Re: Sendmail 8.14.5/8.14.5 on fbsd-9.1R (EC2)
2013-04-27 18:43, doug wrote:
> If sendmail is listening on port 587, it will relay for any valid sender
> who can reach that port.

Only if it is listed in /etc/mail/access file.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Sendmail 8.14.5/8.14.5 on fbsd-9.1R (EC2)
On 27/04/2013 17:43, doug wrote:
>>> DAEMON_OPTIONS(`Port=587, Addr= 111.222.333.444, Name=MSA, M=E')

> If sendmail is listening on port 587, it will relay for any valid sender
> who can reach that port.

You see where it says 'M=E' in that DAEMON_OPTIONS line? That should probably be changed to 'M=Ea' meaning 'require authentication'. That's usually the right thing to do for a message submission agent, and the use of authentication will allow senders to relay through the daemon without the usual anti-relaying checks.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: Sendmail 8.14.5/8.14.5 on fbsd-9.1R (EC2)
On Sat, 27 Apr 2013, Matthew Seaman wrote:
> On 26/04/2013 16:51, jflowers wrote:
>> All I want to do is have the MTA listen on 127.0.0.1 port 1025 and have no
>> sendmail process listen on the server interface. That's being done by assp
>> which proxies messages to 127.0.0.1:1025. Unfortunately, I haven't been able
>> to figure out how to turn off the default. Sockstat shows:
>>
>> root sendmail 1672 4 tcp4 *:25 *:*
>> root sendmail 1672 5 tcp6 *:25 *:*
>> root sendmail 1672 6 tcp4 127.0.0.1:1025*:*
>> root sendmail 1672 7 tcp4 111.222.333.444:587 *:*
>>
>> The relevant mc entries are:
>>
>> DAEMON_OPTIONS(`Name=IPv4, Family=inet')
>> DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
>> DAEMON_OPTIONS(`Port=1025, Addr=127.0.0.1, Name=MTA')
>> VIRTUSER_DOMAIN_FILE(`/etc/mail/virtual-domains')
>> FEATURE(`no_default_msa')
>> DAEMON_OPTIONS(`Port=587, Addr= 111.222.333.444, Name=MSA, M=E')
>>
>> The MSA isn't strictly necessary now but I thought might have a future use.
>>
>> So, what am I missing? How do I turn *:25 off so that when assp goes down (as
>> it frequently does) I'm not running an open relay (all user/domain validation
>> is done in assp).
>>
>> Any pointers in the right direction appreciated.
>
> You pretty much already have the answer already. Add 'Addr=127.0.0.1'
> or 'Addr=::1' clauses to your first two DAEMON_OPTIONS lines. That will
> limit sendmail to listening on port 25 only on the loopback interface.
> Or indeed, remove those two lines entirely to leave sendmail only
> listening on port 587. This should not prevent sendmail from sending
> outgoing messages, but will prevent any incoming.

If sendmail is listening on port 587, it will relay for any valid sender who can reach that port.
Re: Sendmail 8.14.5/8.14.5 on fbsd-9.1R (EC2)
On 26/04/2013 16:51, jflowers wrote:
> All I want to do is have the MTA listen on 127.0.0.1 port 1025 and have no
> sendmail process listen on the server interface. That's being done by assp
> which proxies messages to 127.0.0.1:1025. Unfortunately, I haven't been able
> to figure out how to turn off the default. Sockstat shows:
>
> root sendmail 1672 4 tcp4 *:25 *:*
> root sendmail 1672 5 tcp6 *:25 *:*
> root sendmail 1672 6 tcp4 127.0.0.1:1025*:*
> root sendmail 1672 7 tcp4 111.222.333.444:587 *:*
>
> The relevant mc entries are:
>
> DAEMON_OPTIONS(`Name=IPv4, Family=inet')
> DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
> DAEMON_OPTIONS(`Port=1025, Addr=127.0.0.1, Name=MTA')
> VIRTUSER_DOMAIN_FILE(`/etc/mail/virtual-domains')
> FEATURE(`no_default_msa')
> DAEMON_OPTIONS(`Port=587, Addr= 111.222.333.444, Name=MSA, M=E')
>
> The MSA isn't strictly necessary now but I thought might have a future use.
>
> So, what am I missing? How do I turn *:25 off so that when assp goes down (as
> it frequently does) I'm not running an open relay (all user/domain validation
> is done in assp).
>
> Any pointers in the right direction appreciated.

You pretty much already have the answer already. Add 'Addr=127.0.0.1' or 'Addr=::1' clauses to your first two DAEMON_OPTIONS lines. That will limit sendmail to listening on port 25 only on the loopback interface. Or indeed, remove those two lines entirely to leave sendmail only listening on port 587. This should not prevent sendmail from sending outgoing messages, but will prevent any incoming.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
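An added example, not part of the thread or of sendmail itself: a small checker for the two fixes suggested in the messages above (an Addr= clause on every listener, and the 'a' modifier on the port 587 MSA). The .mc fragments are constructed from the lines quoted in the thread; the function names, and comparing option keys by their first letter so that `M=` and `Modifiers=` are treated alike, are assumptions of the example.

```python
import re

# DAEMON_OPTIONS(`key=value, ...') in m4 quoting (backquote ... apostrophe).
DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")

WILDCARD = "no Addr= clause, so the listener binds every interface"
NO_AUTH = "submission listener lacks the 'a' (require authentication) modifier"
SUBMISSION_PORTS = {"587", "submission"}

# Constructed sample: the .mc entries as quoted in the thread.
MC_BEFORE = """\
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
DAEMON_OPTIONS(`Port=1025, Addr=127.0.0.1, Name=MTA')
VIRTUSER_DOMAIN_FILE(`/etc/mail/virtual-domains')
FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Port=587, Addr= 111.222.333.444, Name=MSA, M=E')
"""

# Constructed sample: the same entries with both suggested changes applied.
MC_AFTER = """\
DAEMON_OPTIONS(`Name=IPv4, Family=inet, Addr=127.0.0.1')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Addr=::1, Modifiers=O')
DAEMON_OPTIONS(`Port=1025, Addr=127.0.0.1, Name=MTA')
VIRTUSER_DOMAIN_FILE(`/etc/mail/virtual-domains')
FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Port=587, Addr= 111.222.333.444, Name=MSA, M=Ea')
"""


def parse_daemon_options(mc_text):
    """Return one dict per active DAEMON_OPTIONS line, keyed by first letter."""
    daemons = []
    for raw in mc_text.splitlines():
        line = raw.strip()
        if line.startswith("dnl"):        # m4 comment: the entry is disabled
            continue
        match = DAEMON_RE.search(line)
        if not match:
            continue
        opts = {}
        for item in match.group(1).split(","):
            key, sep, value = item.partition("=")
            if sep:
                # Assumption of this example: keys compared by first letter,
                # so Modifiers= and M= (both used in the thread) are the same.
                opts[key.strip()[:1]] = value.strip()
        daemons.append(opts)
    return daemons


def audit(mc_text):
    """Return (name, port, issue) for each listener that needs attention."""
    findings = []
    for opts in parse_daemon_options(mc_text):
        name = opts.get("N", "(unnamed)")
        port = opts.get("P", "25")        # no Port= means the SMTP port
        if "A" not in opts:
            findings.append((name, port, WILDCARD))
        # Modifiers are case-sensitive: lowercase 'a' requires authentication.
        if port in SUBMISSION_PORTS and "a" not in opts.get("M", ""):
            findings.append((name, port, NO_AUTH))
    return findings


if __name__ == "__main__":
    for label, text in (("before", MC_BEFORE), ("after", MC_AFTER)):
        print(label)
        for name, port, issue in audit(text) or [("-", "-", "nothing flagged")]:
            print(f"  {name} port {port}: {issue}")
```

After rebuilding sendmail.cf and restarting, the sockstat listing from the thread is the way to confirm that no `*:25` socket remains.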
Re: Sendmail relaying for Intranet?
2013-02-14 03:07, Chris Maness wrote:
> On Wed, Feb 13, 2013 at 12:47 AM, Zyumbilev, Peter wrote:
>> On 13/02/2013 09:50, Bernt Hansson wrote:
>>> dnl define(`SMART_HOST', `your.isp.mail.server')
>>> on your intranet machine and put in your inet machine name.
>
> That looks like would only take care of outbound mail, but what about incoming mail?

You mean incoming to the relay or your other machine?
Re: Sendmail relaying for Intranet?
On Wed, Feb 13, 2013 at 12:47 AM, Zyumbilev, Peter wrote:
>
> On 13/02/2013 09:50, Bernt Hansson wrote:
>
>> dnl define(`SMART_HOST', `your.isp.mail.server')
>> on your intranet machine and put in your inet machine name.
>
> Switching to postfix and editing mynetworks in main.cf might be simplest
> solution.
>
> Peter

That looks like would only take care of outbound mail, but what about incoming mail?

Thanks,
Chris Maness
Re: Sendmail relaying for Intranet?
On 13/02/2013 09:50, Bernt Hansson wrote:
> dnl define(`SMART_HOST', `your.isp.mail.server')
> on your intranet machine and put in your inet machine name.

Switching to postfix and editing mynetworks in main.cf might be simplest solution.

Peter
Re: Sendmail relaying for Intranet?
2013-02-13 06:30, Chris Maness wrote:
> On Tue, Feb 12, 2013 at 3:05 PM, Robison, Dave wrote:
>> On 02/12/2013 12:54, Chris Maness wrote:
>>> I have a FreeBSD box running sendmail that can see the whole internet.
>>> I have another mail server that hosts mail for an intranet. It does
>>> not have access to the i-net. I think I remember reading that it is
>>> possible for the i-net attached sendmail to relay mail for a domain to
>>> another host. Is there an easy answer and configuration for this? If
>>> not, no biggy since this exercise is more academic than a necessity.
>>>
>>> Thanks,
>>> Chris Maness
>>
>> in sendmail.cf on the host to be your relay, check for "DS" and use it
>> like this:
>>
>> DS relayhost.domain.com
>>
>> in sendmail.cf on the hosts which will be relaying, use the DS command
>> but point them to your new relay host.
>>
>> hope this helps.
>>
>> Dave
>
> Dave, how would I add this to the MC file instead of the CF file? I
> usually rebuild these after an upgrade or a configuration change, and
> I would rather do it in the MC file for that reason.
>
> Thanks,
> Chris Maness

Look in /etc/mail/your-hosts-name.mc for this line

dnl define(`SMART_HOST', `your.isp.mail.server')

on your intranet machine and put in your inet machine name.

You also need to edit /etc/mail/access on your relay to allow to relay for your intranet machine.
Re: Sendmail relaying for Intranet?
On Tue, Feb 12, 2013 at 3:05 PM, Robison, Dave wrote:
>
> On 02/12/2013 12:54, Chris Maness wrote:
>> I have a FreeBSD box running sendmail that can see the whole internet.
>> I have another mail server that hosts mail for an intranet. It does
>> not have access to the i-net. I think I remember reading that it is
>> possible for the i-net attached sendmail to relay mail for a domain to
>> another host. Is there an easy answer and configuration for this? If
>> not, no biggy since this exercise is more academic than a necessity.
>>
>> Thanks,
>> Chris Maness
>
> in sendmail.cf on the host to be your relay, check for "DS" and use it
> like this:
>
> DS relayhost.domain.com
>
> in sendmail.cf on the hosts which will be relaying, use the DS command
> but point them to your new relay host.
>
> hope this helps.
>
> Dave

Dave, how would I add this to the MC file instead of the CF file? I usually rebuild these after an upgrade or a configuration change, and I would rather do it in the MC file for that reason.

Thanks,
Chris Maness
Re: Sendmail relaying for Intranet?
On 02/12/2013 12:54, Chris Maness wrote:
> I have a FreeBSD box running sendmail that can see the whole internet.
> I have another mail server that hosts mail for an intranet. It does
> not have access to the i-net. I think I remember reading that it is
> possible for the i-net attached sendmail to relay mail for a domain to
> another host. Is there an easy answer and configuration for this? If
> not, no biggy since this exercise is more academic than a necessity.
>
> Thanks,
> Chris Maness

in sendmail.cf on the host to be your relay, check for "DS" and use it like this:

DS relayhost.domain.com

in sendmail.cf on the hosts which will be relaying, use the DS command but point them to your new relay host.

hope this helps.

Dave

--
Dave Robison
Sales Solution Architect II
FIS Banking Solutions
Re: sendmail not working
> From owner-freebsd-questi...@freebsd.org Thu Jan 10 17:04:06 2013
> From: Robert Huff
> Date: Thu, 10 Jan 2013 18:00:42 -0500
> To: freebsd-questions@freebsd.org
> Subject: Re: sendmail not working
>
> Karl Vogel writes:
>
> > R> After looking into several things, I can now send mail successfully.
> > R> However, delivery to local mailboxes is still blocked. sm-mta reports
> > R> "accepting connections", but maillog is still full of:
> > R> jerusalem sm-mta[28896]: r05KsfdB048780: smtpquit: mailer local exited
> > R> with exit value 1
> >
> > Can you temporarily replace your local mailer?
>
> I found the problem - mail.local exiting because it couldn't load
> libsasl2.so.2 - and worked around by adding an entry in libmap
> pointing to .3. This is (obviously) not the final solution, and I am
> trying to figure out how to recompile mail.local to fix this.
> Recompiling all of sendmail didn't seem to catch it

Go to the dir where the sendmail sources live. there will be subdirs named (among others) doc, sendmail, and mail.local.

cd to mail.local, then run:

    make clean
    make
    ldd mail.local    #to confirm the libs used

then

    make install

> Thanks,
>
> Robert Huff
Re: sendmail not working
Karl Vogel writes:

> R> After looking into several things, I can now send mail successfully.
> R> However, delivery to local mailboxes is still blocked. sm-mta reports
> R> "accepting connections", but maillog is still full of:
> R> jerusalem sm-mta[28896]: r05KsfdB048780: smtpquit: mailer local exited
> R> with exit value 1
>
> Can you temporarily replace your local mailer?

I found the problem - mail.local exiting because it couldn't load libsasl2.so.2 - and worked around by adding an entry in libmap pointing to .3. This is (obviously) not the final solution, and I am trying to figure out how to recompile mail.local to fix this. Recompiling all of sendmail didn't seem to catch it

Thanks,

Robert Huff
Re: sendmail not working
>> On Thu, 10 Jan 2013 11:30:01 -0500,
>> Robert Huff said:

R> After looking into several things, I can now send mail successfully.
R> However, delivery to local mailboxes is still blocked. sm-mta reports
R> "accepting connections", but maillog is still full of:
R> jerusalem sm-mta[28896]: r05KsfdB048780: smtpquit: mailer local exited
R> with exit value 1

Can you temporarily replace your local mailer?

    you% cd /where/ever
    you% mv localmailer localmailer.bin

Then use something like this in its place:

    #!/bin/sh
    /usr/bin/truss -f -o /tmp/local$$ /where/ever/localmailer.bin ${1+"$@"}
    exit 0

--
Karl Vogel    I don't speak for the USAF or my company

He fell for her like his heart was a mob informant, and she was the East River.
--bizarre expressions found in English papers
Re: sendmail not working
On 1/8/2013 2:04 PM, Robert Bonomi wrote:
>>> WHAT HAPPENS when you 'telnet' to your mailserver port(s) and try
>>> doing smtp transaction(s) manually?
>>
>> I don't get the SMTP prompt.
>
> "Insufficient data"
> a) does telnet say "connected"?

Yes.

> b) if yes, how long did you wait for the banner?
> (if there's a DNS problem, it can be 90 seconds before the banner line)

Good catch - yes sendmail does seem to be hooked to port 25.

>> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward.jerusalem+: Group writable directory
>
> Supposedly you fixed the above problem. But sendmail disagrees.
> check permissions on / /home and /home/huff

Exactly. I fixed the file permissions, but not those on /home/huff. Permissions are now 755.

>> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward+: Group writable directory
>> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward.jerusalem: Group writable directory
>> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward: Group writable directory
>> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: smtpquit: mailer local exited with exit value 1
>> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: to=, delay=2+18:16:27, xdelay=00:00:00, mailer=local, pri=56791038, relay=local, dsn=4.4.2, stat=Deferred: Connection reset by local
>
> ok, it's been trying to deliver for nearly three days. with local delivery
> (program mail.local) failing. mail.local can fail for a number of reasons
> that shouldn't happen. check permissions on the mailbox directory also
> owner/permissions on the mailbox, for starters.

/var/mail is owned by root:mail with permissions 775
/var/spool/mqueue is owned by root:daemon with permissions 755

> maildir quota set??

No.

Robert Huff
Re: sendmail not working
Progress has been made.

After looking into several things, I can now send mail successfully. However, delivery to local mailboxes is still blocked. sm-mta reports "accepting connections", but maillog is still full of:

jerusalem sm-mta[28896]: r05KsfdB048780: smtpquit: mailer local exited with exit value 1
jerusalem sm-mta[28896]: r05KsfdB048780: to=, delay=2+18:16:27, xdelay=00:00:00, \
mailer=local, pri=56791038, relay=local, dsn=4.4.2, stat=Deferred: Connection reset by local

So close, and yet so far.

What next? Is there a "-d " setting which will get to the heart of this?

Respectfully,
Re: sendmail not working
> From owner-freebsd-questi...@freebsd.org Tue Jan 8 11:12:57 2013
> Date: Tue, 08 Jan 2013 12:09:36 -0500
> From: Robert Huff
> To: Robert Bonomi
> Subject: Re: sendmail not working
> Cc: freebsd-questions@freebsd.org
>
> On 1/8/2013 9:18 AM, Robert Bonomi wrote:
>
> >>>> I have compiled sendmail following the instructions in the
> >>>> cyrus-sasl port. Sendmail starts, but no mail is processed
> >>>> either way. /var/log/maillog has this:
> >>>
> >>> No clue, except the first message might be saying it's not going to
> >>> honor anything from .forward because it's in a group writable
> >>> directory which would be considered a security issue. Try making
> >>> /home/huff group read only?
> >>
> >> Done. Restarted sendmail (all parts). Still no mail processed.
>
> > WHAT HAPPENS when you 'telnet' to your mailserver port(s) and try
> > doing smtp transaction(s) manually?
>
> I don't get the SMTP prompt.

"Insufficient data"

a) does telnet say "connected"?
b) if yes, how long did you wait for the banner?
   (if there's a DNS problem, it can be 90 seconds before the banner line)

For testing, consider running sendmail in -foreground (not as a daemon) with the debug level turned up.

> > WHAT HAPPENS when you -try- to send an email _out_?
> > Do you get an error email?
>
> No.
>
> > Does it show in the outbound mail queue?
> > (if it's in the queue, look at the qf* file, to see why it is
> > deferred.)
>
> In /var/spool/mqueue:
>
> V8
> T1357573913
> K1357659459
> N175
> P15690892
> I0/111/1420867
> Mreply: read error from local
> Fws
> $_localhost [127.0.0.1]
> $rESMTP
> $sjerusalem.litteratus.org
> ${daemon_flags}
> ${if_addr}127.0.0.1
> S
> A<>
> MDeferred: Connection reset by local
> rRFC822; h...@jerusalem.litteratus.org
> RPFD:
> H?P?Return-Path:
> H??Received: from jerusalem.litteratus.org (localhost [127.0.0.1]) by jerusalem.litteratus.org (8.14.6/8.14.6) with ESMTP id r07FoGPd052948 for ; Mon, 7 Jan 2013 10:51:53 -0500 (EST) (envelope-from h...@jerusalem.litteratus.org)
> H?x?Full-Name: Robert Huff
> H??Received: (from root@localhost) by jerusalem.litteratus.org (8.14.6/8.14.6/Submit) id r07FoGrl052947 for huff; Mon, 7 Jan 2013 10:50:16 -0500 (EST) (envelope-from huff)
> H??Date: Mon, 7 Jan 2013 10:50:16 -0500 (EST)
> H??From: Robert Huff
> H??Message-Id: <201301071550.r07fogrl052...@jerusalem.litteratus.org>
> H??To: undisclosed-recipients:;
> H??X-Spam-Status: No, score=4.3 required=5.0 tests=ALL_TRUSTED,EMPTY_MESSAGE, MISSING_HEADERS,MISSING_SUBJECT autolearn=no version=3.3.2
> H??X-Spam-Level:
> H??X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on jerusalem.litteratus.org
>
> > What do the sendmail log messages say?
>
> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward.jerusalem+: Group writable directory

Supposedly you fixed the above problem. But sendmail disagrees.

check permissions on / /home and /home/huff
if any are symlinks, check the 'pointed-to' directory as well.

> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward+: Group writable directory
> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward.jerusalem: Group writable directory
> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward: Group writable directory
> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: smtpquit: mailer local exited with exit value 1
> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: to=, delay=2+18:16:27, xdelay=00:00:00, mailer=local, pri=56791038, relay=local, dsn=4.4.2, stat=Deferred: Connection reset by local

ok, it's been trying to deliver for nearly three days. with local delivery (program mail.local) failing. mail.local can fail for a number of reasons that shouldn't happen. check permissions on the mailbox directory also owner/permissions on the mailbox, for starters.

maildir quota set??
Re: sendmail not working
On Jan 8, 2013, at 9:09 AM, Robert Huff wrote:
>> WHAT HAPPENS when you 'telnet' to your mailserver port(s) and try
>> doing smtp transaction(s) manually?
>
> I don't get the SMTP prompt.

OK, so sendmail either isn't starting, isn't binding to port 25, or some sort of network/firewall issue is blocking the connection. You should see a log entry like:

sendmail[]: starting daemon (8.14.6): SMTP+queueing@01:00:00

...and netstat -an | grep 25 (or similar with lsof) should find a LISTENing process on the port.

>> What do the sendmail log messages say?
>
> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward.jerusalem+: Group writable directory
> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward+: Group writable directory
> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward.jerusalem: Group writable directory
> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward: Group writable directory
> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: smtpquit: mailer local exited with exit value 1
> Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: to=, delay=2+18:16:27, xdelay=00:00:00, mailer=local, pri=56791038, relay=local, dsn=4.4.2, stat=Deferred: Connection reset by local

You either need to fix the permissions by running something like:

chmod go-w / /home /home/huff /etc /etc/mail

...or you can add something like the following to your sendmail.cf:

O DontBlameSendmail=ForwardFileInGroupWritableDirPath

Regards,
--
-Chuck
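An added example, not part of the thread: a check for the "Group writable directory" condition discussed in the messages above, walking every directory on the way to a .forward file and resolving symlinks first, as suggested for / /home and /home/huff. The directory tree is a constructed stand-in built under a temporary directory, and the function names are assumptions of the example.

```python
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def writable_ancestors(path):
    """Return (directory, mode string) for each group- or world-writable
    directory between the filesystem root and path.

    Symlinks are resolved first, so the directories examined are the
    'pointed-to' ones the file really lives in.
    """
    current = os.path.dirname(os.path.realpath(path))
    flagged = []
    while True:
        mode = os.stat(current).st_mode
        if mode & WRITABLE_BY_OTHERS:
            flagged.append((current, stat.filemode(mode)))
        parent = os.path.dirname(current)
        if parent == current:              # reached the filesystem root
            break
        current = parent
    return flagged[::-1]                   # root-most directory first


def demo():
    """Constructed tree: <tmp>/home/huff/.forward plus a symlink to huff.

    Returns whether the home directory is flagged (a) at mode 775,
    (b) at mode 775 when reached through the symlink, (c) after chmod 755.
    """
    with tempfile.TemporaryDirectory() as top:
        top = os.path.realpath(top)
        home = os.path.join(top, "home", "huff")
        os.makedirs(home)
        os.chmod(os.path.dirname(home), 0o755)
        forward = os.path.join(home, ".forward")
        open(forward, "w").close()
        link = os.path.join(top, "huff-link")
        os.symlink(home, link)

        os.chmod(home, 0o775)              # the state the log complained about
        direct = home in [d for d, _ in writable_ancestors(forward)]
        via_link = home in [
            d for d, _ in writable_ancestors(os.path.join(link, ".forward"))
        ]

        os.chmod(home, 0o755)              # same effect as chmod go-w here
        fixed = home in [d for d, _ in writable_ancestors(forward)]
        return direct, via_link, fixed


if __name__ == "__main__":
    print(demo())
    # On a real host, pass the path from the log line instead, for example
    # writable_ancestors("/home/huff/.forward").
```

The temporary directory's own parent (often a world-writable /tmp) may also appear in the results; the demo only looks at the constructed home directory.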
Re: sendmail not working
On 1/8/2013 9:18 AM, Robert Bonomi wrote:

>>>> I have compiled sendmail following the instructions in the
>>>> cyrus-sasl port. Sendmail starts, but no mail is processed
>>>> either way. /var/log/maillog has this:
>>>
>>> No clue, except the first message might be saying it's not going to
>>> honor anything from .forward because it's in a group writable
>>> directory which would be considered a security issue. Try making
>>> /home/huff group read only?
>>
>> Done. Restarted sendmail (all parts). Still no mail processed.

> WHAT HAPPENS when you 'telnet' to your mailserver port(s) and try
> doing smtp transaction(s) manually?

I don't get the SMTP prompt.

> WHAT HAPPENS when you -try- to send an email _out_?
> Do you get an error email?

No.

> Does it show in the outbound mail queue?
> (if it's in the queue, look at the qf* file, to see why it is
> deferred.)

In /var/spool/mqueue:

V8
T1357573913
K1357659459
N175
P15690892
I0/111/1420867
Mreply: read error from local
Fws
$_localhost [127.0.0.1]
$rESMTP
$sjerusalem.litteratus.org
${daemon_flags}
${if_addr}127.0.0.1
S
A<>
MDeferred: Connection reset by local
rRFC822; h...@jerusalem.litteratus.org
RPFD:
H?P?Return-Path: <g>
H??Received: from jerusalem.litteratus.org (localhost [127.0.0.1]) by jerusalem.litteratus.org (8.14.6/8.14.6) with ESMTP id r07FoGPd052948 for ; Mon, 7 Jan 2013 10:51:53 -0500 (EST) (envelope-from h...@jerusalem.litteratus.org)
H?x?Full-Name: Robert Huff
H??Received: (from root@localhost) by jerusalem.litteratus.org (8.14.6/8.14.6/Submit) id r07FoGrl052947 for huff; Mon, 7 Jan 2013 10:50:16 -0500 (EST) (envelope-from huff)
H??Date: Mon, 7 Jan 2013 10:50:16 -0500 (EST)
H??From: Robert Huff
H??Message-Id: <201301071550.r07fogrl052...@jerusalem.litteratus.org>
H??To: undisclosed-recipients:;
H??X-Spam-Status: No, score=4.3 required=5.0 tests=ALL_TRUSTED,EMPTY_MESSAGE, MISSING_HEADERS,MISSING_SUBJECT autolearn=no version=3.3.2
H??X-Spam-Level:
H??X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on jerusalem.litteratus.org

> What do the sendmail log messages say?

Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward.jerusalem+: Group writable directory
Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward+: Group writable directory
Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward.jerusalem: Group writable directory
Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: forward /home/huff/.forward: Group writable directory
Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: smtpquit: mailer local exited with exit value 1
Jan 8 10:12:44 jerusalem sm-mta[28896]: r05KsfdB048780: to=, delay=2+18:16:27, xdelay=00:00:00, mailer=local, pri=56791038, relay=local, dsn=4.4.2, stat=Deferred: Connection reset by local

Robert Huff
Re: sendmail not working
> From owner-freebsd-questi...@freebsd.org Tue Jan 8 07:43:00 2013
> Date: Tue, 08 Jan 2013 08:39:39 -0500
> From: Robert Huff
> To: freebsd-questions@freebsd.org, free...@dreamchaser.org,
> Robert Huff
> Subject: Re: sendmail not working
>
> On 1/7/2013 11:48 PM, Gary Aitken wrote:
> > On 01/07/13 19:45, Robert Huff wrote:
>
> >> I have compiled sendmail following the instructions in the
> >> cyrus-sasl port. Sendmail starts, but no mail is processed either
> >> way. /var/log/maillog has this:
> >
> > No clue, except the first message might be saying it's not going to
> > honor anything from .forward because it's in a group writable directory
> > which would be considered a security issue. Try making /home/huff
> > group read only?
>
> Done. Restarted sendmail (all parts). Still no mail processed.

"It is a well-known fact that one horse can run faster than another.
But _which_ horse? Details are IMPORTANT!"

WHAT HAPPENS when you -try- to send an email _out_?
Do you get an error email?
Does it show in the outbound mail queue?
(if it's in the queue, look at the qf* file, to see why it is deferred.)
What do the sendmail log messages say?

WHAT HAPPENS when somebody -tries- to send an email _in_ from somewhere else?
Do they get an error email?
Does it show in their outbound mail queue?
What do your sendmail log messages say?

WHAT HAPPENS when you 'telnet' to your mailserver port(s) and try doing smtp transaction(s) manually?
Re: sendmail not working
On 08.01.2013 07:39, Robert Huff wrote:
> On 1/7/2013 11:48 PM, Gary Aitken wrote:
>> On 01/07/13 19:45, Robert Huff wrote:
>>> I have compiled sendmail following the instructions in the cyrus-sasl port.
>>> Sendmail starts, but no mail is processed either way. /var/log/maillog has this:
>>>
>>> Jan 7 21:07:42 jerusalem sm-mta[69792]: r05KsfdB048780: forward /home/huff/.forward: Group writable directory
>>> Jan 7 21:07:42 jerusalem sm-mta[69792]: r05KsfdB048780: smtpquit: mailer local exited with exit value 1
>>> Jan 7 21:07:42 jerusalem sm-mta[69792]: r05KsfdB048780: to=, delay=2+05:11:25, xdelay=00:00:00, mailer=local, pri=52831038, relay=local, dsn=4.4.2, stat=Deferred: Connection reset by local
>>>
>>> The sendmail.cf and submit.cf are attached.
>>>
>>> Any idea what I've screwed up, or my next step in finding out?
>>
>> No clue, except the first message might be saying it's not going to honor
>> anything from .forward because it's in a group writable directory which
>> would be considered a security issue. Try making /home/huff group read only?
>
> Done. Restarted sendmail (all parts). Still no mail processed.

Are you forwarding to an email address (full address with @ sign or just a local account)? If to a local account, is this account new (no email ever)? If so, what is the mode of the directory in which local mbox's are stored?
Re: sendmail not working
On 1/7/2013 11:48 PM, Gary Aitken wrote:
> On 01/07/13 19:45, Robert Huff wrote:
>> I have compiled sendmail following the instructions in the cyrus-sasl port.
>> Sendmail starts, but no mail is processed either way. /var/log/maillog has this:
>>
>> Jan 7 21:07:42 jerusalem sm-mta[69792]: r05KsfdB048780: forward /home/huff/.forward: Group writable directory
>> Jan 7 21:07:42 jerusalem sm-mta[69792]: r05KsfdB048780: smtpquit: mailer local exited with exit value 1
>> Jan 7 21:07:42 jerusalem sm-mta[69792]: r05KsfdB048780: to=, delay=2+05:11:25, xdelay=00:00:00, mailer=local, pri=52831038, relay=local, dsn=4.4.2, stat=Deferred: Connection reset by local
>>
>> The sendmail.cf and submit.cf are attached.
>>
>> Any idea what I've screwed up, or my next step in finding out?
>
> No clue, except the first message might be saying it's not going to honor
> anything from .forward because it's in a group writable directory which
> would be considered a security issue. Try making /home/huff group read only?

Done. Restarted sendmail (all parts). Still no mail processed.

Robert Huff
Re: sendmail not working
On 01/07/13 19:45, Robert Huff wrote:
>
> On a system running:
>
> FreeBSD 10.0-CURRENT #0: Sun Dec 30 12:52:09 EST 2012 amd64
>
> I have compiled sendmail following the instructions in the cyrus-sasl
> port.
> Sendmail starts, but no mail is processed either way. /var/log/maillog
> has this:
>
> Jan 7 21:07:42 jerusalem sm-mta[69792]: r05KsfdB048780: forward /home/huff/.forward: Group writable directory
> Jan 7 21:07:42 jerusalem sm-mta[69792]: r05KsfdB048780: smtpquit: mailer local exited with exit value 1
> Jan 7 21:07:42 jerusalem sm-mta[69792]: r05KsfdB048780: to=, delay=2+05:11:25, xdelay=00:00:00, mailer=local, pri=52831038, relay=local, dsn=4.4.2, stat=Deferred: Connection reset by local
>
> The sendmail.cf and submit.cf are attached.
>
> Any idea what I've screwed up, or my next step in finding out?

No clue, except the first message might be saying it's not going to honor anything from .forward because it's in a group writable directory which would be considered a security issue. Try making /home/huff group read only?
Re: sendmail local-host-names questions
On Wed, 29 Aug 2012, Gary Aitken wrote:
> Can anyone explain what's going on or point me to a better place to ask? It's now fixed but I'd like to understand why sendmail doesn't like a domain specified with a trailing dot, since I thought that was how one specified a fully qualified domain name.

The definitive source is /usr/src/contrib/sendmail/cf/README

> Also... I can't find anything about how to put a comment in the local-host-names file. I took a guess and used # as in the .mc file, and it doesn't seem to cause errors; but neither does ';' or '%' so I'm guessing the lines are just being skipped because they don't parse properly. I'd like to know whether comments are allowed or not; and if so, what the proper syntax is.

I am not sure which table you are commenting but I think some of the tables like virtusertable do not allow comments at the end of the line. Lines starting with a '#' are fine in any table. Again the README is your source.

Re: sendmail local-host-names questions
> Date: Wed, 29 Aug 2012 01:45:19 -0600
> From: Gary Aitken
> Subject: sendmail local-host-names questions
>
> Also... I can't find anything about how to put a comment in the
> local-host-names file. I took a guess and used # as in the .mc file, and
> it doesn't seem to cause errors; but neither does ';' or '%' so I'm
> guessing the lines are just being skipped because they don't parse
> properly. I'd like to know whether comments are allowed or not; and if
> so, what the proper syntax is.

I don't know, off-hand, where it's documented, but '#' is what you want to use.

Re: sendmail local-host-names questions
[ Gary Aitken wrote on Wed 29.Aug'12 at 1:45:19 -0600 ]
>
> Also... I can't find anything about how to put a comment in the
> local-host-names file. I took a guess and used # as in the .mc file,
> and it doesn't seem to cause errors; but neither does ';' or '%' so I'm
> guessing the lines are just being skipped because they don't parse properly.
> I'd like to know whether comments are allowed or not; and if so,
> what the proper syntax is.
>
> Thanks for any hints,
>
> Gary

Hi Gary,

you don't put dots at the end of the domain names in that file. In mine, I've just got:

kontrol.kode5.net # the hostname of the machine; and
kode5.net # my domain

I haven't put those comments in it either, just the host and domain information.

The Sendmail site does have quite a bit of information actually about configuration. I was setting up Sendmail on my machine just a week ago in fact and got most of the info from that site. Also the FreeBSD handbook.

I also run a local DNS server (BIND/named) which I recommend you look into with a view to setting it up. It does make a difference, especially if you have several machines on your LAN. It's not as hard as it first appears. In fact the default installation is already configured for a local caching nameserver. I have added my own zone files as well which is all explained on the Handbook.

Jamie

Re: sendmail + clamav + spamassasin config help
> From owner-freebsd-questi...@freebsd.org Mon Aug 13 21:55:24 2012
> Date: Tue, 14 Aug 2012 02:51:17 -0400 (EDT)
> From: AN
> To: freebsd-questions@freebsd.org
> Subject: sendmail + clamav + spamassasin config help
>
> FreeBSD mail.neu.net 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #2 r239243:
> Mon Aug 13 19:20:19 EDT 2012
> r...@mail.neu.net:/usr/obj/usr/src/sys/GENERIC amd64
>
> I am trying to configure sendmail + clamav + spamassassin. The problem I
> have is that neither clamav or spamassassin runs when I send or receive
> email. I would like the server to do the following:
>
> 1. check dns blacklists, which is working (see below)
>
> Aug 14 02:00:54 mail sm-mta[38461]: ruleset=check_relay,
> arg1=[37.121.149.208], arg2=127.0.0.4, relay=[37.121.149.208], reject=550
> 5.7.1 Rejected: 37.121.149.208 listed at sbl-xbl.spamhaus.org

Confirm. FEATURE dnsbl is functioning.

>
> 2. run spamd
> 3. run clamav
> Aug 14 02:04:41 mail sm-mta[38464]: q7E64eCv038464: milter=clmilter,
> action=rcpt, continue
> Aug 14 02:04:41 mail sm-mta[38464]: q7E64eCv038464: milter=clmilter,
> action=header, continue
> Aug 14 02:04:41 mail lastmessage repeated 12 times
> Aug 14 02:04:41 mail sm-mta[38464]: q7E64eCv038464: milter=clmilter,
> action=body, continue
> Aug 14 02:04:42 mail sm-mta[38464]: q7E64eCv038464: Milter accept: message
> Aug 14 02:04:42 mail sm-mta[38464]: q7E64eCv038464: --- 250 2.0.0
> q7E64eCv038464 Message accepted for delivery
>
> spamd and clamav never execute.

The above logfile entries appear to show that the milter interface for clamav _is_ being invoked. Although nothing shows for 'spamassassin'.

NOTE: your copy/paste of the .mc file, etc. *LOST* critical line-break formatting. I've had to _guess_ where breaks occurred in resurrecting the files. There are 'dnl' verbs below that appear to have nothing after them. *IF* what appears below as a separate line following such a 'dnl' is actually on the same line with the dnl, then _that_ directive will *NOT* be acted on. YOU will have to double-check for that.

>
> # cat mail.neu.net.mc
> divert(-1)
> #
> # Copyright (c) 1983 Eric P. Allman
> # Copyright (c) 1988, 1993
> # The Regents of the University of California. All rights reserved.
> #
> #
> #
>
> #
> # This is a generic configuration file for FreeBSD 6.X and later systems.
> # If you want to customize it, copy it to a name appropriate for your
> # environment and do the modifications there.
> #
> # The best documentation for this .mc file is:
> # /usr/share/sendmail/cf/README or
> # /usr/src/contrib/sendmail/cf/README
> #
>
> divert(0)
> VERSIONID(`$FreeBSD: release/9.0.0/etc/sendmail/freebsd.mc 223068 2011-06-14
> 04:33:43Z gshapiro $')
> OSTYPE(freebsd6)
> DOMAIN(generic)
>
> FEATURE(access_db, `hash -o -T /etc/mail/access')
> FEATURE(blacklist_recipients)
> FEATURE(local_lmtp)
> FEATURE(mailertable,`hash -o /etc/mail/mailertable')
> FEATURE(virtusertable, `hash -o
> /etc/mail/virtusertable')
>
> dnl Uncomment to allow relaying based on your MX records.
> dnl NOTE: This can allow sites to use your server as a backup MX without
> dnl your permission.
> dnl FEATURE(relay_based_on_MX)
>
> dnl DNS based black hole lists
> dnl
> dnl DNS based black hole lists come and go on a regular basis
> dnl so this file will not serve as a database of the available servers.
> dnl For that, visit
> dnl http://www.google.com/Top/Computers/Internet/E-mail/Spam/Blacklists/
>
> dnl Uncomment to activate your chosen DNS based blacklist
> dnl FEATURE(dnsbl,`dnsbl.example.com')
> dnl Alternatively, you can provide your own server and rejection message:
> dnl FEATURE(dnsbl,`dnsbl.example.com',``"550 Mail from " $&{client_addr}"
> rejected'')
> FEATURE(dnsbl,`sbl-xbl.spamhaus.org')
> FEATURE(dnsbl,`bl.spamcop.net')
>
>
> dnl Dialup users should uncomment and define this appropriately
> dnl define(`SMART_HOST',`your.isp.mail.server')
>
> dnl Uncomment the first line to change the location of the default
> dnl /etc/mail/local-host-names and comment out the second line.
> dnl define(`confCW_FILE',`-o /etc/mail/sendmail.cw')
> define(`confCW_FILE',`-o /etc/mail/local-host-names')
>
> INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,F=,T=S:4m;R:4m')dnl
>
> INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass-milter.sock,F=,T=C:15m;S:4m;R:4m;E:10m')dnl
> define(`confINPUT_MAIL_FILTERS',`clmilter,spamassassin')dnl

The 'dnl' at the end of the above lines is superfluous, and should be removed.

>
> dnl Enable for both IPv4 and IPv6 (optional)
> DAEMON_OPTIONS(`Name=IPv4,Family=inet')
> DAEMON_OPTIONS(`Name=IPv6,Family=inet6,Modifiers=O')
>
> define(`confBIND_OPTS',`WorkAroundBroken')
> define(`confNO_RCPT_ACTION',`add-to-undisclosed')
> define(`confPRIVACY_FLAGS',`authwarnings,noexpn,novrfy')
> MAILER(local)
> MAILER(smtp)
>
> [root@mail /etc/mail]#ps -aux
> root1268 0.0 0.3 41200 2668 ?? Is 11:47PM
Re: sendmail + clamav + spamassasin config help
> > the above). At least, that's how I do it.
> or, you could consider using Postfix. It's much easier to configure and implement content filters.

Depends on who is talking and how "easiness" is defined. Postfix is different. That's all.

Re: sendmail + clamav + spamassasin config help
[ Andrea Venturoli wrote on Tue 14.Aug'12 at 10:22:14 +0200 ]
> On 08/14/12 08:51, AN wrote:
> >FreeBSD mail.neu.net 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #2 r239243:
> >Mon Aug 13 19:20:19 EDT 2012
> >r...@mail.neu.net:/usr/obj/usr/src/sys/GENERIC amd64
> >
> >I am trying to configure sendmail + clamav + spamassassin. The problem I
> >have is that neither clamav or spamassassin runs when I send or receive
> >email. I would like the server to do the following:
> >
> >1. check dns blacklists, which is working (see below)
>
> Not really able to help you here...
> However, you may consider MIMEDefang (which in turn will run all of
> the above). At least, that's how I do it.

or, you could consider using Postfix. It's much easier to configure and implement content filters.

Jamie

Re: sendmail + clamav + spamassasin config help
On 08/14/12 08:51, AN wrote:
> FreeBSD mail.neu.net 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #2 r239243: Mon Aug 13 19:20:19 EDT 2012 r...@mail.neu.net:/usr/obj/usr/src/sys/GENERIC amd64
>
> I am trying to configure sendmail + clamav + spamassassin. The problem I have is that neither clamav or spamassassin runs when I send or receive email. I would like the server to do the following:
>
> 1. check dns blacklists, which is working (see below)

Not really able to help you here...
However, you may consider MIMEDefang (which in turn will run all of the above). At least, that's how I do it.

HTH.

bye
av.

Re: Sendmail and Postfix
On Fri, Jun 22, 2012 at 8:15 PM, Robert Bonomi wrote:
>> From owner-freebsd-questi...@freebsd.org Fri Jun 22 13:47:20 2012
>> To: freebsd-questions@freebsd.org
>> Date: Fri, 22 Jun 2012 13:41:46 -0500
>> From: Mark Felder
>> Subject: Re: Sendmail and Postfix
>>
>> When you installed Postfix did you allow it to update the entries in
>> /etc/mail/mailer.conf ? If so, I wouldn't worry about the mailq binary
>> that came with the system; it's ignored.
>
> For SendMail, mailq is just a symlink to the SendMail executable.
>
> the "mail.conf" stuff (to use a polite word) installs its own executable(s)
> under all the 'common' names that SendMail is invoked as. These
> executables look at /etc/mailer.conf, and invoke the appropriate executable
> for the mailer that you have selected in mailer.conf.
>

mailer.conf is usually modified by the Postfix port and I am not sure but I think the option is checked by default. The lines to add to rc.conf to de-activate Sendmail and use Postfix on the base system are:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
postfix_enable="YES"

--
Alejandro Imass

Re: Sendmail and Postfix
> From owner-freebsd-questi...@freebsd.org Fri Jun 22 13:47:20 2012
> To: freebsd-questions@freebsd.org
> Date: Fri, 22 Jun 2012 13:41:46 -0500
> From: Mark Felder
> Subject: Re: Sendmail and Postfix
>
> When you installed Postfix did you allow it to update the entries in
> /etc/mail/mailer.conf ? If so, I wouldn't worry about the mailq binary
> that came with the system; it's ignored.

For SendMail, mailq is just a symlink to the SendMail executable.

the "mail.conf" stuff (to use a polite word) installs its own executable(s) under all the 'common' names that SendMail is invoked as. These executables look at /etc/mailer.conf, and invoke the appropriate executable for the mailer that you have selected in mailer.conf.

Re: Sendmail and Postfix
On Fri, 22 Jun 2012 13:41:46 -0500, Mark Felder wrote:
> When you installed Postfix did you allow it to update the entries in
> /etc/mail/mailer.conf ? If so, I wouldn't worry about the mailq binary
> that came with the system; it's ignored.

Thanks! (Thanks too to the other responders.) Looks like that's the step I missed. Fixed now.

Cheers.

Re: Sendmail and Postfix
Hi--

On Jun 22, 2012, at 11:19 AM, Walter Hurry wrote:
> A little digging around has revealed that there are two 'mailq'
> executables on my system: /usr/local/bin/mailq and /usr/bin/mailq.
>
> The first is part of the mail/postfix-current port which I have installed
> and use, and the second is presumably part of Sendmail, which I have not
> installed and do not use.
>
> It seems that Sendmail is embedded somehow in the base system. What is
> the 'approved' way to get rid of /usr/bin/mailq? Or better, remove
> Sendmail?

BSD Unixes have shipped with Sendmail for decades, much as BIND is also included-- so yes, Sendmail is included with the base system by default.

The approved way is to simply leave things be. Properly written software will honor the links setup by mailwrapper(8) and use the Postfix MTA which you installed instead:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mail-changingmta.html

If you really want to remove sendmail entirely, you can rebuild FreeBSD with

NO_SENDMAIL=TRUE

...set in /etc/make.conf, which will avoid building sendmail at all.

Regards,
--
-Chuck

Re: Sendmail and Postfix
During subsequent system upgrades, if you build from source, you should watch out for this during the mergemaster piece.

Brian

On Jun 22, 2012 11:44 AM, "Matthew Seaman" wrote:
> On 22/06/2012 19:19, Walter Hurry wrote:
> > It seems that Sendmail is embedded somehow in the base system. What is
> > the 'approved' way to get rid of /usr/bin/mailq? Or better, remove
> > Sendmail?
>
> You don't need to remove the base system sendmail. All you need to do
> is set up /etc/mail/mailer.conf properly -- and installing the postfix
> port should do that for you -- and then any reference to
> /usr/sbin/sendmail, /usr/bin/mailq, usr/bin/hoststat etc. will run
> postfix instead. It's really very nicely done.
>
> See mailer.conf(5)
>
> Cheers,
>
> Matthew
>
> PS. Alright, yes. You can prevent sendmail from being built as part of
> the base system by defining 'WITHOUT_SENDMAIL=yes' in /etc/src.conf, but
> this supposes that you want to build the system yourself, rather than
> using, say, freebsd-update(8). See src.conf(5) and read in
> /usr/src/UPDATING and the Handbook about the procedure for building the
> system from source.
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey

Re: Sendmail and Postfix
When you installed Postfix did you allow it to update the entries in /etc/mail/mailer.conf ? If so, I wouldn't worry about the mailq binary that came with the system; it's ignored.

Re: Sendmail and Postfix
On 22/06/2012 19:19, Walter Hurry wrote:
> It seems that Sendmail is embedded somehow in the base system. What is
> the 'approved' way to get rid of /usr/bin/mailq? Or better, remove
> Sendmail?

You don't need to remove the base system sendmail. All you need to do is set up /etc/mail/mailer.conf properly -- and installing the postfix port should do that for you -- and then any reference to /usr/sbin/sendmail, /usr/bin/mailq, usr/bin/hoststat etc. will run postfix instead. It's really very nicely done.

See mailer.conf(5)

Cheers,

Matthew

PS. Alright, yes. You can prevent sendmail from being built as part of the base system by defining 'WITHOUT_SENDMAIL=yes' in /etc/src.conf, but this supposes that you want to build the system yourself, rather than using, say, freebsd-update(8). See src.conf(5) and read in /usr/src/UPDATING and the Handbook about the procedure for building the system from source.

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey

Re: sendmail, masquerading, exposed root?
On Mon, 28 May 2012 12:49:43 +0100, Anton Shterenlikht wrote:
> If I leave the root exposed, the From
> field looks e.g. r...@mech-anton240.men.bris.ac.uk,
> which is rejected by the university mailer,
> because it has no knowledge of this address.

You should be able to use sendmail's masquerading features. For example to be configured in the correct .mc file:

FEATURE(always_add_domain)
FEATURE(`masquerade_entire_domain')
FEATURE(`masquerade_envelope')
FEATURE(`allmasquerade')
MASQUERADE_AS(`bris.ac.uk')
MASQUERADE_DOMAIN(`bris.ac.uk.')
MASQUERADE_DOMAIN(localhost)
MASQUERADE_DOMAIN(localhost.localdomain)

That should turn r...@mech-anton240.men.bris.ac.uk into r...@bris.ac.uk if that's okay for you.

If you change root's name field in the passwd database (use chsh), you could add a specific machine name so you'll easily see from which root account you're receiving messages, e. g.

From: mech-anton240.men root
To: You
Subject: mech-anton240.men.bris.ac.uk security run output
... and so on ...

That's no big problem as you're not going to reply to that address. (If you had to, setting Reply-To: would surely help.)

Or you could use /etc/mail/aliases to redirect root to a different mail address.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

Re: Sendmail recommended permissions for apache/php server
On 12/04/2012 14:40, Ian Lord wrote:
>> What are the permissions on /usr/libexec/sendmail/sendmail ? They should
>> look like this:
>> % ls -la /usr/libexec/sendmail/sendmail
>> -r-xr-sr-x 1 root smmsp 662136 Apr 1 08:38
>> /usr/libexec/sendmail/sendmail
> # ls -al /usr/libexec/sendmail/sendmail
> -r-xr-sr-x 1 root wheel 707160 Jan 3 02:57 /usr/libexec/sendmail/sendmail
>
> So the group is wrong... I changed it from wheel to smmsp and
> everything works fine now !
>
> Thanks a lot for the fix, but this server is a clean install of
> 9.0-RELEASE that I installed about 2-3 months ago. I never changed the
> permission myself on that file so I guess there is something wrong that
> would need to be fixed (unless it's already fixed in newer versions).

I haven't had any similar problems on 9.0 systems I've installed so I don't think it is an obvious and universal bug in the system installer. It might be the case that you did something differently -- if you can reproduce the effect, and if it's not by doing something daft like 'oh, and here is where we recursively chgrp the whole filesystem for no apparent reason' then please do send a PR with the details.

If you want to ensure that almost everything has the correct ownership and permissions, then you can use mtree(8). eg.

# cd /
# mtree -Ue -f /etc/mtree/BSD.root.dist
# mtree -Ue -f /etc/mtree/BSD.sendmail.dist
# cd /usr
# mtree -Ue -f /etc/mtree/BSD.usr.dist
# cd /usr/include
# mtree -Ue -f /etc/mtree/BSD.include.dist
# cd /var
# mtree -Ue -f /etc/mtree/BSD.var.dist

... although now I come to look at it, this won't actually fix the group ownership on /usr/libexec/sendmail/sendmail for example. For that, you'd probably have to use the system sources or the installation media.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey

RE: Sendmail recommended permissions for apache/php server
>You should not be changing the ownership and permissions on any of the
>directories used by sendmail(8), or the group membership of any of the
>groups used by sendmail. Not even if you think you know what you are
>doing. This is extremely security sensitive, and getting it wrong means
>at minimum unprivileged users can forge e-mails untraceably[*].

That's what I thought, I found it to work but preferred to ask on the list since it didn't make sense to me :)

>To the OP -- can you execute sendmail outside PHP? If you can use
>mail(1) to send a test e-mail, then sendmail should be fine. Note: test
>this as an unprivileged user.

No it doesn't work, just tried it:

%mail -s Hello lo...@msdi.ca
Hello !
.
EOT
%WARNING: RunAsUser for MSP ignored, check group ids (egid=0, want=25)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

Apr 12 08:47:08 dev sendmail[94980]: NOQUEUE: SYSERR(msdi): can not chdir(/var/spool/clientmqueue/): Permission denied

>What are the permissions on /usr/libexec/sendmail/sendmail ? They should
>look like this:
>% ls -la /usr/libexec/sendmail/sendmail
>-r-xr-sr-x 1 root smmsp 662136 Apr 1 08:38
>/usr/libexec/sendmail/sendmail

# ls -al /usr/libexec/sendmail/sendmail
-r-xr-sr-x 1 root wheel 707160 Jan 3 02:57 /usr/libexec/sendmail/sendmail

So the group is wrong... I changed it from wheel to smmsp and everything works fine now !

Thanks a lot for the fix, but this server is a clean install of 9.0-RELEASE that I installed about 2-3 months ago. I never changed the permission myself on that file so I guess there is something wrong that would need to be fixed (unless it's already fixed in newer versions).

Thanks again

~~
Ian Lord
MSD Informatique
143 Rue des Fauvettes
St-Colomban (Québec) J5K 0E2
Tel: (514) 776-MSDI -> (514) 776-6734
Toll-free: 1(877) 776-MSDI -> 1(877) 776-6734
http://www.msdi.ca

Re: Sendmail recommended permissions for apache/php server
On Thu, 12 Apr 2012 08:17:33 +0100, Matthew Seaman wrote:
> On 12/04/2012 02:49, Polytropon wrote:
> > On Wed, 11 Apr 2012 23:57:51 +, Ian Lord wrote:
> > > I then got a different error in /var/log/messages
> > > Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write
> > > to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25):
> > > Permission denied
> > >
> > > I found very old threads saying to change the group of apache
> > > to "smmsp" but I doubt it's a good idea.
> >
> > No, not "change to", but you can _add_ apache (or whatever is
> > originating the error) to the smmsp group. Add it to "smmsp:*:25:"
> > in /etc/group.
>
> You should not be changing the ownership and permissions on any of the
> directories used by sendmail(8), or the group membership of any of the
> groups used by sendmail. Not even if you think you know what you are
> doing. This is extremely security sensitive, and getting it wrong means
> at minimum unprivileged users can forge e-mails untraceably[*].

You're right - as long as sendmail works properly (and is invoked by whatever means sends e-mail out of apache / PHP), the present group settings and permissions should be okay. Sendmail will then properly run "as the smmsp group member" which will enable it to properly access the queue directory.

> There is no reason for apache to have any sort of write permissions to
> /var/spool/clientmqueue -- that should only be accessible to sendmail,
> and sendmail is the only program that should ever use it.

I'm not aware of why a program should directly access the mail queues, but maybe that's a "special" PHP feature. :-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

Re: Sendmail recommended permissions for apache/php server
On 12/04/2012 02:49, Polytropon wrote:
> On Wed, 11 Apr 2012 23:57:51 +, Ian Lord wrote:
> > I then got a different error in /var/log/messages
> > Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write
> > to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25):
> > Permission denied
> >
> > I found very old threads saying to change the group of apache
> > to "smmsp" but I doubt it's a good idea.
>
> No, not "change to", but you can _add_ apache (or whatever is
> originating the error) to the smmsp group. Add it to "smmsp:*:25:"
> in /etc/group.

You should not be changing the ownership and permissions on any of the directories used by sendmail(8), or the group membership of any of the groups used by sendmail. Not even if you think you know what you are doing. This is extremely security sensitive, and getting it wrong means at minimum unprivileged users can forge e-mails untraceably[*].

There is no reason for apache to have any sort of write permissions to /var/spool/clientmqueue -- that should only be accessible to sendmail, and sendmail is the only program that should ever use it.

To the OP -- can you execute sendmail outside PHP? If you can use mail(1) to send a test e-mail, then sendmail should be fine. Note: test this as an unprivileged user.

What are the permissions on /usr/libexec/sendmail/sendmail ? They should look like this:

% ls -la /usr/libexec/sendmail/sendmail
-r-xr-sr-x 1 root smmsp 662136 Apr 1 08:38 /usr/libexec/sendmail/sendmail

If that all checks out, then the problem is with PHP rather than your sendmail installation. There are several different ways PHP might be programmed to send e-mail; perhaps you could describe how your particular application tries to do it?

Cheers,

Matthew

[*] So what? you might think. Until you get an e-mail request from your boss to provide sensitive information to some contractor you don't really know.

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey

Re: Sendmail recommended permissions for apache/php server
On Wed, 11 Apr 2012 23:57:51 +, Ian Lord wrote:
> I then got a different error in /var/log/messages
> Apr 11 19:38:40 dev sendmail[41170]: NOQUEUE: SYSERR(www): can not write to
> queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=25):
> Permission denied
>
> I found very old threads saying to change the group of apache
> to "smmsp" but I doubt it's a good idea.

No, not "change to", but you can _add_ apache (or whatever is originating the error) to the smmsp group. Add it to "smmsp:*:25:" in /etc/group.

See the error message above:

"can not write to queue directory /var/spool/clientmqueue/"

Check:

% ls -ld /var/spool/clientmqueue
drwxrwx--- 2 smmsp smmsp 512 Apr 12 03:12 /var/spool/clientmqueue/
    ^^^

This directory can be read, written and entered/searched by _members_ of the smmsp group. Back to the error message:

"(RunAsGid=0, required=25)"

It is indicated that group #25 (smmsp) is the required GID, not 0. And:

"Permission denied"

which is the logical conclusion.

Conclusion: You must make sure that whatever needs to access this directory is in the smmsp group (25).

> Chmodding 777 the /var/spool/clientmqueue/ fixed the problem,
> I can now send emails, but I wonder if this is the way to fix
> the issue correctly.

You shouldn't need to do that. Now this directory can be modified by anyone, that's not good.

> Is that the official fix or did I miss some configuration
> somewhere ? Sending emails from php using mail or sendmail
> should be something working out of the box I guess, I doubt
> we're supposed to change permissions to make it work

Correct. In regards of _security_, it's required to _allow_ the corresponding program / functionality / part of apache / mailer or whatever the access to the mail queue. This is something that is _not_ possible out of the box because there are many possibilities and security considerations.

> Any help would be appreciated.

Try to add apache (or whatever part of it, or PHP subsystem called by it that needs to access the mail queue) to the required group to give it the proper permission to do so.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

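The ownership and modes quoted in this thread (a setgid-smmsp sendmail binary, a `drwxrwx--- smmsp smmsp` queue directory, and no `chmod 777`) can be turned into a repeatable check. The script below is an added example, not code from any poster; its function and variable names are hypothetical, the first three sample listings are copied from the messages above, and the 777 listing is constructed.

```shell
#!/bin/sh
# Added example (not from any poster): check the sendmail submission program and
# its queue directory against the ownership and modes quoted in the thread.
# Each check takes one line of `ls -ld` output, so saved listings can be audited too.

MSP_BIN="${MSP_BIN:-/usr/libexec/sendmail/sendmail}"  # path quoted in the thread
MSP_QUEUE="${MSP_QUEUE:-/var/spool/clientmqueue}"     # path quoted in the thread
MSP_USER="${MSP_USER:-smmsp}"                         # queue owner in the thread
MSP_GROUP="${MSP_GROUP:-smmsp}"                       # gid 25 in the thread

# Listing lines copied from the messages above.
THREAD_BIN_GOOD='-r-xr-sr-x 1 root smmsp 662136 Apr 1 08:38 /usr/libexec/sendmail/sendmail'
THREAD_BIN_BAD='-r-xr-sr-x 1 root wheel 707160 Jan 3 02:57 /usr/libexec/sendmail/sendmail'
THREAD_QUEUE_GOOD='drwxrwx--- 2 smmsp smmsp 512 Apr 12 03:12 /var/spool/clientmqueue/'
# Constructed: what the queue listing looks like after the chmod 777 workaround.
CONSTRUCTED_QUEUE_777='drwxrwxrwx 2 smmsp smmsp 512 Apr 12 03:12 /var/spool/clientmqueue/'

# check_msp_binary LINE -> 0 if the listing matches "-r-xr-sr-x root smmsp", else 1.
check_msp_binary() {
    read -r b_mode b_links b_owner b_group b_rest <<EOF
$1
EOF
    b_rc=0
    case $b_mode in
        -*) ;;
        *) echo "FAIL binary: not a regular file ($b_mode)"; b_rc=1 ;;
    esac
    case $b_mode in
        ??????s*) ;;   # 7th character 's' = setgid plus group execute
        *) echo "FAIL binary: not setgid ($b_mode)"; b_rc=1 ;;
    esac
    case $b_mode in
        ?????w*|????????w*)
            echo "FAIL binary: group- or world-writable ($b_mode)"; b_rc=1 ;;
    esac
    [ "$b_owner" = root ] || { echo "FAIL binary: owner is $b_owner, want root"; b_rc=1; }
    [ "$b_group" = "$MSP_GROUP" ] || {
        echo "FAIL binary: group is $b_group, want $MSP_GROUP"; b_rc=1; }
    return "$b_rc"
}

# check_queue_dir LINE -> 0 if the listing matches "drwxrwx--- smmsp smmsp", else 1.
check_queue_dir() {
    read -r q_mode q_links q_owner q_group q_rest <<EOF
$1
EOF
    q_rc=0
    case $q_mode in
        d*) ;;
        *) echo "FAIL queue: not a directory ($q_mode)"; q_rc=1 ;;
    esac
    case $q_mode in
        ???????---*) ;;   # characters 8-10 are the permissions for "other"
        *) echo "FAIL queue: accessible to other users ($q_mode)"; q_rc=1 ;;
    esac
    case $q_mode in
        ????rwx*) ;;      # characters 5-7 are the group permissions
        *) echo "FAIL queue: group lacks rwx ($q_mode)"; q_rc=1 ;;
    esac
    [ "$q_owner" = "$MSP_USER" ] || { echo "FAIL queue: owner is $q_owner, want $MSP_USER"; q_rc=1; }
    [ "$q_group" = "$MSP_GROUP" ] || {
        echo "FAIL queue: group is $q_group, want $MSP_GROUP"; q_rc=1; }
    return "$q_rc"
}

# audit_msp: run both checks against the live system.
audit_msp() {
    a_rc=0
    if a_line=$(ls -ld "$MSP_BIN" 2>/dev/null); then
        check_msp_binary "$a_line" || a_rc=1
    else
        echo "FAIL binary: cannot list $MSP_BIN"; a_rc=1
    fi
    if a_line=$(ls -ld "$MSP_QUEUE" 2>/dev/null); then
        check_queue_dir "$a_line" || a_rc=1
    else
        echo "FAIL queue: cannot list $MSP_QUEUE"; a_rc=1
    fi
    if [ "$a_rc" -eq 0 ]; then echo "OK: binary and queue directory match"; fi
    return "$a_rc"
}

case "${1:-}" in
    --audit) audit_msp; exit $? ;;
    --samples)
        check_msp_binary "$THREAD_BIN_GOOD" && echo "OK binary (expected listing)"
        check_msp_binary "$THREAD_BIN_BAD"
        check_queue_dir "$THREAD_QUEUE_GOOD" && echo "OK queue (expected listing)"
        check_queue_dir "$CONSTRUCTED_QUEUE_777"
        ;;
esac
```

Run it with `--audit` on the mail host, or with `--samples` to see the checks applied to the listings from the thread.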
Re: sendmail+saslauthd && verify=FAIL
On 18/11/2011 10:00, Edward Martinez wrote:
> On 11/18/11 00:12, Matthias Apitz wrote:
>> STARTTLS=client, relay=smtp.1blu.de., version=TLSv1/SSLv3, verify=FAIL
>>
>> see below; what does the FAIL mean exactly?
>>
> I have been reading on the subject and it appears you do not trust
> the certificate
> issuer for smtp.lblu.de.

Which is pretty much normal for SSL certs used for mail transfer. Most mail servers use a self-signed certificate, because the important point is not to verify the identity of the other party but to protect the messages in transit against snooping. All that requires is a secure means of agreeing a symmetric session key between both parties, and the TLS handshake is the best available way of doing that.

Verifying SSL keys between MTAs is mostly useful only within one organisation where the keys can be issued from one central authority, or between a group of tightly integrated organisations.

With the advent of DNSSEC and things like the DANE project (https://tools.ietf.org/html/draft-ietf-dane-protocol-12) that might change, but DNSSEC adoption is too patchy yet for it to be effective.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW

Re: sendmail+saslauthd && verify=FAIL
On 11/18/11 00:12, Matthias Apitz wrote:
> STARTTLS=client, relay=smtp.1blu.de., version=TLSv1/SSLv3, verify=FAIL
>
> see below; what does the FAIL mean exactly?

I have been reading on the subject and it appears you do not trust the certificate issuer for smtp.lblu.de.

Re: Sendmail not accepting connections on port 25 (solved)
> Date: Sat, 23 Jul 2011 11:03:26 -0700
> From: ssgriffonuser
> Subject: Re: Sendmail not accepting connections on port 25 (solved)
>
> [[.. sneck ..]]
> However, I also learned that my home ISP blocks outbound
> traffic on port 25 (I thought it only blocked inbound) so I could not
> telnet to port 25 on my VPS. I want to say thanks again for all the
> comments and help.

Note: Blocking _outbound_ traffic to 'port 25' (except for the provider-operated mail-server) is -very- common for residential ("eyeball"-based) networks. It prevents virtually all "bot"-originated spam from going anywhere.

Blocking _inbound_ traffic to 'port 25' is *very* rare. If you just want to _receive_ mail directly, the ISP generally "doesn't care".
Re: Sendmail not accepting connections on port 25 (solved)
On 07/23/11 13:51, Bill Tillman wrote:
> --- On Thu, 7/21/11, Bernt Hansson wrote:
>
>> From: Bernt Hansson
>> Subject: Re: Sendmail not accepting connections on port 25
>> To: "ssgriffonuser"
>> Cc: freebsd-questions@freebsd.org
>> Date: Thursday, July 21, 2011, 3:31 AM
>>
>> 2011-07-20 06:24, ssgriffonuser wrote:
>>> I still can't telnet in from an external network.
>>
>> To me, that sounds like your external network might be blocking outgoing
>> traffic on port 25. Can you connect to any other mailservers on port 25?
>>
>> %telnet gmail-smtp-in.l.google.com 25
>> Trying 74.125.77.27...
>> telnet: connect to address 74.125.77.27: Connection refused
>> telnet: Unable to connect to remote host
>>
>> My isp is blocking outgoing traffic on port 25.
>
> I am not surprised. Like in my previous reply, every ISP I've ever worked
> with blocks ports 25. They have this done by their 3rd tier techs because
> when you call them for help they will be clueless as to what you're talking
> about. The thing I've found with Comcast is they do what's called black
> listing your IP address with some service. They will claim that your server
> has been sending spam. When in actuality all they are doing is forcing you
> to go to their sales people and pay extra if you want to run a mail server
> on your LAN. Gone are the days when I could run my own mailserver at home.

Just to clarify I have a VPS that I want to run a mail server on. The problem ended up being that I had the priorities of the MX record backwards. However, I also learned that my home ISP blocks outbound traffic on port 25 (I thought it only blocked inbound) so I could not telnet to port 25 on my VPS.

I want to say thanks again for all the comments and help.
Re: Sendmail not accepting connections on port 25
--- On Thu, 7/21/11, Bernt Hansson wrote:

> From: Bernt Hansson
> Subject: Re: Sendmail not accepting connections on port 25
> To: "ssgriffonuser"
> Cc: freebsd-questions@freebsd.org
> Date: Thursday, July 21, 2011, 3:31 AM
>
> 2011-07-20 06:24, ssgriffonuser wrote:
>> I still can't telnet in from an external network.
>
> To me, that sounds like your external network might be blocking outgoing
> traffic on port 25. Can you connect to any other mailservers on port 25?
>
> %telnet gmail-smtp-in.l.google.com 25
> Trying 74.125.77.27...
> telnet: connect to address 74.125.77.27: Connection refused
> telnet: Unable to connect to remote host
>
> My isp is blocking outgoing traffic on port 25.

I am not surprised. Like in my previous reply, every ISP I've ever worked with blocks ports 25. They have this done by their 3rd tier techs because when you call them for help they will be clueless as to what you're talking about. The thing I've found with Comcast is they do what's called black listing your IP address with some service. They will claim that your server has been sending spam. When in actuality all they are doing is forcing you to go to their sales people and pay extra if you want to run a mail server on your LAN. Gone are the days when I could run my own mailserver at home.
Re: Sendmail not accepting connections on port 25
On Thu, 21 Jul 2011 22:34:26 -0400, Robert Huff wrote:
>
> ssgriffonuser writes:
> > > My isp is blocking outgoing traffic on port 25.
> >
> > Yeah, it looks like you're right. I never would've considered my ISP
> > blocking outbound traffic from my home, but I suppose it makes
> > sense.

Does _not_ make sense as it just hides symptoms, but does not cure the initial problem.

> It is my understanding many I.S.P.s in the U.S. do, as part of
> spam control procedures. I am obliged to relay through my I.S.P.;
> after some initial set-up issues, this works flawlessly as long as
> at least one relay machine is up.

Same here - but different. Due to the fact that more than 90% of world's mail traffic is spam, many providers of mail services have the policy to _not_ accept mail coming from a "suspicious" IP. This is mostly ranges of dynamic IPs assigned to "dial-up" (home consumer) services, but may also contain other "blacklisted" IPs. In conclusion, you often have the situation that you can actually _send_ a message, but the target ISP's mail server will deny to accept it.

The same way of "manipulating the symptoms", I relay my mail through my ISP's MX. Thanks to sendmail's SmartHost setting, this is easy once set up. In the mail logs, you can then see when messages are committed to the MX (you do _not_ see delivery status to target anymore).

Blocking _outgoing_ "mail traffic" is also an interesting approach, so my initial guess "check if ISP is blocking something" was right... :-)

The initial problem, the "creation" of spam, is mainly due to hijacked "Windows" PCs (and servers) in homes and offices (the larger the "better"). Most people who run an own mailserver, and even if it's just for outgoing mail, do this in a _proper_ way. Sadly, those have to suffer from the carelessness of the masses. Business as usual.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: Sendmail not accepting connections on port 25
ssgriffonuser writes:
> > My isp is blocking outgoing traffic on port 25.
>
> Yeah, it looks like you're right. I never would've considered my ISP
> blocking outbound traffic from my home, but I suppose it makes
> sense.

It is my understanding many I.S.P.s in the U.S. do, as part of spam control procedures. I am obliged to relay through my I.S.P.; after some initial set-up issues, this works flawlessly as long as at least one relay machine is up.

Robert Huff
Re: Sendmail not accepting connections on port 25
On 07/21/11 01:31, Bernt Hansson wrote:
> 2011-07-20 06:24, ssgriffonuser wrote:
>> I still can't telnet in from an external network.
>
> To me, that sounds like your external network might be blocking outgoing
> traffic on port 25. Can you connect to any other mailservers on port 25?
>
> %telnet gmail-smtp-in.l.google.com 25
> Trying 74.125.77.27...
> telnet: connect to address 74.125.77.27: Connection refused
> telnet: Unable to connect to remote host
>
> My isp is blocking outgoing traffic on port 25.

Yeah, it looks like you're right. I never would've considered my ISP blocking outbound traffic from my home, but I suppose it makes sense. Thanks a lot for pointing this out, now I just have to get the server configured correctly.
Re: Sendmail not accepting connections on port 25
2011-07-20 06:24, ssgriffonuser wrote:
> I still can't telnet in from an external network.

To me, that sounds like your external network might be blocking outgoing traffic on port 25. Can you connect to any other mailservers on port 25?

%telnet gmail-smtp-in.l.google.com 25
Trying 74.125.77.27...
telnet: connect to address 74.125.77.27: Connection refused
telnet: Unable to connect to remote host

My isp is blocking outgoing traffic on port 25.
Re: Sendmail not accepting connections on port 25
On 07/19/11 09:31, Robert Bonomi wrote:
>> Date: Tue, 19 Jul 2011 00:03:58 -0700
>> From: ssgriffonuser
>> Subject: Sendmail not accepting connections on port 25
>>
>> Hi all,
>>
>> I'm having difficulty getting sendmail set up on my server. I can send
>> and receive to localhost and I can send to external networks but I can
>> not receive from external networks (I receive a 550: Address rejected).
>
> What does the sendmail LOG FILE show?
>
>> Netstat says sendmail is listening on port 25 but I cannot telnet to it.
>
> Netstat just says "something" has port 25 open on 'any' address -- this
> may, or may *not* be the sendmail instance you think is running. It
> probably *IS*, but you need to be sure.
>
>> When I do a port scan of the server, nmap does not show anything on port
>> 25 but does show smtp on 587.
>
> May I recommend 'lsof'? The command-line "lsof -n -P |grep IPv" will show
> exactly what processes have what ports, on what addresses, open.
>
>> As far as configuration goes, I added my hostname to
>> /etc/mail/local-host-names and created a /etc/host/virtusertable that
>> looks like:
>>
>> ad...@host.com shane
>> sh...@host.com shane
>>
>> then I ran 'make all install restart' .
>
> *Unless* you modified the .mc file, I believe 'virtusertable' should be
> in /etc/mail, not /etc/host.
>
> what does 'grep Kvirtuser /etc/mail/sendmail.cf' show?
>
> Lastly, you need to run 'makemap hash virtusertable' in the directory
> where the virtusertable file lives.

First of all, thanks everybody for the help and suggestions. Let me just clarify that the problem is: I cannot submit mail to my sendmail server (i.e. sending mail from gmail to my server). Answers to the questions that were presented are below.

*sendmail_enable and sendmail_submit_enable are set to YES in my rc.conf.
*ISP is not blocking port 25.
*The sendmail log file doesn't show anything useful which makes me believe that the connections are not getting to sendmail.
*lsof shows that sendmail is listening on port 25.
*The virtusertable file is in /etc/mail and not /etc/host. That was a typo.
*'grep Kvirtuser /etc/mail/sendmail.cf':
    Kvirtuser hash -o /etc/mail/virtusertable
*The correct files (i.e. access.db, virtusertable.db, aliases.db and sendmail.cf) are being generated before sendmail is started.
*I noticed the following line in /etc/defaults/rc.conf:
    sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost" # Flags for localhost-only MTA
That line seems to describe the problem I am having, however when I move that line to /etc/rc.conf and change the address from localhost to gatanova.com I still can't telnet in from an external network.

Some relevant files are shown below:

/etc/rc.conf:
    hostname="gatanova.com"
    ifconfig_re0="DHCP"
    apache22_enable="YES"
    apache22_http_accept_enable="YES"
    mysql_enable="YES"
    sendmail_enable="YES"
    sendmail_submit_enable="YES"
    sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=gatanova.com"

/etc/hosts:
    ::1 localhost localhost.gatanova.com
    127.0.0.1 localhost localhost.gatanova.com
    10.12.32.90 rootbsdinternal

/etc/mail/local-host-names:
    gatanova.com
    gatanova

/etc/mail/virtusertable:
    ad...@gatanova.com shane
    sh...@gatanova.com shane
    @gatanova.com shane

/etc/mail/access:
    #Empty, everything is commented out

Sorry for the long winded email, I wanted to make sure that enough information was available.
Re: Sendmail not accepting connections on port 25
2011-07-19 09:03, ssgriffonuser wrote:
> Hi all,
>
> I'm having difficulty getting sendmail set up on my server. I can send
> and receive to localhost and I can send to external networks but I can
> not receive from external networks (I receive a 550: Address rejected).
> Netstat says sendmail is listening on port 25 but I cannot telnet to it.
> When I do a port scan of the server, nmap does not show anything on port
> 25 but does show smtp on 587.

You do have sendmail_enable="YES" in /etc/rc.conf?
Re: Sendmail not accepting connections on port 25
On Tue, Jul 19, 2011 at 04:27:14PM -0400, Lowell Gilbert wrote:
> ssgriffonuser writes:
>
> > I'm having difficulty getting sendmail set up on my server. I can
> > send and receive to localhost and I can send to external networks but
> > I can not receive from external networks (I receive a 550: Address
> > rejected). Netstat says sendmail is listening on port 25 but I cannot
> > telnet to it.
> > When I do a port scan of the server, nmap does not show anything on
> > port 25 but does show smtp on 587.
>
> How did you start sendmail? The daemon doesn't run by default; perhaps
> you forgot to enable it in rc.conf? There's a manual for rc.sendmail(8)
> which describes the options for that...

Yes check /etc/rc.conf as pointed out above, I had missed that initially as well and took me a few minutes to realise what i'd missed.

    sendmail_enable="YES"
    sendmail_submit_enable="YES"

Should be all you need as well as your settings in the .cf file.
Re: Sendmail not accepting connections on port 25
ssgriffonuser writes:

> I'm having difficulty getting sendmail set up on my server. I can
> send and receive to localhost and I can send to external networks but
> I can not receive from external networks (I receive a 550: Address
> rejected). Netstat says sendmail is listening on port 25 but I cannot
> telnet to it.
> When I do a port scan of the server, nmap does not show anything on
> port 25 but does show smtp on 587.

How did you start sendmail? The daemon doesn't run by default; perhaps you forgot to enable it in rc.conf? There's a manual for rc.sendmail(8) which describes the options for that...
Re: Sendmail not accepting connections on port 25
> From: Robert Bonomi
> To: freebsd-questions@freebsd.org; ssgriffonu...@gmail.com
> Sent: Tue, July 19, 2011 12:31:56 PM
> Subject: Re: Sendmail not accepting connections on port 25
>
>> Date: Tue, 19 Jul 2011 00:03:58 -0700
>> From: ssgriffonuser
>> Subject: Sendmail not accepting connections on port 25
>>
>> Hi all,
>>
>> I'm having difficulty getting sendmail set up on my server. I can send
>> and receive to localhost and I can send to external networks but I can
>> not receive from external networks (I receive a 550: Address rejected).
>
> What does the sendmail LOG FILE show?
>
>> Netstat says sendmail is listening on port 25 but I cannot telnet to it.
>
> Netstat just says "something" has port 25 open on 'any' address -- this
> may, or may *not* be the sendmail instance you think is running. It
> probably *IS*, but you need to be sure.
>
>> When I do a port scan of the server, nmap does not show anything on port
>> 25 but does show smtp on 587.
>
> May I recommend 'lsof'? The command-line "lsof -n -P |grep IPv" will show
> exactly what processes have what ports, on what addresses, open.
>
>> As far as configuration goes, I added my hostname to
>> /etc/mail/local-host-names and created a /etc/host/virtusertable that
>> looks like:
>>
>> ad...@host.com shane
>> sh...@host.com shane
>>
>> then I ran 'make all install restart' .
>
> *Unless* you modified the .mc file, I believe 'virtusertable' should be
> in /etc/mail, not /etc/host.
>
> what does 'grep Kvirtuser /etc/mail/sendmail.cf' show?
>
> Lastly, you need to run 'makemap hash virtusertable' in the directory
> where the virtusertable file lives.

It's been ages since I configured an e-mail server but I do recall that sendmail likes to have the makemap hash command run as well as a few config file adjustments.

If you get into the m4 stuff with sendmail it can become quite complex which is why lots of people stay away from sendmail these days in favor of postfix or qmail. I am surprised that you're able to send mail but not receive it. It's usually the other way around because ISP's block e-mail being sent from their subscribers due to spammers and because they have found they can charge you extra if you want to run an e-mail server other than the one they provide. Also, receiving mail usually runs with a pop3 or imap daemon, your setup may be different and those programs usually default to port 110, not 25. Port 25 would be the typical outgoing port.
Re: Sendmail not accepting connections on port 25
> Date: Tue, 19 Jul 2011 00:03:58 -0700
> From: ssgriffonuser
> Subject: Sendmail not accepting connections on port 25
>
> Hi all,
>
> I'm having difficulty getting sendmail set up on my server. I can send
> and receive to localhost and I can send to external networks but I can
> not receive from external networks (I receive a 550: Address rejected).

What does the sendmail LOG FILE show?

> Netstat says sendmail is listening on port 25 but I cannot telnet to it.

Netstat just says "something" has port 25 open on 'any' address -- this may, or may *not* be the sendmail instance you think is running. It probably *IS*, but you need to be sure.

> When I do a port scan of the server, nmap does not show anything on port
> 25 but does show smtp on 587.

May I recommend 'lsof'? The command-line "lsof -n -P |grep IPv" will show exactly what processes have what ports, on what addresses, open.

>
> As far as configuration goes, I added my hostname to
> /etc/mail/local-host-names and created a /etc/host/virtusertable that
> looks like:
>
> ad...@host.com shane
> sh...@host.com shane
>
> then I ran 'make all install restart' .

*Unless* you modified the .mc file, I believe 'virtusertable' should be in /etc/mail, not /etc/host.

what does 'grep Kvirtuser /etc/mail/sendmail.cf' show?

Lastly, you need to run 'makemap hash virtusertable' in the directory where the virtusertable file lives.
Re: Sendmail not accepting connections on port 25
On Tue, 19 Jul 2011 00:03:58 -0700, ssgriffonuser wrote:
> Hi all,
>
> I'm having difficulty getting sendmail set up on my server. I can send
> and receive to localhost and I can send to external networks but I can
> not receive from external networks (I receive a 550: Address rejected).
> Netstat says sendmail is listening on port 25 but I cannot telnet to it.
> When I do a port scan of the server, nmap does not show anything on port
> 25 but does show smtp on 587.

Do you have any options corresponding to port settings in /etc/rc.conf? Do you run a firewall and maybe port redirection? Do you have /etc/hosts set up properly?

What does

    % telnet 25

in contradiction to

    % telnet 587

show? Are you sure your ISP isn't filtering anything "for your comfortability"? :-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: sendmail panic - savemail: cannot save rejected email anywhere
On Thu, 2011-01-06 at 17:47 +, Paul Macdonald wrote:
> On 06/01/2011 17:04, Lydia Rowe wrote:
> > cannot save rejected email anywhere
>
> "savemail panics" occur when sendmail is unable to deliver a bounced
> message to the postmaster alias.
> (from googling :)
> http://www.brandonhutchinson.com/savemail_panic_in_Sendmail.html
>

Ah, thank you. That helped. In case these archives help someone in the future, here's what happened:

Armed with this information, I took another run at the logs and there was a problem with the hostname, which was: .root

Yeah, so I updated the hostname and savemail isn't panicking anymore and neither am I. :).

Thanks, all!

--
Lydia
Re: sendmail panic - savemail: cannot save rejected email anywhere
Lydia Rowe wrote:
> Hi!
>
> I'm encountering this most curious error on a fairly new FreeBSD 8
> machine and I'm just not sure where to go with this.
>
> The Error:
> Jan 6 12:56:31 sendmail[1600]: p06HuRGB001600:
> Losing ./qfp06HuRGB001600: savemail panic
> Jan 6 12:56:31 sendmail[1600]: p06HuRGB001600: SYSERR(root): savemail:
> cannot save rejected email anywhere
>
>
> uname -a:
>
> FreeBSD .root 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17
> UTC 2009
> r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>
> Unless my understanding of mathematics is way off, I've got more than
> enough room:
>
> Filesystem     Size    Used   Avail Capacity  Mounted on
> /dev/ad0s1a    496M    180M    277M    39%    /
> devfs          1.0K    1.0K      0B   100%    /dev
> /dev/ad0s1e    496M     14K    456M     0%    /tmp
> /dev/ad0s1f     24G    5.7G     17G    26%    /usr
> /dev/ad0s1d    1.3G     18M    1.2G     1%    /var
>
>
> Any insight on what is happening/causing this would be beyond
> awesome. :).
>
> --
> Lydia Rowe

When I've had that err message I check my /etc/mail/sendmail.cf is up to newest release to match the .mc & binaries from source, then check all path in the .cf exist, & check access permissions. Then the problem goes away.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
Mail plain text; Not quoted-printable, or HTML or base 64.
Avoid top posting, it cripples itemised cumulative responses.
Re: sendmail panic - savemail: cannot save rejected email anywhere
On 06/01/2011 17:04, Lydia Rowe wrote:
> cannot save rejected email anywhere

"savemail panics" occur when sendmail is unable to deliver a bounced message to the postmaster alias.
(from googling :)
http://www.brandonhutchinson.com/savemail_panic_in_Sendmail.html

--
Paul Macdonald
IFDNRG Ltd
Web and video hosting
t: 0131 5548070
m: 07534206249
e: p...@ifdnrg.com
w: http://www.ifdnrg.com
IFDNRG
40 Maritime Street
Edinburgh
EH6 6SA
Re: sendmail and /etc/hosts
On Thu, Dec 9, 2010 at 3:08 PM, Gabor Illo wrote:

> Hello
>
> My problem: sendmail skipping /etc/host and use MX record. Somebody
> have any idea how use sendmail /etc/host file?
>
> Dec 9 20:58:23 www sm-mta[29438]: oB9Fxmx0027174:
> to=, delay=03:58:35, xdelay=00:00:00, mailer=esmtp,
> pri=1313137, relay=mail.mouseoleum.hu., dsn=4.0.0, stat=Deferred:
> Connection refused by mail.mouseoleum.hu.
>

Could you clarify in regards to what you want sendmail to actually use /etc/host for? If your intent is to re-map where mail destined for a given host/domain goes - (ie override DNS MX records) - then /etc/hosts is not going to do what you want. Depending on where you intend to redirect to, you'll need either mailer table, access table entries or to configure your local sendmail to receive for that domain to accomplish that.

You might try reading further at:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mail-using.html

Specifically in regards to email and DNS relationships.

--
Nathan Vidican
nat...@vidican.com
RE: Sendmail as client via smarthost and ssl
>GSSAPI is the "Generic Security Services Application Program Interface"
>and NTLM is "NT Lan Manager" -- they are both authentication systems
>popular amongst various generations of Microsoft OSes. GSSAPI is
>actually based on that old Unix stalwart: Kerberos, and hence is also
>fairly popular amongst non-Microsoft types. They are some of the
>authentication mechanisms that come as standard with SASL implementations.
>
>Unless you know that you do need them, you almost certainly don't.
<...>

Thank you for the explanation. I was actually not sure whether or not these options were needed. Authentication to the smarthost did not work, and at one point I noticed the line:

<...>
250-AUTH GSSAPI NTLM
<...>

coming from the server. So I gave it a try - and it still did not work.

Christopher
RE: Sendmail as client via smarthost and ssl
>On 29/10/2010 14:49, Christopher Illies wrote:
>>
>> <...>
>> Ok, when I use telnet, this happens:
>>> telnet send.ki.se 587
>> Trying 130.xxx.xxx.26...
>> Connected to send.ki.se.
>> Escape character is '^]'.
>> 220 KIMSX09.user.ki.se Microsoft ESMTP MAIL Service ready at Fri, 29 Oct
>> 2010 14:55:51 +0200
>> EHLO
>> 250-KIMSX09.user.ki.se Hello [136.xxx.xxx.214]
>> 250-SIZE 10485760
>> 250-PIPELINING
>> 250-DSN
>> 250-ENHANCEDSTATUSCODES
>> 250-STARTTLS
>> 250-AUTH GSSAPI NTLM <<<
>> 250-8BITMIME
>> 250-BINARYMIME
>> 250 CHUNKING
<...>
>I'd guess from here that the microsoft mail server (i'd say exchange but
>its part of IIS these days i think) is being awkward. GSSAPI is kerberos
>related i believe, NTLM is a windows method from what i remember. I'm
>not familiar with either i'm afraid.

Thanks for your suggestions, anyhow. It might very well be that something about the server's behaviour is awkward. fetchmail, which worked well with the old server, stopped working after the mailserver was changed to the current one. The settings were correct, but only after I installed a new version of fetchmail, it worked again.

It looks like that I will have to use webmail for now.

Christopher
Re: Sendmail as client via smarthost and ssl
On 29/10/2010 14:49, Christopher Illies wrote:
> Thanks for your explanations, Vince. It got me one step further (I think).
>
> <...>
> Ok, when I use telnet, this happens:
>> telnet send.ki.se 587
> Trying 130.xxx.xxx.26...
> Connected to send.ki.se.
> Escape character is '^]'.
> 220 KIMSX09.user.ki.se Microsoft ESMTP MAIL Service ready at Fri, 29 Oct 2010
> 14:55:51 +0200
> EHLO
> 250-KIMSX09.user.ki.se Hello [136.xxx.xxx.214]
> 250-SIZE 10485760
> 250-PIPELINING
> 250-DSN
> 250-ENHANCEDSTATUSCODES
> 250-STARTTLS
> 250-AUTH GSSAPI NTLM <<<
> 250-8BITMIME
> 250-BINARYMIME
> 250 CHUNKING
>
>
> Although I have no idea what GSSAPI and NTLM are, I remembered that I have
> seen these abbreviations before: NTLM is an OPTION for cyrus-sasl2, and yes,
> it is compiled in (WITH_NTLM=true). And GSSAPI appeared first in the mc file:
>
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
> PLAIN')dnl
>
> So I changed the authinfo/client-info file to:
>
> AuthInfo:[send.ki.se] "U:smmsp" "I:XXX" "P:YYY" "M:GSSAPI"
>
> Still, it does not work:
>
> <<< 530 5.7.1 Client was not authenticated

I'd guess from here that the microsoft mail server (i'd say exchange but its part of IIS these days i think) is being awkward. GSSAPI is kerberos related i believe, NTLM is a windows method from what i remember. I'm not familiar with either i'm afraid.

Vince

> Christopher
>
Re: Sendmail as client via smarthost and ssl
On 29/10/2010 14:49, Christopher Illies wrote:
> Although I have no idea what GSSAPI and NTLM are, I remembered that I have
> seen these abbreviations before: NTLM is an OPTION for cyrus-sasl2, and yes,
> it is compiled in (WITH_NTLM=true). And GSSAPI appeared first in the mc file:

GSSAPI is the "Generic Security Services Application Program Interface" and NTLM is "NT Lan Manager" -- they are both authentication systems popular amongst various generations of Microsoft OSes. GSSAPI is actually based on that old Unix stalwart: Kerberos, and hence is also fairly popular amongst non-Microsoft types. They are some of the authentication mechanisms that come as standard with SASL implementations.

Unless you know that you do need them, you almost certainly don't. You can turn off support for those mechanisms at the point of compiling cyrus-sasl2, or you can take them out of the configuration for the various SASL consumers if you want. They are pretty much harmless though, so just doing nothing is also a viable option[*].

Cheers,

Matthew

[*] I have run into situations where not compiling them into various software made everything run much more smoothly: however, those were exceptional circumstances, and probably a temporary artefact of the particular software versions. Your mileage will probably vary.

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
RE: Sendmail as client via smarthost and ssl
Thanks for your explanations, Vince. It got me one step further (I think).

<...>
>PLAIN mechanism means that i'm sending the password/user in plain rather
>than using something like DIGEST-MD5 or any of the other possible
>mechanisms that can be listed in confAUTH_MECHANISMS in your sendmail
>.mc file
>
>to get a list of what's supported by your relay telnet to it on port 25
>and issue an EHLO command. the supported mechanisms are listed following
>the AUTH keyword.
>
>for example for me
>(11:59:59 <~>) 1 $ telnet RELAY.ISP.net 25
>Trying 213.xxx.xxx.53...
>Connected to RELAY.ISP.net.
<...>
>250-AUTH LOGIN PLAIN ---THIS ONE.
>250-STARTTLS
>250-DELIVERBY
>250 HELP

Ok, when I use telnet, this happens:

> telnet send.ki.se 587
Trying 130.xxx.xxx.26...
Connected to send.ki.se.
Escape character is '^]'.
220 KIMSX09.user.ki.se Microsoft ESMTP MAIL Service ready at Fri, 29 Oct 2010 14:55:51 +0200
EHLO
250-KIMSX09.user.ki.se Hello [136.xxx.xxx.214]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM <<<
250-8BITMIME
250-BINARYMIME
250 CHUNKING

Although I have no idea what GSSAPI and NTLM are, I remembered that I have seen these abbreviations before: NTLM is an OPTION for cyrus-sasl2, and yes, it is compiled in (WITH_NTLM=true). And GSSAPI appeared first in the mc file:

define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

So I changed the authinfo/client-info file to:

AuthInfo:[send.ki.se] "U:smmsp" "I:XXX" "P:YYY" "M:GSSAPI"

Still, it does not work:

<<< 530 5.7.1 Client was not authenticated

Christopher
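An added example (not part of the thread, and not sendmail or cyrus-sasl code): it parses the two EHLO replies quoted in this thread and intersects the advertised AUTH mechanisms with the confAUTH_MECHANISMS list from the .mc line above, holding back the password-revealing PLAIN and LOGIN mechanisms until TLS is active. The function names and action labels are hypothetical; the second reply is assembled from the lines the thread quotes for RELAY.ISP.net.

```python
import re

REPLY_LINE = re.compile(r"^250([ -])(.*)$")

# Mechanisms that put the password itself on the wire; acceptable only
# once the session is protected by STARTTLS.
CLEARTEXT = {"PLAIN", "LOGIN"}

# Client preference order, copied from the confAUTH_MECHANISMS line.
CLIENT_MECHS = "EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN".split()

# EHLO reply from send.ki.se as posted (the poster's "<<<" marker removed).
KI_REPLY = """\
250-KIMSX09.user.ki.se Hello [136.xxx.xxx.214]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
"""

# EHLO reply from the relay in the quoted example, assembled from the thread.
RELAY_REPLY = """\
250-RELAY.ISP.net Hello foo.ISP.net [195.x.x.102], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 reply."""
    caps = {}
    lines = [ln.strip() for ln in reply.strip().splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if m is None:
            raise ValueError("not a 250 reply line: %r" % line)
        sep, text = m.groups()
        if index > 0:  # the first line is the greeting, not a keyword
            # Some servers also send the legacy "AUTH=LOGIN PLAIN" form.
            if text.upper().startswith("AUTH="):
                text = "AUTH " + text[5:]
            words = text.upper().split()
            if words:
                caps.setdefault(words[0], []).extend(words[1:])
        if sep == " ":  # "250 " (space) marks the last line of the reply
            break
    return caps


def plan_auth(client_mechs, caps, tls_active=False):
    """Decide what the client may do with the mechanisms on offer."""
    offered = caps.get("AUTH", [])
    common = [m for m in client_mechs if m in offered]
    safe_now = [m for m in common if tls_active or m not in CLEARTEXT]
    if not common:
        action = "no-common-mechanism"
    elif safe_now:
        action = "authenticate"
    elif "STARTTLS" in caps:
        action = "starttls-then-re-ehlo"
    else:
        action = "refuse-cleartext"
    return {"offered": offered, "common": common,
            "safe_now": safe_now, "action": action}


if __name__ == "__main__":
    for name, reply in (("send.ki.se", KI_REPLY), ("RELAY.ISP.net", RELAY_REPLY)):
        print(name, plan_auth(CLIENT_MECHS, parse_ehlo(reply)))
```

Both replies were captured before STARTTLS; a server may advertise a different AUTH list after the TLS handshake, so the same check applies to the second EHLO.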
Re: Sendmail as client via smarthost and ssl
On 29/10/2010 11:19, Christopher Illies wrote: > > I added "U:smmsp" and "M:PLAIN" to my /etc/mail/auth/client-info file, but > that did not change anything. When I left out the square brackets around the > server name in that file, I got another error message in /val/log/maillog: > > Oct 29 12:05:22 muck sm-mta[42252]: o9TA5Mtt042250: > to=, ctladdr= (1001/1001), > delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30466, relay=send.ki.se. > [130.229.20.28], dsn=4.0.0, stat=Deferred: Name server: send.ki.se.: host > name lookup failure > > <...> odd http://www.sendmail.org/~ca/email/sm-812.html#812AUTH has an example with no square brackets. Not sure why this would break it for you. >> (I also set up SSL separately as i'm using plain method but you seem to >> have that covered.) > Could you explain this a bit further, please? I am not clear on how this > works. > Setting up SSL is done by compiling sendmail with sasl, isn't it? Or is there > something else to do? Also, the term "plain method" confuses me: This does > not refer to whether or not you are using ssl? > Sorry wrong terminology. That should have been plain mechanism not method. PLAIN mechanism mean that i'm sending the password/user in plain rather than using something like DIGEST-MD5 or any of the other possible mechanisms that can be listed in confAUTH_MECHANISMS in your sendmail .mc file to get a list of whats supported by your relay telnet to it on port 25 and issue an EHLO command. the supported mechanisms are listed following the AUTH keyword. for example for me (11:59:59 <~>) 1 $ telnet RELAY.ISP.net 25 Trying 213.xxx.xxx.53... Connected to RELAY.ISP.net. Escape character is '^]'. 220 RELAY.ISP.net ESMTP Sendmail 8.13.8/8.13.8; Fri, 29 Oct 2010 12:00:08 +0100 ehlo unsane.co.uk 250-RELAY.ISP.net Hello foo.ISP.net [195.x.x.102], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-AUTH LOGIN PLAIN ---THIS ONE. 
250-STARTTLS 250-DELIVERBY 250 HELP Ignore the ssl comment, I was obviously half asleep, the ssl config I have is for receiving mail over ssl (server side) not sending (client side) I have tried copying your steps for testing, dnl define(`SMART_HOST', `RELAY.ISP.net')dnl FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl to ostracod.unsane.co.uk.mc (my machines mc file) [r...@ostracod /etc/mail]# make all /usr/bin/m4 -D_CF_DIR_=/usr/local/share/sendmail/cf/ /usr/local/share/sendmail/cf/m4/cf.m4 ostracod.unsane.co.uk.mc > ostracod.unsane.co.uk.cf [r...@ostracod /etc/mail]# make install install -m 444 ostracod.unsane.co.uk.cf /etc/mail/sendmail.cf install -m 444 ostracod.unsane.co.uk.submit.cf /etc/mail/submit.cf [r...@ostracod /etc/mail]# then created /etc/mail/auth/client-info with [r...@ostracod /etc/mail]# cat /etc/mail/auth/client-info AuthInfo:RELAY.ISP.net "U:smmsp" "I:USER" "P:PASSWORD" "M:PLAIN" and then makemap hash client-info Sorry to bother you with all these questions. Thats fine, what sendmail I do know will be forgotten if i dont use it.. hope these data-points help but it looks like a bit of a "works for me" without solving your issue. Vince > Christopher ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
RE: Sendmail as client via smarthost and ssl
From: owner-freebsd-questi...@freebsd.org [owner-freebsd-questi...@freebsd.org] On Behalf Of Vincent Hoffman [vi...@unsane.co.uk] Sent: Thursday, October 28, 2010 11:22 PM To: freebsd-questions@freebsd.org Subject: Re: Sendmail as client via smarthost and ssl >On 28/10/2010 15:25, Christopher Illies wrote: >>> 2010-10-28 14:49, Christopher Illies: >>>> To send email from my computer at work I need to send through a >>>> smarthost. In the past I had added the line: >>>> >>>> define(`SMART_HOST', `[smpt.ki.se]') >>> Brackets are only needed for ipaddresses. <...> >All I had to do for was add >AuthInfo:relay.isp.net "U:smmsp" "I:username" "P:PassWord" "M:PLAIN" >to /etc/mail/access >and the smarthost directive. I added "U:smmsp" and "M:PLAIN" to my /etc/mail/auth/client-info file, but that did not change anything. When I left out the square brackets around the server name in that file, I got another error message in /val/log/maillog: Oct 29 12:05:22 muck sm-mta[42252]: o9TA5Mtt042250: to=, ctladdr= (1001/1001), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30466, relay=send.ki.se. [130.229.20.28], dsn=4.0.0, stat=Deferred: Name server: send.ki.se.: host name lookup failure <...> > >(I also set up SSL separately as i'm using plain method but you seem to >have that covered.) Could you explain this a bit further, please? I am not clear on how this works. Setting up SSL is done by compiling sendmail with sasl, isn't it? Or is there something else to do? Also, the term "plain method" confuses me: This does not refer to whether or not you are using ssl? Sorry to bother you with all these questions. Christopher ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Sendmail as client via smarthost and ssl
On 28/10/2010 15:25, Christopher Illies wrote: >> 2010-10-28 14:49, Christopher Illies: >>> To send email from my computer at work I need to send through a >>> smarthost. In the past I had added the line: >>> >>> define(`SMART_HOST', `[smpt.ki.se]') >> Brackets are only needed for ipaddresses. >> >> What happens when you remove the brackets, like so >> define(`SMART_HOST', `your.mail.server') > Nothing changes. I get the same error messages as with > the brackets. > I'm a bit late here, but... All I had to do for was add AuthInfo:relay.isp.net "U:smmsp" "I:username" "P:PassWord" "M:PLAIN" to /etc/mail/access and the smarthost directive. I assume from your config this would go in /etc/mail/auth/client-info >From /usr/share/sendmail/cf/README Providing SMTP AUTH Data when sendmail acts as Client - If sendmail acts as client, it needs some information how to authenticate against another MTA. This information can be provided by the ruleset authinfo or by the option DefaultAuthInfo. The authinfo ruleset looks up {server_name} using the tag AuthInfo: in the access map. If no entry is found, {server_addr} is looked up in the same way and finally just the tag AuthInfo: to provide default values. Note: searches for domain parts or IP nets are only performed if the access map is used; if the authinfo feature is used then only up to three lookups are performed (two exact matches, one default). (I also set up SSL separately as i'm using plain method but you seem to have that covered.) Hope thats useful to you. Vince > ___ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org" ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
RE: Sendmail as client via smarthost and ssl
>On Thu, 2010-10-28 at 14:49 +0200, Christopher Illies wrote: > >> >> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 >> LOGIN PLAIN')dnl FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl >> >> dnl Set port define(`RELAY_MAILER_ARGS', `IPC $h 587') < >I can't speak to the validity of the technique that you're attempting to >use, however the 'dnl' directive is an instruction to ignore the rest of >the line (c.f. '#' in shell scripts, etc., in fact I believe 'dnl' is a >mnemonic for something like "delete to newline" or "discard to >newline"). > >In which case these are probably intended to be: > >define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 > LOGIN PLAIN')dnl >FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl > >dnl Set port >define(`RELAY_MAILER_ARGS', `IPC $h 587')dnl > > >Wayne Yes, you are right. This is not only how these lines are intended to be, this is how they actually look like. Some newlines were deleted while copy-and-pasting these lines. Sorry for the confusion. Christopher ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Sendmail as client via smarthost and ssl
On Thu, 2010-10-28 at 14:49 +0200, Christopher Illies wrote: > Not knowing much about sendmail, I tried google and more or less > blindly followed suggestions. Here is what I have done so far, but > sending email still does not work: > > 1. recompiled sendmail with sasl by adding the following lines to > /etc/make.conf + installing security/cyrus-sasl2 + recompiling > sendmail: > > SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2 > SENDMAIL_LDFLAGS=-L/usr/local/lib SENDMAIL_LDADD=-lsasl2 > > 2. Adding the following line to my mc file (+ make all install > restart): > > define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 > LOGIN PLAIN')dnl FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl > > dnl Set port define(`RELAY_MAILER_ARGS', `IPC $h 587') I can't speak to the validity of the technique that you're attempting to use, however the 'dnl' directive is an instruction to ignore the rest of the line (c.f. '#' in shell scripts, etc., in fact I believe 'dnl' is a mnemonic for something like "delete to newline" or "discard to newline"). In which case these are probably intended to be: define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl dnl Set port define(`RELAY_MAILER_ARGS', `IPC $h 587')dnl Wayne ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
RE: Sendmail as client via smarthost and ssl
>2010-10-28 14:49, Christopher Illies:
>> To send email from my computer at work I need to send through a
>> smarthost. In the past I had added the line:
>>
>> define(`SMART_HOST', `[smpt.ki.se]')
>
>Brackets are only needed for IP addresses.
>
>What happens when you remove the brackets, like so
>define(`SMART_HOST', `your.mail.server')

Nothing changes. I get the same error messages as with the brackets.
Re: Sendmail Question: Smart Host Round-Robin In Mailertable?
On 10/27/2010 3:26 PM, Giorgos Keramidas wrote:
> On Wed, 27 Oct 2010 09:51:59 -0500, Tim Daneliuk wrote:
>> A bit OT, but I'm hoping one of you resident geniuses can point me to
>> an answer
>>
>> I have a situation where I need to set up round-robin across several
>> smart hosts in the sendmail mailertable for all traffic. (For a
>> variety of reasons, the client does not want this done in either the
>> .mc file or directly in the .cf file.)
>>
>> Can some kind soul point me to a resource that explains the syntax for
>> doing this?
>
> Maybe a DNS-based round robin solution would suffice?
>

DNS cannot be changed for a variety of reasons...

--
Tim Daneliuk tun...@tundraware.com
Re: Sendmail Question: Smart Host Round-Robin In Mailertable?
On Wed, 27 Oct 2010 09:51:59 -0500, Tim Daneliuk wrote:
> A bit OT, but I'm hoping one of you resident geniuses can point me to
> an answer
>
> I have a situation where I need to set up round-robin across several
> smart hosts in the sendmail mailertable for all traffic. (For a
> variety of reasons, the client does not want this done in either the
> .mc file or directly in the .cf file.)
>
> Can some kind soul point me to a resource that explains the syntax for
> doing this?

Maybe a DNS-based round robin solution would suffice?
Re: sendmail && resolv.conf changes
On Tuesday, September 14, 2010 at 05:49:07PM +0200, Terrence Koeman wrote:

> > > What I wanted to say: sendmail runs and DHCP changes in certain
> > > situations the IP, routing and DNS, and sendmail does not adopt on these
> > > changes.
>
> It might be an idea to (mis)use the "script" option in dhclient.conf to
> restart sendmail (/etc/rc.d/sendmail restart) after a lease has been acquired.
> See 'man dhclient.conf'.

Actually I'm using hooks in devd(8) like:

$ cat /usr/local/etc/devd/tun6.conf
notify 0 {
	match "system"		"IFNET";
	match "subsystem"	"tun6";
	match "type"		"LINK_UP";
	action "/usr/local/etc/devd/tun6.sh $subsystem $type";
};

$ cat /usr/local/etc/devd/tun6.sh
#!/bin/sh
#
echo `date`: $0 $* >> /tmp/devd.out
( sleep 30 ; echo Doing: /etc/rc.d/sendmail onerestart >> /tmp/devd.out ; /etc/rc.d/sendmail onerestart ; )
exit 0

for each interface which might come up; but I was thinking that there must be a more general solution in sendmail or DNS itself; in any case, thanks for your idea;

> ...
> Please quote all replies in correspondence.

No. See netiquette RFC: http://www.faqs.org/rfcs/rfc1855.html

matthias

--
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e - w http://www.unixarea.de/
Solidarity with the zionistic pirates of Israel? Not in my name!
RE: sendmail && resolv.conf changes
> -Original Message- > From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd- > questi...@freebsd.org] On Behalf Of tomasz dereszynski > Sent: Tuesday, September 14, 2010 11:28 AM > To: Matthias Apitz; freebsd-questions@freebsd.org > Subject: Re: sendmail && resolv.conf changes > > > > El día Tuesday, September 14, 2010 a las 09:15:49AM +0100, tomasz > > dereszynski escribió: > > > >> > >> > > >> > Hello, > >> > > >> > When using a laptop it is normal that there are some changes in > >> > resolv.conf during the live, for example: > >> > > >> > boot time: no network available > >> > start of PPP over UMTS: resolv.conf from provider > >> > start VPN to connect to company: resolv.conf from company > >> > ... > >> > > >> > it seems that sendmail is not aware of such changes in the > resolv.conf > >> > and always get stuck with the old DNS and ofc does not work on > >> incoming > >> > mails (provided by fetchmail). A restart helps, but is there some > >> better > >> > way to let sendmail switch to the new DNS environment when > resolv.conf > >> > changes? > >> > > >> > Thanks > >> > > >> My very wide guess would be that Sendmail starts before system > obtain > >> network settings from DHCP. > > > > Your guess is correct :-) > > > > What I wanted to say: sendmail runs and DHCP changes in certain > > situations the IP, routing and DNS, and sendmail does not adopt on > these > > changes. > > > delay Sendmail start to after network settings loaded from DHCP. > > not sure if there is any 'documentation correct' way of doing that but > 'home crafted' one would be to move /etc/rc.sendmail to > /usr/local/etc/rc.d/blah.sendmail.sh and remove it from rc.config > > hope someone here knows more proper way and can advise. > It might be an idea to (mis)use the "script" option in dhclient.conf to restart sendmail (/etc/rc.d/sendmail restart) after a lease has been aquired. See 'man dhclient.conf'. -- Regards, T. Koeman, MTh/BSc/BPsy; Technical Monk MediaMonks B.V. 
(www.mediamonks.com) Please quote all replies in correspondence.
Re: sendmail && resolv.conf changes
> El día Tuesday, September 14, 2010 a las 09:15:49AM +0100, tomasz > dereszynski escribió: > >> >> > >> > Hello, >> > >> > When using a laptop it is normal that there are some changes in >> > resolv.conf during the live, for example: >> > >> > boot time: no network available >> > start of PPP over UMTS: resolv.conf from provider >> > start VPN to connect to company: resolv.conf from company >> > ... >> > >> > it seems that sendmail is not aware of such changes in the resolv.conf >> > and always get stuck with the old DNS and ofc does not work on >> incoming >> > mails (provided by fetchmail). A restart helps, but is there some >> better >> > way to let sendmail switch to the new DNS environment when resolv.conf >> > changes? >> > >> > Thanks >> > >> My very wide guess would be that Sendmail starts before system obtain >> network settings from DHCP. > > Your guess is correct :-) > > What I wanted to say: sendmail runs and DHCP changes in certain > situations the IP, routing and DNS, and sendmail does not adopt on these > changes. delay Sendmail start to after network settings loaded from DHCP. not sure if there is any 'documentation correct' way of doing that but 'home crafted' one would be to move /etc/rc.sendmail to /usr/local/etc/rc.d/blah.sendmail.sh and remove it from rc.config hope someone here knows more proper way and can advise. -- bEsT rEgArDs| "Confidence is what you have before you tomasz dereszynski | understand the problem." -- Woody Allen | Spes confisa Deo| "In theory, theory and practice are much numquam confusa recedit | the same. In practice they are very | different." -- Albert Einstein ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: sendmail && resolv.conf changes
On Tuesday, September 14, 2010 at 09:15:49AM +0100, tomasz dereszynski wrote:

> > Hello,
> >
> > When using a laptop it is normal that there are some changes in
> > resolv.conf during the live, for example:
> >
> > boot time: no network available
> > start of PPP over UMTS: resolv.conf from provider
> > start VPN to connect to company: resolv.conf from company
> > ...
> >
> > it seems that sendmail is not aware of such changes in the resolv.conf
> > and always get stuck with the old DNS and ofc does not work on incoming
> > mails (provided by fetchmail). A restart helps, but is there some better
> > way to let sendmail switch to the new DNS environment when resolv.conf
> > changes?
> >
> > Thanks
> >
> My very wide guess would be that Sendmail starts before system obtain
> network settings from DHCP.

Your guess is correct :-)

What I wanted to say: sendmail runs and DHCP changes in certain situations the IP, routing and DNS, and sendmail does not adopt on these changes.

matthias

--
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e - w http://www.unixarea.de/
Solidarity with the zionistic pirates of Israel? Not in my name!
Re: sendmail && resolv.conf changes
>
> Hello,
>
> When using a laptop it is normal that there are some changes in
> resolv.conf during the live, for example:
>
> boot time: no network available
> start of PPP over UMTS: resolv.conf from provider
> start VPN to connect to company: resolv.conf from company
> ...
>
> it seems that sendmail is not aware of such changes in the resolv.conf
> and always get stuck with the old DNS and ofc does not work on incoming
> mails (provided by fetchmail). A restart helps, but is there some better
> way to let sendmail switch to the new DNS environment when resolv.conf
> changes?
>
> Thanks
>

My very wide guess would be that Sendmail starts before system obtain network settings from DHCP. But I do not remember Sendmail settings well enough.

--
bEsT rEgArDs            | "Confidence is what you have before you
tomasz dereszynski      | understand the problem." -- Woody Allen
                        |
Spes confisa Deo        | "In theory, theory and practice are much
numquam confusa recedit | the same. In practice they are very
                        | different." -- Albert Einstein
Re: sendmail rdns question
In freebsd-questions Digest, Vol 325, Issue 5, Message: 4
On Tue, 24 Aug 2010 12:06:33 +0100 Paul Macdonald wrote:

> Hi,
>
> Sorry for posting on a bsd list but I figure there's more than a few
> sendmail experts here.
>
> I would like to run reverse dns checks on one of my boxes but the
> check_rnds macro looks a bit overkill to me.
>
> I want to reject the mail if there's no reverse dns, but not if there is
> rdns but the PTR loop isn't closed (which is very common).
>
> So accepting these types:
>
> reject=451 4.1.8 Possibly forged hostname for
>
> but rejecting these types
> reject=550 5.7.1 <>... Fix reverse DNS for
> ...
>
> In sendmail, FEATURE(`require_rdns')dnl seems to do both.

Well yes, it does just that, which is usually what's desired. Eg from the other day, reformatted for readability:

Aug 24 19:13:43 x sm-mta[22564]: ruleset=check_relay,
  arg1=[220.229.138.147], arg2=220.229.138.147,
  relay=adsl-220-229-138-147.TC.sparqnet.net [220.229.138.147] (may be forged),
  reject=451 4.1.8 Possibly forged hostname for 220.229.138.147

% dig +short -x 220.229.138.147
adsl-220-229-138-147.TC.sparqnet.net.
% dig +short adsl-220-229-138-147.TC.sparqnet.net.
%

(RDNS, but the supplied RDNS does not resolve - no 'closed loop' as you put it - so deferred. It's a good clue to the (genuine) sender to fix it, but you'll find that 99% of these will be spam anyway)

Aug 24 22:40:59 x sm-mta[33233]: ruleset=check_relay,
  arg1=[217.107.186.83], arg2=217.107.186.83,
  relay=[217.107.186.83],
  reject=550 5.7.1 Fix reverse DNS for 217.107.186.83

% dig +short -x 217.107.186.83
%

(no RDNS - so rejected)

In sendmail.cf you'll see something like this (tabs lost in cut'n'paste)

R$*			$: $&{client_addr} $| $&{client_resolve}
R$=R $*			$@ RELAY		We relay for these
R$* $| OK		$@ OK			Resolves.
R$* $| FAIL		$#error $@ 5.7.1 $: 550 Fix reverse DNS for $1
R$* $| TEMP		$#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
R$* $| FORGED		$#error $@ 4.1.8 $: 451 Possibly forged hostname for $1

You could make the FORGED ones return '$@ OK' also .. NOT recommended!

You'd be much better off whitelisting particular senders that for some reason can't fix their broken RDNS, by adding 'some...@somewhere OK' to your /etc/mail/access file.

cheers, Ian
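The four outcomes handled by the rules quoted above (OK, FAIL, TEMP, FORGED), as an added example that is not part of the original post and is not sendmail's code: a forward-confirmed reverse DNS check run against a small constructed DNS table, returning the same SMTP replies. The first two table entries mirror the dig output in the post; the 192.0.2.x, 198.51.100.x and example.* entries, the function names and the accept_forged switch are made up for illustration, and treating a temporary failure at either lookup step as TEMP is an assumption of this sketch.

```python
class TempFailure(Exception):
    """The resolver could not answer right now (SERVFAIL, timeout)."""


# Constructed DNS data; lookups are table-driven so the example runs offline.
PTR = {
    "220.229.138.147": ["adsl-220-229-138-147.TC.sparqnet.net."],  # from the post
    "217.107.186.83": [],                                           # from the post
    "192.0.2.10": ["mx1.example.net."],    # made up: PTR and A agree
    "192.0.2.30": ["host.example.org."],   # made up: A points somewhere else
}
A = {
    "adsl-220-229-138-147.tc.sparqnet.net.": [],
    "mx1.example.net.": ["192.0.2.10"],
    "host.example.org.": ["198.51.100.7"],
}
TEMPFAIL_IPS = {"192.0.2.20"}              # made up: resolver times out


def ptr_lookup(ip):
    """Reverse lookup: IP address -> list of host names."""
    if ip in TEMPFAIL_IPS:
        raise TempFailure(ip)
    return PTR.get(ip, [])


def addr_lookup(name):
    """Forward lookup: host name -> list of IP addresses."""
    return A.get(name.lower(), [])


def client_resolve(ip, ptr=ptr_lookup, addr=addr_lookup):
    """Return OK, FAIL, TEMP or FORGED for a connecting client address."""
    try:
        names = ptr(ip)
        if not names:
            return "FAIL"        # no PTR record at all
        if any(ip in addr(name) for name in names):
            return "OK"          # the name maps back to the same address
    except TempFailure:
        return "TEMP"
    return "FORGED"              # PTR exists but the loop is not closed


# Reply texts as they appear in the rules quoted in the post.
REPLIES = {
    "OK": None,
    "FAIL": "550 5.7.1 Fix reverse DNS for {ip}",
    "TEMP": "451 4.1.8 Client IP address {ip} does not resolve",
    "FORGED": "451 4.1.8 Possibly forged hostname for {ip}",
}


def check_relay(ip, accept_forged=False):
    """Return (state, reply); reply is None when the client is accepted.

    accept_forged=True models the relaxation the post advises against.
    """
    state = client_resolve(ip)
    if state == "FORGED" and accept_forged:
        return state, None
    reply = REPLIES[state]
    return state, reply.format(ip=ip) if reply else None


if __name__ == "__main__":
    for ip in list(PTR) + sorted(TEMPFAIL_IPS):
        print(ip, check_relay(ip), check_relay(ip, accept_forged=True))
```

With accept_forged set, every client whose PTR record merely exists is let through, including 192.0.2.30, whose name resolves to an unrelated address; clients with no PTR at all are still rejected.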
Re: sendmail, queue intervals and ETRN
In the last episode (Aug 18), David Allen said:
> I've had the following setup at home for a number of years:
>
>    mailhub <> smarthost <---> intarwebs
>
> Everything works as intended, of course, but I'd like to change the setup
> to accommodate the mailhub host being powered off at night. After it's
> restarted in the morning (or whenever), the mailhub should issue an ETRN
> command for any queued mail, and any changes made to the smarthost's
> configuration the night before are undone.
>
> Is there a simple answer to this? What I'm after is a solution that
> avoids MAILER DAEMON messages, etc. as a result of the mailhub host being
> unavailable.

Easiest way would be to raise the warning timeout on your smarthost to be longer than your expected poweroff duration.

define(`confTO_QUEUEWARN', `1d')dnl

--
Dan Nelson
dnel...@allantgroup.com
Re: Sendmail - One Trick Pony
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/07/2010 16:12:36, J wrote: > I'd like to set up Sendmail to facilitate e-mail (with attached jpeg) > delivery to an internet account from my wireless IP camera. That's > all I want it to do, nothing more. I've been a very satisfied > FreeBSD user for a few years and am reasonably comfortable with OS > and software configuration, but I have literally no knowledge of mail > servers or configuring Sendmail. Some people suggest using other > programs such as Postfix, but I'd rather get this work with Sendmail. > I did install the cyrus-sasl2 port as well as saslauthd, since I > thought I might have an authentication problem. Beyond that the only > other things I've done are: Right: by enabling sendmail to accept e-mail from one remote client, you open the possibility of any client being able to e-mail via your server, so you should put some thought into how you're going to secure that. Personally, I'd be writing firewall rules to block incoming traffic to ports 25 and 587 from anywhere other than your camera. > 1. sendmail_enable="YES" > in rc.conf > 2. (camera's ip address) RELAY > in /etc/mail/access > > I'm seeing my webmail account information (address and relay server) > in maillog and when I use sendmail verbose, I see what looks like a > successful transaction but the mail never gets delivered. So it > would seem that the camera is communication fine with my FreeBSD > server, but the mail isn't getting transmitted out to the internet. > > Any suggestions are appreciated. You want your sendmail instance to act as a mail client and authenticate to your webmail provider? That's certainly possible, but usually you can avoid it. If you need client-side auth, see the section "Using sendmail as a client with AUTH" in: http://www.sendmail.org/~ca/email/auth.html You will need to recompile sendmail with appropriate AUTH capabilities, as you would for providing server-side authentication. 
In any case, if you need client-side auth or not, start by making sure that you can send e-mail from your FreeBSD box to your webmail account manually --- use the mail(1) command like so: % mail -v -s "test message" your-n...@webmail.provider Test message . (Ie. type in the text of a message and finish with a dot on it's own on a separate line) Once that part works, look at relaying the e-mail from your camera. The '-v' flag should show you a verbose transcript of the SMTP dialogue involved when sending the message. Unfortunately nowadays that's just the interaction with the MSP instance of sendmail, and not the delivery to the webmail server. Anyhow, follow the progress of the message through to delivery by following the logging in /var/log/maillog. You can also examine the mail queues by: # mailq -v (Shows the main sendmail mail queue) # mailq -Ac -v (Shows the MSP sendmail mail queue) Usually you would have to be exceptionally fast and lucky to catch a message actually in the MSP mail queue. Messages getting stuck there indicates a problem with your local sendmail setup. One thing to check is that your ISP does not block outgoing traffic to port 25 -- this is frequently done as an anti-spam measure. In that case, you will need to relay all mail via your ISPs servers by using the smarthost setting described in another answer. Beyond that, you should now see one of three results: * Mail accepted by your webmail provider and shows up in your mailbox. Job done. * Mail rejected by your webmail provider. Hopefully with some sort of error message that will tell you why the message was rejected. In this case, you're looking at making sure the messages generated from your camera don't look like spam. Generally this boils down to making sure that the addresses in the message headers can be looked up in the DNS both forwards and backwards, and that your FreeBSD server also identifies itself (in the EHLO part of the SMTP dialogue) with a similarly verifiable name. 
* Mail accepted by your webmail provider, but then disappears without trace. In principle this shouldn't happen, but in practice as a SMTP service provider it's hard to avoid completely and still provide a competent anti-spam and anti-virus filter. In this case, you need to talk to the webmail provider and get them to examine the mail logs and tell you what the problem was with your message. It could be the same sort of DNS address verification stuff as above, or it could be something to do with the actual content you're sending.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
Re: Sendmail - One Trick Pony
On Thu, 1 Jul 2010, J wrote:

> I'd like to set up Sendmail to facilitate e-mail (with attached jpeg) delivery to an internet account from my wireless IP camera. That's all I want it to do, nothing more. I've been a very satisfied FreeBSD user for a few years and am reasonably comfortable with OS and software configuration, but I have literally no knowledge of mail servers or configuring Sendmail. Some people suggest using other programs such as Postfix, but I'd rather get this work with Sendmail. I did install the cyrus-sasl2 port as well as saslauthd, since I thought I might have an authentication problem. Beyond that the only other things I've done are:
>
> 1. sendmail_enable="YES"
>    in rc.conf
> 2. (camera's ip address) RELAY
>    in /etc/mail/access
>
> I'm seeing my webmail account information (address and relay server) in maillog and when I use sendmail verbose, I see what looks like a successful transaction but the mail never gets delivered. So it would seem that the camera is communication fine with my FreeBSD server, but the mail isn't getting transmitted out to the internet.

Probably you need to set SMART_HOST to use your ISP's mail server. As root,

# cd /etc/mail
# make

That will create your hostname.mc file if it's not already there. Locate the SMART_HOST line, remove the dnl to uncomment it, and enter the name of your ISP's mail server. After that,

# make all install restart
Re: sendmail: My unqualified host name
On 28/06/2010 23:21, Polytropon wrote: On Mon, 28 Jun 2010 23:12:38 +0100, Michael wrote: Yes but I don't quite understand why. It's my laptop system and I don't really need or want sendmail there. You may want to reconsider this statement. :-) I did just that :) So far I thought sendmail is a big hairy thing that is completely useless on desktop systems. Now I learned that it is kind of crucial to proper system workings so in fact I do need it. Plus messages that it tried to deliver are important so I definitely do want it. It was all fine and quiet for months and started just recently. So THAT is really strange. So mystery is now solved since I got sendmail working locally. It turned out that ports update went wrong and messed up one program. That program was being run every minute via root's crontab... Thank you so much. M. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: sendmail: My unqualified host name
On 6/28/10 6:21 PM, Polytropon wrote: But how can I find out exactly what is trying to use sendmail (which fails and complaints)? I think it's sendmail itself that complains on startup (running as local-only delivery system). That's certainly what it looks like. The only change in the system I can think of is that I replaced pf with ipfw. I doubt that has anything to do with it. Unless the change blocked access to DNS and reverse DNS was being used to look up the system name. -- --Jon Radel j...@radel.com
Re: sendmail: My unqualified host name
On Mon, 28 Jun 2010 23:12:38 +0100, Michael wrote:
> Yes but I don't quite understand why. It's my laptop system and I don't
> really need or want sendmail there.

You may want to reconsider this statement. :-)

> I guess it must be some script
> trying to send email instead of logging to a file.

The sendmail facility is used by the system to deliver status messages (e. g. by the daily/monthly/weekly periodic scripts, sometimes by the printing subsystem), so it depends on an at least locally working installation. There may be other services that rely on sendmail to provide output directed to a system's mail box (usually root). Check /etc/defaults/rc.conf for the sendmail_* family of options.

> But how can I find out exactly what is trying to use sendmail (which
> fails and complaints)?

I think it's sendmail itself that complains on startup (running as local-only delivery system).

> My configuration (8.0-RELEASE-p3):
> /etc/rc.conf
> hostname="prime"
> sendmail_enable="NONE"
> /etc/hosts
> ::1 localhost prime
> 127.0.0.1 localhost prime

Try to additionally define a domainname ".local" or ".lan", e. g.

127.0.0.1 localhost
127.0.0.1 prime.local prime

See "man 5 hosts" for details, I think it explains it very well (it's right in the 1st paragraph). Also give the full name in /etc/rc.conf: hostname="prime.local". Then make sure to have visited /etc/mail doing "make all install". This will make sure sendmail picks up all necessary configuration items.

> It was all fine and quiet for months and started just recently.

So THAT is really strange.

> The only
> change in the system I can think of is that I replaced pf with ipfw.

I doubt that has anything to do with it.

> Still don't understand what is so urgent that sendmail keeps trying
> every minute.

It fails to start properly because of a missing configuration item.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
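An added example, not part of the thread: a simplified model of a files-only hosts(5) lookup, run against the /etc/hosts posted in the message and against the layout suggested in the reply. The function names and the rule that any dotted name on the matching line counts as qualified are assumptions of this sketch; the unqualified result it reports, localhost, is the name shown in parentheses in the logged complaints.

```python
def parse_hosts(text):
    """Parse hosts(5) text into (address, [names]) pairs; the first name is canonical."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:                    # need an address and at least one name
            entries.append((fields[0], fields[1:]))
    return entries


def qualify(hostname, hosts_text):
    """Model a first-match, files-only lookup of `hostname`.

    Returns (status, name):
      "qualified"   and the first dotted name on the matching line,
      "unqualified" and that line's canonical (first) name,
      "unresolved"  and None when no line lists the host.
    """
    wanted = hostname.lower()
    for _addr, names in parse_hosts(hosts_text):
        if wanted not in (n.lower() for n in names):
            continue
        for name in names:
            if "." in name.strip("."):          # a trailing dot alone does not qualify
                return ("qualified", name)
        return ("unqualified", names[0])
    return ("unresolved", None)


# /etc/hosts as posted in the thread: "prime" is only an alias of "localhost".
BEFORE = """\
::1 localhost prime
127.0.0.1 localhost prime
"""

# Layout suggested in the reply: the host gets its own line with a dotted name first.
AFTER = """\
127.0.0.1 localhost
127.0.0.1 prime.local prime
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, qualify("prime", text))
```
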
Re: sendmail: My unqualified host name
On 28/06/2010 22:43, Polytropon wrote:
> On Mon, 28 Jun 2010 21:51:46 +0100, Michael wrote:
>> My console is being flooded with this kind of messages:
>>
>> Jun 28 15:49:02 prime sendmail[57268]: My unqualified host name (localhost) unknown; sleeping for retry
>> Jun 28 15:49:06 prime sendmail[21451]: unable to qualify my own domain name (localhost) -- using short name
>
> It seems that it's your *sendmail* that is complaining. Check your settings regarding hostname (hostname= in /etc/rc.conf, corresponding entry in /etc/hosts), also check sendmail configuration in /etc/mail.

Yes but I don't quite understand why. It's my laptop system and I don't really need or want sendmail there. I guess it must be some script trying to send email instead of logging to a file.

But how can I find out exactly what is trying to use sendmail (which fails and complaints)?

My configuration (8.0-RELEASE-p3):

/etc/rc.conf
hostname="prime"
sendmail_enable="NONE"

/etc/hosts
::1 localhost prime
127.0.0.1 localhost prime

/etc/nsswitch.conf
hosts: files dns

/etc/periodic.conf
daily_output="/var/log/dper.log"
daily_clean_hoststat_enable="NO"
daily_backup_aliases_enable="NO"
daily_status_mailq_enable="NO"
daily_status_include_submit_mailq="NO"
daily_status_mail_rejects_enable="NO"
daily_queuerun_enable="NO"
daily_submit_queuerun="NO"
daily_status_security_output="/var/log/dsec.log"
weekly_output="/var/log/wper.log"
monthly_output="/var/log/mper.log"

It was all fine and quiet for months and started just recently. The only change in the system I can think of is that I replaced pf with ipfw.

Still don't understand what is so urgent that sendmail keeps trying every minute.

M.
Re: sendmail: My unqualified host name
On Mon, 28 Jun 2010 21:51:46 +0100, Michael wrote:
> Hello.
>
> My console is being flooded with this kind of messages:
>
> Jun 28 15:49:02 prime sendmail[57268]: My unqualified host name
> (localhost) unknown; sleeping for retry
> Jun 28 15:49:06 prime sendmail[21451]: unable to qualify my own domain
> name (localhost) -- using short name
> Jun 28 15:50:02 prime sendmail[85031]: My unqualified host name
> (localhost) unknown; sleeping for retry
> Jun 28 15:50:06 prime sendmail[57268]: unable to qualify my own domain
> name (localhost) -- using short name
>
> Is there any way to find out who/what is trying to use sendmail?

It seems that it's your *sendmail* that is complaining. Check your settings regarding hostname (hostname= in /etc/rc.conf, corresponding entry in /etc/hosts), also check sendmail configuration in /etc/mail.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: sendmail access
On Thu, Jun 10, 2010 at 3:40 PM, kalin m wrote:
>
> hi all...
> reading
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/sendmail.html
>
> i did get an access file set up. it doesn't do anything though...
> i have only entry like this:
>
> some.domain.com OK
>
> and did make. then changed /etc/defaults/rc.conf to
> sendmail_enable="YES"
>
> restarted sendmail. cool. so far. now mail is accepted from everywhere not
> only the entry in access: some.domain.com
>
> why?
>

As far as I understand it, the access file makes more fine-grained "decisions." That is, sendmail allows everything and the access file allows you to discriminate more precisely. Notice that the example has (something like):

spam.com REJECT
. . .
okay.spam.com OK

So, if you only want to allow emails only from some.domain.com then you have to REJECT all other domains . . . good luck ;-)

> thanks...
Re: Sendmail Five Second Greeting Delay
On Fri, 02 Apr 2010 12:46:24 -0400 Jon Radel wrote:
>On 4/2/10 11:49 AM, David Allen wrote:
>>
>> On 4/2/10, Jon Radel wrote:
>>> On 4/2/10 8:33 AM, David Allen wrote:
>>> [much stuff deleted --SB]
>>
>> Interesting reading. Thanks for elaborating.
>>
>> So the IDENT protocol was relied on in the time of the dinosaurs, it's
>> value today is "so much less" (a polite way of saying "not used at
>> all"?), and IDENT packets are commonly dropped by firewalls. Do I
>> have that right?
>
>Yes, except for the "not used at all" bit.

Well, as a mid-Triassic dinosaur who didn't reach the rapidly growing continent of UNIXia until the mid-Jurassic (SysVR1.05->4.3BSD), long after the breakup of Panibmea had begun, I'd like to say in our defense that when authd and identd first made their appearances as the latest fashion statements, those of us who had evolved properly suspicious natures due to exposure to our own user communities long before becoming networked, looked at each other, rolled our eyeballs, chuckled, and proceeded not to install either.

>
>> If so, then a reasonable conclusion is that the
>> default sendmail behaviour with respect to IDENT (sending queries and
>> then waiting for a reply) is an anachronism. And the workaround
>> (setting a timeout of zero) is a fix for that anachronism. Should I
>> consider those two points as "features", or should I just get off your
>> lawn before I get yelled at? ;-)
>>
>
>People who get all bent out of shape about 5 second delays in e-mail
>delivery deserve to suffer, therefore I personally think the default
>behavior is fine the way it is. But as I said, you can find many
>sendmail "cookbooks" on the Internet that recommend that you set it to 0
>sec and get on with your life.

Indeed. :-)

>
>Or you could just set all your firewalls to reject the traffic with much
>the same end result.
>

In the same day's digest, on Fri, 02 Apr 2010 18:37:38 +0100, Matthew Seaman wrote:
>On 02/04/2010 15:12:33, Jon Radel wrote:
>> This is why there's a school of thought that even if your default for
>> firewall configuration is to quietly drop unwanted packets, IDENT is a
>> protocol that you should actively reject. It makes things move along
>> more quickly.

Nonsense. When a system is harassed by useless crap like that, it is indeed appropriate to drop the packets. I remain grateful to this day to the person on this list who long ago pointed out blackhole(4) to me in response to my queries about how to deal with my system's kernel issuing console complaints that it was limiting the sending of RSTs to 200 per second. Let the buggers eat silence, I say. It can help to slow down their assaults.

>
>That, and the fact that the ident protocol is utterly pointless -- it's
>trivially easy for a server to lie about the owner of the other end of a
>TCP connection. In fact, doing that is a standard part of the
>functionality of identd implementations. Just a waste of packets.
>

Precisely. So are the RSTs in such cases.

Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet: bennett at cs.niu.edu *
**
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**
Re: Sendmail Five Second Greeting Delay
Lowell Gilbert wrote:

> Matthew Seaman writes:
> > Ident queries like this will cause a delay if the other side
> > doesn't respond to the ident query ...
> I consider it polite for firewalls to actively refuse to open
> the connection (TCP reset) rather than just dropping the request,
> though. There's really no downside to doing so.

Other than giving port-scanners an affirmative indication that there is a device of some sort at the IP address involved. Some firewalls even drop pings for exactly this reason.

If the request comes from an address to which I've recently* initiated a connection -- so he already knows that my address is currently alive -- I ought to either respond per protocol or reset. If it comes from who-knows-where, it may be safer to drop it.

The ident protocol is useful for the purpose for which it was designed: to pass "whom to blame" info between servers which have reason to trust one another's identity (based on, e.g., stable IP addresses) and administration. Granted the circumstances in which these conditions are met are a lot less prevalent than they once were.

* for some reasonable definition of recently
Re: Sendmail Five Second Greeting Delay
Matthew Seaman writes:

> Ident queries like this will cause a delay if the other side doesn't
> respond to the ident query. That's typical behaviour for most
> machines that run firewalls nowadays. Given that ident is broken as
> designed (see rant in other post) turning it off is a good idea in my book.

I consider it polite for firewalls to actively refuse to open the connection (TCP reset) rather than just dropping the request, though. There's really no downside to doing so.

--
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
Re: Sendmail Five Second Greeting Delay
On 02/04/2010 13:33:09, David Allen wrote:

> Secondly, it seems the cause of the OP's problem was a delay associated
> with an IDENT query. Specifically
>
> confTO_IDENT Timeout.ident [5s] The timeout waiting for a
> response to an IDENT query.
>
> If he had local DNS configured, there would be no query, and therefore no
> issue, but setting the timeout to 0 seconds using

Ident queries like this will cause a delay if the other side doesn't respond to the ident query. That's typical behaviour for most machines that run firewalls nowadays. Given that ident is broken as designed (see rant in other post) turning it off is a good idea in my book.

Note that the 5s delay produced by ident-flail doesn't prevent ultimate delivery of the message. FEATURE('greet_pause', ...) does when the other side is rude enough not to play by the rules.

As far as I know, the ident protocol doesn't depend on the availability of DNS -- mind you, SMTP really really does depend on working DNS, so it would be pretty broken anyhow.

> define(`confTO_IDENT', 0s)
>
> does remove the delay, but not the underlying problem.

Should disable use of the ident protocol with sendmail.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: Sendmail Five Second Greeting Delay
On 02/04/2010 15:12:33, Jon Radel wrote:

> This is why there's a school of thought that even if your default for
> firewall configuration is to quietly drop unwanted packets, IDENT is a
> protocol that you should actively reject. It makes things move along
> more quickly.

That, and the fact that the ident protocol is utterly pointless -- it's trivially easy for a server to lie about the owner of the other end of a TCP connection. In fact, doing that is a standard part of the functionality of identd implementations. Just a waste of packets.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: Sendmail Five Second Greeting Delay
On 4/2/10 11:49 AM, David Allen wrote:
> On 4/2/10, Jon Radel wrote:
>> On 4/2/10 8:33 AM, David Allen wrote:
>>> Secondly, it seems the cause of the OP's problem was a delay associated with an IDENT query. Specifically
>>>
>>> confTO_IDENT Timeout.ident [5s] The timeout waiting for a response to an IDENT query.
>>>
>>> If he had local DNS configured, there would be no query, and therefore no issue, but setting the timeout to 0 seconds using
>>>
>>> define(`confTO_IDENT', 0s)
>>>
>>> does remove the delay, but not the underlying problem.
>>
>> You sure? IDENT has nothing to do with DNS, and I don't know of any program that does an IDENT query solely if DNS data is not available. I can't see why that would make any sense.
>
> Well, I'm sure that on a network with functional DNS, sendmail sends no IDENT queries. And by extension, there are no delays due to timeouts of unanswered queries.

Very odd. Why on earth would that be the case?

>> What is most likely the OP's root problem is that he's sending e-mail from a machine that's on the other side of a firewall that blocks IDENT traffic but doesn't actively reject it. So sendmail has to sit around and wait for the query to time out.
>
> That much I get, but the question is why sendmail, by default sends those queries?

Historical reasons. So that you know, when bad mail is sent to you from the Math Dept. server by Jimbob playing around with his own SMTP program, whom to yell at. (See below for references.) Please don't make out like I'm advocating as this being of much utility these days; I'm not. You can find all sorts of recommendations to turn this off if you look around.

>> This is why there's a school of thought that even if your default for firewall configuration is to quietly drop unwanted packets, IDENT is a protocol that you should actively reject. It makes things move along more quickly.
>
> Fair enough. But that reasoning is based on a premise that IDENT is widely depended upon (and implicitly widely used), yes?

It's still deployed enough to result in tedious discussions, such as this one, coming up fairly frequently. None of this is a problem until you have people who drop ident packets *and* get upset that there are servers out there that wait for a timeout. And just think, we could be in the bad old days, when you *had* to wait for the IP stack to timeout and sendmail didn't have a handy place to set the timeout to a short value. To paraphrase: One of the underlying rules of getting along on the Internet is to be strict in what you send and forgiving in what you accept. So do something sensible with IDENT requests or expect odd delays, and don't waste time wondering why there are still servers out there that do things that don't really make a lot of sense anymore.

>>> Put another way, I'm wondering why IDENT queries are made? My knowledge of that protocol is superficial, but my understanding is that running an identity service is widely considered a security problem. FreeBSD doesn't run identd by default, for example, but it's possible that some Linux distros do. The Wikipedia article suggests "It's an IRC thing", but that doesn't address the default sendmail behavior.
>>
>> Things can make more sense when you realize that TCP/IP networks have changed over the years. Long ago, when dinosaurs roamed the earth, and timesharing servers were big things with professional admins and lots of users, it could be helpful to know that if you got an irritating connection from the Math Dept. server using source port X, and IDENT said the owner of the process that was using port X was a user called Jimbob, that you could go to the admin of that server and tell him to slap Jimbob upside the head. After all, if his IDENT server had been subverted, he would have mentioned it when you had a beer with him last night.
>>
>> These days, when so much traffic comes from individual workstations where the user can frequently arrange for an IDENT server to return any fool information they want, if they have it running at all, the value added is much less.
>>
>> Do remember that some of these things date from back when Linus was still in diapers (well, actually, he was about 15 when the earliest RFC with the genesis of IDENT was published), so trying to figure out why they make sense based solely on what Linux does can be futile. ;-)
>
> Interesting reading. Thanks for elaborating.
>
> So the IDENT protocol was relied on in the time of the dinosaurs, it's value today is "so much less" (a polite way of saying "not used at all"?), and IDENT packets are commonly dropped by firewalls. Do I have that right?

Yes, except for the "not used at all" bit.

> If so, then a reasonable conclusion is that the default sendmail behaviour with respect to IDENT (sending queries and then waiting for a reply) is an anachronism. And the workaround (setting a timeout of zero) is a fix for that anachronism. Should I consider those two points as "features", or should I just get o
Re: Sendmail Five Second Greeting Delay
On 4/2/10, Jon Radel wrote:
> On 4/2/10 8:33 AM, David Allen wrote:
>
>> Secondly, it seems the cause of the OP's problem was a delay associated
>> with an IDENT query. Specifically
>>
>> confTO_IDENT Timeout.ident [5s] The timeout waiting for a
>> response to an IDENT query.
>>
>> If he had local DNS configured, there would be no query, and therefore no
>> issue, but setting the timeout to 0 seconds using
>>
>> define(`confTO_IDENT', 0s)
>>
>> does remove the delay, but not the underlying problem.
>
> You sure? IDENT has nothing to do with DNS, and I don't know of any
> program that does an IDENT query solely if DNS data is not available. I
> can't see why that would make any sense.

Well, I'm sure that on a network with functional DNS, sendmail sends no IDENT queries. And by extension, there are no delays due to timeouts of unanswered queries.

> What is most likely the OP's root problem is that he's sending e-mail
> from a machine that's on the other side of a firewall that blocks IDENT
> traffic but doesn't actively reject it. So sendmail has to sit around
> and wait for the query to time out.

That much I get, but the question is why sendmail, by default sends those queries?

> This is why there's a school of thought that even if your default for
> firewall configuration is to quietly drop unwanted packets, IDENT is a
> protocol that you should actively reject. It makes things move along
> more quickly.

Fair enough. But that reasoning is based on a premise that IDENT is widely depended upon (and implicitly widely used), yes?

>> Put another way, I'm wondering why IDENT queries are made? My knowledge
>> of that protocol is superficial, but my understanding is that running an
>> identity service is widely considered a security problem. FreeBSD doesn't
>> run identd by default, for example, but it's possible that some Linux
>> distros do. The Wikipedia article suggests "It's an IRC thing", but that
>> doesn't address the default sendmail behavior.
>
> Things can make more sense when you realize that TCP/IP networks have
> changed over the years. Long ago, when dinosaurs roamed the earth, and
> timesharing servers were big things with professional admins and lots of
> users, it could be helpful to know that if you got an irritating
> connection from the Math Dept. server using source port X, and IDENT
> said the owner of the process that was using port X was a user called
> Jimbob, that you could go to the admin of that server and tell him to
> slap Jimbob upside the head. After all, if his IDENT server had been
> subverted, he would have mentioned it when you had a beer with him last
> night.
>
> These days, when so much traffic comes from individual workstations
> where the user can frequently arrange for an IDENT server to return any
> fool information they want, if they have it running at all, the value
> added is much less.
>
> Do remember that some of these things date from back when Linus was
> still in diapers (well, actually, he was about 15 when the earliest RFC
> with the genesis of IDENT was published), so trying to figure out why
> they make sense based solely on what Linux does can be futile. ;-)

Interesting reading. Thanks for elaborating.

So the IDENT protocol was relied on in the time of the dinosaurs, it's value today is "so much less" (a polite way of saying "not used at all"?), and IDENT packets are commonly dropped by firewalls. Do I have that right?

If so, then a reasonable conclusion is that the default sendmail behaviour with respect to IDENT (sending queries and then waiting for a reply) is an anachronism. And the workaround (setting a timeout of zero) is a fix for that anachronism. Should I consider those two points as "features", or should I just get off your lawn before I get yelled at? ;-)

--
David

Off to reconfigure the firewall not to silently drop port 113 traffic. And 70 and 79, just in case.
Re: Sendmail Five Second Greeting Delay
On April 2, 2010, Jon Radel wrote:
> On 4/2/10 8:33 AM, David Allen wrote:
> > Secondly, it seems the cause of the OP's problem was a delay associated
> > with an IDENT query. Specifically
> >
> > confTO_IDENT Timeout.ident [5s] The timeout waiting for a
> > response to an IDENT query.
> >
> > If he had local DNS configured, there would be no query, and therefore no
> > issue, but setting the timeout to 0 seconds using
> >
> > define(`confTO_IDENT', 0s)
> >
> > does remove the delay, but not the underlying problem.
>
> You sure? IDENT has nothing to do with DNS, and I don't know of any
> program that does an IDENT query solely if DNS data is not available. I
> can't see why that would make any sense.
>
> What is most likely the OP's root problem is that he's sending e-mail
> from a machine that's on the other side of a firewall that blocks IDENT
> traffic but doesn't actively reject it. So sendmail has to sit around
> and wait for the query to time out.

Allow me to clarify the scenario. The intent is for a local Windows box to relay outgoing SMTP through the FreeBSD box. Both machines are on the same LAN segment. No intervening Firewalls (except software firewalls on the boxes).

Without the IDENT timeout, this is the traffic. FreeBSD box on 172.16.0.3, Windows box on 172.16.0.11.

No.    Time       Source        Destination   Protocol  Info
10844  18.153005  172.16.0.11   172.16.0.3    TCP       55100 > smtp [SYN] Seq=0 Win=8192 Len=0 MSS=1460
10845  18.153031  172.16.0.3    172.16.0.11   TCP       smtp > 55100 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
10846  18.153306  172.16.0.11   172.16.0.3    TCP       55100 > smtp [ACK] Seq=1 Ack=1 Win=64240 Len=0
10847  18.153944  172.16.0.3    172.16.0.254  DNS       Standard query PTR 11.0.16.172.in-addr.arpa
10849  18.163505  172.16.0.254  172.16.0.3    DNS       Standard query response PTR tiggr.lan.provenpath.ca
10850  18.163690  172.16.0.3    172.16.0.254  DNS       Standard query PTR 3.0.16.172.in-addr.arpa
10856  18.173804  172.16.0.254  172.16.0.3    DNS       Standard query response PTR proven.lan.provenpath.ca
10857  18.173943  172.16.0.3    172.16.0.254  DNS       Standard query A tiggr.lan.provenpath.ca
10860  18.176306  172.16.0.254  172.16.0.3    DNS       Standard query response A 172.16.0.11
10861  18.176532  172.16.0.3    172.16.0.11   TCP       57889 > ident [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=142487140 TSER=0
12402  21.156922  172.16.0.3    172.16.0.11   TCP       57889 > ident [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=142490140 TSER=0
13637  23.145692  172.16.0.3    172.16.0.11   SMTP      S: 220 proven.lan.provenpath.ca ESMTP Sendmail 8.14.4/8.14.4; Fri, 2 Apr 2010 08:26:47 -0700 (PDT)
13741  23.337234  172.16.0.11   172.16.0.3    TCP       55100 > smtp [ACK] Seq=1 Ack=98 Win=64143 Len=0

Basically, sendmail performs an IDENT even though the DNS lookup seems to have succeeded. The Windows box does not reject the IDENT.

Cheers,

--
Norbert Papke.
npa...@acm.org
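An added example, not part of the thread: a small parser for the packet summary posted in the message above that measures how long the 220 greeting was held back after the first ident probe and whether the client ever answered on the ident port. The rows are copied from the message with the columns re-spaced; the function names and the returned fields are assumptions of this sketch.

```python
import re

# Rows copied from the capture in the message above (columns re-spaced).
CAPTURE = """\
10844 18.153005 172.16.0.11 172.16.0.3 TCP 55100 > smtp [SYN] Seq=0 Win=8192 Len=0 MSS=1460
10845 18.153031 172.16.0.3 172.16.0.11 TCP smtp > 55100 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
10846 18.153306 172.16.0.11 172.16.0.3 TCP 55100 > smtp [ACK] Seq=1 Ack=1 Win=64240 Len=0
10847 18.153944 172.16.0.3 172.16.0.254 DNS Standard query PTR 11.0.16.172.in-addr.arpa
10849 18.163505 172.16.0.254 172.16.0.3 DNS Standard query response PTR tiggr.lan.provenpath.ca
10850 18.163690 172.16.0.3 172.16.0.254 DNS Standard query PTR 3.0.16.172.in-addr.arpa
10856 18.173804 172.16.0.254 172.16.0.3 DNS Standard query response PTR proven.lan.provenpath.ca
10857 18.173943 172.16.0.3 172.16.0.254 DNS Standard query A tiggr.lan.provenpath.ca
10860 18.176306 172.16.0.254 172.16.0.3 DNS Standard query response A 172.16.0.11
10861 18.176532 172.16.0.3 172.16.0.11 TCP 57889 > ident [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=142487140 TSER=0
12402 21.156922 172.16.0.3 172.16.0.11 TCP 57889 > ident [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=142490140 TSER=0
13637 23.145692 172.16.0.3 172.16.0.11 SMTP S: 220 proven.lan.provenpath.ca ESMTP Sendmail 8.14.4/8.14.4; Fri, 2 Apr 2010 08:26:47 -0700 (PDT)
13741 23.337234 172.16.0.11 172.16.0.3 TCP 55100 > smtp [ACK] Seq=1 Ack=98 Win=64143 Len=0
"""

# number, time, source, destination, protocol, free-form info
ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse(text):
    """Turn summary lines into dicts; lines that do not look like rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            no, t, src, dst, proto, info = m.groups()
            rows.append({"no": int(no), "t": float(t), "src": src,
                         "dst": dst, "proto": proto, "info": info})
    return rows


def ident_stall(rows):
    """Summarise the ident probes sent by the SMTP server and the wait before its banner."""
    syn = next((r for r in rows if "> smtp [SYN]" in r["info"]), None)
    if syn is None:
        return None                      # no inbound SMTP connection in this capture
    client, server = syn["src"], syn["dst"]
    banner = next((r for r in rows if r["src"] == server
                   and r["info"].startswith("S: 220")), None)
    probes = [r for r in rows if r["src"] == server and r["dst"] == client
              and "> ident [SYN]" in r["info"]]
    # Any packet sent from the client's ident port (SYN/ACK or RST) is an answer.
    answered = any(r["src"] == client and r["dst"] == server
                   and r["info"].startswith("ident >") for r in rows)
    result = {"probes": len(probes), "answered": answered,
              "retransmit_gap": None, "wait": None, "connect_to_banner": None}
    if len(probes) > 1:
        result["retransmit_gap"] = round(probes[-1]["t"] - probes[0]["t"], 3)
    if banner is not None:
        result["connect_to_banner"] = round(banner["t"] - syn["t"], 3)
        if probes:
            result["wait"] = round(banner["t"] - probes[0]["t"], 3)
    return result


if __name__ == "__main__":
    print(ident_stall(parse(CAPTURE)))
```

On this capture the wait from the first ident SYN to the banner is just under the 5s Timeout.ident default quoted in the thread, with one retransmitted SYN and no reply of any kind from the client.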
Re: Sendmail Five Second Greeting Delay
On 4/2/10 8:33 AM, David Allen wrote:

> Secondly, it seems the cause of the OP's problem was a delay associated with an IDENT query. Specifically
>
> confTO_IDENT Timeout.ident [5s] The timeout waiting for a response to an IDENT query.
>
> If he had local DNS configured, there would be no query, and therefore no issue, but setting the timeout to 0 seconds using
>
> define(`confTO_IDENT', 0s)
>
> does remove the delay, but not the underlying problem.

You sure? IDENT has nothing to do with DNS, and I don't know of any program that does an IDENT query solely if DNS data is not available. I can't see why that would make any sense.

What is most likely the OP's root problem is that he's sending e-mail from a machine that's on the other side of a firewall that blocks IDENT traffic but doesn't actively reject it. So sendmail has to sit around and wait for the query to time out.

This is why there's a school of thought that even if your default for firewall configuration is to quietly drop unwanted packets, IDENT is a protocol that you should actively reject. It makes things move along more quickly.

> Put another way, I'm wondering why IDENT queries are made? My knowledge of that protocol is superficial, but my understanding is that running an identity service is widely considered a security problem. FreeBSD doesn't run identd by default, for example, but it's possible that some Linux distros do. The Wikipedia article suggests "It's an IRC thing", but that doesn't address the default sendmail behavior.

Things can make more sense when you realize that TCP/IP networks have changed over the years. Long ago, when dinosaurs roamed the earth, and timesharing servers were big things with professional admins and lots of users, it could be helpful to know that if you got an irritating connection from the Math Dept. server using source port X, and IDENT said the owner of the process that was using port X was a user called Jimbob, that you could go to the admin of that server and tell him to slap Jimbob upside the head. After all, if his IDENT server had been subverted, he would have mentioned it when you had a beer with him last night.

These days, when so much traffic comes from individual workstations where the user can frequently arrange for an IDENT server to return any fool information they want, if they have it running at all, the value added is much less.

Do remember that some of these things date from back when Linus was still in diapers (well, actually, he was about 15 when the earliest RFC with the genesis of IDENT was published), so trying to figure out why they make sense based solely on what Linux does can be futile. ;-)

--
--Jon Radel
j...@radel.com
Re: Sendmail Five Second Greeting Delay
On 4/1/10, Matthew Seaman wrote:
>
> On 02/04/2010 01:51:27, Norbert Papke wrote:
>> When I connect to sendmail on a local interface, sendmail responds to the
>> connection with its "220" greeting immediately. If I connect to sendmail from
>> another machine on my (home) LAN, sendmail delays five seconds before sending
>> the greeting. I would like it to respond immediately.
>
>> A quick search turned up a "greet_delay" feature in sendmail that would cause
>> this type of behavior. To the best of my knowledge, I do not use this
>> feature. Just to be sure, I tried to explicitly enable it with both a default
>> 0 second timeout and an explicit 0 second access rule. This did not
>> resolve the issue.
>
> For the sake of the archives, I'd like to note that the `greet_pause'
> feature is actually a pretty effective and very cheap to implement
> anti-spam measure. You need:
>
> FEATURE(greet_pause, `5000')dnl ## 5 seconds
>
> in your $(hostname).mc file -- this gives you a default 5 second delay.
> If you also have
>
> FEATURE(`access_db')
>
> you can override that value for particular IP ranges or domain names.
>
> This is also a handy addition to the .mc file:
>
> LOCAL_RULESETS
> SLocal_greet_pause
> R$*		$: $&{daemon_flags}
> R$* a $*	$# 0
>
> This turns off greet_pause on network ports where authentication is
> required, ie. if you use port 587 for submitting new mail and reserve
> port 25 for MTA to MTA mail transfers.
>
> The way this works is that it requires the sending side to wait until
> your system prints out the greeting banner. If the sending side starts
> speaking before then, sendmail will refuse to accept any mail during
> that session. All real MTAs will get this right, as it is part of the
> SMTP specification in the RFCs. Many spambots on the other hand, send
> e-mail by simply replaying one side of a recorded SMTP conversation
> without regard for what the other side says. This feature weeds out
> that sort of spambot with very little effort.

Useful reading. Two questions ...

First, I'm wondering what is logged as a result of using greet_pause when getting slammed by a bot. Is it something along the lines of "User did not issue...", "LA LA LA I wasn't listening", or nothing at all?

Secondly, it seems the cause of the OP's problem was a delay associated with an IDENT query. Specifically

confTO_IDENT Timeout.ident [5s] The timeout waiting for a response to an IDENT query.

If he had local DNS configured, there would be no query, and therefore no issue, but setting the timeout to 0 seconds using

define(`confTO_IDENT', 0s)

does remove the delay, but not the underlying problem.

Put another way, I'm wondering why IDENT queries are made? My knowledge of that protocol is superficial, but my understanding is that running an identity service is widely considered a security problem. FreeBSD doesn't run identd by default, for example, but it's possible that some Linux distros do. The Wikipedia article suggests "It's an IRC thing", but that doesn't address the default sendmail behavior.

Thanks.
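An added example, not part of the thread and not sendmail's code: a minimal model of the greet_pause check described in the quoted message, in which the server holds its banner for a pause and refuses a peer that sends anything first, plus the authenticated-port exemption expressed by the quoted Local_greet_pause ruleset. The banner and reply strings, host names and function names are constructed for the sketch; the `EE a` flag string assumes sendmail's documented `${daemon_flags}` layout (space-separated, upper-case flags doubled).

```python
import select
import socket
import threading

# Constructed protocol lines for the demonstration.
BANNER = b"220 mx.example.test ESMTP (constructed banner)\r\n"
REJECT = b"554 mx.example.test not accepting messages (constructed reply)\r\n"


def pause_ms_for(daemon_flags, default_ms=5000):
    """Model of the quoted ruleset: a daemon flagged 'a' (auth required) gets no pause."""
    return 0 if "a" in daemon_flags.split() else default_ms


def greet(conn, pause_s):
    """Hold the banner for pause_s seconds and classify the peer.

    Returns "ok" if the peer stayed silent until the banner was sent,
    "early-talker" if it sent data first, "hung-up" if it closed first.
    """
    readable, _, _ = select.select([conn], [], [], pause_s)
    if not readable:
        conn.sendall(BANNER)             # peer waited for the greeting, as SMTP requires
        return "ok"
    early = conn.recv(512, socket.MSG_PEEK)
    if not early:
        return "hung-up"                 # EOF before the greeting
    conn.sendall(REJECT)                 # pre-greeting traffic: refuse the session
    return "early-talker"


def polite_client(sock, got):
    """Waits for the greeting before speaking."""
    got.append(sock.recv(512))
    sock.sendall(b"EHLO client.example.test\r\n")


def replay_client(sock, got):
    """Replays its side of a recorded conversation without reading first."""
    sock.sendall(b"HELO x\r\nMAIL FROM:<a@example.test>\r\n")
    got.append(sock.recv(512))


def run(client, pause_s=0.2):
    """Run one client against greet() over a local socket pair.

    Returns (verdict, first three bytes the client received).
    """
    server, peer = socket.socketpair()
    got = []
    worker = threading.Thread(target=client, args=(peer, got), daemon=True)
    worker.start()
    try:
        verdict = greet(server, pause_s)
        worker.join(timeout=2)
    finally:
        server.close()
        peer.close()
    return verdict, (got[0][:3] if got else b"")


if __name__ == "__main__":
    print("polite:", run(polite_client))
    print("replay:", run(replay_client))
    print("pause on an auth-required port:", pause_ms_for("EE a"))
```
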