Hello all, I am really starting to feel quite stupid. I have no idea what the heck I'm doing wrong. I've been tweaking on this for nearing two weeks now and still can't get anything with OpenSSL to work right. I've given up on the Apache web server setup (out of frustration) and have returned to the sendmail app.
I am trying (again) to set up my sendmail server so it will relay mail only from users that I have signed a certificate for. Since last time I posted about this I have started over from the top, deleting all of my sendmail, openssl and sasl sources and re-extracting it all from the original tars, recompiling everything, and going through the config files again and again. I also deleted all of my CA stuff and regenerated everything, and installed a new .p12 I created through openssl into my client's Outlook and IE certificate store.

Here's where I'm at now... When I connect with my client and try to send mail to be relayed, the maillog shows this:

Sep 11 10:27:31 ns3 sm-mta[2078]: STARTTLS=server, relay=dann.3db2b.com [65.89.162.134] \
    (may be forged), version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Sep 11 10:27:36 ns3 sm-mta[2078]: h8BHRVOU002078: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, \
    relay=dann.3db2b.com [65.89.162.134] (may be forged), reject=550 5.7.1 <[EMAIL PROTECTED]>... \
    Relaying denied. IP name possibly forged [65.89.162.134]
Sep 11 10:27:38 ns3 sm-mta[2078]: h8BHRVOU002078: from=<[EMAIL PROTECTED]>, size=0, class=0, \
    nrcpts=0, proto=ESMTP, daemon=MTA, relay=dann.3db2b.com [65.89.162.134] (may be forged)

The issue as I understand it so far is that the first message indicates "verify=NO", which is supposed to mean that a certificate was NOT presented. Well, of course I can't use the relay-by-cert option if my email client never presents the certificate, right?

So I guess my main question is this: Is there something in my openssl/sendmail/sasl configuration that is not properly prompting Outlook to send a certificate? Or is there something in Outlook that I've not set up in order to make it submit the cert? Everything I've been able to find indicates Outlook should have no problems doing what I'm looking for.

I've also included an ssldump of the session (below), and the way I interpret this entry...

1 4 10.0192 (0.0000) S>C Handshake CertificateRequest

it actually looks as though a certificate was requested by the server? Is that correct? And then the client seems to respond with a certificate:

1 5 10.0213 (0.0021) C>S Handshake Certificate ClientKeyExchange

Am I reading all of that correctly? Or is that really the client requesting a cert from the server and the server responding? The S>C and C>S do indicate the direction of the request, right? If I am correct, how can I tell "why" the certificate is not being verified as reported by sendmail?

If anyone can offer any answers or suggestions, I would be very, very grateful.

Thank you very much,
Dann Daggett

---- Start of ssldump -------------------------------------------
New TCP connection #1: dann.3db2b.com(3161) <-> ns3.3db2b.com(25)
10.0154 (10.0154) S>C
---------------------------------------------------------------
220 ns3 ESMTP Sendmail 8.12.9/8.12.9; Thu, 11 Sep 2003 10:28:44 -0700
---------------------------------------------------------------
10.0160 (0.0005) C>S
---------------------------------------------------------------
EHLO DANNXP
---------------------------------------------------------------
10.0165 (0.0004) S>C
---------------------------------------------------------------
250-ns3 Hello dann.3db2b.com [65.89.162.134] (may be forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
---------------------------------------------------------------
10.0169 (0.0004) C>S
---------------------------------------------------------------
STARTTLS
---------------------------------------------------------------
10.0172 (0.0002) S>C
---------------------------------------------------------------
220 2.0.0 Ready to start TLS
---------------------------------------------------------------
1 1 10.0184 (0.0012) C>S Handshake
      ClientHello
        Version 3.1
        resume [32]=
          2e f1 6e 2c d9 36 2b eb 43 2e 0e 17 82 fd 4d ed
          43 9e 21 a0 b6 98 85 2c c8 2d e5 cd 30 ee 4b a6
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        compression methods
                  NULL
1 2 10.0192 (0.0007) S>C Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          e7 86 d5 12 2a a3 a7 19 66 54 48 57 bc c9 93 fe
          4c 84 08 de 0c a3 7f 6f 98 fa 52 bf 9e 81 11 88
        cipherSuite TLS_RSA_WITH_RC4_128_MD5
        compressionMethod NULL
1 3 10.0192 (0.0000) S>C Handshake
      Certificate
1 4 10.0192 (0.0000) S>C Handshake
      CertificateRequest
        certificate_types rsa_sign
        certificate_types dss_sign
        certificate_authority
          30 81 88 31 0b 30 09 06 03 55 04 06 13 02 55 53
          31 13 30 11 06 03 55 04 08 13 0a 43 61 6c 69 66
          6f 72 6e 69 61 31 12 30 10 06 03 55 04 07 13 09
          43 61 6d 61 72 69 6c 6c 6f 31 0d 30 0b 06 03 55
          04 0a 13 04 47 43 49 43 31 1e 30 1c 06 03 55 04
          03 13 15 47 43 49 43 20 52 6f 6f 74 20 43 65 72
          74 69 66 69 63 61 74 65 31 21 30 1f 06 09 2a 86
          48 86 f7 0d 01 09 01 16 12 63 65 72 74 2d 61 75
          74 68 40 67 63 69 63 2e 6f 72 67
      ServerHelloDone
1 5 10.0213 (0.0021) C>S Handshake
      Certificate
      ClientKeyExchange
1 6 10.0213 (0.0000) C>S ChangeCipherSpec
1 7 10.0213 (0.0000) C>S Handshake
1 8 10.0254 (0.0040) S>C ChangeCipherSpec
1 9 10.0254 (0.0000) S>C Handshake
1 10 10.0294 (0.0040) C>S application_data
1 11 10.0301 (0.0007) S>C application_data
1 12 10.0324 (0.0022) C>S application_data
1 13 10.0346 (0.0021) S>C application_data
1 14 10.0365 (0.0019) C>S application_data
1 15 15.0459 (5.0093) S>C application_data
1 16 18.0750 (3.0290) C>S application_data
1 18.0752 (0.0002) C>S TCP FIN
1 17 18.0753 (0.0000) S>C application_data
---- end of ssldump -------------------------------------------

--- Start of sendmail.cf data -----------------------------------
Relevant switches in my /etc/mail/sendmail.cf file

V10/Berkeley
C{E}root
C{TrustAuthMech}LOGIN PLAIN EXTERNAL
DZ8.12.9
O PrivacyOptions=goaway
O AuthMechanisms=LOGIN PLAIN DIGEST-MD5 CRAM-MD5 EXTERNAL
#O DefaultAuthInfo=/etc/mail/default-auth-info
O AuthOptions=p,y
#O AuthMaxBits
#O TLSSrvOptions
O CACertPath=/usr/local/ssl
O CACertFile=/usr/local/ssl/cacert.crt
O ServerCertFile=/usr/local/ssl/certs/mail.3db2b.com.crt
O ServerKeyFile=/usr/local/ssl/private/mail.3db2b.com.key
O ClientCertFile=/usr/local/ssl/certs/mail.3db2b.com.crt
O ClientKeyFile=/usr/local/ssl/private/mail.3db2b.com.key
--- End of sendmail.cf data -----------------------------------

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
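An added example, not part of the post above and not code from the OpenSSL or sendmail projects. The bytes that ssldump prints after "certificate_authority" in the CertificateRequest are the DER-encoded X.501 Name of the CA the server will accept client certificates from; ssldump shows them raw. The script below decodes that Name with a minimal DER parser (enough for the SEQUENCE OF SET OF SEQUENCE {OID, string} structure of a Name) so the client certificate's issuer can be compared against it, and it also reads the per-record summary lines, treating S>C as server-to-client and C>S as client-to-server, to confirm that the server sent CertificateRequest and the client answered with a Certificate record. The hex is copied from the dump above; the short ssldump excerpt embedded in the script is a constructed copy of a few of its summary lines. One caveat a practitioner would want here: TLS 1.0 (RFC 2246, section 7.4.6) has a client that holds no certificate chaining to one of the advertised CAs answer the CertificateRequest with a Certificate message containing no certificates, and ssldump labels that record "Certificate" just the same, so the summary alone cannot tell an empty answer from a real one; the decoded issuer comparison is what distinguishes them.

```python
"""Decode the acceptable-CA Name from an ssldump CertificateRequest and
summarise the handshake direction/message lines.  Added example; the
ssldump excerpt below is a constructed copy of lines from the captured dump."""

import re

# certificate_authority bytes as printed by ssldump in the CertificateRequest.
CA_DN_HEX = """
30 81 88 31 0b 30 09 06 03 55 04 06 13 02 55 53
31 13 30 11 06 03 55 04 08 13 0a 43 61 6c 69 66
6f 72 6e 69 61 31 12 30 10 06 03 55 04 07 13 09
43 61 6d 61 72 69 6c 6c 6f 31 0d 30 0b 06 03 55
04 0a 13 04 47 43 49 43 31 1e 30 1c 06 03 55 04
03 13 15 47 43 49 43 20 52 6f 6f 74 20 43 65 72
74 69 66 69 63 61 74 65 31 21 30 1f 06 09 2a 86
48 86 f7 0d 01 09 01 16 12 63 65 72 74 2d 61 75
74 68 40 67 63 69 63 2e 6f 72 67
"""

# Constructed excerpt: record summary lines in ssldump's format.
SSLDUMP_EXCERPT = """\
1 1 10.0184 (0.0012) C>S Handshake ClientHello
1 2 10.0192 (0.0007) S>C Handshake ServerHello
1 3 10.0192 (0.0000) S>C Handshake Certificate
1 4 10.0192 (0.0000) S>C Handshake CertificateRequest
1 5 10.0213 (0.0021) C>S Handshake Certificate ClientKeyExchange
1 6 10.0213 (0.0000) C>S ChangeCipherSpec
1 8 10.0254 (0.0040) S>C ChangeCipherSpec
"""

# Attribute-type OIDs that appear in typical issuer/subject names.
OID_NAMES = {
    "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "emailAddress",
}


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _oid(value):
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)      # base-128, high bit set on continuation bytes
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Decode an X.501 Name into [(attribute, value), ...] in wire order."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn_set, pos = _tlv(seq, pos)          # RelativeDistinguishedName (SET)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _tlv(rdn_set, 0)                # AttributeTypeAndValue (SEQUENCE)
        _, oid_bytes, p = _tlv(atv, 0)              # OID
        _, val, _ = _tlv(atv, p)                    # PrintableString / IA5String / UTF8String
        rdns.append((OID_NAMES.get(_oid(oid_bytes), _oid(oid_bytes)), val.decode("utf-8")))
    return rdns


def dn_string(der_hex):
    """Render a hex-encoded Name the way openssl prints an issuer/subject."""
    return ", ".join(f"{k}={v}" for k, v in decode_name(bytes.fromhex(der_hex)))


# "<conn> <record> <time> (<delta>) <dir> <content type> [handshake messages...]"
LINE_RE = re.compile(r"^\d+\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(.*)$")


def handshake_summary(dump):
    """Return [(direction, [message, ...])] for each record summary line."""
    out = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        direction, rest = m.groups()
        msgs = rest.split()
        if msgs and msgs[0] == "Handshake":
            msgs = msgs[1:]
        out.append((direction, msgs))
    return out


def client_cert_exchange(dump):
    """(server sent CertificateRequest?, client sent a Certificate record?)."""
    records = handshake_summary(dump)
    requested = any(d == "S>C" and "CertificateRequest" in m for d, m in records)
    answered = any(d == "C>S" and "Certificate" in m for d, m in records)
    return requested, answered


if __name__ == "__main__":
    print("server accepts client certs issued by:", dn_string(CA_DN_HEX))
    print("CertificateRequest sent / Certificate answered:", client_cert_exchange(SSLDUMP_EXCERPT))
```

To finish the check, print the issuer of the certificate installed in Outlook with `openssl x509 -in client.crt -noout -issuer` and compare it, attribute by attribute, with the decoded name; a client certificate whose issuer is not one of the advertised names is exactly the case in which a client may send an empty Certificate message, which would match the server logging verify=NO rather than verify=FAIL. Whether that is what happened here is something the dump alone does not show.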