:43:00 bottom sm-mta[18852]: 45UFgx2i018852: --- 250-VERB
Jun 30 11:43:00 bottom sm-mta[18852]: 45UFgx2i018852: --- 250-8BITMIME
Jun 30 11:43:00 bottom sm-mta[18852]: 45UFgx2i018852: --- 250-SIZE
Jun 30 11:43:00 bottom sm-mta[18852]: 45UFgx2i018852: --- 250-DELIVERBY
Jun 30 11:43:00 bottom sm-mta[18852]: 45UFgx2i018852: --- 250 HELP
Jun 30 11:43:00 bottom sm-mta[18852]: STARTTLS=read, info: fds=9/4, err=2

My cert for bottom.networkguild.org is still valid.  Err=2 is generaly
some sort of file-not-found error, but what file or file descriptor
went bad?



signature.asc
Description: PGP signature

Re: configurer sendmail/exim4 pour utiliser smtp tiers

[didier gaumet]

Bonjour,

Il y a un article du wiki Debian sur Exim:
https://wiki.debian.org/Exim
Dans un scénario qui a l'air proche du tien, on y parle de relai 
smarthost, de macro TLS et de réécriture d'adresse e-mail de l'émetteur.
(Je ne sais pas si ça joue mais je suis chez Free aussi et il me semble 
que j'utilise TLS plutôt que STARTTLS)

Re: configurer sendmail/exim4 pour utiliser smtp tiers

[NoSpam]

Le 02/01/2023 à 14:01, roger.tar...@free.fr a écrit :

Bonjour

Cette syntaxe à double ':' avant le n° de port (ex : 
|smtp.example.com::587|) se retrouve à de nombreux endroits :

ex : https://www.pontikis.net/blog/gmail-smarthost-exim4-debian
https://alexander.holbreich.org/exim-mail-google/

Quel outil utiles-tu pour envoyer des e-mails depuis un programme avec 
un service smtp tiers ?
postfix. Comme annoncé par un autre intervenant, ssmtp est une bonne 
alternative

Evnoi programmatique de courriel: Re: configurer sendmail/exim4 pour utiliser smtp tiers

[Basile Starynkevitch]

On 02/01/2023 14:01, roger.tar...@free.fr wrote:

Bonjour

Cette syntaxe à double ':' avant le n° de port (ex : 
|smtp.example.com::587|) se retrouve à de nombreux endroits :

ex : https://www.pontikis.net/blog/gmail-smarthost-exim4-debian
https://alexander.holbreich.org/exim-mail-google/

Quel outil utiles-tu pour envoyer des e-mails depuis un programme avec 
un service smtp tiers ?



Une bibliothèque en C++ pour ce faire existe: https://www.vmime.org/


En plus, je découvre qu'elle est développée en France.


(et on pourrait imaginer que le logiciel RefPerSys 
 en http://refpersys.org/ soit 
étendu pour l'utiliser; si vous êtes intéressés, contactez moi - Basile 
Starynkevitch - par courriel).



Librement.


--
Basile Starynkevitch
(only mine opinions / les opinions sont miennes uniquement)
92340 Bourg-la-Reine, France
web page: starynkevitch.net/Basile/

Re: configurer sendmail/exim4 pour utiliser smtp tiers

[roger . tarani]

Bonjour 

Cette syntaxe à double ':' avant le n° de port (ex : smtp.example.com::587 ) se 
retrouve à de nombreux endroits : 
ex : [ https://www.pontikis.net/blog/gmail-smarthost-exim4-debian | 
https://www.pontikis.net/blog/gmail-smarthost-exim4-debian ] 
[ https://alexander.holbreich.org/exim-mail-google/ | 
https://alexander.holbreich.org/exim-mail-google/ ] 

Quel outil utiles-tu pour envoyer des e-mails depuis un programme avec un 
service smtp tiers ? 


De: "NoSpam"  
À: "Liste Debian"  
Envoyé: Lundi 2 Janvier 2023 13:33:05 
Objet: Re: configurer sendmail/exim4 pour utiliser smtp tiers 



Bonjour 
Le 02/01/2023 à 02:49, [ mailto:roger.tar...@free.fr | roger.tar...@free.fr ] a 
écrit : 



Bonjour la liste, et bonne année 2023, 

Sur un serveur debian11, j'ai besoin d'activer un service de messagerie. 
J'ai déjà réussi par le passé et un programme utilisait fiablement une commande 
sendmail (comme on peut le faire en CLI : echo "Subject: hello" | sendmail [ 
mailto:t...@example.com |  toto@ ] freefr ). 

Déjà, je souhaite pouvoir exploiter un serveur de messagerie tiers (free.fr 
ici, par exemple). 
On verra ensuite pour configurer un serveur de messagerie envoi/réception sur 
cette machine. 


[...] 

BQ_BEGIN


dc_smarthost='smtp.free.fr::465' 

BQ_END


Je n'utilise pas exim mais cette configuration m'interpelle. Ne seraitce pas 
plutôt 

dc_smarthost='smtp.free.fr:465' 

Re: configurer sendmail/exim4 pour utiliser smtp tiers

[NoSpam]

Bonjour

Le 02/01/2023 à 02:49, roger.tar...@free.fr a écrit :

Bonjour la liste, et bonne année 2023,

Sur un serveur debian11, j'ai besoin d'activer un service de messagerie.
J'ai déjà réussi par le passé et un programme utilisait fiablement une 
commande sendmail (comme on peut le faire en CLI : echo "Subject: 
hello" | sendmail toto@ <mailto:t...@example.com>freefr ).


Déjà, je souhaite pouvoir exploiter un serveur de messagerie tiers 
(free.fr ici, par exemple).
On verra ensuite pour configurer un serveur de messagerie 
envoi/réception sur cette machine.

[...]


dc_smarthost='smtp.free.fr::465'


Je n'utilise pas exim mais cette configuration m'interpelle. Ne seraitce 
pas plutôt


dc_smarthost='smtp.free.fr:465'

Re: configurer sendmail/exim4 pour utiliser smtp tiers

[Belaïd]

Bonjour et bonne année à tous !

Pour tes besoins qui sont simples (utilisation d'un relais) je te conseil
d'utiliser ssmtp, c'est vraiment hyper simple et rapide !

Le lun. 2 janv. 2023 à 02:50,  a écrit :

> Bonjour la liste, et bonne année 2023,
>
> Sur un serveur debian11, j'ai besoin d'activer un service de messagerie.
> J'ai déjà réussi par le passé et un programme utilisait fiablement une
> commande sendmail (comme on peut le faire en CLI : echo "Subject: hello" |
> sendmail toto@ freefr ).
>
> Déjà, je souhaite pouvoir exploiter un serveur de messagerie tiers (
> free.fr ici, par exemple).
> On verra ensuite pour configurer un serveur de messagerie envoi/réception
> sur cette machine.
>
> Après utilisation de dpkg-reconfigure exim4-config :
> $ cat update-exim4.conf.conf
> dc_eximconfig_configtype='smarthost'
> dc_other_hostnames=''
> dc_local_interfaces='127.0.0.1'
> dc_readhost='localhost'
> dc_relay_domains=''
> dc_minimaldns='false'
> dc_relay_nets=''
> dc_smarthost='smtp.free.fr::465'
> CFILEMODE='644'
> dc_use_split_config='false'
> dc_hide_mailname='false'
> dc_mailname_in_oh='true'
> dc_localdelivery='mail_spool'
>
> J'ai trouvé une tonne d'articles sur sendmail/exim4 qui ne m'ont pas
> permis de faire marcher cette simple configuration.
>
> De mémoire, j'avais réussi à faire marcher exim4 avec un serveur SMTP
> tiers en trifouillant dans exim4.conf.template , un peu comme expliqué dans
> ce site devenu injoignable (web archive) :
>
> https://web.archive.org/web/20220611061029/https://manu-j.com/blog/wordpress-exim4-ubuntu-gmail-smtp/75/
>
> J'avais aussi utilisé cette page et me souviens avoir pu faire tourner
> exim avec : https://debian-facile.org/doc:reseau:exim4-pour-les-nulls
>
> Après un :
> $ echo "Subject: hello" | sendmail t...@free.fr
>
> A présent, le service exim4 dit :
>
> $ tail -20 /var/log/exim4/mainlog
> ...
> 2023-01-02 02:39:20 1pC9nM-00D83H-4D <= r...@truc.com U=root P=local S=282
> 2023-01-02 02:39:20 1pC9nM-00D83H-4D ** t...@free.fr: Unrouteable address
> 2023-01-02 02:39:20 1pC9nM-00D83K-7x <= <> R=1pC9nM-00D83H-4D
> U=Debian-exim P=local S=1467
> 2023-01-02 02:39:20 1pC9nM-00D83K-7x ** r...@truc.com: Unrouteable address
> 2023-01-02 02:39:20 1pC9nM-00D83K-7x Frozen (delivery error message)
> 2023-01-02 02:39:20 1pC9nM-00D83H-4D Completed
>
> J'ai commenté les modifications faites dans exim4.conf.template , ce qui
> m'a permis d'éliminer les erreurs d'authentification smtp.
>
> Je suis sec.
> Comment procéder pour simplement faire tourner exim4 afin d'utiliser un
> service smtp tiers :
> à partir de mon serveur ?
> à partir d'un serveur debian tout neuf ?
>
> Merci.
>
>

Re: configurer sendmail/exim4 pour utiliser smtp tiers

[Basile Starynkevitch]

Bonjour et bonne année


On 02/01/2023 02:49, roger.tar...@free.fr wrote:

Bonjour la liste, et bonne année 2023,

Sur un serveur debian11, j'ai besoin d'activer un service de messagerie.


SMTP et EXIM sont complexes. Je conseille la lecture (à tête reposée) 
d'un livre entier sur la question, par exemple (en anglais)


/Exim. The mail transfer agent/. par Philip Hazel.  ed. OReilly ISBN 
9780596000981


Il y a aussi la problématique de la fiabilité d'un serveur de courriel, 
du volume à traiter (traiter cent mille méls par jour, c'est différent 
de traiter cent méls par jour), des stratégies de ré-emission et 
stockage (spool) des méls, etc.


On peut aussi envisager d'utiliser et de configurer https://www.postfix.org/

Ensuite, free a comme mauvaise habitude de parfois restreindre le trafic 
SMTP qui passe chez eux. (Il peut y avoir des raisons légales à ça : 
lutte antispam; articles 323-1 et suivant du code pénal en France, etc..).


On peut enfin envoyer un mél programmatiquement par une librarie telle 
que https://www.vmime.org/


Dans tous les cas, c'est complexe, car le courriel est complexe (voir 
les spécifications de SMTP 
 
et IMAP  pour commencer)



Pour ma part, je cherche des partenaires intéressés par RefPerSys en 
http://refpersys.org/




Librement et bonne année 2023


--
Basile Starynkevitch
(only mine opinions / les opinions sont miennes uniquement)
92340 Bourg-la-Reine, France
web page: starynkevitch.net/Basile/

configurer sendmail/exim4 pour utiliser smtp tiers

[roger . tarani]

Bonjour la liste, et bonne année 2023, 

Sur un serveur debian11, j'ai besoin d'activer un service de messagerie. 
J'ai déjà réussi par le passé et un programme utilisait fiablement une commande 
sendmail (comme on peut le faire en CLI : echo "Subject: hello" | sendmail [ 
mailto:t...@example.com |  toto@ ] freefr ). 

Déjà, je souhaite pouvoir exploiter un serveur de messagerie tiers (free.fr 
ici, par exemple). 
On verra ensuite pour configurer un serveur de messagerie envoi/réception sur 
cette machine. 

Après utilisation de dpkg-reconfigure exim4-config : 
$ cat update-exim4.conf.conf 
dc_eximconfig_configtype='smarthost' 
dc_other_hostnames='' 
dc_local_interfaces='127.0.0.1' 
dc_readhost='localhost' 
dc_relay_domains='' 
dc_minimaldns='false' 
dc_relay_nets='' 
dc_smarthost='smtp.free.fr::465' 
CFILEMODE='644' 
dc_use_split_config='false' 
dc_hide_mailname='false' 
dc_mailname_in_oh='true' 
dc_localdelivery='mail_spool' 

J'ai trouvé une tonne d'articles sur sendmail/exim4 qui ne m'ont pas permis de 
faire marcher cette simple configuration. 

De mémoire, j'avais réussi à faire marcher exim4 avec un serveur SMTP tiers en 
trifouillant dans exim4.conf.template , un peu comme expliqué dans ce site 
devenu injoignable (web archive) : 
[ 
https://web.archive.org/web/20220611061029/https://manu-j.com/blog/wordpress-exim4-ubuntu-gmail-smtp/75/
 | 
https://web.archive.org/web/20220611061029/https://manu-j.com/blog/wordpress-exim4-ubuntu-gmail-smtp/75/
 ] 

J'avais aussi utilisé cette page et me souviens avoir pu faire tourner exim 
avec : [ https://debian-facile.org/doc:reseau:exim4-pour-les-nulls | 
https://debian-facile.org/doc:reseau:exim4-pour-les-nulls ] 

Après un : 
$ echo "Subject: hello" | sendmail t...@free.fr 

A présent, le service exim4 dit : 

$ tail -20 /var/log/exim4/mainlog 
... 
2023-01-02 02:39:20 1pC9nM-00D83H-4D <= r...@truc.com U=root P=local S=282 
2023-01-02 02:39:20 1pC9nM-00D83H-4D ** t...@free.fr: Unrouteable address 
2023-01-02 02:39:20 1pC9nM-00D83K-7x <= <> R=1pC9nM-00D83H-4D U=Debian-exim 
P=local S=1467 
2023-01-02 02:39:20 1pC9nM-00D83K-7x ** r...@truc.com: Unrouteable address 
2023-01-02 02:39:20 1pC9nM-00D83K-7x Frozen (delivery error message) 
2023-01-02 02:39:20 1pC9nM-00D83H-4D Completed 

J'ai commenté les modifications faites dans exim4.conf.template , ce qui m'a 
permis d'éliminer les erreurs d'authentification smtp. 

Je suis sec. 
Comment procéder pour simplement faire tourner exim4 afin d'utiliser un service 
smtp tiers : 
à partir de mon serveur ? 
à partir d'un serveur debian tout neuf ? 

Merci. 

Re: Sendmail SASL Auth on Debian 11

[Dave Parker]

On Tue, Sep 13, 2022 at 6:41 AM Henning Follmann 
wrote:

>
> >
> > So I guess my question is, do I need one now on the Bullseye server, if
> > saslauthd always worked for this before?
> >
>
> OK, that's an option too.
>
> Now I would check if sasl works. There is an little helper program; try:
> testsaslauthd -u  -p 
>
> you might have to specify the location (-f path) of the unix socket if it
> is located
> somewhere uncommon.
>
> If your authentication works then the communication between sendmail and
> saslauthd
> is not working.
>

Hello,

The testsaslauthd utility was also working, so the break was between
Sendmail and SASL.  I finally got it working, though.  A Google search led
me to these three commands, and running them indeed fixed gthe issue:

/usr/share/sendmail/update_tls
/usr/share/sendmail/update_sendmail
sendmailconfig

All of the config and .m4 files involved here still look the same between
the old and new server, with the exception of some updated comments.  So,
I'm not exactly sure what this did to fix the underlying problem, but it's
fixed nonetheless.

Thanks!
Dave

-- 
Dave Parker '11
Database & Systems Administrator
Utica University
Integrated Information Technology Services
315-792-3229
He/Him

Re: Sendmail SASL Auth on Debian 11

[Henning Follmann]

On Mon, Sep 12, 2022 at 12:42:00PM -0400, Dave Parker wrote:
> On Mon, Sep 12, 2022 at 10:37 AM Henning Follmann 
> wrote:
> 
> >
> > First, please do not top post.
> >
> > On Mon, Sep 12, 2022 at 09:00:00AM -0400, Dave Parker wrote:
> > > Thanks for the advice.  Just to clarify, this is an enterprise SMTP
> > server
> > > for a university, and we have used Sendmail for at least 25 years now.  I
> > > have deployed and configured Sendmail on probably hundreds of servers
> > over
> > > the years, but most of them are on internal networks and relay mail
> > > through this SMTP server.  This is a high traffic SMTP server and its
> > > uptime is critical, so I would prefer to stay with Sendmail because it
> > has
> > > always been rock solid in the past.
> >
> > Understood. And I apologize. I assumed because of the old version of your
> > existing installation a less actively maintained situation and made a snap
> > judgement about your experience.
> > I also never said sendmail is not a  solid MTA. I stated it is extremely
> > difficult to maintain.
> > Also other MTA are well suited for high traffic servers. Exim is used
> > by ISPs with extremely high traffic.
> >
> > >
> > > The issue here is that Sendmail with SASL auth doesn't seem to work the
> > > same way in Bullseye as it did in Wheezy, which is probably to be
> > expected,
> > > given the large gap between versions.  I'm just trying to track down
> > > anything I may have missed in my new Bullseye configuration, since the
> > > exact same config works fine in Wheezy.
> > >
> >
> > Well, in my previous post I might hinted at your issue.
> >
> > Please check if courier-authdaemon or dovecot-core is installed.
> > Both provide an sasl authdaemon.
> > I do not know anything about your old installation so you have to
> > figure out, how and where the unix socket of the daemon is located.
> > If you use a chroot environment you must make sure the socket is accessible
> > to sendmail.
> >
> >
> My apologies for the top post.  We use Google for our institutional email,
> and the Gmail interface defaults to that when I reply to a message.
> 
> Looking at the existing Wheezy server which works correctly, I do not see
> anything providing an auth daemon besides saslauthd:
> 
> # dpkg-query -W | egrep 'sendmail|sasl|courier|dovecot'
> libsasl2-2:amd64 2.1.25.dfsg1-6+deb7u1
> libsasl2-modules:amd64 2.1.25.dfsg1-6+deb7u1
> sasl2-bin 2.1.25.dfsg1-6+deb7u1
> sendmail 8.14.4-4
> sendmail-base 8.14.4-4
> sendmail-bin 8.14.4-4
> sendmail-cf 8.14.4-4
> 
> So I guess my question is, do I need one now on the Bullseye server, if
> saslauthd always worked for this before?
> 

OK, that's an option too.

Now I would check if sasl works. There is an little helper program; try:
testsaslauthd -u  -p 

you might have to specify the location (-f path) of the unix socket if it is 
located 
somewhere uncommon.

If your authentication works then the communication between sendmail and 
saslauthd
is not working.



-H

-- 
Henning Follmann   | hfollm...@itcfollmann.com

Re: Sendmail SASL Auth on Debian 11

[Dave Parker]

On Mon, Sep 12, 2022 at 10:37 AM Henning Follmann 
wrote:

>
> First, please do not top post.
>
> On Mon, Sep 12, 2022 at 09:00:00AM -0400, Dave Parker wrote:
> > Thanks for the advice.  Just to clarify, this is an enterprise SMTP
> server
> > for a university, and we have used Sendmail for at least 25 years now.  I
> > have deployed and configured Sendmail on probably hundreds of servers
> over
> > the years, but most of them are on internal networks and relay mail
> > through this SMTP server.  This is a high traffic SMTP server and its
> > uptime is critical, so I would prefer to stay with Sendmail because it
> has
> > always been rock solid in the past.
>
> Understood. And I apologize. I assumed because of the old version of your
> existing installation a less actively maintained situation and made a snap
> judgement about your experience.
> I also never said sendmail is not a  solid MTA. I stated it is extremely
> difficult to maintain.
> Also other MTA are well suited for high traffic servers. Exim is used
> by ISPs with extremely high traffic.
>
> >
> > The issue here is that Sendmail with SASL auth doesn't seem to work the
> > same way in Bullseye as it did in Wheezy, which is probably to be
> expected,
> > given the large gap between versions.  I'm just trying to track down
> > anything I may have missed in my new Bullseye configuration, since the
> > exact same config works fine in Wheezy.
> >
>
> Well, in my previous post I might hinted at your issue.
>
> Please check if courier-authdaemon or dovecot-core is installed.
> Both provide an sasl authdaemon.
> I do not know anything about your old installation so you have to
> figure out, how and where the unix socket of the daemon is located.
> If you use a chroot environment you must make sure the socket is accessible
> to sendmail.
>
>
My apologies for the top post.  We use Google for our institutional email,
and the Gmail interface defaults to that when I reply to a message.

Looking at the existing Wheezy server which works correctly, I do not see
anything providing an auth daemon besides saslauthd:

# dpkg-query -W | egrep 'sendmail|sasl|courier|dovecot'
libsasl2-2:amd64 2.1.25.dfsg1-6+deb7u1
libsasl2-modules:amd64 2.1.25.dfsg1-6+deb7u1
sasl2-bin 2.1.25.dfsg1-6+deb7u1
sendmail 8.14.4-4
sendmail-base 8.14.4-4
sendmail-bin 8.14.4-4
sendmail-cf 8.14.4-4

So I guess my question is, do I need one now on the Bullseye server, if
saslauthd always worked for this before?

Thanks,
Dave

-- 
Dave Parker '11
Database & Systems Administrator
Utica University
Integrated Information Technology Services
315-792-3229
He/Him

Re: Sendmail SASL Auth on Debian 11

[Henning Follmann]

First, please do not top post.

On Mon, Sep 12, 2022 at 09:00:00AM -0400, Dave Parker wrote:
> Thanks for the advice.  Just to clarify, this is an enterprise SMTP server
> for a university, and we have used Sendmail for at least 25 years now.  I
> have deployed and configured Sendmail on probably hundreds of servers over
> the years, but most of them are on internal networks and relay mail
> through this SMTP server.  This is a high traffic SMTP server and its
> uptime is critical, so I would prefer to stay with Sendmail because it has
> always been rock solid in the past.

Understood. And I apologize. I assumed because of the old version of your
existing installation a less actively maintained situation and made a snap
judgement about your experience.
I also never said sendmail is not a  solid MTA. I stated it is extremely
difficult to maintain.
Also other MTA are well suited for high traffic servers. Exim is used
by ISPs with extremely high traffic.

> 
> The issue here is that Sendmail with SASL auth doesn't seem to work the
> same way in Bullseye as it did in Wheezy, which is probably to be expected,
> given the large gap between versions.  I'm just trying to track down
> anything I may have missed in my new Bullseye configuration, since the
> exact same config works fine in Wheezy.
>

Well, in my previous post I might hinted at your issue.

Please check if courier-authdaemon or dovecot-core is installed.
Both provide an sasl authdaemon.
I do not know anything about your old installation so you have to
figure out, how and where the unix socket of the daemon is located.
If you use a chroot environment you must make sure the socket is accessible
to sendmail.

Cheers,

-H

[...]

-- 
Henning Follmann   | hfollm...@itcfollmann.com

Re: Sendmail SASL Auth on Debian 11

[Dave Parker]

Thanks for the advice.  Just to clarify, this is an enterprise SMTP server
for a university, and we have used Sendmail for at least 25 years now.  I
have deployed and configured Sendmail on probably hundreds of servers over
the years, but most of them are on internal networks and relay mail
through this SMTP server.  This is a high traffic SMTP server and its
uptime is critical, so I would prefer to stay with Sendmail because it has
always been rock solid in the past.

The issue here is that Sendmail with SASL auth doesn't seem to work the
same way in Bullseye as it did in Wheezy, which is probably to be expected,
given the large gap between versions.  I'm just trying to track down
anything I may have missed in my new Bullseye configuration, since the
exact same config works fine in Wheezy.

Thanks!

On Mon, Sep 12, 2022 at 3:17 AM Henning Follmann 
wrote:

> On Fri, Sep 09, 2022 at 11:55:06AM -0400, Dave Parker wrote:
> > Hello,
> >
> > Years ago, I set up an SMTP server on Debian 7.5, running Sendmail
> > configured for SASL authentication using an LDAP directory.  I am now
> > trying to set up a new one on Debian 11.5 in pretty much the same
> > configuration, but SMTP auth does not work.  I have verified that nslcd
> and
>
> You have not "used" sendmail for several years. You should not use it.
> Sendmail is very complex and extremely difficult to maintain, definetely
> not
> suitable for a "casual" user.
> You should either use
> 1) Exim (I do not like it, because it does not use standard logging. But
> that
>  is personal taste) Its debians default.
>
> 2) Postfix
>
> I used sendmail for a decade but I switched over to Postfix  years ago.
> It is too hard to maintain.
>
>
> > saslauthd are running, the sendmail, PAM and NSS configurations all look
> > good, and ldapsearch returns a result using the settings from
> > pam_ldap.conf.  When I open a connection to the old server and issue AUTH
> > PLAIN or AUTH LOGIN, I can authenticate with my base64 LDAP credentials
> as
> > expected.  But when I do the same on the new server, I get a "535 5.7.0
> > authentication failed" response.
> >
> > I ran a tcpdump on this SMTP server during an auth attempt, and there was
> > no traffic to or from the LDAP server.
> >
> > I literally copied all of the configs over from the old server and
> Sendmail
> > starts up fine, but still no auth.  Does anyone know where I might look
> for
> > the breakage?
> >
> > Old server (works):
> > - Sendmail 8.14.4
> > - SASL (libs/modules/bin) 2.1.25
> > - libnss-ldap 264
> > - libpam-ldap 184
> >
> > New server (doesn't work):
> > - Sendmail 8.15.2
> > - SASL (lib/modules/bin) 2.1.27
> > - libnss-ldapd 0.9.11 (because libnss-ldap is deprecated)
> > - libpam-ldap 186
>
> You need an external authentication daemon for sasl to work.
> I guess based on the age of your old system, it was courier in your case.
>
> Today I would prefer dovecot.
>
>
>
> >
> > Thanks!
> > Dave
> >
> > --
> > Dave Parker '11
> > Database & Systems Administrator
> > Utica University
> > Integrated Information Technology Services
> > 315-792-3229
> > He/Him
>
> --
> Henning Follmann   | hfollm...@itcfollmann.com
>
>

-- 
Dave Parker '11
Database & Systems Administrator
Utica University
Integrated Information Technology Services
315-792-3229
He/Him

Re: Sendmail SASL Auth on Debian 11

[Henning Follmann]

On Fri, Sep 09, 2022 at 11:55:06AM -0400, Dave Parker wrote:
> Hello,
> 
> Years ago, I set up an SMTP server on Debian 7.5, running Sendmail
> configured for SASL authentication using an LDAP directory.  I am now
> trying to set up a new one on Debian 11.5 in pretty much the same
> configuration, but SMTP auth does not work.  I have verified that nslcd and

You have not "used" sendmail for several years. You should not use it.
Sendmail is very complex and extremely difficult to maintain, definetely not
suitable for a "casual" user.
You should either use
1) Exim (I do not like it, because it does not use standard logging. But that
 is personal taste) Its debians default.

2) Postfix

I used sendmail for a decade but I switched over to Postfix  years ago.
It is too hard to maintain.


> saslauthd are running, the sendmail, PAM and NSS configurations all look
> good, and ldapsearch returns a result using the settings from
> pam_ldap.conf.  When I open a connection to the old server and issue AUTH
> PLAIN or AUTH LOGIN, I can authenticate with my base64 LDAP credentials as
> expected.  But when I do the same on the new server, I get a "535 5.7.0
> authentication failed" response.
> 
> I ran a tcpdump on this SMTP server during an auth attempt, and there was
> no traffic to or from the LDAP server.
> 
> I literally copied all of the configs over from the old server and Sendmail
> starts up fine, but still no auth.  Does anyone know where I might look for
> the breakage?
> 
> Old server (works):
> - Sendmail 8.14.4
> - SASL (libs/modules/bin) 2.1.25
> - libnss-ldap 264
> - libpam-ldap 184
> 
> New server (doesn't work):
> - Sendmail 8.15.2
> - SASL (lib/modules/bin) 2.1.27
> - libnss-ldapd 0.9.11 (because libnss-ldap is deprecated)
> - libpam-ldap 186

You need an external authentication daemon for sasl to work.
I guess based on the age of your old system, it was courier in your case.

Today I would prefer dovecot.



> 
> Thanks!
> Dave
> 
> -- 
> Dave Parker '11
> Database & Systems Administrator
> Utica University
> Integrated Information Technology Services
> 315-792-3229
> He/Him

-- 
Henning Follmann   | hfollm...@itcfollmann.com

Sendmail SASL Auth on Debian 11

[Dave Parker]

Hello,

Years ago, I set up an SMTP server on Debian 7.5, running Sendmail
configured for SASL authentication using an LDAP directory.  I am now
trying to set up a new one on Debian 11.5 in pretty much the same
configuration, but SMTP auth does not work.  I have verified that nslcd and
saslauthd are running, the sendmail, PAM and NSS configurations all look
good, and ldapsearch returns a result using the settings from
pam_ldap.conf.  When I open a connection to the old server and issue AUTH
PLAIN or AUTH LOGIN, I can authenticate with my base64 LDAP credentials as
expected.  But when I do the same on the new server, I get a "535 5.7.0
authentication failed" response.

I ran a tcpdump on this SMTP server during an auth attempt, and there was
no traffic to or from the LDAP server.

I literally copied all of the configs over from the old server and Sendmail
starts up fine, but still no auth.  Does anyone know where I might look for
the breakage?

Old server (works):
- Sendmail 8.14.4
- SASL (libs/modules/bin) 2.1.25
- libnss-ldap 264
- libpam-ldap 184

New server (doesn't work):
- Sendmail 8.15.2
- SASL (lib/modules/bin) 2.1.27
- libnss-ldapd 0.9.11 (because libnss-ldap is deprecated)
- libpam-ldap 186

Thanks!
Dave

-- 
Dave Parker '11
Database & Systems Administrator
Utica University
Integrated Information Technology Services
315-792-3229
He/Him

Re: Postfix comme MX2 d'un Sendmail

[Roberto C . Sánchez]

On Mon, Jun 20, 2022 at 05:25:39PM +0200, BERTRAND Joël wrote:
>   Je viens de couper le MX1 durant une petite demi-heure. Le MX2 récupère
> tous les mails en synchronisant les listes grises entre MX1 et 2 et
> renvoie le tout au MX1 dès qu'il réapparaît.
> 
>   Je finasserai la configuration plus tard.
> 
>   Une question résiduelle que je viens de me poser. Lorsqu'un utilisateur
> envoie un mail, il utilise le SMTP (sur le MX1) sur le port 587.
> sendmail demande une authentification. Si pas d'authentification, le
> mail est refusé. Mais sur le port 25, quel est le mécanisme qui fait
> qu'un utilisateur ne peut pas envoyer directement un mail (que ce soit
> avec Postfix ou sendmail) ?
> 
Peut-être ajouter "reject_unauth_destination" au paramètre
smtpd_recipient_restrictions ?

https://wiki.auf.org/wikiteki/Postfix/Authentification

Salut,

-Roberto

-- 
Roberto C. Sánchez

Re: Postfix comme MX2 d'un Sendmail

[BERTRAND Joël]

Je viens de couper le MX1 durant une petite demi-heure. Le MX2 récupère
tous les mails en synchronisant les listes grises entre MX1 et 2 et
renvoie le tout au MX1 dès qu'il réapparaît.

Je finasserai la configuration plus tard.

Une question résiduelle que je viens de me poser. Lorsqu'un utilisateur
envoie un mail, il utilise le SMTP (sur le MX1) sur le port 587.
sendmail demande une authentification. Si pas d'authentification, le
mail est refusé. Mais sur le port 25, quel est le mécanisme qui fait
qu'un utilisateur ne peut pas envoyer directement un mail (que ce soit
avec Postfix ou sendmail) ?

Bien cordialement,

JKB

Re: Postfix comme MX2 d'un Sendmail

[BERTRAND Joël]

Roberto C. Sánchez a écrit :
> Bonjour Joël,

Bonjour Roberto.

> On Mon, Jun 20, 2022 at 02:14:11PM +0200, BERTRAND Joël wrote:
>>
>>  Pour l'instant, j'ai écrit dans /etc/mail/main.cf la chose suivante :
>>
>> command_directory = /usr/sbin
>> daemon_directory = /usr/libexec/postfix
>> data_directory = /var/db/postfix
>> debug_peer_level = 2
>> debugger_command =
>> disable_vrfy_command = yes
>> html_directory = /usr/share/doc/html/postfix
>> inet_interfaces = all
>> inet_protocols = all
>> mail_owner = postfix
>> mailq_path = /usr/bin/mailq
>> manpage_directory = /usr/share/man
>> maximal_queue_lifetime = 10d
>> milter_default_action = accept
>> mynetworks = 192.168.10.0/24, 192.168.12.0/24, 192.168.15.14/32, 127.0.0.1/8
>> newaliases_path = /usr/bin/newaliases
>> non_smtpd_milters = unix:/var/clamav/clamav-milter.sock
>> postscreen_access_list = permit_mynetworks
>> proxy_interfaces = 192.168.15.14
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/share/examples/postfix
>> relay_domains = $mydestination, systella.fr
>> relay_recipient_maps =
>> sample_directory = /usr/share/examples/postfix
>> sendmail_path = /usr/sbin/sendmail
>> setgid_group = maildrop
>> smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock
>> smtpd_recipient_restrictions = permit_sasl_authenticated,
>> permit_mynetworks, check_relay_domains, reject_unauth_destination
>> unknown_local_recipient_reject_code = 550
>>
> J'utilise Postfix comme primaire et comme secondaire, alors je ne sais
> rien concernant Sendmail.  Mais, ma configuration Postfix comprend les
> adresses IP des autres serveurs Postfix dans le paramètre mynetworks et
> le secondaire aussi le paramètre relayhost de cette manière:
> 
> relayhost = [mx1.example.com]
> 
> Je pense que parce que relayhost manque de ta configuration, ton Postfix
> ne sait pas qu'il doive envoyer le message au MX1 sans essayer résoudre
> l'adresse se c'est du domaine @systella.fr en ce cas.

Il y a effectivement du mieux :

Root rayleigh:[/etc/mail] > telnet  62.212.98.88 25
Trying 62.212.98.88...
Connected to 62.212.98.88.
Escape character is '^]'.
220 legendre.systella.fr ESMTP Postfix
EHLO rayleigh
250-legendre.systella.fr
250-PIPELINING
250-SIZE 1024
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:
250 2.1.0 Ok
RCPT TO:
554 5.5.4 SPF test failed

Je ne me prends plus le même coup de pied aux fesses ;-)

Dans les logs de postfix, je trouve :

Jun 20 15:32:21 legendre postfix/smtpd[16414]: warning: support for
restriction "check_relay_domains" will be removed from Postfix; use
"reject_unauth_destination" instead
Jun 20 15:32:21 legendre postfix/smtpd[16414]: warning: restriction
`reject_unauth_destination' after `check_relay_domains' is ignored
Jun 20 15:32:21 legendre milter-greylist: (unknown id): addr
213.41.150.218 flushed, removed 0 grey and autowhite (ACL 90)
Jun 20 15:32:21 legendre milter-greylist: (unknown id): addr
[213.41.150.218][213.41.150.218] from  to
 blacklisted (ACL 90)
Jun 20 15:32:21 legendre postfix/smtpd[16414]: NOQUEUE: milter-reject:
RCPT from unknown[213.41.150.218]: 554 5.5.4 SPF test failed;
from= to= proto=ESMTP
helo=

J'ai donc changé la configuration pour la suivante (avec le même
résultat final, à savoir un échec du test SPF) :

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command =
disable_vrfy_command = yes
html_directory = /usr/share/doc/html/postfix
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 10d
milter_default_action = accept
mynetworks = 192.168.10.0/24, 192.168.12.0/24, 192.168.15.14/32, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = unix:/var/clamav/clamav-milter.sock
postscreen_access_list = permit_mynetworks
proxy_interfaces = 192.168.15.14
queue_directory = /var/spool/postfix
readme_directory = /usr/share/examples/postfix
relay_domains = $mydestination, systella.fr
relay_recipient_maps =
relayhost = [rayleigh.systella.fr]
sample_directory = /usr/share/examples/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
unknown_local_recipient_reject_code = 550

(j'ai trié le fichier de conf en retirant les commentaires, ça
n'apparaît peut-être pas dans un ordre logique).

Et là, j'ai un gros doute concernant le DNS. Le champ SPFv1 est le
suivant (récupéré depuis le serveur faisant tourner PostFix) :

legendre# 

Re: Postfix comme MX2 d'un Sendmail

[Roberto C . Sánchez]

Bonjour Joël,

On Mon, Jun 20, 2022 at 02:14:11PM +0200, BERTRAND Joël wrote:
> 
>   Pour l'instant, j'ai écrit dans /etc/mail/main.cf la chose suivante :
> 
> command_directory = /usr/sbin
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> debugger_command =
> disable_vrfy_command = yes
> html_directory = /usr/share/doc/html/postfix
> inet_interfaces = all
> inet_protocols = all
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> maximal_queue_lifetime = 10d
> milter_default_action = accept
> mynetworks = 192.168.10.0/24, 192.168.12.0/24, 192.168.15.14/32, 127.0.0.1/8
> newaliases_path = /usr/bin/newaliases
> non_smtpd_milters = unix:/var/clamav/clamav-milter.sock
> postscreen_access_list = permit_mynetworks
> proxy_interfaces = 192.168.15.14
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/examples/postfix
> relay_domains = $mydestination, systella.fr
> relay_recipient_maps =
> sample_directory = /usr/share/examples/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = maildrop
> smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, check_relay_domains, reject_unauth_destination
> unknown_local_recipient_reject_code = 550
> 
J'utilise Postfix comme primaire et comme secondaire, alors je ne sais
rien concernant Sendmail.  Mais, ma configuration Postfix comprend les
adresses IP des autres serveurs Postfix dans le paramètre mynetworks et
le secondaire aussi le paramètre relayhost de cette manière:

relayhost = [mx1.example.com]

Je pense que parce que relayhost manque de ta configuration, ton Postfix
ne sait pas qu'il doive envoyer le message au MX1 sans essayer résoudre
l'adresse se c'est du domaine @systella.fr en ce cas.

>   Mais à chaque fois que je tente un envoi, postfix me renvoie la chose
> suivante :
> 
> Root rayleigh:[/etc/mail] > telnet  62.212.98.88 25
> Trying 62.212.98.88...
> Connected to 62.212.98.88.
> Escape character is '^]'.
> 220 legendre.systella.fr ESMTP Postfix
> EHLO rayleigh
> 250-legendre.systella.fr
> 250-PIPELINING
> 250-SIZE 1024
> 250-ETRN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> MAIL FROM:
> 250 2.1.0 Ok
> RCPT TO:
> 451 4.3.0 : Temporary lookup failure
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
> Root rayleigh:[/etc/mail] >
> 
>   Un RCPT TO: renvoie la même erreur alors
> que ce compte existe sur le serveur en question.
> 
>   Et là, je ne comprends plus... Tous les howto que l'on trouve sur
> internet proposent d'autres solutions qui ne donnent pas de meilleurs
> résultats.
> 
>   Une idée ?
> 
Il m'intéressera savoir si c'est le même après avoir ajouté relayhost à
la configuration.

Salut,

-Roberto

-- 
Roberto C. Sánchez

Postfix comme MX2 d'un Sendmail

[BERTRAND Joël]

Bonjour à tous,

Je tente la configuration d'un serveur de mail postfix comme backup
d'un sendmail des familles et le moins qu'on puisse dire, c'est que si
la configuration de sendmail est complexe, on voit assez rapidement ce
qui cloche contrairement à postfix ;-)

Je _sais_ configurer un MX2 avec sendmail. J'ai déjà configuré le DNS :

;; ADDITIONAL SECTION:
rayleigh.systella.fr.   86400   IN  A   213.41.150.218
newton-ipv6.systella.fr. 86400  IN  2001:7a8:a8ed:253::1
newton.systella.fr. 86400   IN  A   213.41.149.211
legendre.systella.fr.   86400   IN  A   62.212.98.88
noemie.nerim.net.   86400   IN  A   178.132.17.109

Le firewall est réglé correctement sur le MX2, je peux l'attaquer avec
un telnet sur le port 25.

J'ai un serveur de mail principal qui récupère avec sendmail tout un
tas de domaines. Ce serveur fait office de ESMTP et de MX1, a accès à
deux WAN et fonctionne en IPv4 et v6. Il fait exactement ce que je lui
demande.

Je dois utiliser un serveur distant qui utilise Postfix. Et là, c'est
un désastre. Je n'arrive pas à avoir la configuration que je désire.

Tous les mails envoyés à localhost ou à legendre.systella.fr (le
serveur en question) sur le port submission doivent être traités par le
MX local, lequel relaye vers le MX1 grâce à /etc/mail.aliases qui
contient des choses comme ça :

MAILER-DAEMON: postmaster
postmaster: root
toor:   root
daemon: root
bin:root
games:  root
postfix:postmaster
named:  root
ntpd:   root
sshd:   root
nobody: root
root: joel.bertr...@systella.fr
operator: joel.bertr...@systella.fr
...

Je ne veux pas que les utilisateurs puissent utiliser ce MX2 comme un
ESMTP (ça casserait DKIM, SPFv1...). Je veux donc que tout ce qui n'est
pas à destination de legendre.systella.fr et qui passe par le ESMTP et
non le MX soit rejeté.

Mais je veux aussi que tout ce qui est à destination de systella.fr
soit relayé vers le MX1.

Pour l'instant, j'ai écrit dans /etc/mail/main.cf la chose suivante :

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command =
disable_vrfy_command = yes
html_directory = /usr/share/doc/html/postfix
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 10d
milter_default_action = accept
mynetworks = 192.168.10.0/24, 192.168.12.0/24, 192.168.15.14/32, 127.0.0.1/8
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = unix:/var/clamav/clamav-milter.sock
postscreen_access_list = permit_mynetworks
proxy_interfaces = 192.168.15.14
queue_directory = /var/spool/postfix
readme_directory = /usr/share/examples/postfix
relay_domains = $mydestination, systella.fr
relay_recipient_maps =
sample_directory = /usr/share/examples/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, check_relay_domains, reject_unauth_destination
unknown_local_recipient_reject_code = 550

Mais à chaque fois que je tente un envoi, postfix me renvoie la chose
suivante :

Root rayleigh:[/etc/mail] > telnet  62.212.98.88 25
Trying 62.212.98.88...
Connected to 62.212.98.88.
Escape character is '^]'.
220 legendre.systella.fr ESMTP Postfix
EHLO rayleigh
250-legendre.systella.fr
250-PIPELINING
250-SIZE 1024
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:
250 2.1.0 Ok
RCPT TO:
451 4.3.0 : Temporary lookup failure
quit
221 2.0.0 Bye
Connection closed by foreign host.
Root rayleigh:[/etc/mail] >

Un RCPT TO: renvoie la même erreur alors
que ce compte existe sur le serveur en question.

Et là, je ne comprends plus... Tous les howto que l'on trouve sur
internet proposent d'autres solutions qui ne donnent pas de meilleurs
résultats.

Une idée ?

Bien cordialement,

JKB

[Trouvé] Re: Sendmail et authentification par saslauthd

[BERTRAND Joël]

Bonjour à tous,

Après bricolage dans le sendmail.cf, j'ai trouvé que sendmail allait
chercher un fichier de conf Sendmail.conf partout sauf dans
/etc/mail/sasl. Normalement, ce fichier s'appelle d'ailleurs
Sendmail.conf.2 vu qu'il s'agit de saslv2.

Un lien de /etc/mail/sals/Sendmail.conf.2 vers
/usr/lib/sasl/Sendmail.conf résout le problème.

Bien cordialement,

JKB

PS: ce n'est pas la première fois que ce genre de problème m'arrive avec
Debian/Devuan, mais il serait vraiment bien que pour des modifications
qui entraînent un fonctionnement étrange sans avoir d'erreur dans les
logs avec la configuration de loglevel par défaut, celles-ci soient un
tantinet documentées. sendmail, sauf à avoir été méchamment twiké, n'a
aucune raison de chercher ce fichier sous ce nom à cet endroit.

Re: Sendmail et authentification par saslauthd

[BERTRAND Joël]

didier gaumet a écrit :
> 
> pataper: j'y connais vraiment rien
> 
> mais peut-être ici auras-tu un début de piste (utilisation de telnet et
> du port 587 pour tester sasl/smtp)
> 
> https://networking.ringofsaturn.com/Protocols/howtotestsendmailauthentication.php

Merci. Mais ça, je connais, je suis un barbu capable d'envoyer des
mails par telnet. Mon problème est surtout que sendmail semble
totalement ignorer sasl. J'en suis à comparer deux sendmail.cf, celui
d'un site fonctionnel et celui du site que je suis en train de monter.
Et même là, je ne vois rien d'aberrant.

Bien cordialement,

JKB

Re: Sendmail et authentification par saslauthd

[didier gaumet]

pataper: j'y connais vraiment rien

mais peut-être ici auras-tu un début de piste (utilisation de telnet et 
du port 587 pour tester sasl/smtp)


https://networking.ringofsaturn.com/Protocols/howtotestsendmailauthentication.php

Sendmail et authentification par saslauthd

[BERTRAND Joël]

Bonsoir à tous,

Je suis en train de monter pour une association un serveur de mail et
je butte sur un problème que je n'arrive par à résoudre.

J'utilise un sendmail des familles (parce que ça fait trente ans que
j'utilise sendmail sur tous mes systèmes allant de VMS à Solaris et que
je maîtrise à peu près l'engin, donc ne me répondez pas de passer à
postfix, exim ou pire qmail...).

Il reçoit sans problème avec tous les milters qui vont bien, mais je
n'arrive pas à envoyer un mail. L'authentification échoue. Et là, je ne
sais plus quoi faire.

J'ai bien configuré sasl2 (avec pam qui va prendre les informations
dans passwd/shadow). saslauthd fonctionne :

root:[/etc/mail] > testsaslauthd -u bertrand -p 
0: OK "Success."
root:[/etc/mail] > testsaslauthd -u bertrand -p 
0: NO "authentication failed"

J'ai naturellement redémarré sendmail après saslauthd (c'est un grand
gag, je me suis fait avoir un certain paquet de fois).

    J'ai tenté de lancer sendmail avec la ligne suivante :

/usr/sbin/sendmail  -d95.99 -bD -X test.log

histoire d'avoir toute la transaction dans le fichier test.log. Le
client de messagerie envoie le mot de passe après STARTLS en plain puis
login et se fait claquer la porte aux nez. Si je lance saslautd dans un
terminal, je ne note aucune tentative vers saslauthd de la part de
sendmail (un testsaslauthd montre bien une requête).

J'ai comparé la configuration d'un serveur fonctionnel (celui à partir
duquel je poste) avec celui que je viens de monter, je ne vois pas les
différences. J'ai même vérifié les droits des différents fichiers.
Sendmail ne semble par renvoyer d'erreur, mais n'appelle pas le
mécanisme d'authentification.

Mon sendmail.mc se termine par :
LOCAL_CONFIG
include(`/etc/mail/sasl/sasl.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl

Je suis preneur de toute idée raisonnable pour débugguer la chose.

Bien cordialement,

JKB

Re: Why use an email client AND sendmail/popa3d - Does this avoid the hijack?

[David Wright]

On Thu 26 Nov 2020 at 09:34:25 (+), Joe wrote:
> On Wed, 25 Nov 2020 21:57:10 -0600 David Wright wrote:
> 
> > Perhaps the problem is similar to the one I had with this list
> > (hence the change I made above). What happened was that my posts'
> > Envelope-from (set to the same as my From address above) was being
> > changed by my mail hosting service to an address on their outgoing
> > mail gateway. AIUI Debian immediately tries to establish an email
> > connection to that address on port 25 to verify it exists, but the
> > outgoing gateway apparently is not an incoming mail receiver, and
> > is not listening on port 25. So Debian rejects the post.
> > 
> There should/need be no Envelope-From header in an email as sent, it is
> inserted by the receiving SMTP server as a copy of the sending address
> as used in the SMTP transaction, something which is not a sent header
> and that would not otherwise be available to the end recipient.

When you say "no Envelope-From header", I guess your asking me to make
it clearer in my post that I'm not discussing the email headers at all,
but only the envelope. However, in order to find out what the Envelope-from
of an email was, you have to examine the headers for clues.

Exim uses the term Envelope-from, as seen in your own posts, and
I guess that the number of names "it" has been given reflects the
uses to which it's put. The wiki page lists: return path,
reverse path,  envelope from, envelope sender, MAIL FROM, 5321-FROM,
return address, From_, Errors-to, etc [sic], and the page's own name:
Bounce address. The page continues:
   "It is not uncommon for a single document to use several of these
names. All of these names refer to the email address provided with
the MAIL FROM command during the SMTP session.
Ordinarily, the bounce address is not seen by email users and,
without standardization of the name, it may cause confusion."

> An SMTP sending server does not need to also receive email. Large
> businesses often use separate servers for send and receive, and often
> contract out one or both functions to different companies e.g. mass
> mailers and spam cleaning services. It should not be assumed that the
> MX record for a domain matches its sending address.

Yes, that's the case here. AFAICT there are three hosts involved in
providing my service: an outgoing, an incoming, and the one hosting
my IMAP and SMTP servers. (There may be others involved in, say,
scanning that I don't know about.)

> What Debian's mail server might well do is to look up the sending
> server's HELO/EHLO, sending address and IP address in public DNS, and
> refuse or delay emails with missing or incorrect records. Exim4 by
> default has rules (thought not enabled by default) for checking these
> things with a view to refusing transactions with spammers.

Yes, some of that information may be difficult to control oneself
(I think you also said that), and it's not always clear exactly
how it was used (ie which bits did they look up, and where)
in order to accept or reject it. AFAICT, in my case, Debian
couldn't get a satisfactory response to its RCPT TO command to
what you've termed the "sending address" (which is what I've been
calling the Envelope-from).

I don't have any idea why the Envelope-from that I set should be
changed to something else in the transfer to bendel.debian.org,
so that's something for me to research when I have the time and
inclination. Debian-user is the only address where I have this
problem with submission. Contemporaneous postings to a gnu.org
list show no change in Envelope-from in the equivalent transfer
from my gateway to eggs.gnu.org, the list's incoming host, nor
even next transfer to lists.gnu.org, the list processor itself.

What's really difficult to tell is whether there's something in
the responses from Debian-user that's causing the change at my
gateway. For example, there may be some unseen exchanges between
the two ends in connection with greylisting.

Cheers,
David.

Re: Why use an email client AND sendmail/popa3d - Does this avoid the hijack?

[David Wright]

On Thu 26 Nov 2020 at 08:52:30 (+), mick crane wrote:
> On 2020-11-26 03:57, David Wright wrote:
> 
> > What sort of rejections and/or bounces have you had?
> 
> It showed up that mails to getmail list that uses Exim were refused as
> unsubscribed whereas before was OK.

I take it that was late last year when your Envelope-from appears to
have changed.

> I "think" I then subscribed with noctiluc...@sky.com which worked for
> a bit but then from list to me bounced.

Is noctiluc...@sky.com an email address that you can/do use, or
is it just an account with Sky?

> "Remote host said: 554 5.7.9 Message not accepted for policy reasons"

Was that response from a List → you-at-Sky message? If so, shouldn't
you ask Sky, particular if you have had success before with sending to
this address (as you wrote "worked for a bit").

> using Sky/Yahoo SMTP it seems to add "Return-Path:" as being
> noctiluc...@sky.com.

That should indicate that you used noctiluc...@sky.com as your
Envelope-from. Was this a concious decision, or did you just
find it to be so? That setting might be obligatory when using
their SMTP server. (For example, it is with my ISP's.)

> Then subscribed to getmail list "from" gmail and other hosted domain
> address
> and welcomed as subscribed as "noctiluc...@sky.com".

I don't know what any of these organisations use to determine the
"subscribed address". Rather than subscribing by sending an email
(which might contain other, confusing addresses) you can usually
find a web page with a subscription box. Typically, the list then
sends an email to the address you typed, as a challenge for you
to respond to, proving that the address is correct and the
subscription desired. If you ignore it, then the subscription
gets cancelled and you can have another go.

> I only know enough about this stuff to get it working and then
> promptly forget.

Yeah—that's not usually a recipe for success.

> Unsure of the etiquette of using other SMTP servers.

Obviously for you to be able to use some random SMTP server, you'd
need some sort of credentials for authorisation/authentication, as
well as being able to connect to the appropriate ports through your
ISP (which is not guaranteed).

If you've logged into some webmail system to read your emails,
it's likely that they use those login credentials to allow you
to send as well (subject to their T).

> This is all using local, not the newest, roundcube for reading/sending.

I've not used roundcube. I take it that "using local" means that
you've got something like apache running on your own machine (rather
than using a web service provided by some website). In which case,
you've probably had to set up some hostnames, ports, and credentials
for your ISP's POP and SMTP servers.

I don't know whether any of this helps with whatever problems you've
been having.

Cheers,
David.

Re: Why use an email client AND sendmail/popa3d - Does this avoid the hijack?

[Joe]

On Wed, 25 Nov 2020 21:57:10 -0600
David Wright  wrote:


> Perhaps the problem is similar to the one I had with this list
> (hence the change I made above). What happened was that my posts'
> Envelope-from (set to the same as my From address above) was being
> changed by my mail hosting service to an address on their outgoing
> mail gateway. AIUI Debian immediately tries to establish an email
> connection to that address on port 25 to verify it exists, but the
> outgoing gateway apparently is not an incoming mail receiver, and
> is not listening on port 25. So Debian rejects the post.
> 

There should/need be no Envelope-From header in an email as sent, it is
inserted by the receiving SMTP server as a copy of the sending address
as used in the SMTP transaction, something which is not a sent header
and that would not otherwise be available to the end recipient.

An SMTP sending server does not need to also receive email. Large
businesses often use separate servers for send and receive, and often
contract out one or both functions to different companies e.g. mass
mailers and spam cleaning services. It should not be assumed that the
MX record for a domain matches its sending address.

What Debian's mail server might well do is to look up the sending
server's HELO/EHLO, sending address and IP address in public DNS, and
refuse or delay emails with missing or incorrect records. Exim4 by
default has rules (thought not enabled by default) for checking these
things with a view to refusing transactions with spammers.

-- 
Joe

Re: Why use an email client AND sendmail/popa3d - Does this avoid the hijack?

[mick crane]

On 2020-11-26 03:57, David Wright wrote:


What sort of rejections and/or bounces have you had?


It showed up that mails to getmail list that uses Exim were refused as 
unsubscribed whereas before was OK.
I "think" I then subscribed with noctiluc...@sky.com which worked for a 
bit but then from list to me bounced.

"Remote host said: 554 5.7.9 Message not accepted for policy reasons"
using Sky/Yahoo SMTP it seems to add "Return-Path:" as being 
noctiluc...@sky.com.
Then subscribed to getmail list "from" gmail and other hosted domain 
address

and welcomed as subscribed as "noctiluc...@sky.com".

I only know enough about this stuff to get it working and then promptly 
forget.

Unsure of the etiquette of using other SMTP servers.
This is all using local, not the newest, roundcube for reading/sending.

cheers mick
--
Key ID4BFEBB31

Re: Why use an email client AND sendmail/popa3d - Does this avoid the hijack?

[David Wright]

On Wed 25 Nov 2020 at 00:08:27 (+), mick crane wrote:
> On 2020-11-23 12:19, Andrei POPESCU wrote:
> > On Lu, 23 nov 20, 14:27:36, Keith Bainbridge wrote:
> > > I was interested to read that Flo, the OP, uses separate mail
> > > collection, sendmail and thunderbird. Some of the replies sound like
> > > this is a common practice.
> > > 
> > > What are the advantages of this set of processes over letting tbird do
> > > it all? - or any other client for that matter?
> > 
> > It makes it easier to switch between different e-mail clients if the
> > sending and/or receiving is handled externally, e.g. one might use a
> > graphical e-mail client in general and a text mode client occasionally.
> > 
> > Such a setup also typically uses standard locations for the storage (as
> > opposed to e-mail client specific), which makes it easier to add more
> > functionality (e.g. serve local e-mail via IMAP) or replace individual
> > components.
> 
> As I can make out if you try to do the useful stuff on your home network
> like having Dovecot doing your mail it is really a bodge if you are
> not advertising those services on the internet.

Apart from any security considerations, you'd need to be running your
server 24/7 if it's going to receive mail from random MTAs across the
globe. We run our modem and routers 24/7 (and my old modem burnt out
recently after 7 years) but I'm not prepared to run my old computers
like that.

> I am I suppose in the domain of Sky who provide my wired connection so
> I use sky/yahoo SMTP server as part of service but they add to
> outgoing email "Reply-Path" being my Sky user account in the headers
> which seems to be confusing exim email lists and results in rejected
> or bounced emails recently.

We only see the accepted emails, of course, and I can see that you
changed something late last year in the way you submit your posts.
I'm not sure why that change would cause rejection or bounces.

I had to make a similar change more recently. Submitting to my ISP
now necessitates using an ISP account as the Envelope-from in order to
authorise a submission (even though the connection has already been
authenticated with the same ISP account *and* password). That works
fine at home, though it's untested when travelling.

> I'd like to sort it out to avoid that if I knew what they were doing.
> I like things as they are when it is working and really, really don't
> want to go the whole hog of advertising email services. I think it is
> some relatively new thing where they are double authenticating or
> something but ideally I don't know why SMTP server does just pass
> message along and not add items to the header except they received it
> and passed it along to the recipient.

Perhaps the problem is similar to the one I had with this list
(hence the change I made above). What happened was that my posts'
Envelope-from (set to the same as my From address above) was being
changed by my mail hosting service to an address on their outgoing
mail gateway. AIUI Debian immediately tries to establish an email
connection to that address on port 25 to verify it exists, but the
outgoing gateway apparently is not an incoming mail receiver, and
is not listening on port 25. So Debian rejects the post.

Hence my change in mail submission for this list, from using my
email hosting service to my ISP instead.

What sort of rejections and/or bounces have you had?

Cheers,
David.

Re: Why use an email client AND sendmail/popa3d

[Celejar]

On Wed, 25 Nov 2020 20:11:29 +
Joe  wrote:

> On Wed, 25 Nov 2020 09:13:03 -0500
> Celejar  wrote:
> 
> > On Wed, 25 Nov 2020 09:03:21 +
> > Joe  wrote:
> > 
> > ...
> > 
> > > proper email client or webmail. I have to admit I use a netbook
> > > while away from home, as I have both "smart"phone and tablet, but
> > > they are extremely limited toys and they are owned by Google. If I
> > > need a mobile computer, then I want a real computer, and one where
> > > I have root access.   
> > 
> > A smartphone running something like LineageOS is not really owned by
> > Google (although there are still the very real problems of binary
> > blobs and the baseband black box stuff). If you get one with an
> > unlocked bootloader, you can have root as well. They're certainly not
> > quite the same thing as a "real" computer, admittedly.
> >
> 
> I'm not really comfortable about downloading a random rooting tool from

Fair points, certainly. But things like LineageOS, TWRP, and Magisk are
not just "random rooting tools" - they are legitimate, well-established
open source projects (although I would concede that they are probably
somewhat less "adult" and responsible than something like the Debian
project we know and love ;))

> the Net, and I have the impression, rightly or wrongly, that writers of
> software for phones and tablets take the same kind of proprietorial
> view of other peoples' devices as writers of Windows software.

Well, that's probably true of developers in the mainstream smartphone
ecosystems, but I don't think it is generally true of the FLOSS
developers for such devices, and particularly not with regard to the
members of sub-communities like F-Droid.

> That's my main objection to using Windows: not so much the OS itself as
> the tendency for writers of software to believe that they own *my*
> computer, and can do what they like with it and with my data.

Certainly.

Celejar

Re: Why use an email client AND sendmail/popa3d

[Joe]

On Wed, 25 Nov 2020 09:13:03 -0500
Celejar  wrote:

> On Wed, 25 Nov 2020 09:03:21 +
> Joe  wrote:
> 
> ...
> 
> > proper email client or webmail. I have to admit I use a netbook
> > while away from home, as I have both "smart"phone and tablet, but
> > they are extremely limited toys and they are owned by Google. If I
> > need a mobile computer, then I want a real computer, and one where
> > I have root access.   
> 
> A smartphone running something like LineageOS is not really owned by
> Google (although there are still the very real problems of binary
> blobs and the baseband black box stuff). If you get one with an
> unlocked bootloader, you can have root as well. They're certainly not
> quite the same thing as a "real" computer, admittedly.
>

I'm not really comfortable about downloading a random rooting tool from
the Net, and I have the impression, rightly or wrongly, that writers of
software for phones and tablets take the same kind of proprietorial
view of other peoples' devices as writers of Windows software.

That's my main objection to using Windows: not so much the OS itself as
the tendency for writers of software to believe that they own *my*
computer, and can do what they like with it and with my data.

-- 
Joe

Re: Why use an email client AND sendmail/popa3d

[David Wright]

On Wed 25 Nov 2020 at 09:30:41 (+1100), Keith Bainbridge wrote:
> On Sun, 22 Nov 2020 23:34:56 -0600  David Wright wrote:
> >>> On Mon 23 Nov 2020 at 14:27:36 (+1100), Keith Bainbridge wrote:
> >>> > So does htis get a new subject in the list?
> 
> Interesting. I'll try it next time I want to use a comment from one
> thread as a separate topic.  BUT I wrote a totally new subject line.
> Surely that is removing 'Re: '

Oops, sorry, my mistake. I was simultaneously replying to several
emails at too late an hour—your subject line was fine.

> I'd appreciate a good explanation if somebody is up to it.

Of why it starts a new thread? Because there are no References and no
In-reply-to, it doesn't get threaded onto an existing thread.

There's an exception where a client threads a message onto any other
one with a similar subject. I remember this often causing problems
20 years ago when someone would send "Lunch?" expecting an immediate
reply, and the recipient's client would thread it to a months-old
duplicate message.

> >>> It would appear so. [snipped the misleading sentence that was here]
> >>>
> >>> > I was interested to read that Flo, the OP, uses separate mail
> >>> > collection, sendmail and thunderbird. Some of the replies sound
> >>> > like this is a common practice.
> >>> >
> >>> > What are the advantages of this set of processes over letting
> >>> > tbird do it all? - or any other client for that matter?
> >>>
> >>> Disadvantages of using your email client to send might include:
> >>> . sending is relatively instant as the client is dispatching
> >>>   it to the same machine, not the remote smarthost,
> 
> So I wouldn't get the message saying the note is being sent by the
> client - because that bit is 'instantaneous' by being local.

I must have been half-asleep: that's poorly expressed.
Each bullet point is meant to be an advantage of using an MTA,
and a disadvantage of sending direct from client to smarthost.

So bullet point 1 ought to say:
  . sending [via an MTA]  is relatively instant as the client is dispatching
it [the email] to the [MTA, running on the] same machine, not the remote 
smarthost,

What you would observe in the two cases is (using mutt as an example):

  With an MTA, the email is transferred almost immediately to the MTA
  running on the same machine, and the client says "Mail sent".

  With sending direct, some messages will flicker by as communication
  is established with the smarthost; with large emails, there'll be a
  pause while the file is transferred; then a couple more messages and
  finally "Mail sent". On this computer, the mutt debug logs show that
  sending a trivial email takes between 2 and 7 seconds, mostly
  related to starting up the connection.

  My transfer speeds (by cable) are very good nowadays. A decade ago
  in the UK, with several miles to the exchange going over copper,
  speeds were fairly dire (until FTTC arrived). Large attachments
  could take a while to get out.

> >>> . exim will retry sending if your smarthost is busy/unavailable,
> 
> OK. I have had instances of the 'sending' notice being there when I
> come back after lunch.
> 
> >>> . it keeps logs,
> 
> Fair enough
> 
> >>> . it send emails on behalf of other processes, like cron jobs,
> >>>   where your client is not involved.
> 
> Is that why email from cron doesn't happen sometimes, then magically
> happens.

I would hesitate to guess without more information.

> >>> I don't collect emails in Flo's sense, as I use IMAP rather than
> >>> POP. So my INBOX is merely mutt's cache of individual emails,
> >>> rather than a live mailfile. The actual server is somewhere around
> >>> Manchester/Stockport.
> 
> I prefer imap as I check mail on 3 devices, but it's become too slow to
> be workable, recently.   I do check back occasionally to see if the
> connection to Germany is getting better. It is 20,000Km I suppose.

That beats my 7000km (over a very fat pipe).

IMAP is designed to be interactive, and fetch each email when you ask
for it. But you can cheat. One way with mutt is to use "search in
message bodies" for some "impossible" string (like a long random one),
and then go and make the coffee. The client is forced to fetch and
cache all the unread emails while searching for the string. When you
return, you'll be able to read new messages instantaneously because
they're already cached.

> I had this thought as I completed that last sentence: should I use my
> ISP as a collection point for my many addresses?

Personally, I prefer to keep my email hosting separate from my ISP.
It's one less complication when travelling, changing service provider,
or moving home or job.

> Thanks for a thought provoking response.   I'll be contemplating this
> for a bit yet.

I hope I was a bit clearer.

Cheers,
David.

Re: Why use an email client AND sendmail/popa3d

[Celejar]

On Wed, 25 Nov 2020 09:03:21 +
Joe  wrote:

...

> proper email client or webmail. I have to admit I use a netbook while
> away from home, as I have both "smart"phone and tablet, but they are
> extremely limited toys and they are owned by Google. If I need a mobile
> computer, then I want a real computer, and one where I have root
> access. 

A smartphone running something like LineageOS is not really owned by
Google (although there are still the very real problems of binary blobs
and the baseband black box stuff). If you get one with an unlocked
bootloader, you can have root as well. They're certainly not quite the
same thing as a "real" computer, admittedly.

Celejar

Re: Why use an email client AND sendmail/popa3d

[Greg Wooledge]

On Wed, Nov 25, 2020 at 09:30:41AM +1100, Keith Bainbridge wrote:
> On Sun, 22 Nov 2020 23:34:56 -0600  David Wright
>  wrote:
> 
> >>> On Mon 23 Nov 2020 at 14:27:36 (+1100), Keith Bainbridge wrote:
> >>> > So does htis get a new subject in the list?
> 
> Interesting. I'll try it next time I want to use a comment from one
> thread as a separate topic.  BUT I wrote a totally new subject line.
> Surely that is removing 'Re: '

It's not the Subject: header that matters for thread construction.(*)
It's the In-Reply-To: header, which contains the Message-ID:s of your
parent message(s).

A sufficiently advanced email client (MUA) takes all the messages,
with all of their unique Message-ID:s, and all of their In-Reply-To:
headers, and constructs a tree in memory, with all of the parent/child
relationships laid out explicitly.  Then it presents this tree
structure to you, however it was programmed to do.

(*) Unless you're using Microsoft Outlook or other similar crap.

Re: Why use an email client AND sendmail/popa3d - Does this avoid the hijack?

[Joe]

On Wed, 25 Nov 2020 00:08:27 +
mick crane  wrote:

> On 2020-11-23 12:19, Andrei POPESCU wrote:
> > On Lu, 23 nov 20, 14:27:36, Keith Bainbridge wrote:  
> >> So does htis get a new subject in the list?
> >> 
> >> Good afternon All
> >> 
> >> I was interested to read that Flo, the OP, uses separate mail
> >> collection, sendmail and thunderbird. Some of the replies sound
> >> like this is a common practice.
> >> 
> >> What are the advantages of this set of processes over letting
> >> tbird do it all? - or any other client for that matter?  
> > 
> > It makes it easier to switch between different e-mail clients if the
> > sending and/or receiving is handled externally, e.g. one might use a
> > graphical e-mail client in general and a text mode client
> > occasionally.
> > 
> > Such a setup also typically uses standard locations for the storage
> > (as opposed to e-mail client specific), which makes it easier to
> > add more functionality (e.g. serve local e-mail via IMAP) or
> > replace individual components.  
> 
> As I can make out if you try to do the useful stuff on your home
> network like having Dovecot doing your mail it is really a bodge if
> you are not advertising those services on the internet.

As I've posted elsewhere, I run my own servers and don't open the email
ports to the world (other than SMTP). I use ssh with port forwarding to
reach email from outside, or occasionally OpenVPN.

> I am I suppose in the domain of Sky who provide my wired connection
> so I use sky/yahoo SMTP server as part of service but they add to
> outgoing email "Reply-Path" being my Sky user account in the headers
> which seems to be confusing exim email lists and results in rejected
> or bounced emails recently.
> I'd like to sort it out to avoid that if I knew what they were doing.
> I like things as they are when it is working and really, really don't
> want to go the whole hog of advertising email services. I think it is
> some relatively new thing where they are double authenticating or
> something but ideally I don't know why SMTP server does just pass
> message along and not add items to the header except they received it
> and passed it along to the recipient.

As it happens outside your control, there's not a lot you can do about
it other than hire an email service that is fairly professional i.e.
not a domestic service whose primary client base is children (of all
ages). A lot of domestic providers insist that you send using one of
their email addresses, which doesn't suit everyone. I lease a few
domains and I expect to use them for my email addresses.

-- 
Joe

Re: Why use an email client AND sendmail/popa3d

[Joe]

On Wed, 25 Nov 2020 09:30:49 +1100
Keith Bainbridge  wrote:


> 
> I like the idea of a local imap server. I have a RPi that will do the
> job, sitting ready and waiting.  How easy is it to get phone/tablet to
> connect while I'm away? though.  A good URI would be an excellent
> answer.
> 

Less so than with an external email provider.

I prefer not to open email collection ports to the Net, so I use ssh
with keys and port forwarding, on a non-standard port to keep the logs
cleaner. I forward both web and the email ports, so I can either use a
proper email client or webmail. I have to admit I use a netbook while
away from home, as I have both "smart"phone and tablet, but they are
extremely limited toys and they are owned by Google. If I need a mobile
computer, then I want a real computer, and one where I have root
access. 

I'm in the process of building a couple of RPi servers to replace my
HP microserver, and the mail server seems to be running OK. I have
exim4 as the MTA, dovecot for IMAP and Roundcube for webmail. Roundcube
requires an SQL database, and I'm running MariaDB for other reasons, and
it's happy with that. It's also running bind9, as I'm sending and
receiving email directly and need a good local DNS service.

-- 
Joe

Re: Why use an email client AND sendmail/popa3d - Does this avoid the hijack?

[mick crane]

On 2020-11-23 12:19, Andrei POPESCU wrote:

On Lu, 23 nov 20, 14:27:36, Keith Bainbridge wrote:

So does htis get a new subject in the list?

Good afternon All

I was interested to read that Flo, the OP, uses separate mail
collection, sendmail and thunderbird. Some of the replies sound like
this is a common practice.

What are the advantages of this set of processes over letting tbird do
it all? - or any other client for that matter?


It makes it easier to switch between different e-mail clients if the
sending and/or receiving is handled externally, e.g. one might use a
graphical e-mail client in general and a text mode client occasionally.

Such a setup also typically uses standard locations for the storage (as
opposed to e-mail client specific), which makes it easier to add more
functionality (e.g. serve local e-mail via IMAP) or replace individual
components.


As I can make out if you try to do the useful stuff on your home network
like having Dovecot doing your mail it is really a bodge if you are not 
advertising those services on the internet.
I am I suppose in the domain of Sky who provide my wired connection so I 
use sky/yahoo SMTP server as part of service but they add to outgoing 
email "Reply-Path" being my Sky user account in the headers which seems 
to be confusing exim email lists and results in rejected or bounced 
emails recently.
I'd like to sort it out to avoid that if I knew what they were doing. I 
like things as they are when it is working and really, really don't want 
to go the whole hog of advertising email services. I think it is some 
relatively new thing where they are double authenticating or something 
but ideally I don't know why SMTP server does just pass message along 
and not add items to the header except they received it and passed it 
along to the recipient.


mick
--
Key ID4BFEBB31

Re: Why use an email client AND sendmail/popa3d

[Keith Bainbridge]

On Mon, 23 Nov 2020 09:50:34 -0600  John Hasler 
wrote:

>>  I use Fetchmail to fetch my mail every five minutes from Newsguy.
>> This means that my mail is never on anyone else's server for more
>> than a few minutes.  Fetchmail hands it off to Exim which passes it
>> through Mailagent and Spamassassin and then delivers it to my
>> inbox.  Outgoing mail is delivered to Newsguy by Exim running in
>> smarthost mode (one of the menu choices when installing Exim).  Mail
>> to my domains is forwarded to Newsguy.  I get most of the benefits
>> of running my own email server without having to administer an
>> Internet-facing server.  I have full control of filtering and
>> sorting, can use any MUA, and needn't have a connection up to read
>> or send mail.  Messages I compose while the link is down go out when
>> it comes up.  All my saved mail is right here on my machine where I
>> can look through it at will but no one else can. -- 
>>  John Hasler 
>>  jhas...@newsguy.com
>>  Elmwood, WI USA
>>  

Thanks John. For what it is worth, this has just arrived on my laptop;
I saw it on my phone about 4 hours ago, and have been eagerly awaiting
it.  You might have recognised my reference to it about an hour ago.
But re-reading it, I see I over stated the number of processes you use.

Having used gmail & imap for 15 years, I figure I am way past trying to
prevent prying eyes. I have also 'mislaid' my mail here so often, that
I rely on the server much more than I should. I know that is BAD, and
we lost several weeks of mail off gmail earlier this year, but

I'll give it a go though, as it sounds like reinstating backed up mail
is easier for when I do loose something. Will I get to leaving nothing
out there?   

Can you point me to a simple how-to, please. As I said to another
response, a good URI is an excellent answer.

Next, what is the most efficient way to search 20,000 plus files for a
string of text, especially when the string may omit an adjective?


Thanks again,
From the other side of the Pacific.


Now where has your reply been hiding?


--

Keith Bainbridge

keith.bainbridge.3...@gmx.com
ke1thozgro...@gmx.com

Re: Why use an email client AND sendmail/popa3d

[Keith Bainbridge]

On Mon, 23 Nov 2020 14:19:16 +0200  Andrei POPESCU
 wrote:

>>> On Lu, 23 nov 20, 14:27:36, Keith Bainbridge wrote:
>>> > So does htis get a new subject in the list?
>>> >
>>> > Good afternon All
>>> >
>>> > I was interested to read that Flo, the OP, uses separate mail
>>> > collection, sendmail and thunderbird. Some of the replies sound
>>> > like this is a common practice.
>>> >
>>> > What are the advantages of this set of processes over letting
>>> > tbird do it all? - or any other client for that matter?
>>>
>>> It makes it easier to switch between different e-mail clients if
>>> the sending and/or receiving is handled externally, e.g. one might
>>> use a graphical e-mail client in general and a text mode client
>>> occasionally.
>>>
>>> Such a setup also typically uses standard locations for the storage
>>> (as opposed to e-mail client specific), which makes it easier to
>>> add more functionality (e.g. serve local e-mail via IMAP) or
>>> replace individual components.
>>>
>>> Kind regards,
>>> Andrei
>>> --
>>> http://wiki.debian.org/FAQsFromDebianUser

Thanks for your reply. I have been contemplating

I have switched email client often in the past, less so lately.

I like the idea of a local imap server. I have a RPi that will do the
job, sitting ready and waiting.  How easy is it to get phone/tablet to
connect while I'm away? though.  A good URI would be an excellent
answer.

Thanks again for replying.

--

Keith Bainbridge

keith.bainbridge.3...@gmx.com
ke1thozgro...@gmx.com

Re: Why use an email client AND sendmail/popa3d

[Keith Bainbridge]

On Sun, 22 Nov 2020 23:34:56 -0600  David Wright
 wrote:

>>> On Mon 23 Nov 2020 at 14:27:36 (+1100), Keith Bainbridge wrote:
>>> > So does htis get a new subject in the list?

Interesting. I'll try it next time I want to use a comment from one
thread as a separate topic.  BUT I wrote a totally new subject line.
Surely that is removing 'Re: '

I'd appreciate a good explanation if somebody is up to it.

>>>
>>> It would appear so. I guess you could also have removed the Re:
>>> from the subject line.
>>>
>>> > I was interested to read that Flo, the OP, uses separate mail
>>> > collection, sendmail and thunderbird. Some of the replies sound
>>> > like this is a common practice.
>>> >
>>> > What are the advantages of this set of processes over letting
>>> > tbird do it all? - or any other client for that matter?
>>>
>>> Disadvantages of using your email client to send might include:
>>> . sending is relatively instant as the client is dispatching
>>>   it to the same machine, not the remote smarthost,

So I wouldn't get the message saying the note is being sent by the
client - because that bit is 'instantaneous' by being local.

>>> . exim will retry sending if your smarthost is busy/unavailable,

OK. I have had instances of the 'sending' notice being there when I
come back after lunch.

>>> . it keeps logs,

Fair enough

>>> . it send emails on behalf of other processes, like cron jobs,
>>>   where your client is not involved.

Is that why email from cron doesn't happen sometimes, then magically
happens.

>>>
>>> I don't collect emails in Flo's sense, as I use IMAP rather than
>>> POP. So my INBOX is merely mutt's cache of individual emails,
>>> rather than a live mailfile. The actual server is somewhere around
>>> Manchester/Stockport.

I prefer imap as I check mail on 3 devices, but it's become too slow to
be workable, recently.   I do check back occasionally to see if the
connection to Germany is getting better. It is 20,000Km I suppose.

I had this thought as I completed that last sentence: should I use my
ISP as a collection point for my many addresses?


Thanks for a thought provoking response.   I'll be contemplating this
for a bit yet.

--

Keith Bainbridge

keith.bainbridge.3...@gmx.com
ke1thozgro...@gmx.com

Re: Why use an email client AND sendmail/popa3d - Does this avoid the hijack?

[John Hasler]

I use Fetchmail to fetch my mail every five minutes from Newsguy.  This
means that my mail is never on anyone else's server for more than a few
minutes.  Fetchmail hands it off to Exim which passes it through
Mailagent and Spamassassin and then delivers it to my inbox.  Outgoing
mail is delivered to Newsguy by Exim running in smarthost mode (one of
the menu choices when installing Exim).  Mail to my domains is forwarded
to Newsguy.  I get most of the benefits of running my own email server
without having to administer an Internet-facing server.  I have full
control of filtering and sorting, can use any MUA, and needn't have a
connection up to read or send mail.  Messages I compose while the link
is down go out when it comes up.  All my saved mail is right here on my
machine where I can look through it at will but no one else can.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA

Re: Why use an email client AND sendmail/popa3d - Does this avoid the hijack?

[Andrei POPESCU]

On Lu, 23 nov 20, 14:27:36, Keith Bainbridge wrote:
> So does htis get a new subject in the list?
> 
> Good afternon All
> 
> I was interested to read that Flo, the OP, uses separate mail
> collection, sendmail and thunderbird. Some of the replies sound like
> this is a common practice.
> 
> What are the advantages of this set of processes over letting tbird do
> it all? - or any other client for that matter?

It makes it easier to switch between different e-mail clients if the 
sending and/or receiving is handled externally, e.g. one might use a 
graphical e-mail client in general and a text mode client occasionally.

Such a setup also typically uses standard locations for the storage (as 
opposed to e-mail client specific), which makes it easier to add more 
functionality (e.g. serve local e-mail via IMAP) or replace individual 
components.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser


signature.asc
Description: PGP signature

Re: Why use an email client AND sendmail/popa3d - trying to NOT hijack

[The Wanderer]

On 2020-11-23 at 05:43, Joe wrote:

> On Mon, 23 Nov 2020 13:21:25 +1100 Keith Bainbridge
>  wrote:

>> PS  Am I wrong to avoid 'everyting in 1 file' where possible (mail
>> dir rather than mbox in this case)? OK this is probably a whole
>> separate topic.
> 
> As I've posted elsewhere, I have about 3GB of email. I would not
> consider putting that in one file.

Speaking as a user of Thunderbird, I have ~20GB of E-mail (including
archives which date back well over a decade if not further), split
across a few accounts plus the "Local Folders" non-account.

It's divided into a total of 422 different mail-client-displayed
"folders" (although some of them are parent-folder only, they don't
contain actual messages), each of which is stored as a single file (not
mbox or similar, but the internal "Mork" database format, which as I
understand matters even Thunderbird may now be moving away from).

That averages out to ~47MB per file. After discounting the
otherwise-empty parent folders, the realistic figure is actually
probably somewhere in the 100MB-200MB range. When a given mailing list's
folder gets too large for my taste (or large enough that I start to
notice delays reading or writing that folder), I create a separate
"archive" folders for it by year, and move previous years' mail from
that folder into those per-year archive folders; this tends to happen
when the folder's contents reach somewhere between 10,000 and 20,000
messages.

This isn't necessarily a particularly ideal way of handling things, but
it's worked well for me thus far.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw



signature.asc
Description: OpenPGP digital signature

Re: Why use an email client AND sendmail/popa3d - trying to NOT hijack

[Joe]

On Mon, 23 Nov 2020 13:21:25 +1100
Keith Bainbridge  wrote:

> Good afternon All
> 
> I was interested to read that Flo, the OP, uses separate mail
> collection, sendmail and thunderbird. Some of the replies sound like
> this is a common practice.
> 
> What are the advantages of this set of processes over letting tbird do
> it all? - or any other client for that matter?

As far as I know, TB isn't an MTA, it can send email only as a client
to an MTA somewhere else. So it's not doing it all.

A lot depends how you want to send and receive emails. If you're using
an external email service, you can get away with just an email client,
or even use webmail. If you're sending and receiving yourself, you'll
need an MTA and an email distribution method such as POP3 or IMAP, as
well as clients on any devices you have. If you're also collecting
email from an external service, you'll need an email collector such as
fetchmail or procmail, to keep all email centrally stored. 
> 
> Would it save me from my fairly regular 'can't find profile' errors?
> 
> Thanks

Don't know, I gave up TB for Claws-mail long ago, TB was just too
painfully slow.

> 
> PS  Am I wrong to avoid 'everyting in 1 file' where possible (mail dir
> rather than mbox in this case)? OK this is probably a whole separate
> topic.

As I've posted elsewhere, I have about 3GB of email. I would not
consider putting that in one file.

-- 
Joe

Re: Why use an email client AND sendmail/popa3d - Does this avoid the hijack?

[David Wright]

On Mon 23 Nov 2020 at 14:27:36 (+1100), Keith Bainbridge wrote:
> So does htis get a new subject in the list?

It would appear so. I guess you could also have removed the Re:
from the subject line.

> I was interested to read that Flo, the OP, uses separate mail
> collection, sendmail and thunderbird. Some of the replies sound like
> this is a common practice.
> 
> What are the advantages of this set of processes over letting tbird do
> it all? - or any other client for that matter?

Disadvantages of using your email client to send might include:
. sending is relatively instant as the client is dispatching
  it to the same machine, not the remote smarthost,
. exim will retry sending if your smarthost is busy/unavailable,
. it keeps logs,
. it send emails on behalf of other processes, like cron jobs,
  where your client is not involved.

I don't collect emails in Flo's sense, as I use IMAP rather than POP.
So my INBOX is merely mutt's cache of individual emails, rather than a
live mailfile. The actual server is somewhere around Manchester/Stockport.

> Would it save me from my fairly regular 'can't find profile' errors?

I don't use TB, which is where I assume you're getting those from.

Cheers,
David.

Why use an email client AND sendmail/popa3d - Does this avoid the hijack?

[Keith Bainbridge]

So does htis get a new subject in the list?

Good afternon All

I was interested to read that Flo, the OP, uses separate mail
collection, sendmail and thunderbird. Some of the replies sound like
this is a common practice.

What are the advantages of this set of processes over letting tbird do
it all? - or any other client for that matter?

Would it save me from my fairly regular 'can't find profile' errors?


Original post:
 Subject:   Problem with /var/mail file > 2GB with pop3
Resent-Date:Thu, 19 Nov 2020 21:52:35 + (UTC)
Resent-From:debian-user@lists.debian.org
Date:   Thu, 19 Nov 2020 22:42:53 +0100
From:   Flo 
To: debian-user@lists.debian.org


I am using Debian Buster, Thunderbird, Sendmail and popa3d to get emails.

The mail files for each account are stored at /var/mail. No it has come
to that point that such a file exceeded 2GB. And 'Get Messages' doesn't
work anymore.

Does anyone know about this issue? Any hints to solve it? I could try a
different pop3 server?

Any help is appreciated.

Thanks,
Flo


--
Keith Bainbridge

ke1thozgro...@gmx.com

Why use an email client AND sendmail/popa3d - trying to NOT hijack

[Keith Bainbridge]

Good afternon All

I was interested to read that Flo, the OP, uses separate mail
collection, sendmail and thunderbird. Some of the replies sound like
this is a common practice.

What are the advantages of this set of processes over letting tbird do
it all? - or any other client for that matter?

Would it save me from my fairly regular 'can't find profile' errors?

Thanks

PS  Am I wrong to avoid 'everyting in 1 file' where possible (mail dir
rather than mbox in this case)? OK this is probably a whole separate topic.

--
Keith Bainbridge

ke1thozgro...@gmx.com




 Forwarded Message 
Subject:Problem with /var/mail file > 2GB with pop3
Resent-Date:Thu, 19 Nov 2020 21:52:35 + (UTC)
Resent-From:debian-user@lists.debian.org
Date:   Thu, 19 Nov 2020 22:42:53 +0100
From:   Flo 
To: debian-user@lists.debian.org



Hi All,

I am using Debian Buster, Thunderbird, Sendmail and popa3d to get emails.


Any help is appreciated.

Thanks,
Flo

Re: use mailx instead of sendmail in apt-listchanges

[Martin T]

Dan,

> You could do the wrapper, or you could install nullmailer, which
> is an extremely simple MTA that always hands off mail to a
> relayhost (i.e. somebody else's problem).

I ended up with a following wrapper:

$ cat /usr/sbin/sendmail
#!/usr/bin/env bash

# As header fields are at the top of the message, then following substitutions
# should work reliably.
sed '0,/^Subject: =?utf-8?q?apt-listchanges=3A_changelogs_for_vps?=$/
s//Subject: apt-listchanges: changelogs for vps/' | \
sed '0,/^From: root$/ s//From: nore...@example.com (VPS)/' | \
recode -f /qp | \
/usr/bin/mailx -t
$


Andrew,

I guess it works for you because bsd-mailx depends on virtual packet
mail-transport-agent.


regards,
Martin

Re: use mailx instead of sendmail in apt-listchanges

[Andrew McGlashan]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

On 3/6/19 5:40 am, Martin T wrote:
> What could be the most elegant workaround in this situation? Create
> a /usr/sbin/sendmail wrapper script which processes the 
> "/usr/sbin/sendmail -oi -t" command called by apt_listchanges.py
> and sends the mail using mailx? Modify the apt_listchanges.py?
> Something else?

This is what I use on Devuan (and Debian previously):

# aptitude show bsd-mailx;echo;dpkg -L bsd-mailx;ls -lart
/etc/alternatives/mailx
Tue  4 Jun 04:27:41 AEST 2019 -- show bsd-mailx
Package: bsd-mailx
Version: 8.1.2-0.20160123cvs-4
State: installed
Automatically installed: no
Priority: optional
Section: mail
Maintainer: Robert Luberda 
Architecture: amd64
Uncompressed Size: 169 k
Depends: base-files (>= 2.2.0), default-mta | mail-transport-agent,
libbsd0 (>= 0.2.0), libc6 (>= 2.17), liblockfile1 (>= 1.0)
Provides: mail-reader, mailx
Description: simple mail user agent

Tags: implemented-in::c, interface::commandline, mail::smtp,
mail::user-agent, network::client, protocol::smtp, role::program,
suite::bsd, works-with::mail


/.
/etc
/etc/mail.rc
/usr
/usr/bin
/usr/bin/bsd-mailx
/usr/share
/usr/share/bsd-mailx
/usr/share/bsd-mailx/mail.help
/usr/share/bsd-mailx/mail.tildehelp
/usr/share/doc
/usr/share/doc/bsd-mailx
/usr/share/doc/bsd-mailx/NEWS.Debian.gz
/usr/share/doc/bsd-mailx/README.Debian.gz
/usr/share/doc/bsd-mailx/changelog.Debian.gz
/usr/share/doc/bsd-mailx/changelog.gz
/usr/share/doc/bsd-mailx/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/bsd-mailx.1.gz
lrwxrwxrwx 1 root root 18 May 15 10:52 /etc/alternatives/mailx ->
/usr/bin/bsd-mailx


Cheers
AndrewM
-BEGIN PGP SIGNATURE-

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXPVnCwAKCRCoFmvLt+/i
+5WiAP95KtncIG+nJcrLpweSq47/iSUsJRBws37hlWXPABcgEQD/QljjehIDKdmj
NNQ1AyTcUX5A6kdWmPMTyuTEwv0kNBQ=
=AVBN
-END PGP SIGNATURE-

Re: use mailx instead of sendmail in apt-listchanges

[Dan Ritter]

Martin T wrote: 
> Hi,
> 
> I have apt-listchanges installed and registered in apt system:
> 
> # apt-config dump | grep apt-listchanges
> DPkg::Pre-Install-Pkgs:: "/usr/bin/apt-listchanges --apt || test $? -lt 10";
> DPkg::Tools::Options::/usr/bin/apt-listchanges "";
> DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";
> DPkg::Tools::Options::/usr/bin/apt-listchanges::InfoFD "20";
> #
> 
> "frontend" in /etc/apt/listchanges.conf is set to "mail" and valid
> e-mail address is set with "email_address" configuration option. Now
> when I upgrade a package which has NEWS/changelog present, then I get
> the "apt-listchanges: The mail frontend needs an installed 'sendmail',
> using pager" error message. This is because I don't have
> /usr/sbin/sendmail binary installed. I prefer to use mail/mailx and an
> external MTA.
> 
> What could be the most elegant workaround in this situation? Create a
> /usr/sbin/sendmail wrapper script which processes the
> "/usr/sbin/sendmail -oi -t" command called by apt_listchanges.py and
> sends the mail using mailx? Modify the apt_listchanges.py? Something
> else?

You could do the wrapper, or you could install nullmailer, which
is an extremely simple MTA that always hands off mail to a
relayhost (i.e. somebody else's problem).

Modifying apt_listchanges.py would require you to keep
maintaining the changes forever.

-dsr-

use mailx instead of sendmail in apt-listchanges

[Martin T]

Hi,

I have apt-listchanges installed and registered in apt system:

# apt-config dump | grep apt-listchanges
DPkg::Pre-Install-Pkgs:: "/usr/bin/apt-listchanges --apt || test $? -lt 10";
DPkg::Tools::Options::/usr/bin/apt-listchanges "";
DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";
DPkg::Tools::Options::/usr/bin/apt-listchanges::InfoFD "20";
#

"frontend" in /etc/apt/listchanges.conf is set to "mail" and valid
e-mail address is set with "email_address" configuration option. Now
when I upgrade a package which has NEWS/changelog present, then I get
the "apt-listchanges: The mail frontend needs an installed 'sendmail',
using pager" error message. This is because I don't have
/usr/sbin/sendmail binary installed. I prefer to use mail/mailx and an
external MTA.

What could be the most elegant workaround in this situation? Create a
/usr/sbin/sendmail wrapper script which processes the
"/usr/sbin/sendmail -oi -t" command called by apt_listchanges.py and
sends the mail using mailx? Modify the apt_listchanges.py? Something
else?


thanks,
Martin

Re: Sendmail et DSN 4.7.0

[BERTRAND Joël]

Ce n'est pas n'importe quoi comme réponses...

Trois "relay=hotmail-com.olc.protection.outlook.com., dsn=4.0.0, 
stat=Deferred" sont toujours suivis par un message DSN complet 
"relay=hotmail-com.olc.protection.outlook.com. [104.47.34.33], 
dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed."


Et ça boucle comme ça. Trois incomplets suivis par un complet...

Re: Sendmail et DSN 4.7.0

[BERTRAND Joël]

Bon, bon, bon... C'est plus grave que ça. Le patch semble fonctionner. 
En revanche, les codes d'erreur sont tronqués aléatoirement. Sur le même 
message envoyé à un MX en échec, j'ai aléatoirement dans mes logs :


Nov  5 18:00:13 rayleigh sm-mta[31991]: wA5GxrK0031751: to=<...>, 
delay=00:00:19, xdelay=00:00:02, mailer=esmtp, pri=61468, 
relay=mx3.gmf.fr. [195.101.194.3], dsn=4.0.0, stat=Deferred: 403 4.7.0 
TLS handshake failed.
Nov  5 18:09:25 rayleigh sm-mta[7414]: wA5GxrK0031751: 
to=, delay=00:09:31, xdelay=00:00:00, mailer=esmtp, 
pri=151468, relay=mx3.gmf.fr., dsn=4.0.0, stat=Deferred
Nov  5 18:14:50 rayleigh sm-mta[11345]: wA5GxrK0031751: 
to=, delay=00:14:56, xdelay=00:00:00, mailer=esmtp, 
pri=241468, relay=mx3.gmf.fr., dsn=4.0.0, stat=Deferred
Nov  5 18:24:50 rayleigh sm-mta[18795]: wA5GxrK0031751: 
to=, delay=00:24:56, xdelay=00:00:00, mailer=esmtp, 
pri=331468, relay=mx3.gmf.fr., dsn=4.0.0, stat=Deferred
Nov  5 18:25:29 rayleigh sm-mta[20104]: wA5GxrK0031751: 
to=, delay=00:25:35, xdelay=00:00:00, mailer=esmtp, 
pri=421468, relay=mx3.gmf.fr., dsn=4.0.0, stat=Deferred


	Ainsi, lors de la première tentative, le code de retour est bon. Lors 
des tentatives suivantes, le message est tronqué. Il peut tout de même 
apparaître en entier de temps en temps.


Suis-je le seul à observer ce genre de chose ?

Sendmail et DSN 4.7.0

[BERTRAND Joël]

   Bonjour à tous,

   J'utilise depuis des années un patch à sendmail pour envoyer des 
mails à des serveurs avec une configuration TLS foireuse.


Ce patch est le suivant :

diff -ruN sendmail-8.15.2-/cf/feature/tls_failures.m4 
sendmail-8.15.2/cf/feature
--- sendmail-8.15.2-/cf/feature/tls_failures.m4 1969-12-31 
16:00:00.0 -0
+++ sendmail-8.15.2/cf/feature/tls_failures.m4  2015-07-22 
20:42:56.0 -0

@@ -0,0 +1,17 @@
+divert(-1)
+#
+# Copyright (c) 2015 Proofpoint, Inc. and its suppliers.
+#  All rights reserved.
+#
+# By using this file, you agree to the terms and conditions set
+# forth in the LICENSE file which can be found at the top level of
+# the sendmail distribution.
+#
+#
+
+define(`_TLS_FAILURES_', `1')dnl
+define(`_NEED_MACRO_MAP_', `1')dnl
+define(`_TLS_FAILURES_CNT_', ifelse(len(X`'_ARG_),`1',`5',_ARG_)))dnl
+
+LOCAL_CONFIG
+C{persistentMacros}{saved_verify}
diff -ruN sendmail-8.15.2-/cf/m4/proto.m4 sendmail-8.15.2/cf/m4/proto.m4
--- sendmail-8.15.2-/cf/m4/proto.m4 2015-05-22 06:42:27.0 -0700
+++ sendmail-8.15.2/cf/m4/proto.m4  2015-07-22 20:39:48.0 -0700
@@ -2686,7 +2686,11 @@
 R$*$: $>D <$&{server_name}>   <>
 R$* $: $>A <$&{server_addr}>   <>
 R$* $: <$(access TLS_TRY_TAG`'_TAG_DELIM_ $: ? $)>
-R$* $@ OK
+ifdef(`_TLS_FAILURES_', `dnl
+R$* $:  $&{saved_verify} $| $(arith l $@ 
`'_TLS_F
+R SOFTWARE $| TRUE $| $*$#error $@ 5.7.1 $: "550 do not try TLS 
with " $
+R PROTOCOL $| TRUE $| $*$#error $@ 5.7.1 $: "550 do not try TLS 
with " $

+R$* $@ OK
 ifdef(`_ATMPF_', `dnl tempfail?
 R<$* _ATMPF_>$*$#error $@ 4.3.0 $: "451 Temporary system 
failure. Pleas
 R$*$#error $@ 5.7.1 $: "550 do not try TLS with " 
$&{server

@@ -2769,6 +2773,8 @@
 R$*$: $1 $| $>"Local_tls_server" $1
 R$* $| $#$*$#$2
 R$* $| $*  $: $1', `dnl')
+ifdef(`_TLS_FAILURES_',`dnl
+R$*$: $(macro {saved_verify} $@ $1 $) $1')
 ifdef(`_ACCESS_TABLE_', `dnl
 dnl store name of other side
 R$*$: $(macro {TLS_Name} $@ $&{server_name} $) $1

Jusqu'ici, ça fonctionnait très bien. Rien à dire. J'ai fait 
une mise à jour de mon servuer de mail (debian/testing). Cela m'a mis à

jour sendmail (8.15.2-12). J'ai appliqué à nouveau le patch et... ça
ne fonctionne plus.

J'essaye donc de creuser, mais sans succès. Je n'arrive déjà 
pas à trouver la map macro. Où se trouve-t-elle ? Et comment débugguer la

chose ?

Bien cordialement,

JKB

Re: Cannot Install/Uninstall sendmail

[Erik Christiansen]

On 29.08.18 11:57, Jonathan Dowland wrote:
> However both sendmail and update-inetd are orphaned at the moment (no
> regular maintainers, although Andreas Beckmann has done a lot of work
> via the QA team)

After favouring sendmail for a decade and a half, I thought I was slow
to switch to postfix around 15 years ago when sendmail was already
showing signs of age, such as security issues, IIRC. That anyone would
use it today is quite a surprise.

Postfix has a nice set of sendmail compatibility functions, and the list
is very helpful. From the manpage:

   mailq(1), Sendmail compatibility interface
   newaliases(1), Sendmail compatibility interface
   sendmail(1), Sendmail compatibility interface

Erik

Re: Cannot Install/Uninstall sendmail

[Jonathan Dowland]

On Tue, Aug 28, 2018 at 10:42:01AM -0400, Luis Finotti wrote:

Thanks for the pointer!   sendmail-base.prerm had the line:

update-inetd --group MAIL --disable smtp,smtps,submission;

and I was getting the error

update-inetd: error: --group is only relevant with --add


This would appear to be a bug[1] in the sendmail package, which, if you
have the time, might be worth reporting[2]. However both sendmail and
update-inetd are orphaned at the moment (no regular maintainers,
although Andreas Beckmann has done a lot of work via the QA team)

[1] 
https://salsa.debian.org/debian/sendmail/blob/master/debian/sendmail-base.prerm.in
[2] https://www.debian.org/Bugs/Reporting

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.

Re: Cannot Install/Uninstall sendmail

[Cindy-Sue Causey]

On 8/28/18, Luis Finotti  wrote:
> On Tue, Aug 28, 2018 at 9:41 AM David Wright 
> wrote:
>
>> On Tue 28 Aug 2018 at 09:14:36 (-0400), Luis Finotti wrote:
>> > # apt remove sendemail
>>
>> Oops.
>>
>> > Reading package lists... Done
>> > Building dependency tree
>> > Reading state information... Done
>> > Package 'sendemail' is not installed, so not removed
>> > 0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
>> > 1 not fully installed or removed.
>> > After this operation, 0 B of additional disk space will be used.
>> > Setting up sendmail-base (8.15.2-11) ...
>>
>> sendmail-base is what you should be trying to remove.
>> And you should be using dpkg directly, not messing around with apt.
>> As you can see, you asked apt to remove something and it tries to
>> configure something instead. If you're going to use sid or a
>> sid lookalike, you're going to have to use the appropriate tools.
>>
>> > dpkg: error processing package sendmail-base (--configure):
>> >  installed sendmail-base package post-installation script subprocess
>> > returned error exit status 255
>> > Errors were encountered while processing:
>> >  sendmail-base
>> > E: Sub-process /usr/bin/dpkg returned an error code (1)
>> > 
>> >
>> > Any help would be greatly appreciated!
>>
>> You see—you want to know what dpkg itself is doing.
>>
>
> Here it is:
>
> # dpkg -P sendmail-base
> (Reading database ... 1562548 files and directories currently installed.)
> Removing sendmail-base (8.15.2-11) ...
> update-inetd: error: --group is only relevant with --add
> dpkg: error processing package sendmail-base (--purge):
>  installed sendmail-base package pre-removal script subprocess returned
> error exit status 255
> Errors were encountered while processing:
>  sendmail-base
>
> Any suggestions?


I've had luck on occasion by following where *my* setup tells me to try:

apt --fix-broken install

Generic just like that with no specific packages named.

Just had to run it a couple times recently. Sometimes I've gotten
lucky, and it fixes things just like that just that fast.

Other times it's like the other day. It will instead first attempt to
purge/remove the offending partially installed package. At one point,
I think I just gave up and let apt do what it thought might work.
Successfully remove a package *is* what it did.

This has just been since the one thread we had here about manually
installing via dpkg and then running into repeated missing
dependencies. I just checked ~/.bash_history and saw my topic was...
*cough* flash versus pepperflash. I was attempting deb package
installs with "dpkg -i" while otherwise only favoring the main
repository in /etc/apt/sources.list.

PS I finally gave up when I realized flash may have NEVER had anything
to do with the particular webpage issues I've had all these years. I
hate ol' timer's disease,.. been afflicted since about 1992. lol.

Cindy :)
-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *

Re: Cannot Install/Uninstall sendmail

[Luis Finotti]

Thanks once more for the support!  The problem is now solved.

On Tue, Aug 28, 2018 at 10:20 AM David Wright 
wrote:

> On Tue 28 Aug 2018 at 09:48:06 (-0400), Luis Finotti wrote:
>
> > # dpkg -P sendmail-base
> > (Reading database ... 1562548 files and directories currently installed.)
> > Removing sendmail-base (8.15.2-11) ...
> > update-inetd: error: --group is only relevant with --add
> > dpkg: error processing package sendmail-base (--purge):
> >  installed sendmail-base package pre-removal script subprocess returned
> > error exit status 255
> > Errors were encountered while processing:
> >  sendmail-base
> >
> > Any suggestions?
>
> I would take a look at the pre-removal script sendmail-base.prerm to
> see what it's trying to do. If there are parts that aren't sensible,
> you could comment them out, alter things so that they can work, or
> even just make them "succeed" with "|| true" so you get to the end
> of the script. (Check sendmail-base.postinst while you're about it.)
>
> The scripts will contain a record of what modifications they intended
> to make to your system, so ultimately all you need to do is nullify
> those changes, remove the files in sendmail-base.list and convince
> dpkg that the package is purged. Manually if necessary.
>

Thanks for the pointer!   sendmail-base.prerm had the line:

update-inetd --group MAIL --disable smtp,smtps,submission;

and I was getting the error

update-inetd: error: --group is only relevant with --add

So, I changed it to:

update-inetd --disable smtp,smtps,submission;

and was then able to uninstall it.

Thanks again for your help.

Re: Cannot Install/Uninstall sendmail

[David Wright]

On Tue 28 Aug 2018 at 09:48:06 (-0400), Luis Finotti wrote:

> # dpkg -P sendmail-base
> (Reading database ... 1562548 files and directories currently installed.)
> Removing sendmail-base (8.15.2-11) ...
> update-inetd: error: --group is only relevant with --add
> dpkg: error processing package sendmail-base (--purge):
>  installed sendmail-base package pre-removal script subprocess returned
> error exit status 255
> Errors were encountered while processing:
>  sendmail-base
> 
> Any suggestions?

I would take a look at the pre-removal script sendmail-base.prerm to
see what it's trying to do. If there are parts that aren't sensible,
you could comment them out, alter things so that they can work, or
even just make them "succeed" with "|| true" so you get to the end
of the script. (Check sendmail-base.postinst while you're about it.)

The scripts will contain a record of what modifications they intended
to make to your system, so ultimately all you need to do is nullify
those changes, remove the files in sendmail-base.list and convince
dpkg that the package is purged. Manually if necessary.

Cheers,
David.

Re: Cannot Install/Uninstall sendmail

[Luis Finotti]

Thanks for the reply again.

On Tue, Aug 28, 2018 at 9:41 AM David Wright 
wrote:

> On Tue 28 Aug 2018 at 09:14:36 (-0400), Luis Finotti wrote:
>
> > # apt remove sendemail
>
> Oops.
>
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > Package 'sendemail' is not installed, so not removed
> > 0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
> > 1 not fully installed or removed.
> > After this operation, 0 B of additional disk space will be used.
> > Setting up sendmail-base (8.15.2-11) ...
>
> sendmail-base is what you should be trying to remove.
> And you should be using dpkg directly, not messing around with apt.
> As you can see, you asked apt to remove something and it tries to
> configure something instead. If you're going to use sid or a
> sid lookalike, you're going to have to use the appropriate tools.
>
> > dpkg: error processing package sendmail-base (--configure):
> >  installed sendmail-base package post-installation script subprocess
> > returned error exit status 255
> > Errors were encountered while processing:
> >  sendmail-base
> > E: Sub-process /usr/bin/dpkg returned an error code (1)
> > ----
> >
> > Any help would be greatly appreciated!
>
> You see—you want to know what dpkg itself is doing.
>

Here it is:

# dpkg -P sendmail-base
(Reading database ... 1562548 files and directories currently installed.)
Removing sendmail-base (8.15.2-11) ...
update-inetd: error: --group is only relevant with --add
dpkg: error processing package sendmail-base (--purge):
 installed sendmail-base package pre-removal script subprocess returned
error exit status 255
Errors were encountered while processing:
 sendmail-base

Any suggestions?

Re: Cannot Install/Uninstall sendmail

[David Wright]

On Tue 28 Aug 2018 at 09:14:36 (-0400), Luis Finotti wrote:

> # apt remove sendemail

Oops.

> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Package 'sendemail' is not installed, so not removed
> 0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
> 1 not fully installed or removed.
> After this operation, 0 B of additional disk space will be used.
> Setting up sendmail-base (8.15.2-11) ...

sendmail-base is what you should be trying to remove.
And you should be using dpkg directly, not messing around with apt.
As you can see, you asked apt to remove something and it tries to
configure something instead. If you're going to use sid or a
sid lookalike, you're going to have to use the appropriate tools.

> dpkg: error processing package sendmail-base (--configure):
>  installed sendmail-base package post-installation script subprocess
> returned error exit status 255
> Errors were encountered while processing:
>  sendmail-base
> E: Sub-process /usr/bin/dpkg returned an error code (1)
> 
> 
> Any help would be greatly appreciated!

You see—you want to know what dpkg itself is doing.

Cheers,
David.

Re: Cannot Install/Uninstall sendmail

[Luis Finotti]

Firstly, thanks for the reply!

On Tue, Aug 28, 2018 at 9:04 AM David Wright 
wrote:

> On Mon 27 Aug 2018 at 12:38:42 (-0400), Luis Finotti wrote:
> > Hi everyone,
> >
> > I'm having trouble installing/removing sendmail in Debian Sid (well,
> > aptosid -- http://www.aptosid.com -- actually).
>
> Perhaps their forums might help.
>

I tried:
http://www.aptosid.com/index.php?name=PNphpBB2=viewtopic=18661#18661

I've got some of the hints that I mentioned I've tried already from them.


>
> > I tried to install and it failed: https://pastebin.com/Qu2jRqsn
> >
> > 'apt -f install' did not fix it, nor did 'dpkg --configure -a'.
> >
> > Since it was not essential (and did not install correctly), I tried to
> > uninstall it, but it also fails:
>
> […]
>
> > One notices in the failed install attempt (the pastebin link above):
> >
> > --
> > adduser: Warning: The home directory `/var/lib/sendmail' does not belong
> to
> > the user you are currently creating.
> > update-inetd: warning: cannot add service, /etc/inetd.conf does not exist
> > --
> >
> > I had:
> > --
> > # ls -ld /var/lib/sendmail
> > drwx-- 2 smmta smmta 4096 Aug 22 15:06 /var/lib/sendmail/
> > --
> >
> > Changing ownership to root did not allow me to uninstall it.
>
> What's the output from this attempt?
>

Here it is:


# ls -ld /var/lib/sendmail/
drwx-- 2 root root 4096 Aug 22 15:06 /var/lib/sendmail/

# apt remove sendemail
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'sendemail' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up sendmail-base (8.15.2-11) ...
Usage: update-inetd [...]  

Commands:
  --add   add 
  --remove   remove 
  --enable [,...]enable  (comma-separated list)
  --disable [,...]   disable  (comma-separated list)

Options:
  --group add entry to section 
  --pattern  use  to select a service
  --comment-chars use  as comment characters
  --multi allow multiple removes/disables
  --fileuse  instead of /etc/inetd.conf
  --verbose   explain what is being done
  --debug enables debugging mode
  --help  display this help and exit
  --version   output version information and exit

In order to prevent the shell from changing your  definition you
have to quote the  using single or double quotes. You can use
tabs
(tab character or \t) and spaces to separate the fields of the .

Note: users must use --comment-chars '#' to disable a service for that
setting
to survive upgrades. Package maintainer scripts should use the default
--comment-chars. See update-inetd(8) for details.

Usage: update-inetd [...]  

Commands:
  --add   add 
  --remove   remove 
  --enable [,...]enable  (comma-separated list)
  --disable [,...]   disable  (comma-separated list)

Options:
  --group add entry to section 
  --pattern  use  to select a service
  --comment-chars use  as comment characters
  --multi allow multiple removes/disables
  --fileuse  instead of /etc/inetd.conf
  --verbose   explain what is being done
  --debug enables debugging mode
  --help  display this help and exit
  --version   output version information and exit

In order to prevent the shell from changing your  definition you
have to quote the  using single or double quotes. You can use
tabs
(tab character or \t) and spaces to separate the fields of the .

Note: users must use --comment-chars '#' to disable a service for that
setting
to survive upgrades. Package maintainer scripts should use the default
--comment-chars. See update-inetd(8) for details.

Usage: update-inetd [...]  

Commands:
  --add   add 
  --remove   remove 
  --enable [,...]enable  (comma-separated list)
  --disable [,...]   disable  (comma-separated list)

Options:
  --group add entry to section 
  --pattern  use  to select a service
  --comment-chars use  as comment characters
  --multi allow multiple removes/disables
  --fileuse  instead of /etc/inetd.conf
  --verbose   explain what is being done
  --debug enables debugging mode
  --help  display this help and exi

Re: Cannot Install/Uninstall sendmail

[David Wright]

On Mon 27 Aug 2018 at 12:38:42 (-0400), Luis Finotti wrote:
> Hi everyone,
> 
> I'm having trouble installing/removing sendmail in Debian Sid (well,
> aptosid -- http://www.aptosid.com -- actually).

Perhaps their forums might help.

> I tried to install and it failed: https://pastebin.com/Qu2jRqsn
> 
> 'apt -f install' did not fix it, nor did 'dpkg --configure -a'.
> 
> Since it was not essential (and did not install correctly), I tried to
> uninstall it, but it also fails:

[…]

> One notices in the failed install attempt (the pastebin link above):
> 
> --
> adduser: Warning: The home directory `/var/lib/sendmail' does not belong to
> the user you are currently creating.
> update-inetd: warning: cannot add service, /etc/inetd.conf does not exist
> --
> 
> I had:
> --
> # ls -ld /var/lib/sendmail
> drwx-- 2 smmta smmta 4096 Aug 22 15:06 /var/lib/sendmail/
> --
> 
> Changing ownership to root did not allow me to uninstall it.

What's the output from this attempt?

Cheers,
David.

Cannot Install/Uninstall sendmail

[Luis Finotti]

Hi everyone,

I'm having trouble installing/removing sendmail in Debian Sid (well,
aptosid -- http://www.aptosid.com -- actually).

I tried to install and it failed: https://pastebin.com/Qu2jRqsn

'apt -f install' did not fix it, nor did 'dpkg --configure -a'.

Since it was not essential (and did not install correctly), I tried to
uninstall it, but it also fails:

-
# apt remove procmail sendmail sendmail-base sendmail-bin sendmail-cf
sensible-mda
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  procmail sendmail sendmail-base sendmail-bin sendmail-cf sensible-mda
0 upgraded, 0 newly installed, 6 to remove and 2 not upgraded.
4 not fully installed or removed.
After this operation, 4,213 kB disk space will be freed.
Do you want to continue? [Y/n]
(Reading database ... 1537409 files and directories currently installed.)
Removing sendmail (8.15.2-11) ...
Removing sensible-mda (8.15.2-11) ...
Removing sendmail-bin (8.15.2-11) ...
Removing sendmail-base (8.15.2-11) ...
update-inetd: error: --group is only relevant with --add
dpkg: error processing package sendmail-base (--remove):
 installed sendmail-base package pre-removal script subprocess returned
error exit status 255
Removing procmail (3.22-26) ...
Removing sendmail-cf (8.15.2-11) ...
Errors were encountered while processing:
 sendmail-base
E: Sub-process /usr/bin/dpkg returned an error code (1)


One notices in the failed install attempt (the pastebin link above):

--
adduser: Warning: The home directory `/var/lib/sendmail' does not belong to
the user you are currently creating.
update-inetd: warning: cannot add service, /etc/inetd.conf does not exist
--

I had:
--
# ls -ld /var/lib/sendmail
drwx-- 2 smmta smmta 4096 Aug 22 15:06 /var/lib/sendmail/
--

Changing ownership to root did not allow me to uninstall it.

Aptosid itself does not come with a mail daemon installed, so I must have
installed at some point some daemon that created the /var/lib/sendmail.
(If I were to try to install again, I'd probably opt for a lighter
alternative, something like ssmtp.  So, right now, I just want to remove
sendmail.)  So, I have sendmail-base stuck as not fully installed.

It was recommended I install 'openbsd-inetd' (it was not installed, neither
was xinetd), but it still fails to install: https://pastebin.com/sStYqMYi
(I also still cannot uninstall it...)

Any help would be greatly appreciated!

Sendmail

[BERTRAND Joël]

Bonjour à tous,

	Pour information, le sendmail de testing est actuellement moisi. Il 
transforme les erreurs 4xx en 5xx et c'est un comportement connu d'une 
des versions de développement. J'ai remonté le bug 807258. En attendant, 
il est urgent d'attendre avec un 8.14-8 des familles à recompiler pour 
testing.


Cordialement,

JKB

Re: Sendmail compiled with tcpwrappers yet ignores /etc/hosts.deny ?

[jon]

On Sun, 2015-11-22 at 23:44 +, jon wrote:
> 
> root@mail:/usr/share/doc# ldd /usr/sbin/sendmail |grep 'libwrap'
> libwrap.so.0 => /lib/i386-linux-gnu/libwrap.so.0 (0xb7525000)
> root@mail:/usr/share/doc# cat /etc/debian_version 
> 8.2
> 
> I want to use sendmail with tcp wrappers but it does not seem to play,
> it looks like it was compiled with support,  can anyone help ?
> 
> 
> Thanks,
> Jon
> 
> 


Anyone ? 

Maybe I was not very clear, this is the default sendmail for Debian
installed via apt. The online docs claims it works with tcpwrappers yet
it seems to ignore /etc/hosts.deny ? 

Thanks,
Jon

Sendmail compiled with tcpwrappers yet ignores /etc/hosts.deny ?

[jon]

root@mail:/usr/share/doc# ldd /usr/sbin/sendmail |grep 'libwrap'
libwrap.so.0 => /lib/i386-linux-gnu/libwrap.so.0 (0xb7525000)
root@mail:/usr/share/doc# cat /etc/debian_version 
8.2

I want to use sendmail with tcp wrappers but it does not seem to play,
it looks like it was compiled with support,  can anyone help ?


Thanks,
Jon

Re: sendmail on debian testing

[Michael Grant]

I finally managed to get sendmail working using systemd.

Here is my /etc/systemd/system/sendmail.service:

[Unit]
Description=Sendmail Mail Transport Agent
Requires=clamav-daemon.service spamassassin.service
After=syslog.target network.target clamav-daemon.service
spamassassin.service
Conflicts=postfix.service exim.service

[Service]
Type=forking
PIDFile=/run/sendmail/mta/sendmail.pid
Environment=SENDMAIL_OPTS=-q1h
EnvironmentFile=-/etc/default/sendmail
ExecStart=/usr/sbin/sendmail -bd $SENDMAIL_OPTS $SENDMAIL_OPTARG

[Install]
WantedBy=multi-user.target

and my /etc/tmpfiles.d/sendmail.conf file:
d /run/sendmail/ 0755 smmta smmsp
d /run/sendmail/mta/ 0755 smmta smmsp

I am using clamav-milter and spamass-milter, hence the Requires= and After=
lines.  If you are not using these, probably you should remove those.

Is it wrong to include these dependencies in sendmail.system?  The thing
is, these milters are not specific to sendmail.  Other mailers that support
the milter interface can use them as well.  And they are not required for
sendmail.  So I wonder which pakage's responsibility it would be to add
these dependencies to sendmail.system or if this is even the correct place
to do that.

With the init.d, clamav-milter and spamass-milter install themselves with a
lower number than sendmail and always start before whatever mailer is
installed.  Once you go to explicit dependencies like this, is it clam's
and spamassassin's job to know all the possible mailers out there that
might use it?  Or is it sendmail's job to know all the possible milters out
there and state them as dependencies?

Another observation, to get this working, the only way I found to properly
test this was to continually reboot.  I could get sendmail to start by hand
quite early on, but it was not starting by on reboot because of the timing
problem in the dependencies.  This makes systemd rather more difficult to
debug things in my opinion.

Re: sendmail on debian testing

[Reco]

 Hi.

On Tue, Feb 03, 2015 at 11:07:37PM +, Michael Grant wrote:
 On Tue, Feb 3, 2015 at 6:16 PM, Reco recovery...@gmail.com wrote:
  I don't know if this has anything to do with that:
 
  # systemctl enable sendmail
  Synchronizing state for sendmail.service with sysvinit using 
 update-rc.d...
  Executing /usr/sbin/update-rc.d sendmail defaults
  Executing /usr/sbin/update-rc.d sendmail enable
 
  # systemctl is-enabled sendmail
  Failed to get unit file state for sendmail.service: No such file or 
 directory
 
 No, it doesn't have anything with it.
 
 Systemd uses it's own way to define a service called a 'service unit'.
 Presumably, systemd has something for the compatibility with old init
 (aka sysvinit), which *should* start those /etc/init.d/ scripts just as
 good as if sysvinit itself would do it. Well, now we see how well it
 works in the reality :)
 
 
 Ok, let's try something different then - based on [1]. Try creating the
 file called /etc/systemd/system/sendmail.service with the following
 contents:
 
 ###cut###
 
 [Unit]
 Description=Sendmail Mail Transport Agent
 After=syslog.target network.target
 Conflicts=postfix.service exim.service
 
 [Service]
 Type=forking
 PIDFile=/run/sendmail.pid
 Environment=SENDMAIL_OPTS=-q1h
 EnvironmentFile=-/etc/default/sendmail
 ExecStartPre=-/etc/mail/make
 ExecStartPre=-/etc/mail/make aliases
 ExecStart=/usr/sbin/sendmail -bd $SENDMAIL_OPTS $SENDMAIL_OPTARG
 
 [Install]
 WantedBy=multi-user.target
 
 ###cut###
 
 
 Revert the _SYSTEMCTL_SKIP_REDIRECT change, see how it goes now.
 This unit file may require tweaking in $SENDMAIL_OPTS $SENDMAIL_OPTARG
 part - I'm unable to check now what kind of variables are sourced by
 /etc/default/sendmail.

 
 Ok, I tried creating that file and removing the line from 
 /etc/default/sendmail.  It still did not come up when the machine booted.

 Oh, but did you run 'systemctl enable sendmail' after creating the
file? Because if you did - I'm out of ideas, sorry.

Reco


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150204094244.GA10345@x101h

Re: sendmail on debian testing

[Reco]

 Hi.

On Tue, Feb 03, 2015 at 02:03:25PM +, Michael Grant wrote:
 I'm still searching for an answer to this.
 
 After upgrade from wheezy to testing, sendmail no longer starts.
 
 I see that the system is using systemd.  I see that the /etc/init.d/sendmail 
 script now runs /bin/systemctl start sendmail.service.  But sendmail isn't
 started.  Even running '/bin/systemctl start sendmail.service' manually, 
 nothing happens.

A nessesary correction - /etc/init.d/sendmail *tries* to run
'/bin/systemctl start sendmail.service'.

But, since no sendmail* package provide systemd's service file -
nothing happens.

Such behaviour cannot be considered systemd's bug IMO - systemd simply
does what it's intended to do in this case.

But, at the same time, such behaviour can be considered as a sendmail
bug (given that systemd is Jessie's default init, and sendmail is not
starting with this init).

Still, there's a way to workaround this.

Try adding

export _SYSTEMCTL_SKIP_REDIRECT=true

to /etc/init.d/sendmail


Reco


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150203160421.GA21852@x101h

Re: sendmail on debian testing

[Michael Grant]

I'm still searching for an answer to this.

After upgrade from wheezy to testing, sendmail no longer starts.

I see that the system is using systemd.  I see that the
/etc/init.d/sendmail script now runs /bin/systemctl start
sendmail.service.  But sendmail isn't started.  Even running
'/bin/systemctl start sendmail.service' manually, nothing happens.

I don't see any obvious way to get any debug info out of systemctl.

# systemctl is-enabled sendmail
Failed to get unit file state for sendmail.service: No such file or
directory

and

# /bin/systemctl enable sendmail.service
Synchronizing state for sendmail.service with sysvinit using update-rc.d...
Executing /usr/sbin/update-rc.d sendmail defaults
Executing /usr/sbin/update-rc.d sendmail enable
# systemctl is-enabled sendmail
Failed to get unit file state for sendmail.service: No such file or
directory


On Sun, Feb 1, 2015 at 12:11 AM, Michael Grant mgr...@grant.org wrote:

 Today I upgraded a test machine from wheezy to testing.

 It seemed to install systemd, I'm not sure if it's using it or not.

 One thing I noticed though was that sendmail no longer starts at boot.
 Even if I run:

 /etc/init.d/sendmail start

 or if I cd to /etc/mail and run:

 make restart

 or if I do this:


 nothing except running 'sendmail -bd' will start sendmail.

 In syslog I see this:

 Jan 31 18:53:43 blah systemd[1]: Started LSB: powerful, efficient, and
 scalable Mail Transport Agent.

 in mail.log I don't see anything when I try to start sendmail via
 /etc/init.d/sendmail.

 I do not have the lsb-invalid-mta package installed.  I have tried
 reinstalling the sendmail package.  I have tried the testing and unstable
 versions of sendmail.

 Any ideas where I should look next to figure out what's going on?

 Michael Grant

Re: sendmail on debian testing

[Ansgar Burchardt]

Hi,

Michael Grant mgr...@grant.org writes:
 On Tue, Feb 3, 2015 at 4:04 PM, Reco recovery...@gmail.com wrote:
 A nessesary correction - /etc/init.d/sendmail *tries* to run
 '/bin/systemctl start sendmail.service'.

 But, since no sendmail* package provide systemd's service file -
 nothing happens.

Not true. Systemd is supposed to handle sysvinit scripts as well,
i.e. when there is no native .service file for systemd it will run the
scripts in /etc/init.d/*. This seems to not work here for some reason.

 Try adding
 export _SYSTEMCTL_SKIP_REDIRECT=true
 to /etc/init.d/sendmail

 Thanks, this is progress, I can now start sendmail by hand by running
 '/etc/init.d/sendmail start', but it's not starting automatically at boot
 time.

 I don't know if this has anything to do with that:

 # systemctl enable sendmail
 Synchronizing state for sendmail.service with sysvinit using update-rc.d...
 Executing /usr/sbin/update-rc.d sendmail defaults
 Executing /usr/sbin/update-rc.d sendmail enable

 # systemctl is-enabled sendmail
 Failed to get unit file state for sendmail.service: No such file or
 directory

That should be fine for services without a systemd .service file.

 also, a better place to add this:

 export _SYSTEMCTL_SKIP_REDIRECT=true

 to is /etc/default/sendmail and not modify /etc/init.d/sendmail.  Adding
 this to /etc/default/sendmail seems to work equally as well in that running
 '/etc/init.d/sendmail start' does manually start sendmail.

That is no surprise: at boot it's still systemd calling
/etc/init.d/sendmail so workarounds to bypass systemd don't work.

Could you try restarting sendmail (systemctl restart sendmail) and show
the output of `systemctl status sendmail'? It also shows the most recent
log entries, but the output of journalctl --unit sendmail --since -5min
might also be useful (if it shows more messages).

I tried installing sendmail on a minimal test installation and systemd
started at least one daemon (sendmail: MTA: accepting connections),
so at least something gets started (though it complained about the test
installation not having a FQDN so other parts might be broken and not
have started).

Ansgar


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87egq6kg1b@deep-thought.43-1.org