Strange behaviour with new sendmail.cf - configuration

I am trying to change my sendmail configuration to deliver all "user unknown" emails to a specific account (baduser).
I added the DL definition to sendmail.mc and generated test.cf.
Then I tested this new config using:
echo who | sendmail -v -Ctest.cf noone
and the email was correctly delivered to the defined account.
I then renamed test.cf to sendmail.cf (in /etc/mail) and retested with:
echo what | sendmail -Csendmail.cf noone
and again the email was delivered to the baduser account.
Happy with this, I then restarted sendmail (via systemctl) and sent yet another email to an invalid account.
Instead of the email being delivered to baduser, I received a 550 5.1.1 user unknown reject email.
What have I missed here.
(Fedora 22 & sendmail 8.14.7/8.13.3)
Here are the log entries for a reject.
Nov 27 09:59:19 server sendmail[46243]: tAQNTJQH046243: from=scldad, size=4, class=0, nrcpts=1, msgid=<201511262329.tAQNTJQH046243#server.benparts.com.au>, relay=scldad#localhost
Nov 27 09:59:19 server sendmail[46243]: tAQNTJQH046243: to=noone, ctladdr=scldad (1000/1000), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30004, relay=[127.0.0.1] [127.0.0.1], dsn=5.1.1, stat=User unknown
-v -i log:
No domain:
[scldad#server ~]$ (echo subject: test; echo) | /usr/sbin/sendmail -v -i noone
noone... Connecting to [127.0.0.1] via relay...
220 server.benparts.com.au ESMTP Sendmail 8.14.7/8.13.3; Sat, 28 Nov 2015 13:29:02 +1030
>>> EHLO server.benparts.com.au
250-server.benparts.com.au Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<scldad#server.benparts.com.au> SIZE=15
250 2.1.0 <scldad#server.benparts.com.au>... Sender ok
>>> RCPT To:<noone#server.benparts.com.au>
>>> DATA
550 5.1.1 <noone#server.benparts.com.au>... User unknown
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state
/home/scldad/dead.letter... Saved message in /home/scldad/dead.letter
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server.benparts.com.au closing connection
With domain:
[scldad#server ~]$ (echo subject: test; echo) | /usr/sbin/sendmail -v -i noone#benparts.com.au
noone#benparts.com.au... Connecting to [127.0.0.1] via relay...
220 server.benparts.com.au ESMTP Sendmail 8.14.7/8.13.3; Sat, 28 Nov 2015 13:27:38 +1030
>>> EHLO server.benparts.com.au
250-server.benparts.com.au Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<scldad#server.benparts.com.au> SIZE=15
250 2.1.0 <scldad#server.benparts.com.au>... Sender ok
>>> RCPT To:<noone#benparts.com.au>
>>> DATA
550 5.1.1 <noone#benparts.com.au>... User unknown
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state
/home/scldad/dead.letter... Saved message in /home/scldad/dead.letter
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server.benparts.com.au closing connection
As root:
[root#server ~]# (echo subject: test; echo) | /usr/sbin/sendmail -v -i noone
noone... Connecting to [127.0.0.1] via relay...
220 server.benparts.com.au ESMTP Sendmail 8.14.7/8.13.3; Sat, 28 Nov 2015 13:30:00 +1030
>>> EHLO server.benparts.com.au
250-server.benparts.com.au Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<scldad#server.benparts.com.au> SIZE=15
250 2.1.0 <scldad#server.benparts.com.au>... Sender ok
>>> RCPT To:<noone#server.benparts.com.au>
>>> DATA
550 5.1.1 <noone#server.benparts.com.au>... User unknown
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state
>>> RSET
250 2.0.0 Reset state
scldad... Using cached ESMTP connection to [127.0.0.1] via relay...
>>> MAIL From:<> SIZE=1039
250 2.1.0 <>... Sender ok
>>> RCPT To:<scldad#server.benparts.com.au>
>>> DATA
250 2.1.5 <scldad#server.benparts.com.au>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
050 <scldad#server.benparts.com.au>... Connecting to local...
050 <scldad#server.benparts.com.au>... Sent
250 2.0.0 tAS300jh034101 Message accepted for delivery
scldad... Sent (tAS300jh034101 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server.benparts.com.au closing connection

Related

fabric-ca-server connect to mysql with ssl

I read this doc https://hyperledger-fabric-ca.readthedocs.io/en/release-1.0/users-guide.html#mysql-ssl-configuration to set fabric-ca-server connect to mysql with ssl.
I use openssl generate the CA files, and copy client side files to the fabric-ca-server(by volumns in docker-compose)
here is the variables about tls in fabric-ca-server:
- FABRIC_CA_SERVER_DB_TLS_CERTFILES=/etc/hyperledger/fabric-ca-server-config/mysql-ssl/ca.pem
- FABRIC_CA_SERVER_DB_TLS_CLIENT_CERTFILE=/etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-cert.pem
- FABRIC_CA_SERVER_DB_TLS_CLIENT_KEYFILE=/etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-key.pem
I get logs in fabric-ca containers:
CA Files: [/etc/hyperledger/fabric-ca-server-config/mysql-ssl/ca.pem]
2018/05/23 08:20:32 [DEBUG] Client Cert File: /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-cert.pem
2018/05/23 08:20:32 [DEBUG] Client Key File: /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-key.pem
2018/05/23 08:20:32 [DEBUG] Check client TLS certificate for valid dates
2018/05/23 08:20:32 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[250 75 118 17 13 151 30 107 89 252 20 23 73 26 157 142 242 68 135 173 169 174 26 220 55 109 100 221 107 41 99 135]]
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/tls/tls.go:78 github.com/hyperledger/fabric-ca/lib/tls.GetClientTLSConfig
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/dbutil/dbutil.go:182 github.com/hyperledger/fabric-ca/lib/dbutil.NewUserRegistryMySQL
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:539 github.com/hyperledger/fabric-ca/lib.(*CA).initDB
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:155 github.com/hyperledger/fabric-ca/lib.(*CA).init
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:126 github.com/hyperledger/fabric-ca/lib.initCA
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:266 github.com/hyperledger/fabric-ca/lib.(*Server).initDefaultCA
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:97 github.com/hyperledger/fabric-ca/lib.(*Server).Init
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:116 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main
/opt/go/src/runtime/proc.go:192 runtime.main
/opt/go/src/runtime/asm_amd64.s:2087 runtime.goexit
Caused by: Key type not recognized
2018/05/23 08:20:32 [DEBUG] Attempting fallback with certfile /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-cert.pem and keyfile /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-key.pem
I also use other ways to connect to the mysql:one is starting a another mysql container as a client to connect to mysql server with ssl ;another is using MySQLWorkbench in my host machine with ssl by exposing mysql server port to my host machine.
with this state SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher, processlist_user AS user, processlist_host AS host FROM performance_schema.status_by_thread AS sbt JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id WHERE sbt.variable_name = 'Ssl_version' and t2.variable_name = 'Ssl_cipher' ORDER BY tls_version;
enter image description here
so , I wonder the certification I generated works, but something wrong in the fabric-ca code ?

with help and trying many times, I find the solution:
first, the environment of ca in docker-compose.yml must set as
FABRIC_CA_SERVER_DB_DATASOURCE=****:****#tcp(mysql_ca:3306)/fabric_ca?parseTime=true&tls=custom
the mysql_ca is name of mysql container, and the &tls=custom must be added.
second, while generating the ssl cert, the common name must be same as the name of mysql container.also, the common name can be specified in cli:
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout server-key.pem -subj /CN=mysql_ca -out server-req.pem

sendmail can not relay email to another server

I installed sendmail on both server1 and server2. They use the same configuration file: sendmail.mc. I can send/receive mails to/from the users on the same server using an email client from my PC. But I can not send email to the users on the other server. For example, I can not send an email to bbb#server2domain.com from aaa#server1domain.com using the email client. I've added the ip address of my PC to /etc/mail/access on server1(Connect:zz.zz.zz.zz RELAY) and rebuilt access.db. Looking into /var/log/maillog, sendmail on server1 successfully accepted the mail from the PC but waited for a long time when connecting to server2
Apr 3 07:21:06 server1 sendmail[19771]: v33BKxfr019769: SMTP outgoing connect on server1.xxxxx.com
then timeout:
Apr 3 07:26:06 server1 sendmail[19771]: v33BKxfr019769: timeout waiting for input from server2domain.com. during client greeting
Apr 3 07:26:06 server1 sendmail[19771]: v33BKxfr019769: to=, ctladdr= (501/501), delay=00:05:04, xdelay=00:05:00, mailer=esmtp, pri=121178, relay=server2domain.com. [yy.yy.yy.yy], dsn=4.0.0, stat=Deferred: Connection timed out with server2domain.com.
On server2, the log is:
Apr 3 07:18:02 server2 sendmail[20121]: v33BI2Os020121: assigned id
Apr 3 07:18:02 server2 sendmail[20121]: NOQUEUE: connect from [xx.xx.xx.xx]
Apr 3 07:18:02 server2 sendmail[20121]: AUTH: available mech=ANONYMOUS,
allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
Apr 3 07:18:02 server2 sendmail[20121]: v33BI2Os020121: Milter: no active filter
Apr 3 07:23:02 server2 sendmail[20121]: STARTTLS=server, info: fds=6/4, err=5
Apr 3 07:23:02 server2 sendmail[20121]: STARTTLS=server, error: accept failed=0, SSL_error=5, errno=0, retry=-1, relay=[xx.xx.xx.xx]
Apr 3 07:23:02 server2 sendmail[20121]: v33BI2Os020121: disconnect level 1
Apr 3 07:23:02 server2 sendmail[20121]: v33BI2Os020121: in background, pid=20121
Apr 3 07:23:02 server2 sendmail[20121]: v33BI2Os020121: [xx.xx.xx.xx] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-SSL
I can successfully send email to server2 on server1 using the openssl command and do not need to input user name/password.
The sendmail.mc is:
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCRL', `/etc/pki/tls/certs/revoke.crl')
define(`confCLIENT_CERT', `/etc/pki/tls/certs/sendmail.pem')
define(`confCLIENT_KEY', `/etc/pki/tls/certs/sendmail.pem')
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl
CLIENT_OPTIONS(`Family=inet')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 465')
define(`ESMTP_MAILER_ARGS', `TCP $h 465')
MAILER(smtp)dnl
MAILER(procmail)dnl
Both sendmail listen on port 465. I doubt the problem is related to auth but do not know the reason.
Please help, thank you!
After adopting Andrzej A. Filip's suggestion and removing the two lines in sendmail.mc, the following error occurs in the log on server1:
Apr 3 13:02:25 server sendmail[19927]: v33BKxfr019769: makeconnection (server2domain.com. [yy.yy.yy.yy]) failed: Connection refused by server2domain.com.
Apr 3 13:02:25 server sendmail[19927]: v33BKxfr019769: makeconnection (server2domain.com. [yy.yy.yy.yy]) failed: Connection refused by server2domain.com.
Apr 3 13:02:25 server sendmail[19927]: v33BKxfr019769: to=, ctladdr= (501/501), delay=05:41:23, xdelay=00:00:01, mailer=esmtp, pri=301178, relay=server2domain.com. [yy.yy.yy.yy], dsn=4.0.0, stat=Deferred: Connection refused by server2domain.com.
There is no message logged on server2.
I think without the two lines, sendmail on server1 will try to connect the server2 via port 25, not the port 465 that sendmail is listening.

sendmail and OUTGOING smtps (465) connections
smtps (465) starts SSL session before any SMTP level communications. AFAIR sendmail does not support it natively for outgoing connections.
Remove the following two lines, recompile your sendmail.mc into sendmail.cf, restart or (send signal) HUP your sendmail daemon.
define(`RELAY_MAILER_ARGS', `TCP $h 465')
define(`ESMTP_MAILER_ARGS', `TCP $h 465')

SMTP STARTTLS certificate negotitiation via telnet

I am trying to start tls in sendmail, but I do not know how to use certificate. Please suggest me way
> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 <machinename> ESMTP Sendmail <version>; <date>;localhost(OK)-localhost [127.0.0.1]
EHLO localhost
250-<mahinename> Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS
When and How should I use/provide the certificate?

You can't, because as soon as you start using TLS, the conversation becomes encrypted, and you probably don't speak that language ;)
Here is what you can do instead:
openssl s_client -debug -starttls smtp -crlf -connect localhost:25
OpenSSL will do the STARTTLS handshake for you and you will be able to pick up the conversation from there (decrypted automatically on the fly).

GMail AUTH LOGIN SMTP Authentication

I'm trying to authenticate myself against GMail SMTP Server by using the LOGIN authentication mechanism. AUTH LOGIN is advertised as supported in the response to the EHLO command, but when I'm trying to send AUTH LOGIN to the server, I'm getting "504 5.7.4 Unrecognized Authentication Type" response. Here is the dialog between the server and the client:
S: 220 mx.google.com ESMTP d9sm13589149wiy.2
C: EHLO client
S: 250-mx.google.com at your service, [x.x.x.x]
S: 250-SIZE 35882577
S: 250-8BITMIME
S: 250-AUTH LOGIN PLAIN XOAUTH
s: 250 ENHANCEDSTATUSCODES
C: AUTH LOGIN
S: 504 5.7.4 Unrecognized Authentication Type d9sm13589149wiy.2
Am I doing something wrong here?

Use STARTTLS first, negociate a security exchange SSL or TLS, then recall EHLO and then you can , i guess, use the PLAIN and LOGIN machanisms

What I've found out is that once I'm using "AUTH LOGIN base64username", which is not really how LOGIN should be working, it actually seems to work:
S: 220 mx.google.com ESMTP n3sm42168657wiz.9
C: EHLO client
S: 250-mx.google.com at your service, [x.x.x.x]
S: 250-SIZE 35882577
S: 250-8BITMIME
S: 250-AUTH LOGIN PLAIN XOAUTH
S: 250 ENHANCEDSTATUSCODES
C: AUTH LOGIN base64username
S: 334 UGFzc3dvcmQ6
C: base64password
S: 235 2.7.0 Accepted

openssl client SMTP with gmail port 587, no response (250 OK) from after <crlf>.<crlf>

I've been trying to use openssl to establish a connection with smtp.gmail.com port 587 or 465 with:
openssl s_client -host smtp.gmail.com -port 587 -starttls smtp
and the authentication, mail from, rcpt to, and data were all successful. but my problem is, after i write . in a new line, no 250 OK response from the server.
here is the process:
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(certification)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1910 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 28E597C0025A93C82AD4A7C517F699B37D106D760597467B522C1041F1BC17C8
Session-ID-ctx:
Master-Key: 1CC83A8A4B7864DF9BBD9E9742B4E5A5937941EB2A28B88A1D4214920B77AC976D3ADC2DA7B60CF8BD6BC2B0712A42A2
Key-Arg : None
Start Time: 1296911515
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 ENHANCEDSTATUSCODES
ehlo
250-mx.google.com at your service, [121.94.150.147]
250-SIZE 35651584
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH
250 ENHANCEDSTATUSCODES
auth login
334 VXNlcm5hbWU6
<my email>
334 UGFzc3dvcmQ6
<my password>
235 2.7.0 Accepted
mail from:<email>
250 2.1.0 OK t14sm1471936icd.10
rcpt to:<email>
250 2.1.5 OK t14sm1471936icd.10
data
from: someone <email>
354 Go ahead t14sm1471936icd.10
to : someone <email>
subject: test
test
test2
.
451 4.4.2 Timeout - closing connection. t14sm1471936icd.10
read:errno=0
I am using cygwin in win7 32.
I've been searching for all of the possible keywords on google but no solution comes out.
PLEASE HELP!

Maybe add the '-crlf' option to the comand line :
openssl s_client -host smtp.gmail.com -port 587 -starttls smtp -crlf