setup sendmail

Postby Basher52 » Thu Jun 14, 2007 11:44 pm

(SPA = Secure Password Authentication)

I'll try and install Evolution again, but later on the *real* server I don't think I'm gonna install X so I can't use Evolution.
The OS is CentOS 4.5 this time and I know I installed a text-based client but I can't remember its name, lol, and I'm sure there are better ones out there.
You got any text-based mail clients I can use? It could be a good thing to be able to get mail even if I have to be logged into the server, in case of network errors on the internet side.

I'll have to get this thing to work with OE since they can't use other things than windoze. Hopefully I can make them use Thunderbird instead; maybe I'll try that one from the MS machine.
Basher52
guru
Posts: 881
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Postby Void Main » Fri Jun 15, 2007 12:29 am

Don't you have a Linux desktop you can test from?
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby Basher52 » Fri Jun 15, 2007 2:13 am

Not right now, no, but I can install one on a computer and test from there. On the other hand, since the machine I'm testing all this on isn't the hardware I'm gonna use (we're gonna buy some new stuff for this), I can install it on the server anyway.

I was just trying to fix all the problems without using X, even though I have it installed in case I needed it :P There are things I haven't done enough times to remember them, easy things like configuring 'ifcfg-ethx' manually.

Postby Basher52 » Fri Jun 15, 2007 1:51 pm

Here I was thinking that winblows REALLY sux...

I installed Thunderbird and tried that instead of OE
and as you said: "I would say it's a Microsoft issue" and I thought, dang, he was right, winblows sux even more than I thought :)

and just to be sure... I tried OE again... and now it worked... AGAIN :(

Does MS software need like a day to figure out how to work?
It was the exact same thing last time (last install), it didn't work and the next day it did. Talk about slow software, lol
Or... is there something happening somewhere when I try other clients?
OE didn't work at first, but later after I tried Evolution, it just started to work.

Sounds like OE (and prolly all other MS crap) installs some sort of snoops to figure out how everyone else works and by that configures itself, and after that is done, fixes itself and starts to work

Microsoft!!... LMAO what a joke

[OffTopic]
PS, don't know if this is a joke translated from you English-speaking dudes or...

But do you know who came up with the name Microsoft?
....... no?
I do :)
[/OffTopic]

Postby Void Main » Fri Jun 15, 2007 2:32 pm

The only thing I can think of is it might be tripping over the invalid certificate. You might want to generate a new self-signed certificate that isn't expired and matches your host name. Unless you got it signed by a CA you would still have that warning but you could even set up your own CA and import your CA's public key into IE/OE so it would be a 100% valid certificate to the apps that you imported your CA's public key to. That's the only thing I can think of. Of course the first thing you should check is the /var/log/maillog to see if there is any server side error when you get that client error.

Postby Basher52 » Fri Jun 15, 2007 3:01 pm

Void Main wrote:The only thing I can think of is it might be tripping over the invalid certificate.


Well, if this was the case it wouldn't take the certificate ever, would it?
But it does, either the next day (but this I can't believe) or after I used some other program that can handle this thing with certificates better. I have no idea what the issue can be???

But after all this hassle with OE, I'm gonna ask, no... TELL!! them to use at least Thunderbird and no shi*ty OE


PS. no answer to the joke? :P

Postby Basher52 » Fri Jun 15, 2007 4:15 pm

UPDATE (Just made this new post in case you've already read the other one)

I installed TB (Thunderbird) and I can connect to the server and get the server's folders and stuff, but I can't send through it?
It's something wrong with the settings somewhere of or for the sendmail service.

btw, is it called service in Linux too? Or is this name also stolen from Linux into windoze? Isn't the name daemon more appropriate?

Postby Void Main » Fri Jun 15, 2007 5:29 pm

Basher52 wrote:I installed TB (Thunderbird) and I can connect to the server and get the server's folders and stuff, but I can't send through it?
It's something wrong with the settings somewhere of or for the sendmail service.


Probably a setting needs to be added to /etc/mail/access. Your /var/log/maillog will tell the tale. You will likely find error messages like "relaying not allowed from xxx.xxx.xxx.xxx" etc. Also, in case you didn't know, you have not configured encrypted sending of mail, only receiving. So at this point make sure you are configuring for plain SMTP with no authorization on the sending of the mail.

btw, is it called service in Linux too? Or is this name also stolen from Linux into windoze? Isn't the name daemon more appropriate?


Technically/traditionally "services" in Linux and UNIX are not the same as daemons or what are called services in Windows, however, most everyone pretty much now calls daemons services as well and Red Hat's command to start and stop the daemons is even called "service". 6 of one, half dozen of another.

And no, I don't know the answer to your joke.

Postby Basher52 » Fri Jun 15, 2007 6:18 pm

Sorry I didn't write that :( but you should know me by now, I still can't give enough data until someone asks :(

I have fixed the /etc/mail/access file with the IP addresses I'm trying to send from.


The maillog says:
Code:
Jun 16 02:14:24 ddp imap-login: Login: basher52 [::ffff:xx.xxx.xxx.xx]
Jun 16 02:14:46 ddp sendmail[5700]: l5G0EZob005700: x-xx-xxxx-xx-xx-x.xxx.xx [xx.xxx.xxx.xx]: possible SMTP attack: command=AUTH, count=6
Jun 16 02:14:49 ddp sendmail[5700]: l5G0EZob005700: x-xx-xxxx-xx-xx-x.xxx.xx [xx.xxx.xxx.xx] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA


The access file:
Code:
localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
xx.xxx.xxx.xx                   RELAY
xxx.xxx.xx                      RELAY


I can use just three "groups" when writing this, can I?
Like xxx.xxx.xx, not the entire IP address?
(Think I did that last time, but I'm too tired/see too fuzzy to look through the old posts)
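As an added example (not code posted in the thread), a small shell/awk helper that summarises maillog lines of the kind quoted above per client address: the rejected-AUTH count sendmail logs as "possible SMTP attack", sessions that ended without a MAIL command, and relay refusals. The sample lines inside it are constructed with documentation addresses, not the poster's real log.

```shell
# Added example, not code from the thread. One client with a climbing AUTH
# count is what a mis-set MUA (or a password-guessing client) looks like;
# many clients at once is worth a closer look.
maillog_client_summary() {
    awk '
        # The client address is the bracketed token containing a dot or a
        # colon, which skips the process id in "sendmail[5700]".
        function client_ip(line,    ip) {
            if (!match(line, /\[[0-9A-Fa-f:.]*[.:][0-9A-Fa-f:.]*\]/)) return ""
            ip = substr(line, RSTART + 1, RLENGTH - 2)
            sub(/^::ffff:/, "", ip)     # drop the IPv4-mapped IPv6 prefix
            return ip
        }
        # "command=AUTH, count=N": N AUTH commands rejected in one session;
        # keep the highest N seen per client.
        /possible SMTP attack: command=AUTH/ {
            ip = client_ip($0); if (ip == "") next
            n = $0; sub(/.*count=/, "", n); n += 0
            seen[ip] = 1
            if (n > auth[ip] + 0) auth[ip] = n
        }
        # The client disconnected without ever trying to send a message.
        /did not issue MAIL\/EXPN\/VRFY\/ETRN/ {
            ip = client_ip($0); if (ip == "") next
            seen[ip] = 1; nomail[ip]++
        }
        # Relay refused by the /etc/mail/access rules.
        /Relaying denied/ {
            ip = client_ip($0); if (ip == "") next
            seen[ip] = 1; denied[ip]++
        }
        END {
            for (ip in seen)
                printf "%s auth_rejected=%d sessions_without_MAIL=%d relay_denied=%d\n", ip, auth[ip] + 0, nomail[ip] + 0, denied[ip] + 0
        }
    ' | sort
}

# Constructed sample with documentation addresses, not the poster's real log.
demo() {
    maillog_client_summary <<'EOF'
Jun 16 02:14:24 ddp imap-login: Login: basher52 [::ffff:192.0.2.10]
Jun 16 02:14:46 ddp sendmail[5700]: l5G0EZob005700: client.example.net [192.0.2.10]: possible SMTP attack: command=AUTH, count=6
Jun 16 02:14:49 ddp sendmail[5700]: l5G0EZob005700: client.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 16 02:20:01 ddp sendmail[5711]: l5G0K1ab005711: ruleset=check_rcpt, arg1=<someone@example.org>, relay=[198.51.100.7], reject=550 5.7.1 <someone@example.org>... Relaying denied
EOF
}
# Usage: maillog_client_summary < /var/log/maillog; no argument runs the sample.
if [ $# -gt 0 ]; then maillog_client_summary < "$1"; else demo; fi
```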

Postby Void Main » Fri Jun 15, 2007 6:38 pm

It looks to me like you are trying to authenticate your SMTP connection when you are not set up for SMTP authentication. Can you describe how you configured your "sending mail (smtp)" section in your mail client? You didn't put in a username and password did you? Because it shouldn't have one, unless you have configured sendmail for authentication which I don't believe you have to this point.

Postby Basher52 » Fri Jun 15, 2007 7:28 pm

how the he** do you know these things????
yeah even this time you were correct :(
I can only kneel before you.. again, lol
Under Tools\Account Settings\Outgoing Server (SMTP) and under the button 'Edit', I had told the client to use username and password ('Security and Authentication'), and it started to work when I removed it.
But I can't 'Use secure connection' like SSL cos I get the same error.

The firewall is open for port 465 but there is nothing in the maillog

Postby Void Main » Fri Jun 15, 2007 8:29 pm

Like I said, you haven't yet configured sendmail for authentication or an encrypted connection. You can not use that until you do.

http://www.joreybump.com/code/howto/smtpauth.html
http://www.madboa.com/geek/sendmail-auth/
http://www.cyberciti.biz/faq/howto-conf ... ate-email/
http://ist.uwaterloo.ca/security/howto/2006-08-03/

Right now you are restricting based on source IP address and sending domain only with no encryption and no authentication.

Basically all you have to do is create your certificate:

Code:
# cd /etc/pki/tls/certs
# make sendmail.pem


answer the questions and then edit your /etc/mail/sendmail.mc and change this:

Code:
define(`confAUTH_OPTIONS', `A')dnl


to this:

Code:
define(`confAUTH_OPTIONS', `A p y')dnl


and uncomment these lines and make them look like this:

Code:
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confCACERT_PATH',`/etc/pki/tls/certs')dnl
define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl


Start your saslauthd and restart sendmail:

Code:
# chkconfig saslauthd on
# service saslauthd start
# service sendmail restart


Now, you should be able to use TLS encryption and provide an ID for authentication on sending mail (SMTP). If you want to force authentication for your users just remove the RELAY lines you added to your /etc/mail/access (and restart sendmail).

Now, this will still use port 25 and not 465. I believe that is exactly what you are going to want, however there are options for the other ports:

Code:
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl


Before messing with any of that last section above (leave them commented with the leading 'dnl') I would see if everything works the way you want it prior to that point.
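To confirm what the MTA advertises after these changes, here is an added example (not code from the post) built around the `p` in confAUTH_OPTIONS, which tells sendmail to offer LOGIN/PLAIN only once the session is encrypted: it takes an EHLO reply from before STARTTLS and one from inside the TLS session and reports whether the setup behaves as intended. The live probe assumes nc and openssl on the client host and a host name you substitute; the sample replies are constructed.

```shell
# Added example, not code from the post. With "p" in confAUTH_OPTIONS sendmail
# must not offer LOGIN/PLAIN until the session is encrypted, so the plaintext
# EHLO reply should show STARTTLS and no AUTH, and the EHLO sent after STARTTLS
# should show AUTH LOGIN PLAIN. These functions check that from captured replies.

# Print the extension keywords of the EHLO reply read on stdin, one per line
# ("250-STARTTLS" is a continuation line, "250 HELP" the final line).
ehlo_keywords() {
    awk '/^250[- ]/ { sub(/^250[- ]/, ""); sub(/\r$/, ""); print $1 }'
}

# Succeed when the EHLO reply on stdin advertises the keyword given as $1.
ehlo_offers() {
    ehlo_keywords | grep -qx -- "$1"
}

# $1 = EHLO reply before STARTTLS, $2 = EHLO reply inside the TLS session.
# Prints ok, no-starttls, auth-before-tls (credentials could go out in the
# clear) or no-auth (saslauthd / TRUST_AUTH_MECH not in effect).
assess_smtp_auth() {
    if ! printf '%s\n' "$1" | ehlo_offers STARTTLS; then echo no-starttls; return 1; fi
    if   printf '%s\n' "$1" | ehlo_offers AUTH;     then echo auth-before-tls; return 1; fi
    if ! printf '%s\n' "$2" | ehlo_offers AUTH;     then echo no-auth; return 1; fi
    echo ok
}

# Live probe (assumes nc and openssl on the client host; not exercised here):
# nc captures the plaintext EHLO, s_client negotiates STARTTLS and relays our
# second EHLO inside the encrypted session. $1 = MTA host name, $2 = 25 or 587.
probe_mta() {
    plain=$(printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$1" "$2")
    tls=$(printf 'EHLO probe.example\r\nQUIT\r\n' |
          openssl s_client -quiet -connect "$1:$2" -starttls smtp 2>/dev/null)
    assess_smtp_auth "$plain" "$tls"
}

# Constructed replies showing the intended outcome (documentation names only).
demo() {
    plain='250-ddp.example Hello probe.example [192.0.2.10], pleased to meet you
250-STARTTLS
250 HELP'
    tls='250-ddp.example Hello probe.example [192.0.2.10], pleased to meet you
250-AUTH LOGIN PLAIN
250 HELP'
    assess_smtp_auth "$plain" "$tls"
}
# Usage: probe_mta <host> <port>; with no arguments the sample replies are used.
if [ $# -ge 2 ]; then probe_mta "$1" "$2"; else demo; fi
```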

Postby Basher52 » Mon Jun 18, 2007 3:46 pm

Void Main wrote:
Code:
# cd /etc/pki/tls/certs
# make sendmail.pem

What am I missing if I don't have the /etc/pki directory?


Oh, btw, is the certificate better, I mean can I use that instead of the IP address in the access file?
My sister is on ADSL and that IP address changes like every time she logs in.

Postby Void Main » Mon Jun 18, 2007 5:06 pm

Basher52 wrote:
Void Main wrote:
Code:
# cd /etc/pki/tls/certs
# make sendmail.pem

What am I missing if I don't have the /etc/pki directory?


Then you probably have a "/usr/share/ssl/certs" directory (the old path). Either that or you don't have openssl installed (type "openssl" on the command line). I'm sure you have openssl installed or your dovecot cert wouldn't have been generated. In fact you could use the same certificate that your dovecot server uses (probably something like "/usr/share/ssl/private/dovecot.pem") which would mean you would use the same cert for both send and receive.

Oh, btw, is the certificate better, I mean can I use that instead of the IP address in the access file?


A certificate is only required if you want to use encryption. You don't have to use encryption but if you are using a dynamic IP address then you'll probably want to use "authentication" (username/password) instead of adding an IP address to your access file. AND if you are going to use authentication then you really should also use encryption so your username/password that you use to authenticate with can not be sniffed.

My sister is on ADSL and that IP address changes like every time she logs in.


If you get it set up like I suggest you should be able to authenticate your smtp connection from any IP address and not be restricted to what you list in /etc/mail/access. Any address you put in there will be for unauthenticated relay addresses (you shouldn't need anything more than "localhost/127.0.0.1" in there).

Postby Basher52 » Tue Jun 19, 2007 3:31 pm

Void Main wrote:If you get it set up like I suggest you should be able to authenticate your smtp connection from any IP address and not be restricted to what you list in /etc/mail/access. Any address you put in there will be for unauthenticated relay addresses (you shouldn't need anything more than "localhost/127.0.0.1" in there).


I wonder, does this mean that any IP address will work for getting in?
But in that case anyone anywhere can try, can't they?

And I wonder, is it possible to have the public cert only transferred hand to hand and installed on the other PC manually, thus making no one at all able to log in since they don't have the key?
I may be way off here, but I still don't really get how this private/public key thing works. I'm slow and old you know :P but you don't have to explain that, I think I'll get it some day.

UPDATE: I did all these things and I can get an email out if I use
'No secure' or TLS, but not SSL.
Is that correct or is it SSL I "want"?
I always thought that TLS is better
