Gnus development mailing list
* [OT]sendmail ssl authentication
@ 2008-05-15 14:31 reader
  2008-05-16  1:47 ` Dave Goldberg
  2008-05-16  7:42 ` David
  0 siblings, 2 replies; 10+ messages in thread
From: reader @ 2008-05-15 14:31 UTC (permalink / raw)
  To: ding

I guess this is a little off topic but here on this group is where I'm
most likely to find someone using gnus and sendmail.

I've been using sendmail as my local mta for years and have struggled
through many different ISPs' quirks.  But I've never had to use ssl to
connect to my ISP's smart host.

With something like thunderbird, that doesn't appear to use sendmail,
it's just a matter of checking the right box.  But when I google around
about setting sendmail up for ssl I find a lot of confusing overlap
with people whose problem is authenticating remote users on a mail
server.

In my case it's the other way round... I'm attempting to pass my mail
to comcast cable network server smtp.comcast.net.  So it's not clear if
all the setup for a server is necessary for me.

I've been running with a working connection for months but now they
have apparently adopted ssl authentication and my old
/etc/mail/authinfo doesn't work.

Sending a message with `mail -v' and watching the smtp conversation I
see my messages get to the comcast mail server, (posted separately)
but there is no mention of any authentication problem only a
`deferred' and then timeout.

In case anyone suggests it: I don't really want to side step and use
the smtp.el package inside of gnus because I like for other mail tools
like mailx to work too.

Currently I have sendmail.mc set up to use authinfo, and as I've
mentioned it worked for months but now the server has changed over to
using ssl and uses a different port... I think 465.  At least that
is what popped up when I checked the ssl box on thunderbird.

sendmail.mc and authinfo are also posted, but it's getting
to be quite a lot to inline here, so posting
   authinfo
   sendmail.mc
   smtp conversation
here:
   http://www.jtan.com/~reader/sendmail/disp.cgi

Does anyone know what I need in sendmail setup to allow ssl
authentication at my ISP smtp server?

As I mentioned earlier, Googling, I see a lot of confusing overlap
with STARTTLS and TLS and mention of creating certs and the like.

But in thunderbird, it only takes checking a simple box, so I'm
thinking the above googled findings are more about an actual mail server
being set up for remote clients and may not be necessary for my
situation.

* Re: [OT]sendmail ssl authentication
  2008-05-15 14:31 [OT]sendmail ssl authentication reader
@ 2008-05-16  1:47 ` Dave Goldberg
  2008-05-16  7:42 ` David
  1 sibling, 0 replies; 10+ messages in thread
From: Dave Goldberg @ 2008-05-16  1:47 UTC (permalink / raw)
  To: ding

I bet your thunderbird setup is doing the equivalent of smtpmail.el plus whatever else is necessary to do the SSL bit.  There was a thread about SSL auth on the list a short while ago but I don't recall the conclusion.
-- 
Dave Goldberg
david.goldberg6@verizon.net

* Re: [OT]sendmail ssl authentication
  2008-05-15 14:31 [OT]sendmail ssl authentication reader
  2008-05-16  1:47 ` Dave Goldberg
@ 2008-05-16  7:42 ` David
  2008-05-16 17:58   ` reader
  1 sibling, 1 reply; 10+ messages in thread
From: David @ 2008-05-16  7:42 UTC (permalink / raw)
  To: ding

reader@newsguy.com writes:
> Sending a message with `mail -v' and watching the smtp conversation I
> see my messages get to the comcast mail server, (posted separately)
> but there is no mention of any authentication problem only a
> `deferred' and then timeout.

There is a great tool for testing SMTP connections called "swaks":

http://www.jetmore.org/john/code/#swaks

> In case anyone suggests it: I don't really want to side step and use
> the smtp.el package inside of gnus because I like for other mail tools
> like mailx to work too.

OK. My next suggestion would then be to switch to Exim or
Postfix. They're usually easier to configure and many distributions have
scripts to create the configuration for you, based on some simple
settings (Exim on Debian, for example).

> Currently I have sendmail.mc setup to use authinfo, and as I've
> mentioned it worked for mnths but now the server has changed over to
> using ssl and uses a different port... I think 465.  At least that
> is what popped up when I checked the ssl box on thunderbird.

The problem is: there are two different ways to send mail with SSL
encryption: a correct one (SMTP+STARTTLS) and a broken one (ssmtp). The
latter is a typical Outlook-kludge (which is why many ISPs do it) and is
usually done over port 465, so it might indeed be that you're dealing
with ssmtp. If so, even switching to smtp.el won't help you since it
doesn't support ssmtp.

See this thread for details and how to test with telnet/swaks what
you're dealing with:

http://thread.gmane.org/gmane.emacs.help/52049

> Does anyone know what I need in sendmail setup to allow ssl
> authentication at my ISP smtp server?

I'd suggest you better ask that question in a group dealing with
sendmail.

-David

* Re: [OT]sendmail ssl authentication
  2008-05-16  7:42 ` David
@ 2008-05-16 17:58   ` reader
  2008-05-16 19:29     ` David
  0 siblings, 1 reply; 10+ messages in thread
From: reader @ 2008-05-16 17:58 UTC (permalink / raw)
  To: ding

David <de_bb@arcor.de> writes:

> reader@newsguy.com writes:
>> Sending a message with `mail -v' and watching the smtp conversation I
>> see my messages get to the comcast mail server, (posted separately)
>> but there is no mention of any authentication problem only a
>> `deferred' and then timeout.
>
> There is a great tool for testing SMTP connections called "swaks":
>
> http://www.jetmore.org/john/code/#swaks

Yes nice

>> In case anyone suggests it: I don't really want to side step and use
>> the smtp.el package inside of gnus because I like for other mail tools
>> like mailx to work too.
>
> OK. My next suggestion would then be to switch to Exim or
> Postfix. They're usually easier to configure and many distributions have
> scripts to create the configuration for you, based on some simple
> settings (Exim on Debian, for example).

I've used sendmail continuously for 7-8 years... and have been able to
get it sorted out through quite a few ISP changes and sendmail updates.
It has been a chore at times... but I've found the others you mentioned
not to be nearly as well documented as sendmail... although I quickly
admit I am very much a lightweight in sendmail skills.

[...]

> See this thread for details and how to test with telnet/swaks what
> you're dealing with:
>
> http://thread.gmane.org/gmane.emacs.help/52049

Yes, quite a lot of helpful info there

>> Does anyone know what I need in sendmail setup to allow ssl
>> authentication at my ISP smtp server?
>
> I'd suggest you better ask that question in a group dealing with
> sendmail.

Yes, I was doing that simultaneously and have a discussion going with
one of the heavy hitters on comp.mail.sendmail (Per Hedlund), who so
far has been telling me to make sure STARTTLS cannot be made to work
somehow before going the stunnel or some other ssl wrapper route.

And it does appear there may be some hope since I see mention of
STARTTLS in the output of swaks:
  
reader > swaks --auth --tls-on-connect -p 465 -s smtp.comcast.net   
To: reader@jtan.com
Username: My-uid
Password: My-passwd
=== Trying smtp.comcast.net:465...
=== Connected to smtp.comcast.net.
=== TLS started w/ cipher DHE-RSA-AES256-SHA
<~  220 OMTA02.emeryville.ca.mail.comcast.net comcast ESMTP server ready
 ~> EHLO reader.local.lan
<~  250-OMTA02.emeryville.ca.mail.comcast.net hello [67.162.73.42], pleased to meet you
<~  250-HELP
<~  250-AUTH LOGIN PLAIN CRAM-MD5
<~  250-SIZE 15728640
<~  250-ENHANCEDSTATUSCODES
<~  250-8BITMIME
<~  250-STARTTLS
<~  250 OK
 ~> AUTH CRAM-MD5
<~  334 PDI3MTExLjEyMTA5NTk0NzZAT01UQTAyLmVtZXJ5dmlsbGUuY2EubWFpbC5jb21jYXN0Lm5ldD4=
 ~> SGFycnlQdXRuYW0gY2VlMTBhOTJkMWQ0ZWYwZjUyMjg4NjQ0ZjdhMzM0NWE=
<~  235 2.7.0 ... authentication succeeded
 ~> MAIL FROM:<reader@reader.local.lan>
<~* 550 5.1.0 <reader@reader.local.lan> sender rejected : invalid sender domain
 ~> QUIT

It doesn't like my homemade domain name, but that shouldn't happen with
sendmail since I am masquerading as my pop server newsguy.com.

I guess the trick is getting sendmail to send whatever swaks sends to
that port.

* Re: [OT]sendmail ssl authentication
  2008-05-16 17:58   ` reader
@ 2008-05-16 19:29     ` David
  2008-05-16 23:15       ` reader
  0 siblings, 1 reply; 10+ messages in thread
From: David @ 2008-05-16 19:29 UTC (permalink / raw)
  To: ding

reader@newsguy.com writes:
> And it does appear there may be some hope since I see mention of
> STARTTLS in the output of swaks:
>   
> reader > swaks --auth --tls-on-connect -p 465 -s smtp.comcast.net   
> To: reader@jtan.com
> Username: My-uid
> Password: My-passwd
> === Trying smtp.comcast.net:465...
> === Connected to smtp.comcast.net.
> === TLS started w/ cipher DHE-RSA-AES256-SHA
> <~  220 OMTA02.emeryville.ca.mail.comcast.net comcast ESMTP server ready

The "--tls-on-connect" initiates an ssmtp connection, i.e. the TLS
session is started right away so that everything is already encrypted
(even the server greeting).

When I telnet to smtp.comcast.net on the SMTP standard port (25) I also
see a "250-STARTTLS" after the EHLO handshake, so this server should
support STARTTLS on the standard port, and that's the correct thing to
do for SSL encrypted authentication. You can try it with

swaks --auth -tls -p 25 -s smtp.comcast.net

If this works, configure sendmail to do authentication with STARTTLS on
the standard port 25 and don't use port 465. If it doesn't work, you
might indeed have to set up stunnel if sendmail doesn't support ssmtp
directly.

-David
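An added check that is not part of the thread: a Python script that classifies a submission endpoint the way David describes, implicit TLS on connect (the ssmtp/port 465 style) versus STARTTLS advertised in the EHLO reply. The EHLO sample is constructed from the swaks transcript quoted above; `probe` is a live helper, and the host and port it is called with are assumptions taken from the thread.

```python
"""Tell implicit TLS on connect ("ssmtp"/SMTPS, usually port 465) from STARTTLS
advertised in the EHLO reply (ports 25/587), and list the AUTH mechanisms offered."""
import smtplib
import ssl

# Constructed EHLO reply, modelled on the swaks transcript in the thread.
SAMPLE_EHLO = (
    "250-OMTA02.emeryville.ca.mail.comcast.net hello [67.162.73.42], pleased to meet you\r\n"
    "250-HELP\r\n"
    "250-AUTH LOGIN PLAIN CRAM-MD5\r\n"
    "250-SIZE 15728640\r\n"
    "250-STARTTLS\r\n"
    "250 OK\r\n"
)

def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters, e.g. {'AUTH': ['LOGIN', 'PLAIN', ...]}."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:   # line 0 is the server's hostname line
        body = line[4:].strip()                    # drop the "250-" / "250 " prefix
        if body:
            keyword, *params = body.split()
            caps[keyword.upper()] = params
    return caps

def classify(tls_on_connect, caps):
    """Name the TLS mode of an endpoint. A 250-STARTTLS seen in a session that was
    wrapped in TLS on connect (swaks --tls-on-connect) does not mean the port does
    STARTTLS: that endpoint is implicit TLS and is reported as such."""
    if tls_on_connect:
        return "implicit-tls"
    return "starttls" if "STARTTLS" in caps else "cleartext-only"

def probe(host, port, timeout=15):
    """Live check of one endpoint (network; not used by the offline test).
    Returns (mode, sorted AUTH mechanisms) after a verified TLS handshake."""
    ctx = ssl.create_default_context()
    if port == 465:
        server, mode = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx), "implicit-tls"
    else:
        server, mode = smtplib.SMTP(host, port, timeout=timeout), "cleartext-only"
    with server:
        server.ehlo()
        if mode == "cleartext-only" and server.has_extn("starttls"):
            server.starttls(context=ctx)   # upgrade, then EHLO again for the real offer
            server.ehlo()
            mode = "starttls"
        auth = server.esmtp_features.get("auth", "").split()
    return mode, sorted(m.upper() for m in auth)

if __name__ == "__main__":
    caps = parse_ehlo(SAMPLE_EHLO)
    print(classify(True, caps), caps["AUTH"])   # implicit-tls ['LOGIN', 'PLAIN', 'CRAM-MD5']
    print(probe("smtp.comcast.net", 587))       # live: expect ('starttls', [...]) or OSError
```

Only mechanisms the server offers after the TLS upgrade matter; an AUTH line read over cleartext before STARTTLS is not the one a client should trust.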

* Re: [OT]sendmail ssl authentication
  2008-05-16 19:29     ` David
@ 2008-05-16 23:15       ` reader
  2008-05-17  9:56         ` sendmail " Adam Sjøgren
  0 siblings, 1 reply; 10+ messages in thread
From: reader @ 2008-05-16 23:15 UTC (permalink / raw)
  To: ding

David <de_bb@arcor.de> writes:

> reader@newsguy.com writes:
>> And it does appear there may be some hope since I see mention of
>> STARTTLS in the output of swaks:
>>   
>> reader > swaks --auth --tls-on-connect -p 465 -s smtp.comcast.net   
>> To: reader@jtan.com
>> Username: My-uid
>> Password: My-passwd
>> === Trying smtp.comcast.net:465...
>> === Connected to smtp.comcast.net.
>> === TLS started w/ cipher DHE-RSA-AES256-SHA
>> <~  220 OMTA02.emeryville.ca.mail.comcast.net comcast ESMTP server ready
>
> The "--tls-on-connect" initiates a ssmtp connection, i.e. the TLS
> session is started right away so that everything is already encrypted
> (even the server greeting).

> When I telnet to smtp.comcast.net on the SMTP standard port (25) I also
> see a "250-STARTTLS" after the EHLO handshake, so this server should
> support STARTTLS on the standard port, and that's the correct thing to
> do for SSL encrypted authentication. You can try it with

Odd, when I do it, which is what led to my posting here, it refuses to
connect at all:
  reader > telnet smtp.comcast.net 25
Trying 76.96.30.117...
  Finally times out and server closes.
So no EHLO is possible.

I wonder if they block their own customers or something..?

However I learned it did show STARTTLS on port 587 by telnetting there
so I configured sendmail to contact port 587 and all is well.

The server I get on 587:
  OMTA14.westchester.pa.mail.comcast.net

But trying the exact name on port 25 I still cannot connect.

> If this works, configure sendmail to do authentication with STARTTLS on
> the standard port 25 and don't use port 465. If it doesn't work, you
> might indeed have to set up stunnel if sendmail doesn't support ssmtp
> directly.

See above... but there is no real configuring to do.. at least not for
the client side.. modern sendmail, if it has STARTTLS compiled in, will do
the right thing if you have the password and uid in the necessary
places.

Thanks for your input... I like swaks.  Although telnet will tell you
enough to figure it out .. swaks is nice

* Re: sendmail ssl authentication
  2008-05-16 23:15       ` reader
@ 2008-05-17  9:56         ` Adam Sjøgren
  2008-05-17 23:46           ` reader
  0 siblings, 1 reply; 10+ messages in thread
From: Adam Sjøgren @ 2008-05-17  9:56 UTC (permalink / raw)
  To: ding

On Fri, 16 May 2008 18:15:45 -0500, reader@newsguy.com wrote:

> Odd, when I do it, which is what led to my posting here, It refuses to
> connect at all:
>   reader > telnet smtp.comcast.net 25
> Trying 76.96.30.117...
>   Finally times out and server closes.
> So no EHLO is possible.

> I wonder if they block their own customers or something..?

That is quite common these days. Some ISPs even block _all_ port 25
traffic.

The joys of spam.


  Best regards,

    Adam

-- 
 "Du danser godt, men ude af takt"                            Adam Sjøgren
                                                         asjo@koldfront.dk

* Re: sendmail ssl authentication
  2008-05-17  9:56         ` sendmail " Adam Sjøgren
@ 2008-05-17 23:46           ` reader
  2008-05-18  4:07             ` Adam Sjøgren
  0 siblings, 1 reply; 10+ messages in thread
From: reader @ 2008-05-17 23:46 UTC (permalink / raw)
  To: ding

asjo@koldfront.dk (Adam Sjøgren) writes:

> On Fri, 16 May 2008 18:15:45 -0500, reader@newsguy.com wrote:
>
>> Odd, when I do it, which is what led to my posting here, It refuses to
>> connect at all:
>>   reader > telnet smtp.comcast.net 25
>> Trying 76.96.30.117...
>>   Finally times out and server closes.
>> So no EHLO is possible.
>
>> I wonder if they block their own customers or something..?
>
> That is quite common these days. Some ISPs even block _all_ port 25
> traffic.

Just checking something here... about what is common.

David can telnet to my smtp server smtp.comcast.net while I cannot.

Comcast.net is my ISP.

Then I find if I ssh to a remote machine that is not on comcast ISP I
can also telnet to that server.

So did you mean that it is common for ISPs to block their own users
but not users from the internet?  What would that do for them?  It
seems it would more likely help them to do it the other way round or,
like you said... just block all to port 25.

But it turns out there is an smtp server running on port 25 but I
cannot get to it, but people on the internet can...

On the face of it, it sounds ridiculous, so I don't understand why
they would do that.

* Re: sendmail ssl authentication
  2008-05-17 23:46           ` reader
@ 2008-05-18  4:07             ` Adam Sjøgren
  2008-05-19 14:41               ` reader
  0 siblings, 1 reply; 10+ messages in thread
From: Adam Sjøgren @ 2008-05-18  4:07 UTC (permalink / raw)
  To: ding

On Sat, 17 May 2008 18:46:27 -0500, reader@newsguy.com wrote:

> So did you mean that it is common for ISPs to block their own users
> but not users from the internet?  What would that do for them.

It would prevent their users from being exploited as a spam-relay and
sending spam out through their own ISP.

> It seems it would more likely help them to do it the other way round
> or like you said... just block all to port 25.

Spam makes people do annoying things.

> But it turns out there is an smtp server running on port 25 but I
> cannot get to it, but people on the internet can...

> On the face of it, it sounds ridiculous, so I don't understand why
> they would do that.

They need to accept email from the net, obviously.

A guess would be that for their own users - to minimize the spam that
they are "responsible" for - they have a description that says how their
users should send email (probably via another port, 587 maybe, and with
a login/password) and port 25 is blocked.

It is important for some ISPs to "keep their own backyard clean" - but
they can't ask other people in the world to follow their special
guidelines (only their own customers have login/passwords).

I think it makes perfect, albeit twisted, sense.


  Best regards,

    Adam

-- 
 "Gravity is arbitrary!"                                      Adam Sjøgren
                                                         asjo@koldfront.dk

* Re: sendmail ssl authentication
  2008-05-18  4:07             ` Adam Sjøgren
@ 2008-05-19 14:41               ` reader
  0 siblings, 0 replies; 10+ messages in thread
From: reader @ 2008-05-19 14:41 UTC (permalink / raw)
  To: ding

asjo@koldfront.dk (Adam Sjøgren) writes:

> I think it makes perfect, albeit twisted, sense.
>

Yeah, once you explained it a bit I do see the sense in it.