MUA's time out - Sendmail + SASL2 : "no shared cipher" and more...

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Dec 22 11:13:08 PST 2003


On Mon, Dec 22, 2003 at 12:40:46PM -0600, Kevin D. Kinsey, DaleCo, S.P. wrote:
> Don't know if anyone can or wants to help, I've
> scanned a lot of search results and followed
> 3 different "how to's" (starting with the Handbook)
> and though I'm closer, perhaps, I'm still not there.
> 
> I need an SSL-capable POP3 and SMTP as our
> needs expand.  POP3 I've accomplished with
> imap-uw; Sendmail has been some trouble
> for 3 days now, and at least one client is really
> needing to be able to send with M$ OE ASAP....

I've got one colleague who uses OE to read e-mail off my server via UW
IMAPS, a second that uses both OE and Mozilla and a third who has
never managed to get OE to authenticate properly.  I guess it's
something to do with the OE version...
 
> Both OE and the Mozilla mail client (and Mutt *on*
> the server, last I checked) are timing out attempting
> to use "SMTP Auth".  With Sendmail set to "LogLevel=25",
> here's a snippet of where I *think* the problem lies...
> 
> ----------------------------------------------------------------------------------------
> Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212:
>                --- 451 0.131.27.69.rel....osirusoft.com.: Name server 
> timeout

Osirusoft is dead and gone.  You should take that out of your
MTA/anti-spam configuration.

> Dec 22 12:20:51 ezekiel sm-mta[94212]: AUTH: available mech=NTLM
>                LOGIN ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5, allowed 
> mech=PLAIN LOGIN
> Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212: Milter: no active 
> filter
> Dec 22 12:20:51 ezekiel sm-mta[94212]: STARTTLS=server,
>                error: accept failed=-1, SSL_error=1, timedout=0, errno=0
> Dec 22 12:20:51 ezekiel sm-mta[94212]: STARTTLS=server: 
> 94212:error:1408A0C1:SSL
>                 routines:SSL3_GET_CLIENT_HELLO:no shared  
> cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:886:
> Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212: [66.27.130.10]
>                    did not issue MAIL/EXPN/VRFY/ETRN during connection 
> to TLSMTA
> Dec 22 12:21:02 ezekiel sm-mta[94238]: NOQUEUE: connect from [66.27.130.10]
> Dec 22 12:22:08 ezekiel sm-mta[94238]: hBMIL2ka094238: ---
>                    451 0.131.27.69.bl.spamcop.net.: Name server timeout
> Dec 22 12:24:30 ezekiel sm-mta[94224]: hBMIJVka094224: ---
>                    451 119.204.136.216....osirusoft.com.: Name server 
> timeout
> --------------------------------------------------------------------------------------------
> There are a few curiosities here in my mind (Milter (?) and timeouts
> looking for the spamcop NS's), but the issue seems most likely to
> be the SSL error ("accept failed=-1" and "no shared cipher").
> 
> What have I misconfigured?  I've tried all possible combinations of
> checkboxes on the clients ... at least I think so.  They just hang forever;
> OE during the "securing" phase.  If someone knows the incantations
> I don't know for Sendmail, I'd appreciate a look at your spell book....

Hmmm... SASL related stuff from my config:

/etc/make.conf:

    SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
    SENDMAIL_LDFLAGS=-L/usr/local/lib
    SENDMAIL_LDADD=-lsasl2

SASL ports:

    % pkg_info -I '*sasl*'
    cyrus-sasl-2.1.17_1 RFC 2222 SASL (Simple Authentication and Security Layer)
    cyrus-sasl-saslauthd-2.1.17_1 SASL authentication server for cyrus-sasl2

/etc/mail/`hostname`.mc:

    dnl ## Set SASL options
    TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
    define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl
    define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl

    [...]

    define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
    define(`confCACERT_PATH', `CERT_DIR')dnl
    define(`confCACERT', `CERT_DIR/cacert.pem')dnl
    define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
    define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
    define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
    define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

I'm using a self-signed cert generated according to these instructions:

    http://www.sendmail.org/~ca/email/other/cagreg.html

and you may find this page useful, although using client certificates
is possibly overkill (the standard LOGIN that OE uses should be
sufficient):

    http://www.ofb.net/%7Ejheiss/sendmail/tlsandrelay.shtml

Note the bit about making sure the certificate signer (CN of
cacert.pem) is different to the common name of the certificate.

Not having a Windows box anywhere available I can't remember off-hand
exactly how to set up the OE end, but it's not too difficult if you
work through the available options.

	Cheers,

	Matthew

PS.  Reply only to list, as your mailer bounces messages from my site
for no apparent reason.

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
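An added triage script (my own code, written for this thread, not from either poster): it re-joins the wrapped sm-mta log lines as quoted above, then pulls out the DNSBL name-server timeouts, the STARTTLS failure and the SASL mechanisms the server will allow, and reports why a broken TLS layer leaves every login hanging. The sample log, the DEAD_LISTS table and the function names are constructed here.

```python
import re
from itertools import dropwhile
HEADER = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ sm-mta\[\d+\]: (.*)$")  # syslog record
DNSBL = re.compile(r"451 (\S+?)\.?: Name server timeout")
TLS_ERR = re.compile(r"STARTTLS=server.*?(accept failed=-1|no shared cipher)")
AUTH = re.compile(r"AUTH: available mech=([^,]+), allowed mech=(.*)$")
CLEARTEXT = {"PLAIN", "LOGIN"}   # password crosses the wire unprotected unless TLS is up
DEAD_LISTS = ("osirusoft.com",)  # assumption: DNSBL zones known to be defunct

# Constructed sample, wrapped the way the log was quoted in the thread (not a real log file).
SAMPLE_LOG = """\
Dec 22 12:20:51 ezekiel sm-mta[94212]: hBMIG1ka094212:
               --- 451 0.131.27.69.rel....osirusoft.com.: Name server
timeout
Dec 22 12:20:51 ezekiel sm-mta[94212]: AUTH: available mech=NTLM
               LOGIN ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5, allowed
mech=PLAIN LOGIN
Dec 22 12:20:51 ezekiel sm-mta[94212]: STARTTLS=server:
94212:error:1408A0C1:SSL
                routines:SSL3_GET_CLIENT_HELLO:no shared
cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:886:
"""

def unwrap(lines):
    """Re-join wrapped continuation lines onto the sm-mta record they belong to."""
    records = []
    for line in lines:
        if m := HEADER.match(line):
            records.append(m.group(1).strip())
        elif records:                       # no header: continuation of the previous record
            records[-1] += " " + line.strip()
    return records

def dnsbl_zone(name):
    """Drop the reversed-IP labels of a DNSBL query name, leaving the list's zone."""
    return ".".join(dropwhile(str.isdigit, name.split(".")))

def triage(lines):
    """Summarise what the log reports and why MUAs would hang at 'securing'/AUTH."""
    r = {"dnsbl_timeouts": [], "tls_errors": [], "allowed_mechs": set(), "findings": []}
    for rec in unwrap(lines):
        if m := DNSBL.search(rec):
            r["dnsbl_timeouts"].append(dnsbl_zone(m.group(1)))
        if m := TLS_ERR.search(rec):
            r["tls_errors"].append(m.group(1))
        if m := AUTH.search(rec):
            r["allowed_mechs"] = set(m.group(2).split())
    if any(z.endswith(DEAD_LISTS) for z in r["dnsbl_timeouts"]):
        r["findings"].append("defunct DNSBL still queried; remove it from the MTA config")
    if "no shared cipher" in r["tls_errors"]:   # server had no usable cert/key to offer
        r["findings"].append("TLS handshake fails before AUTH; check confSERVER_CERT/confSERVER_KEY")
    if r["allowed_mechs"] and r["allowed_mechs"] <= CLEARTEXT:
        r["findings"].append("only cleartext SASL mechanisms allowed, so broken TLS blocks every login")
    return r
```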