Hi.
I was hoping to get some pointers on how to do the following sysadmin chores:
* I'm running sendmail+cyrus, and I'd like to configure a milter with some simple rules (for instance, don't accept email from sites that don't have IN-ADDR.ARPA records)
* I'd also like to set up autofs, but it seems to be failing... I tried to set up an example /home mountpoint like the auto.master man page suggests, but they don't give an example of what /etc/auto.home would look like (and just copying auto.net into it doesn't work). Suggestions?
* I tried to edit /etc/sysconfig/network to have "NETWORK_IPV6=no" but it still wants to bring up IPV6 networking anyway:
eth0      Link encap:Ethernet  HWaddr 00:11:09:04:D5:2A
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::211:9ff:fe04:d52a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5049 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5354 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1446018 (1.3 MiB)  TX bytes:475699 (464.5 KiB)
          Interrupt:177 Base address:0xc000
Is this a bug? What am I missing?
* Lastly, when I start up my mail UA, it complains about the certificate coming from the host being signed localhost.localdomain... Is there a walk-through on how to set up the various certificates required for using SSL/TLS for sending email from a client? How do I set up certificates for individual users, for instance?
/var/log/messages.1:Sep 19 19:30:30 mail sendmail[23081]: unable to open Berkeley db /etc/sasldb2: No such file or directory
...
Sep 27 12:29:30 mail sendmail[5896]: NOQUEUE: connect from [192.168.1.5]
Sep 27 12:29:30 mail sendmail[5896]: AUTH: available mech=DIGEST-MD5 ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Sep 27 12:29:30 mail sendmail[5896]: j8RITUIv005896: Milter: no active filter
Sep 27 12:29:30 mail sendmail[5896]: STARTTLS=server, relay=[192.168.1.5], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 27 12:29:30 mail sendmail[5896]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
Sep 27 12:29:30 mail sendmail[5896]: AUTH: available mech=LOGIN DIGEST-MD5 PLAIN ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Sep 27 12:29:31 mail sendmail[5896]: j8RITUIw005896: AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: no secret in database
Sep 27 12:29:31 mail sendmail[5896]: AUTH=server, relay=[192.168.1.5], authid=philipp, mech=PLAIN, bits=0
Sep 27 12:29:31 mail sendmail[5896]: j8RITUIw005896: from=philipp@redfish-solutions.com, size=72799, class=0, nrcpts=1, msgid=43398F8A.50903@redfish-solutions.com, proto=ESMTP, daemon=MTA-v4, relay=[192.168.1.5]
Similarly, I can't send email using SSL when connecting to my sendmail server... (but TLS seems to work).
* Ditto for Cyrus. I can't use secure authentication:
Sep 27 12:38:42 mail imaps[5986]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits reused) no authentication
I'm using Thunderbird, if that makes any difference.
Any guidance appreciated.
Thanks,
-Philip
On Tue, 27.09.2005 at 20:40, Philip Prindeville wrote:
I was hoping to get some pointers on how to do the following sysadmin chores:
- I'm running sendmail+cyrus, and I'd like to configure a milter with
some simple rules (for instance, don't accept email from sites that don't have IN-ADDR.ARPA records)
You'd better not implement that, because you would reject far too many false positives.
http://www.cs.niu.edu/~rickert/cf/ -> HACK(`require_rdns') "I don't recommend this. The amount of collateral damage is excessive." (Neil W. Rickert) [You know who Neil is? Co-author of the bat book.]
What you can consider is letting a missing reverse DNS record, or even bogus DNS entries (MX pointing to 127.0.0.1), influence the spam rating, rather than rejecting blindly. I recommend having a close look at MimeDefang, www.mimedefang.org. It is highly adjustable with just a little Perl knowledge. An example: http://www.mimedefang.org/kwiki/index.cgi?CheckForMX
- I'd also like to set up autofs, but it seems to be failing... I tried
to set up an example /home mountpoint like the auto.master man page suggests, but they don't give an example of what /etc/auto.home would look like (and just copying auto.net into it doesn't work). Suggestions?
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-nfs...
- I tried to edit /etc/sysconfig/network to have "NETWORK_IPV6=no" but
it still wants to bring up IPV6 networking anyway:
eth0      Link encap:Ethernet  HWaddr 00:11:09:04:D5:2A
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::211:9ff:fe04:d52a/64 Scope:Link
Is this a bug? What am I missing?
Add to /etc/modprobe.conf:
alias net-pf-10 off
alias ipv6 off
- Lastly, when I start up my mail UA, it complains about the certificate
coming from the host being signed localhost.localdomain... Is there a walk-through on how to set up the various certificates required for using SSL/TLS for sending email from a client? How do I set up certificates for individual users, for instance?
/usr/share/doc/openssl*/FAQ
There is a lot of information to be found with a Google search, for example for "openssl create self-signed certificates". Fedora ships the CA script and CA.pl (openssl-perl).
/var/log/messages.1:Sep 19 19:30:30 mail sendmail[23081]: unable to open Berkeley db /etc/sasldb2: No such file or directory
You offer MD5 mech which is not configured.
Sep 27 12:29:30 mail sendmail[5896]: NOQUEUE: connect from [192.168.1.5]
Sep 27 12:29:30 mail sendmail[5896]: AUTH: available mech=DIGEST-MD5 ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Sep 27 12:29:30 mail sendmail[5896]: j8RITUIv005896: Milter: no active filter
Sep 27 12:29:30 mail sendmail[5896]: STARTTLS=server, relay=[192.168.1.5], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 27 12:29:30 mail sendmail[5896]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
Sep 27 12:29:30 mail sendmail[5896]: AUTH: available mech=LOGIN DIGEST-MD5 PLAIN ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Sep 27 12:29:31 mail sendmail[5896]: j8RITUIw005896: AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: no secret in database
Your client uses CRAM-MD5 as your Sendmail setup offers that mech, but you have not configured your server to provide that. So it must fail.
Sep 27 12:29:31 mail sendmail[5896]: AUTH=server, relay=[192.168.1.5], authid=philipp, mech=PLAIN, bits=0
Sep 27 12:29:31 mail sendmail[5896]: j8RITUIw005896: from=philipp@redfish-solutions.com, size=72799, class=0, nrcpts=1, msgid=43398F8A.50903@redfish-solutions.com, proto=ESMTP, daemon=MTA-v4, relay=[192.168.1.5]
Fallback to mech PLAIN, which I guess succeeds.
Similarly, I can't send email using SSL when connecting to my sendmail server... (but TLS seems to work).
SSL is something different from (START)TLS in this context. Is the above a question or a statement?
- Ditto for Cyrus. I can't use secure authentication:
Sep 27 12:38:42 mail imaps[5986]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits reused) no authentication
Too little information. We can't know what you changed from the default setup. Use "imtest" for testing and adjusting your setup.
I'm using Thunderbird, if that makes any difference.
Yes, Thunderbird can use MD5, while other popular MUAs can only speak PLAIN or LOGIN (Outlook, OE).
-Philip
Alexander
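
The AUTH exchange walked through in the reply above (CRAM-MD5 advertised, failing, then a fallback to PLAIN inside the STARTTLS session) can be pulled out of the log mechanically. The following is an added example, not part of the original thread: the function name `summarize` and the finding labels are made up for illustration, and it assumes one sendmail child process (pid) per connection.

```python
import re
from collections import defaultdict

# Abridged from the sendmail log excerpt quoted in the thread above.
SAMPLE_LOG = """\
Sep 27 12:29:30 mail sendmail[5896]: AUTH: available mech=DIGEST-MD5 ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Sep 27 12:29:30 mail sendmail[5896]: STARTTLS=server, relay=[192.168.1.5], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 27 12:29:30 mail sendmail[5896]: AUTH: available mech=LOGIN DIGEST-MD5 PLAIN ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Sep 27 12:29:31 mail sendmail[5896]: j8RITUIw005896: AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: no secret in database
Sep 27 12:29:31 mail sendmail[5896]: AUTH=server, relay=[192.168.1.5], authid=philipp, mech=PLAIN, bits=0
"""

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # the password itself crosses the wire
PID = re.compile(r"sendmail\[(\d+)\]: (.*)$")
OFFER = re.compile(r"AUTH: available mech=([^,]+),")
FAIL = re.compile(r"AUTH failure \(([\w-]+)\)")
DONE = re.compile(r"AUTH=server,.*\bmech=([\w-]+)")
TLS = re.compile(r"STARTTLS=server,.*\bcipher=([\w-]+)")

def summarize(log_text):
    """Summarize each SMTP AUTH exchange, keyed by sendmail process id."""
    sessions = defaultdict(lambda: {"offered": [], "failed": [], "mech": None,
                                    "tls": None, "findings": []})
    for line in log_text.splitlines():
        hit = PID.search(line)
        if not hit:
            continue
        s, msg = sessions[hit.group(1)], hit.group(2)
        if m := OFFER.search(msg):
            s["offered"] = m.group(1).split()  # latest offer wins (re-sent after STARTTLS)
        elif m := FAIL.search(msg):
            s["failed"].append(m.group(1))
        elif m := DONE.match(msg):
            s["mech"] = m.group(1)
        elif m := TLS.match(msg):
            s["tls"] = m.group(1)
    for s in sessions.values():
        # A mechanism that is advertised but fails points at a missing secret or backend.
        s["findings"] += [f"offered-but-failed:{m}" for m in s["failed"] if m in s["offered"]]
        if s["mech"] in PLAINTEXT_MECHS:
            # bits=0 on the AUTH line: no SASL security layer, so TLS is the only protection.
            s["findings"].append("plaintext-auth-over-tls" if s["tls"] else "plaintext-auth-no-tls")
    return dict(sessions)

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE_LOG).items():
        print(pid, s["mech"], s["tls"], s["findings"])
```

A session that reports `plaintext-auth-no-tls` is the one to act on first: either require STARTTLS before AUTH or stop advertising PLAIN and LOGIN on unencrypted connections.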