This is one for the sendmail gurus... I am not having any real luck enabling STARTTLS with sendmail to allow authenticated mail relay from remote (dialup) clients. I'm _almost_ there, but something is missing or needs some slight tweaking.

My question: can anyone here point me in the direction of some good, clear, detailed "howto" documentation for doing auth/starttls so that it will work for me? Many thanks.

More detailed background: this box is using ldap for local authentication, which is working very well. The ldap authentication mechanism may be the problem, but I'm not sure - there are no logs indicating any problems with sendmail/ldap. I have sendmail.cf configured to make it "ldap-aware", but not for its routing tables (not yet - I'll do that next in the .mc file once I have the sendmail ldap database all set up and ready to use). (I've even got samba using ldap, very cool; I had it working like this when it was a rh7.3 box using a more recent rawhide src.rpm version. But I never did manage to get sendmail fully working with ssl as a rh7.3 box, similar problems.)

Sendmail itself is acting as the primary MX server for its own domain. It is v8.12.5 (which I also used, recompiled, when it was running rh7.3) with the most recent version of mimedefang acting as a milter. (It detects and filters out spam and viruses using NAI uvscan, File::Scan and SpamAssassin, which all works wonderfully well! :)

I get this response after "EHLO localhost" after netcat'ing to port 25...

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP

But I see in the logs:

sendmail[31042]: STARTTLS=server, relay=(deleted.host.name) [(relay.ip.address)], version=TLSv1/SSLv3, verify=NO, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168
sm-msp-queue[31041]: STARTTLS=client, relay=(deleted.host.name), version=TLSv1/SSLv3, verify=FAIL, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168

(hostnames and IPs removed to protect the guilty :)

It fails every time. I'm not so worried about the client fail (the server doesn't need to act as a starttls client to another server; I will eventually stop it from doing that in /etc/mail/access). The server verify failure is the big problem... remote clients need to post their email when they are travelling and connecting from all sorts of "strange" places.

So auth/starttls are enabled in the configuration, but just not working. I have set up (self-signed) certificates and pointed the relevant config directives at them. The hostname of the server matches the one in the certificate(s).

When attempts are made to remotely relay through it by users who have local accounts (eg, from their laptops at home or when they are "on the road"), this is what I see in the mail logs:

sendmail[23746]: g967Qnrv023746: ruleset=check_rcpt, arg1=<user@some.place>, relay=(deleted.host.name) [(relay.ip.address)], reject=550 5.7.1 <user@some.destination>... Relaying denied. Proper authentication required.

Not good. But when it is posted locally, this happens:

sendmail[18696]: AUTH=server, relay=(local.network.host.name) [192.168.10.110], authid=(local.user.name), mech=LOGIN, bits=0

But LOGIN/PLAIN is not encrypted. (I'd like to disable PLAIN login altogether.)

I've been here and followed what it says: http://www.sendmail.org/~ca/email/roaming.html

I've also done some google searches and found some useful information, but nothing that fully explains in a step-by-step fashion how all the AUTH/SSL stuff should be set up. (Perhaps ldap adds some wrinkles?) I have pops and imaps working very nicely on this same box.

I am so, so close... I'm sure that I'm missing something very basic here - but what? Thanks (again) for any useful pointers.

Cheers
Tony
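For the AUTH-over-STARTTLS setup asked about above, here is an added example (not from the original message or from the sendmail project) of the sendmail 8.12 .mc directives that offer LOGIN/PLAIN only once TLS is active and let authenticated users relay; the certificate paths under /etc/mail/certs are assumptions.

```m4
dnl Added example, not from the original post. Certificate paths are assumed.
dnl --- SMTP AUTH -------------------------------------------------------------
dnl Mechanisms the server advertises to clients after EHLO.
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl Clients that authenticate with one of these mechanisms may relay.
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
dnl A: add AUTH= to MAIL FROM only when authentication succeeded
dnl p: do not offer PLAIN/LOGIN unless a security layer (STARTTLS) is active
dnl y: do not permit anonymous mechanisms
define(`confAUTH_OPTIONS', `A p y')dnl
dnl --- STARTTLS --------------------------------------------------------------
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/cert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/key.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/cert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/key.pem')dnl
dnl --- Listeners -------------------------------------------------------------
dnl Port 25 for inbound MX traffic; port 587 for roaming users:
dnl M=E disables ETRN, M=a requires authentication before mail is accepted.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
```

With the `p` option in place, a plaintext EHLO on port 25 should no longer list AUTH LOGIN PLAIN; it appears only in the EHLO response sent after STARTTLS. Sendmail also refuses to enable STARTTLS if the key file is group- or world-readable, which shows up in the log as an "unsafe" file warning rather than a verify failure.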