SMTP STARTTLS certificate negotiation via telnet - smtp

I am trying to start TLS in sendmail, but I do not know how to use the certificate. Please suggest a way.
> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 <machinename> ESMTP Sendmail <version>; <date>;localhost(OK)-localhost [127.0.0.1]
EHLO localhost
250-<machinename> Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS
When and how should I use/provide the certificate?

You can't, because as soon as you start using TLS, the conversation becomes encrypted, and you probably don't speak that language ;)
Here is what you can do instead:
openssl s_client -debug -starttls smtp -crlf -connect localhost:25
OpenSSL will do the STARTTLS handshake for you and you will be able to pick up the conversation from there (decrypted automatically on the fly).
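Added example (not from the answer above): a small Python client that does the same STARTTLS upgrade openssl s_client performs, so the point of the answer is visible in code: the server's certificate is presented and verified during the TLS handshake that follows STARTTLS, the client provides none of its own, and every command is sent with CRLF. It assumes a server at the given host/port and, optionally, a cafile with the PEM bundle to trust; client.example is a placeholder name.

```python
import socket
import ssl

CRLF = "\r\n"  # SMTP line ending (RFC 5321); sending bare LF is why openssl s_client needs -crlf

def parse_reply(text):
    lines = text.splitlines()  # '250-...' continuation lines, then the final '250 ...' line
    return int(lines[-1][:3]), [ln[4:] for ln in lines]

def ehlo_capabilities(lines):
    """Map the EHLO reply lines after the greeting line to {KEYWORD: [params]}."""
    caps = {}
    for words in (ln.split() for ln in lines[1:]):
        if words:
            caps[words[0].upper()] = words[1:]
    return caps

def read_reply(stream):
    """Read one complete reply from the socket's file object; 'NNN-' continues, 'NNN ' ends."""
    buf = []
    while True:
        ln = stream.readline().decode("ascii", "replace")
        if not ln:
            raise ConnectionError("server closed the connection")
        buf.append(ln)
        if ln[3:4] != "-":
            return parse_reply("".join(buf))

def starttls_session(host, port=25, cafile=None, client_name="client.example"):
    """EHLO, STARTTLS, verified TLS handshake, EHLO again; returns (caps before, caps after, cert)."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain and hostname checked against cafile/system store
    sock = socket.create_connection((host, port), timeout=30)
    f = sock.makefile("rb")
    read_reply(f)  # 220 banner
    sock.sendall(("EHLO " + client_name + CRLF).encode("ascii"))
    before = ehlo_capabilities(read_reply(f)[1])
    if "STARTTLS" not in before:
        raise RuntimeError("server does not offer STARTTLS")
    sock.sendall(("STARTTLS" + CRLF).encode("ascii"))
    if read_reply(f)[0] != 220:  # expect '220 2.0.0 Ready to start TLS'
        raise RuntimeError("STARTTLS refused")
    # The server's certificate arrives and is verified inside this handshake; the client sends none.
    tls = ctx.wrap_socket(sock, server_hostname=host)
    tf = tls.makefile("rb")
    tls.sendall(("EHLO " + client_name + CRLF).encode("ascii"))  # EHLO must be repeated (RFC 3207)
    after = ehlo_capabilities(read_reply(tf)[1])
    cert = tls.getpeercert()
    tls.sendall(("QUIT" + CRLF).encode("ascii"))
    tls.close()
    return before, after, cert
```

Calling starttls_session("localhost", 25) against the sendmail in the question returns the capability list twice, before and after the upgrade, plus the verified certificate; with a self-signed server cert, pass its PEM file as cafile.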

Related

Strange behaviour with new sendmail.cf

I am trying to change my sendmail configuration to deliver all "user unknown" emails to a specific account (baduser).
I added the DL definition to sendmail.mc and generated test.cf.
Then I tested this new config using:
echo who | sendmail -v -Ctest.cf noone
and the email was correctly delivered to the defined account.
I then renamed test.cf to sendmail.cf (in /etc/mail) and retested with:
echo what | sendmail -Csendmail.cf noone
and again the email was delivered to the baduser account.
Happy with this, I then restarted sendmail (via systemctl) and sent yet another email to an invalid account.
Instead of the email being delivered to baduser, I received a 550 5.1.1 user unknown reject email.
What have I missed here?
(Fedora 22 & sendmail 8.14.7/8.13.3)
Here are the log entries for a reject.
Nov 27 09:59:19 server sendmail[46243]: tAQNTJQH046243: from=scldad, size=4, class=0, nrcpts=1, msgid=<201511262329.tAQNTJQH046243@server.benparts.com.au>, relay=scldad@localhost
Nov 27 09:59:19 server sendmail[46243]: tAQNTJQH046243: to=noone, ctladdr=scldad (1000/1000), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30004, relay=[127.0.0.1] [127.0.0.1], dsn=5.1.1, stat=User unknown
-v -i log:
No domain:
[scldad@server ~]$ (echo subject: test; echo) | /usr/sbin/sendmail -v -i noone
noone... Connecting to [127.0.0.1] via relay...
220 server.benparts.com.au ESMTP Sendmail 8.14.7/8.13.3; Sat, 28 Nov 2015 13:29:02 +1030
>>> EHLO server.benparts.com.au
250-server.benparts.com.au Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<scldad@server.benparts.com.au> SIZE=15
250 2.1.0 <scldad@server.benparts.com.au>... Sender ok
>>> RCPT To:<noone@server.benparts.com.au>
>>> DATA
550 5.1.1 <noone@server.benparts.com.au>... User unknown
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state
/home/scldad/dead.letter... Saved message in /home/scldad/dead.letter
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server.benparts.com.au closing connection
With domain:
[scldad@server ~]$ (echo subject: test; echo) | /usr/sbin/sendmail -v -i noone@benparts.com.au
noone@benparts.com.au... Connecting to [127.0.0.1] via relay...
220 server.benparts.com.au ESMTP Sendmail 8.14.7/8.13.3; Sat, 28 Nov 2015 13:27:38 +1030
>>> EHLO server.benparts.com.au
250-server.benparts.com.au Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<scldad@server.benparts.com.au> SIZE=15
250 2.1.0 <scldad@server.benparts.com.au>... Sender ok
>>> RCPT To:<noone@benparts.com.au>
>>> DATA
550 5.1.1 <noone@benparts.com.au>... User unknown
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state
/home/scldad/dead.letter... Saved message in /home/scldad/dead.letter
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server.benparts.com.au closing connection
As root:
[root@server ~]# (echo subject: test; echo) | /usr/sbin/sendmail -v -i noone
noone... Connecting to [127.0.0.1] via relay...
220 server.benparts.com.au ESMTP Sendmail 8.14.7/8.13.3; Sat, 28 Nov 2015 13:30:00 +1030
>>> EHLO server.benparts.com.au
250-server.benparts.com.au Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<scldad@server.benparts.com.au> SIZE=15
250 2.1.0 <scldad@server.benparts.com.au>... Sender ok
>>> RCPT To:<noone@server.benparts.com.au>
>>> DATA
550 5.1.1 <noone@server.benparts.com.au>... User unknown
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state
>>> RSET
250 2.0.0 Reset state
scldad... Using cached ESMTP connection to [127.0.0.1] via relay...
>>> MAIL From:<> SIZE=1039
250 2.1.0 <>... Sender ok
>>> RCPT To:<scldad@server.benparts.com.au>
>>> DATA
250 2.1.5 <scldad@server.benparts.com.au>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
050 <scldad@server.benparts.com.au>... Connecting to local...
050 <scldad@server.benparts.com.au>... Sent
250 2.0.0 tAS300jh034101 Message accepted for delivery
scldad... Sent (tAS300jh034101 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server.benparts.com.au closing connection

How to connect dovecot on 993 port using squirrelmail

I am trying to connect to Dovecot on port 993, but Dovecot shows the error below:
dovecot: imap-login: Disconnected (no auth attempts in 60 secs): user=<>, rip=192.***.***.***, lip=192.***.***.***, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<3k6jgTwVLwDAqL+E>
SquirrelMail config:
$imap_auth_mech = 'login';
$use_imap_tls = 1;
$imapServerAddress = 'dovecot.server';
$imapPort = 993;
When I try telnet and openssl on the SquirrelMail server:
[root@aa ~]# telnet dovecot.server 993
Trying 192.***.***.***...
Connected to dovecot.server.
Escape character is '^]'.
[root@aa ~]# openssl s_client -connect dovecot.server:993
...
...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Note: port 143 works fine, by the way.
Check your PHP error log for things like this:
PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ..
PHP Warning: fsockopen(): Failed to enable crypto ..
PHP Warning: fsockopen(): unable to connect to tls://dovecot.server:993 (Unknown error) ..
If that's the case, the OpenSSL library isn't able to verify your server's cert. It's easily fixed by adding the certificate for the connection to your local cert stash. You can find out where that is with
<?php var_dump(openssl_get_cert_locations()); ?>
and looking at the ini_cafile setting.
You can get your server's cert with this command:
openssl x509 -in <(openssl s_client -connect dovecot.server:993 -prexit 2>/dev/null) > /tmp/cacert.pem
Add it to the cert file, and you should be going.
One caveat: the certificate CN MUST match the hostname that you're using to connect to the server! If it's self-signed, make sure it's using dovecot.server as the CN.
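Added check, not part of the answer: Python code that separates the two things PHP's fsockopen() verifies (a trusted chain, then a name that matches), so a failure can be attributed to one or the other; hostname_matches() applies the CN/SAN rule from the caveat above to a certificate in the shape getpeercert() returns. dovecot.server is the question's hostname; the cafile path is an assumption.

```python
import socket
import ssl

def hostname_matches(cert, hostname):
    """RFC 6125 style check on a getpeercert()-shaped dict: use DNS subjectAltNames
    when present, otherwise the subject CN; a '*.' wildcard matches exactly one label."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificate without SAN: fall back to the CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

def fetch_server_cert_pem(host, port=993):
    """Same result as the openssl s_client | openssl x509 pipeline above (no verification)."""
    return ssl.get_server_certificate((host, port))

def check_imaps(host, port=993, cafile=None):
    """Run the two checks PHP's tls:// wrapper performs one at a time: chain trust against
    cafile (or the system store), then name matching. Returns 'ok', 'untrusted: ...'
    or 'hostname mismatch'."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name check is done explicitly by hostname_matches()
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "untrusted: " + exc.verify_message
    return "ok" if hostname_matches(cert, host) else "hostname mismatch"
```

For the question's setup, check_imaps("dovecot.server", 993, cafile="/tmp/cacert.pem") should return "ok" once the fetched certificate is in the stash and its CN (or SAN) is dovecot.server.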

Cannot connect to SMTP server

Hello, I have problems sending emails from my Outlook using my server's SMTP; however, if I send the emails from PHP all went OK. From Outlook I get this message...
421 Cannot connect to SMTP server 74.208.230.18
But the server IP and port 25 are open.
Any ideas?
[root@mipagina ~]# postfix status
postfix/postfix-script: the Postfix mail system is running: PID: 15758
[root@mipagina ~]# netstat -tulpn|grep 25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 15758/master
tcp 0 0 :::25 :::* LISTEN 15758/master
Most ISPs block port 25. Better switch to port 587.

GMail AUTH LOGIN SMTP Authentication

I'm trying to authenticate myself against GMail SMTP Server by using the LOGIN authentication mechanism. AUTH LOGIN is advertised as supported in the response to the EHLO command, but when I'm trying to send AUTH LOGIN to the server, I'm getting "504 5.7.4 Unrecognized Authentication Type" response. Here is the dialog between the server and the client:
S: 220 mx.google.com ESMTP d9sm13589149wiy.2
C: EHLO client
S: 250-mx.google.com at your service, [x.x.x.x]
S: 250-SIZE 35882577
S: 250-8BITMIME
S: 250-AUTH LOGIN PLAIN XOAUTH
S: 250 ENHANCEDSTATUSCODES
C: AUTH LOGIN
S: 504 5.7.4 Unrecognized Authentication Type d9sm13589149wiy.2
Am I doing something wrong here?
Use STARTTLS first, negotiate a security exchange (SSL or TLS), then recall EHLO, and then you can, I guess, use the PLAIN and LOGIN mechanisms.
What I've found out is that once I'm using "AUTH LOGIN base64username", which is not really how LOGIN should be working, it actually seems to work:
S: 220 mx.google.com ESMTP n3sm42168657wiz.9
C: EHLO client
S: 250-mx.google.com at your service, [x.x.x.x]
S: 250-SIZE 35882577
S: 250-8BITMIME
S: 250-AUTH LOGIN PLAIN XOAUTH
S: 250 ENHANCEDSTATUSCODES
C: AUTH LOGIN base64username
S: 334 UGFzc3dvcmQ6
C: base64password
S: 235 2.7.0 Accepted
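Added example, not from the question or the answers: the client side of the LOGIN exchange above as a small Python state machine. It decodes the 334 challenges (VXNlcm5hbWU6 is "Username:", UGFzc3dvcmQ6 is "Password:"), supports the "AUTH LOGIN <base64 username>" initial-response form from the second transcript, and treats the 504 reply from the first transcript as a refusal. The username and password are placeholders, and the object is meant to be driven over a session already upgraded with STARTTLS, since LOGIN only base64-encodes the credentials.

```python
import base64

def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def unb64(text):
    return base64.b64decode(text).decode("utf-8", "replace")

class AuthLogin:
    """Client side of SASL LOGIN over SMTP (RFC 4954). Send first_command(), then feed
    every server reply to step(); it returns the next line to send, or None when the
    exchange is over (check .authenticated). Credentials are only base64-encoded, i.e.
    readable on the wire, so this belongs after STARTTLS."""

    def __init__(self, username, password, initial_response=False):
        self.username, self.password = username, password
        self.initial_response = initial_response
        self.authenticated = False

    def first_command(self):
        # Initial-response form 'AUTH LOGIN <b64 username>' skips the Username: challenge.
        if self.initial_response:
            return "AUTH LOGIN " + b64(self.username)
        return "AUTH LOGIN"

    def step(self, server_line):
        code = server_line[:3]
        if code == "334":  # challenge: the base64 text after the code says what is wanted
            prompt = unb64(server_line[4:]).strip().rstrip(":").lower()
            if prompt == "username":
                return b64(self.username)
            if prompt == "password":
                return b64(self.password)
            raise ValueError("unexpected LOGIN challenge: %r" % prompt)
        if code == "235":
            self.authenticated = True
            return None
        if code == "504":
            # 'Unrecognized Authentication Type': the mechanism is not usable at this point
            # of the session, typically because AUTH was sent before STARTTLS.
            raise PermissionError("server refused AUTH LOGIN here: " + server_line)
        raise PermissionError("authentication failed: " + server_line)
```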

openssl client SMTP with gmail port 587, no response (250 OK) after <crlf>.<crlf>

I've been trying to use openssl to establish a connection with smtp.gmail.com port 587 or 465 with:
openssl s_client -host smtp.gmail.com -port 587 -starttls smtp
and the authentication, MAIL FROM, RCPT TO, and DATA were all successful. But my problem is, after I write . on a new line, there is no 250 OK response from the server.
Here is the process:
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(certification)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1910 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 28E597C0025A93C82AD4A7C517F699B37D106D760597467B522C1041F1BC17C8
Session-ID-ctx:
Master-Key: 1CC83A8A4B7864DF9BBD9E9742B4E5A5937941EB2A28B88A1D4214920B77AC976D3ADC2DA7B60CF8BD6BC2B0712A42A2
Key-Arg : None
Start Time: 1296911515
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 ENHANCEDSTATUSCODES
ehlo
250-mx.google.com at your service, [121.94.150.147]
250-SIZE 35651584
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH
250 ENHANCEDSTATUSCODES
auth login
334 VXNlcm5hbWU6
<my email>
334 UGFzc3dvcmQ6
<my password>
235 2.7.0 Accepted
mail from:<email>
250 2.1.0 OK t14sm1471936icd.10
rcpt to:<email>
250 2.1.5 OK t14sm1471936icd.10
data
from: someone <email>
354 Go ahead t14sm1471936icd.10
to : someone <email>
subject: test
test
test2
.
451 4.4.2 Timeout - closing connection. t14sm1471936icd.10
read:errno=0
I am using Cygwin on Win7 32-bit.
I've been searching for all of the possible keywords on Google but no solution comes out.
PLEASE HELP!
Maybe add the '-crlf' option to the command line:
openssl s_client -host smtp.gmail.com -port 587 -starttls smtp -crlf