I'm running fc7 (updated). I updated via yum from fc6.
Oddly, Cyrus continued to work after the upgrade (it usually breaks).
This time it was sendmail that broke, even though I'm running with a fairly stock system.
The extent of my sendmail.mc edits are below.
I get messages from sendmail saying that my client (Thunderbird on Windows Vista and FC7), well:
Sep 29 19:21:59 mail sendmail[5288]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256 Sep 29 19:22:23 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8]: possible SMTP attack: command=AUTH, count=4 Sep 29 19:22:30 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4 Sep 29 19:23:05 mail sendmail[5295]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
but if I turn off TLS, it seems to work ok (using username/password authentication in the clear, I guess).
Since it's TLS, I couldn't use tcpdump to read the transactions...
Here are the sendmail.mc edits. Nothing too weird:
--- sendmail.mc.orig 2006-09-05 07:27:48.000000000 -0600 +++ sendmail.mc 2007-03-08 21:26:38.000000000 -0700 @@ -41,7 +41,7 @@ dnl # The following allows relaying if the user authenticates, and disallows dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links dnl # -dnl define(`confAUTH_OPTIONS', `A p')dnl +define(`confAUTH_OPTIONS', `A p')dnl dnl # dnl # PLAIN is the preferred plaintext authentication method and used by dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do @@ -49,18 +49,18 @@ dnl # guaranteed secure. dnl # Please remember that saslauthd needs to be running for AUTH. dnl # -dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl -dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl +TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl +define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl dnl # dnl # Rudimentary information on creating certificates for sendmail TLS: dnl # cd /usr/share/ssl/certs; make sendmail.pem dnl # Complete usage: dnl # make -C /usr/share/ssl/certs usage dnl # -dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl -dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl -dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl -dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl +define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl +define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl +define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl +define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl dnl # dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's dnl # slapd, which requires the file to be readble by group ldap @@ -71,8 +71,10 @@ dnl define(`confTO_QUEUERETURN', `5d')dnl dnl define(`confQUEUE_LA', `12')dnl dnl define(`confREFUSE_LA', `18')dnl +dnl # don't apply domain search suffixes... +define(`confBIND_OPTS', `+AAONLY -DNSRCH -DEFNAMES')dnl define(`confTO_IDENT', `0')dnl -dnl FEATURE(delay_checks)dnl +FEATURE(delay_checks)dnl FEATURE(`no_default_msa', `dnl')dnl FEATURE(`smrsh', `/usr/sbin/smrsh')dnl FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl @@ -100,27 +102,35 @@ FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl FEATURE(`blacklist_recipients')dnl +dnl # Anti-spam features suggested from ACME.COM +FEATURE(`greet_pause', `5000')dnl +define(`confCONNECTION_RATE_WINDOW_SIZE', `60s')dnl +FEATURE(`conncontrol')dnl +FEATURE(`ratecontrol', `nodelay', `terminate')dnl +define(`confBAD_RCPT_THROTTLE', `3')dnl +define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl +define(`confMAX_DAEMON_CHILDREN', `5')dnl EXPOSED_USER(`root')dnl dnl # dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment dnl # the following 2 definitions and activate below in the MAILER section the dnl # cyrusv2 mailer. dnl # -dnl define(`confLOCAL_MAILER', `cyrusv2')dnl -dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl +define(`confLOCAL_MAILER', `cyrusv2')dnl +define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl dnl # dnl # The following causes sendmail to only listen on the IPv4 loopback address dnl # 127.0.0.1 and not on any other network devices. Remove the loopback dnl # address restriction to accept email from the internet or intranet. dnl # -DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl +dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl dnl # dnl # The following causes sendmail to additionally listen to port 587 for dnl # mail from MUAs that authenticate. Roaming users who can't reach their dnl # preferred sendmail daemon due to port 25 being blocked or redirected find dnl # this useful. dnl # -dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl +DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl dnl # dnl # The following causes sendmail to additionally listen to port 465, but dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed @@ -141,18 +151,20 @@ dnl # enable both ipv6 and ipv4 in sendmail: dnl # dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6') +DAEMON_OPTIONS(`Name=MTA-v4, Family=inet') dnl # dnl # We strongly recommend not accepting unresolvable domains if you want to dnl # protect yourself from spam. However, the laptop and users on computers dnl # that do not have 24x7 DNS do need this. dnl # -FEATURE(`accept_unresolvable_domains')dnl +dnl FEATURE(`accept_unresolvable_domains')dnl dnl # dnl FEATURE(`relay_based_on_MX')dnl dnl # dnl # Also accept email sent to "localhost.localdomain" as local email. dnl # LOCAL_DOMAIN(`localhost.localdomain')dnl +INPUT_MAIL_FILTER(`mimdefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m;E:5m') dnl # dnl # The following example makes mail from this host and any additional dnl # specified domains appear to be sent from mydomain.com @@ -173,4 +185,4 @@ dnl MASQUERADE_DOMAIN(mydomain.lan)dnl MAILER(smtp)dnl MAILER(procmail)dnl -dnl MAILER(cyrusv2)dnl +MAILER(cyrusv2)dnl
Anyone seen anything similar to this?
I recently started experiencing this problem with Fedora 7. I think it started with a sendmail update. Like you said, TLS doesn't seem to work but it works if you set it with not encrypt no auth. I think TLS may work if I set it with no authentication, but really, I'm not into joining BotNet. This has become very troublesome as this is how my Treo sends mail (is by connecting with TLS and authenticating) preventing anyone from using my sendmail server as an open relay.
-
Philip Prindeville -
potat0