Bug 716628

Summary: STARTTLS in sendmail-8.14.5-1.fc15.i686 with mail.gmx.net does not work anymore
Product: [Fedora] Fedora
Reporter: Michael Weidner <micha>
Component: sendmail
Assignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 15
CC: david, jskarvad, mlichvar, paulegan, piergiorgio.sartor
Hardware: i686
OS: Linux
Fixed In Version: sendmail-8.14.5-2.fc15.2
Doc Type: Bug Fix
Last Closed: 2011-11-25 02:15:00 UTC
Attachments:
Logfile sendmail-8.14.4-20.fc15.i686 (working)
Logfilesendmail-8.14.5-1.fc15.i686 (not working)

Description Michael Weidner 2011-06-25 19:11:24 UTC
In sendmail-8.14.5-1.fc15.i686, STARTTLS with mail.gmx.net does not work anymore; downgrading to sendmail-8.14.4-20.fc15.i686 fixes the problem.

Logfile output (Log-Level 14) with sendmail-8.14.5-1.fc15.i686:

--------------------------------------------------
Jun 25 19:51:38 han sendmail[25841]: STARTTLS=client, init=1
Jun 25 19:51:39 han sendmail[25842]: p5PHp9DO025823: SMTP outgoing connect on p5B25EC6A.dip.t-dialin.net
Jun 25 19:51:39 han sendmail[25842]: STARTTLS=client, start=ok
Jun 25 19:51:39 han sendmail[25842]: STARTTLS: x509 cert verify: depth=0 /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=mail.gmx.net, state=0, reason=unable to get local issuer certificate
Jun 25 19:51:39 han sendmail[25842]: STARTTLS: TLS cert verify: depth=0 /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=mail.gmx.net, state=0, reason=unable to get local issuer certificate
Jun 25 19:51:39 han sendmail[25842]: STARTTLS=client, relay=mail.gmx.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jun 25 19:51:39 han sendmail[25842]: STARTTLS=client, cert-subject=/C=DE/ST=Bayern/L=Munich/O=GMX+20GmbH/CN=mail.gmx.net, cert-issuer=/C=ZA/ST=Western+20Cape/L=Cape+20Town/O=Thawte+20Consulting+20cc/OU=Certification+20Services+20Division/CN=Thawte+20Premium+20Server+20CA/emailAddress=premium-server, verifymsg=unable to get local issuer certificate
Jun 25 19:51:40 han sendmail[25842]: p5PHp9DO025823: to=<user>, delay=00:00:31, xdelay=00:00:02, mailer=relay, pri=120410, relay=mail.gmx.net. [213.165.64.21], dsn=5.0.0, stat=Service unavailable
Jun 25 19:51:40 han sendmail[25842]: p5PHp9DO025823: p5PHpcpp025842: DSN: Service unavailable
Jun 25 19:51:40 han sendmail[25842]: p5PHpcpp025842: done; delay=00:00:00, ntries=1
Jun 25 19:51:40 han sendmail[25842]: STARTTLS=client, SSL_shutdown failed: -1
--------------------------------------------------


And with sendmail-8.14.4-20.fc15.i686:

--------------------------------------------------
Jun 25 20:25:06 han sendmail[27768]: STARTTLS=client, init=1
Jun 25 20:25:06 han sendmail[27769]: p5PIP3eI027734: SMTP outgoing connect on p5B25EC6A.dip.t-dialin.net
Jun 25 20:25:07 han sendmail[27769]: STARTTLS=client, start=ok
Jun 25 20:25:07 han sendmail[27769]: STARTTLS: x509 cert verify: depth=0 /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=mail.gmx.net, state=0, reason=unable to get local issuer certificate
Jun 25 20:25:07 han sendmail[27769]: STARTTLS: TLS cert verify: depth=0 /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=mail.gmx.net, state=0, reason=unable to get local issuer certificate
Jun 25 20:25:07 han sendmail[27769]: STARTTLS=client, relay=mail.gmx.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jun 25 20:25:07 han sendmail[27769]: STARTTLS=client, cert-subject=/C=DE/ST=Bayern/L=Munich/O=GMX+20GmbH/CN=mail.gmx.net, cert-issuer=/C=ZA/ST=Western+20Cape/L=Cape+20Town/O=Thawte+20Consulting+20cc/OU=Certification+20Services+20Division/CN=Thawte+20Premium+20Server+20CA/emailAddress=premium-server, verifymsg=unable to get local issuer certificate
Jun 25 20:25:07 han sendmail[27769]: AUTH=client, relay=mail.gmx.net., mech=PLAIN, bits=0
Jun 25 20:25:08 han sendmail[27769]: p5PIP3eI027734: to=<user>, delay=00:00:04, xdelay=00:00:02, mailer=relay, pri=120392, relay=mail.gmx.net. [213.165.64.20], dsn=2.0.0, stat=Sent (Message accepted {mp066})
Jun 25 20:25:08 han sendmail[27769]: p5PIP3eI027734: done; delay=00:00:04, ntries=1
Jun 25 20:25:08 han sendmail[27769]: STARTTLS=client, SSL_shutdown failed: -1
--------------------------------------------------

I also tried another SMTP server at a different provider; this one works with both versions, and the log file is the same for both versions there:

--------------------------------------------------
Jun 25 19:54:10 han sendmail[25978]: STARTTLS=client, init=1
Jun 25 19:54:11 han sendmail[25979]: p5PHs7m3025968: SMTP outgoing connect on p5B25EC6A.dip.t-dialin.net
Jun 25 19:54:11 han sendmail[25979]: STARTTLS=client, start=ok
Jun 25 19:54:11 han sendmail[25979]: STARTTLS: x509 cert verify: depth=0 /C=DE/O=smtprelaypool.ispgateway.de/OU=2726761688/OU=See www.geotrust.com/resources/cps (c)09/OU=Domain Control Validated - QuickSSL Premium(R)/CN=smtprelaypool.ispgateway.de, state=0, reason=unable to get local issuer certificate
Jun 25 19:54:11 han sendmail[25979]: STARTTLS: TLS cert verify: depth=0 /C=DE/O=smtprelaypool.ispgateway.de/OU=2726761688/OU=See www.geotrust.com/resources/cps (c)09/OU=Domain Control Validated - QuickSSL Premium(R)/CN=smtprelaypool.ispgateway.de, state=0, reason=unable to get local issuer certificate
Jun 25 19:54:11 han sendmail[25979]: STARTTLS=client, relay=smtprelaypool.ispgateway.de, field=cn_issuer, status=failed to extract CN
Jun 25 19:54:11 han sendmail[25979]: STARTTLS=client, relay=smtprelaypool.ispgateway.de, version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Jun 25 19:54:11 han sendmail[25979]: STARTTLS=client, cert-subject=/C=DE/O=smtprelaypool.ispgateway.de/OU=2726761688/OU=See+20www.geotrust.com/resources/cps+20+28c+2909/OU=Domain+20Control+20Validated+20-+20QuickSSL+20Premium+28R+29/CN=smtprelaypool.ispgateway.de, cert-issuer=/C=US/O=Equifax/OU=Equifax+20Secure+20Certificate+20Authority, verifymsg=unable to get local issuer certificate
Jun 25 19:54:11 han sendmail[25979]: AUTH=client, relay=smtprelaypool.ispgateway.de, mech=PLAIN, bits=0
Jun 25 19:54:12 han sendmail[25979]: p5PHs7m3025968: to=<user>, delay=00:00:04, xdelay=00:00:02, mailer=relay, pri=120421, relay=smtprelaypool.ispgateway.de [80.67.29.4], dsn=2.0.0, stat=Sent (OK id=1QaX3b-0001uu-V4)
Jun 25 19:54:12 han sendmail[25979]: p5PHs7m3025968: done; delay=00:00:04, ntries=1
Jun 25 19:54:12 han sendmail[25979]: STARTTLS=client, SSL_shutdown failed: -1
--------------------------------------------------
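
The two mail.gmx.net sessions in the description negotiate the same TLS parameters and differ only afterwards: the working one logs `AUTH=client` and `dsn=2.0.0`, the failing one logs no AUTH line and `dsn=5.0.0`. The script below is an added example (not part of the bug report or of sendmail) that groups sendmail log lines per process and labels that difference; it also flags PLAIN/LOGIN credentials sent over a session logged with `verify=FAIL`. The sample lines are abridged from the logs above, and the label names and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Abridged from the two mail.gmx.net sessions quoted in this report
# (certificate subject and issuer shortened for readability).
SAMPLE_LOG = """\
Jun 25 19:51:39 han sendmail[25842]: STARTTLS=client, start=ok
Jun 25 19:51:39 han sendmail[25842]: STARTTLS=client, relay=mail.gmx.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jun 25 19:51:39 han sendmail[25842]: STARTTLS=client, cert-subject=/CN=mail.gmx.net, cert-issuer=/CN=Thawte+20Premium+20Server+20CA, verifymsg=unable to get local issuer certificate
Jun 25 19:51:40 han sendmail[25842]: p5PHp9DO025823: to=<user>, delay=00:00:31, xdelay=00:00:02, mailer=relay, pri=120410, relay=mail.gmx.net. [213.165.64.21], dsn=5.0.0, stat=Service unavailable
Jun 25 20:25:07 han sendmail[27769]: STARTTLS=client, start=ok
Jun 25 20:25:07 han sendmail[27769]: STARTTLS=client, relay=mail.gmx.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jun 25 20:25:07 han sendmail[27769]: STARTTLS=client, cert-subject=/CN=mail.gmx.net, cert-issuer=/CN=Thawte+20Premium+20Server+20CA, verifymsg=unable to get local issuer certificate
Jun 25 20:25:07 han sendmail[27769]: AUTH=client, relay=mail.gmx.net., mech=PLAIN, bits=0
Jun 25 20:25:08 han sendmail[27769]: p5PIP3eI027734: to=<user>, delay=00:00:04, xdelay=00:00:02, mailer=relay, pri=120392, relay=mail.gmx.net. [213.165.64.20], dsn=2.0.0, stat=Sent (Message accepted {mp066})
"""

# syslog prefix: "Mon DD HH:MM:SS host sendmail[pid]: message"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\ssendmail\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)


@dataclass
class Session:
    """What one sendmail delivery process logged about its outbound connection."""
    host: str
    pid: int
    relay: Optional[str] = None
    tls_version: Optional[str] = None
    verify: Optional[str] = None
    verifymsg: Optional[str] = None
    auth_mech: Optional[str] = None
    dsn: Optional[str] = None
    stat: Optional[str] = None


def _grab(pattern: str, msg: str) -> Optional[str]:
    m = re.search(pattern, msg)
    return m.group(1) if m else None


def parse_sessions(text: str) -> List[Session]:
    """Group lines by (host, pid). Simplification: one relay connection per process."""
    sessions: Dict[Tuple[str, int], Session] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail syslog line
        key = (m["host"], int(m["pid"]))
        s = sessions.setdefault(key, Session(*key))
        msg = m["msg"]
        if msg.startswith("STARTTLS=client") and "version=" in msg:
            s.relay = _grab(r"relay=([^,\s]+)", msg)
            s.tls_version = _grab(r"version=([^,\s]+)", msg)
            s.verify = _grab(r"\bverify=(\w+)", msg)
        elif msg.startswith("STARTTLS=client") and "verifymsg=" in msg:
            s.verifymsg = _grab(r"verifymsg=(.*)$", msg)
        elif msg.startswith("AUTH=client"):
            s.auth_mech = _grab(r"mech=([^,\s]+)", msg)
        elif " to=" in msg and "dsn=" in msg:
            s.dsn = _grab(r"dsn=(\d\.\d+\.\d+)", msg)
            s.stat = _grab(r"stat=(.*)$", msg)
    return list(sessions.values())


def classify(s: Session) -> str:
    """Label the session outcome (label names are this example's own)."""
    if s.tls_version is None:
        return "no-tls"
    if s.dsn and s.dsn.startswith("5") and s.auth_mech is None:
        # Handshake finished, but the client never authenticated and was refused.
        return "tls-up-no-auth-rejected"
    if s.dsn and s.dsn.startswith("2"):
        return "delivered" if s.verify == "OK" else "delivered-unverified-peer"
    return "other"


def plaintext_auth_to_unverified_peer(s: Session) -> bool:
    """True when PLAIN/LOGIN credentials were sent over TLS whose cert check failed."""
    return s.auth_mech in ("PLAIN", "LOGIN") and s.verify != "OK"


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(s.pid, s.relay, s.dsn, classify(s),
              "plaintext-auth-unverified" if plaintext_auth_to_unverified_peer(s) else "")
```
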

Comment 1 David McCall 2011-07-19 01:45:37 UTC
on RHEL - Linux myserver 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:15 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux......
upgraded sendmail from:

Version 8.13.8
 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
                MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
                NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
                TCPWRAPPERS USERDB USE_LDAP_INIT

to:

Version 8.14.4
 Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2 SCANF
                STARTTLS TCPWRAPPERS USERDB XDEBUG
==================================================================
getting lots of these:

Jul 18 18:30:03 myserver sendmail[19618]: p6J1U21m019616: done; delay=00:00:01, ntries=1
Jul 18 18:30:03 myserver sendmail[19642]: p6J1U2eI019640: done; delay=00:00:00, ntries=1
Jul 18 18:30:03 universe sendmail[19626]: p6J1U2gt019624: to=<blah>, ctladdr=<me> (1000/1000), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=233772, relay=gmail-smtp-in.l.google.com. [209.85.225.27], dsn=2.0.0, stat=Sent (OK 1311039003 vg10si13266176icb.120)
Jul 18 18:30:03 myserver sendmail[19626]: p6J1U2gt019624: done; delay=00:00:01, ntries=1
Jul 18 18:30:03 myserver sendmail[19630]: p6J1U25K019628: to=<blah>, ctladdr=<me> (1000/1000), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=232724, relay=gmail-smtp-in.l.google.com. [209.85.225.27], dsn=2.0.0, stat=Sent (OK 1311039003 k6si5795841ibl.32)
Jul 18 18:30:03 myserver sendmail[19630]: p6J1U25K019628: done; delay=00:00:01, ntries=1
Jul 18 18:30:03 myserver sendmail[19626]: STARTTLS=client, SSL_shutdown failed: -1
Jul 18 18:30:03 myserver sendmail[19630]: STARTTLS=client, SSL_shutdown failed: -1
Jul 18 18:30:04 universe sendmail[19650]: STARTTLS=client, SSL_shutdown failed: -1

Is this the same problem as above?  I've never seen these before.  I did make new certs after the upgrade also.  (Do I need any more information?)

-dmc

Comment 2 David McCall 2011-07-19 01:58:05 UTC
oops, didn't mean to cancel need info.......

ps: the errors above don't seem to block any emails from being sent or received.

dmc

Comment 4 David McCall 2011-07-19 23:52:39 UTC
something else is odd:

/root # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 universe.sonoma.edu ESMTP Sendmail 8.14.4/8.13.8; Tue, 19 Jul 2011 16:44:32 -0700
ehlo localhost
250-myserver.mylocation.edu Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
quit

notice the absence of STARTTLS

================================================================================

log entry:
Jul 19 16:44:15 myserver sendmail[2910]: starting daemon (8.14.4): SMTP+queueing@01:00:00
Jul 19 16:44:15 myserver sm-msp-queue[2918]: starting daemon (8.14.4): queueing@01:00:00
Jul 19 16:44:16 myserver sendmail[2910]: STARTTLS=server, Diffie-Hellman init, key=1024 bit (1)
Jul 19 16:44:16 myserver sendmail[2910]: STARTTLS=server, init=1
Jul 19 16:44:16 myserver sendmail[2910]: started as: /usr/sbin/sendmail -bd -q1h

Jul 19 16:44:32 myserver sendmail[2960]: NOQUEUE: connect from localhost.localdomain [127.0.0.1]
Jul 19 16:44:32 myserver sendmail[2960]: AUTH: available mech=LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Jul 19 16:44:32 myserver sendmail[2960]: p6JNiW5g002960: Milter: no active filter
Jul 19 16:44:32 myserver sendmail[2960]: p6JNiW5g002960: --- 220 myserver.mylocation.edu ESMTP Sendmail 8.14.4/8.13.8; Tue, 19 Jul 2011 16:44:32 -0700
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: <-- ehlo localhost
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-myserver.mylocation.edu Hello localhost.localdomain [127.0.0.1], pleased to meet you
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-ENHANCEDSTATUSCODES
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-PIPELINING
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-8BITMIME
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-SIZE
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-DSN
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-ETRN
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-AUTH LOGIN PLAIN
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-DELIVERBY
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250 HELP

Comment 5 Jaroslav Škarvada 2011-07-20 09:01:19 UTC
(In reply to comment #4)
I cannot reproduce:
...
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250-HELP

I used:
sendmail-8.14.5-1.fc15.x86_64
sendmail-cf-8.14.5-1.fc15.noarch

I will retest with the i686 later.

I used the default sendmail.mc with the following addition:

define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

I generated the sendmail.pem by:
# cd /etc/pki/tls/certs
# make sendmail.pem
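
The EHLO replies pasted in comments 4 and 5 can be compared mechanically. The script below is an added example (not from the bug report or from sendmail) that parses a multi-line 250 reply into its advertised extensions and reports two conditions: STARTTLS missing, and PLAIN/LOGIN offered on the cleartext connection. The finding names, function names and the `has_greeting` parameter are assumptions of this example; comment 5's paste elides the greeting line, so it is parsed with `has_greeting=False`.

```python
import re
from typing import Dict, List

# EHLO reply as pasted in comment 4 (greeting line included).
EHLO_COMMENT_4 = """\
250-myserver.mylocation.edu Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
"""

# EHLO reply as pasted in comment 5 (greeting elided there with "...").
EHLO_COMMENT_5 = """\
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250-HELP
"""

# SMTP reply line: 3-digit code, "-" for continuation or " " for the last line.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

# SASL mechanisms that put the password on the wire in recoverable form.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(text: str, has_greeting: bool = True) -> Dict[str, List[str]]:
    """Return {EXTENSION: [parameters]} from a 250 EHLO reply."""
    exts: Dict[str, List[str]] = {}
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        m = REPLY_RE.match(line)
        if not m:
            raise ValueError("not an SMTP reply line: %r" % line)
        code, sep, rest = m.groups()
        if code != "250":
            raise ValueError("EHLO was not accepted: %r" % line)
        if i == 0 and has_greeting:
            continue  # first line is "domain greeting", not an extension
        words = rest.split()
        if words:
            exts[words[0].upper()] = [w.upper() for w in words[1:]]
        if sep == " ":
            break  # "250 " marks the final line of the reply
    return exts


def audit(exts: Dict[str, List[str]]) -> List[str]:
    """Findings for a reply received before any TLS handshake."""
    findings = []
    if "STARTTLS" not in exts:
        # Clients cannot upgrade the connection at all.
        findings.append("no-starttls")
    if PLAINTEXT_MECHS & set(exts.get("AUTH", [])):
        # Passwords can be submitted in cleartext. The sendmail.mc comments on
        # this page describe the `p` flag in confAUTH_OPTIONS as disallowing
        # PLAIN/LOGIN on non-TLS links.
        findings.append("plaintext-auth-before-tls")
    return findings


if __name__ == "__main__":
    print("comment 4:", audit(parse_ehlo(EHLO_COMMENT_4)))
    print("comment 5:", audit(parse_ehlo(EHLO_COMMENT_5, has_greeting=False)))
```
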

Comment 6 Jaroslav Škarvada 2011-07-20 09:10:45 UTC
Maybe there is something wrong with our openssl? Try to verify by:
# rpm -qV openssl
# rpm -qV sendmail

Comment 7 David McCall 2011-07-20 09:25:23 UTC
I was thinking the same so I punted from 1.0.0d, back to OpenSSL 0.9.8r 8 Feb 2011.  Then I redid the certs.  

here's my sendmail.mc

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`Cosmos Mailer Appliance')dnl
OSTYPE(`linux')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl # define(`SMART_HOST',`smtp.your.provider')
dnl #
define(`confDEF_USER_ID',``8:14'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p y')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
define(`confCACERT_PATH',`/etc/ssl/certs')dnl
define(`confCACERT',`/etc/ssl/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT',`/etc/ssl/certs/server.pem')dnl
define(`confSERVER_KEY',`/etc/ssl/certs/server.pem')dnl
define(`confCLIENT_CERT',`/etc/ssl/certs/server.pem')dnl
define(`confCLIENT_KEY',`/etc/ssl/certs/server.pem')dnl
define(`confCRL',`/etc/ssl/certs/revoke.crl')dnl
define(`confLOG_LEVEL', `12')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
define(`confQUEUE_LA', `18')dnl
define(`confREFUSE_LA', `24')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`relay_hosts_only')dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 12.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
#dnl FEATURE(`accept_unresolvable_domains')dnl
dnl #
#dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
MASQUERADE_AS(`universe.sonoma.edu')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
FEATURE(masquerade_envelope)dnl
FEATURE(allmasquerade)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(mydomainalias.com)dnl
MASQUERADE_DOMAIN(mydomain.lan)dnl
dnl #INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter.sock, F=T, T=S:4m;R:4m')
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
FEATURE(`dnsbl',`sbl.spamhaus.org',`Rejected - see http://www.spamhaus.org')dnl
FEATURE(`dnsbl',`dob.sibl.support-intelligence.net',`Rejected - see http://support-intelligence.com/day-old-bread.html ')dnl
FEATURE(`dnsbl',`combined.njabl.org',`Message from $&{client_addr} rejected - see http://njabl.org/lookup?$&{client_addr}')dnl
FEATURE(`dnsbl',`rhsbl.ahbl.org',`Rejected - see http://www.ahbl.org ')dnl
dnl #FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in dnsbl.sorbs.net"')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl


also forgot to mention I'm getting the errors with the STARTTLS-client only,
and it's not on every smtp server, but only about 1/3 of them............

Comment 8 Michael Weidner 2011-07-20 09:41:21 UTC
[root@han ~]# rpm -qV openssl  

[root@han ~]# rpm -qV sendmail 
5S.T.....  c /etc/mail/Makefile
5S.T.....  c /etc/mail/access
5S.T.....  c /etc/mail/local-host-names
5S.T.....  c /etc/mail/sendmail.cf
5S.T.....  c /etc/mail/sendmail.mc
5S.T.....  c /etc/mail/submit.cf
5S.T.....  c /etc/mail/submit.mc
5S.T.....  c /etc/mail/trusted-users
5S.T.....  c /etc/mail/virtusertable
5S.T.....  c /etc/sysconfig/sendmail


Here is my sendmail.mc:

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Do not advertize sendmail version.
dnl #
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
define(`confLOG_LEVEL', `10')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
define(`SMART_HOST', `smtp.micha-steffi.de')dnl
dnl #
define(`confDEF_USER_ID', ``8:14'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTO_IDENT', `0')dnl
define(`confTO_COMMAND', `2m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`QUEUE_DIR', `/var/tmp/mqueue')dnl
define(`UUCP_MAILER_MAX', `50000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `novrfy,noexpn,restrictqrun')dnl
define(`confMAX_MESSAGE_SIZE',`50000000')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl # 
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH. 
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /etc/pki/tls/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /etc/pki/tls/certs usage
dnl #
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/client.cert')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/client.key')dnl
define(`confCRL', `/etc/pki/tls/certs/revoke.crl')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept 
dnl # incoming messages or process its message queues to 20.) sendmail refuses 
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead 
dnl # incurred due to forking new sendmail processes. May be useful against 
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address 
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
define(`confLOCAL_MAILER', `cyrusv2')dnl
define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl # 
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl # 
LOCAL_DOMAIN(`localhost.localdomain')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupWritableForwardFile')dnl
FEATURE(`authinfo',`hash /etc/mail/authinfo')dnl
FEATURE(`smarttable')dnl
LDAPROUTE_DOMAIN(`gmx.de')dnl
LDAPROUTE_DOMAIN(`micha-steffi.de')dnl
LDAPROUTE_DOMAIN(`t-online.de')dnl
LDAPROUTE_DOMAIN(`bigfoot.com')dnl
FEATURE(`ldap_routing',`null', `hash /etc/mail/mail_routing.db', `passthru')dnl
MAILER(smtp)dnl
dnl MAILER(procmail)dnl
MAILER(cyrusv2)dnl


And my submit.mc:

divert(-1)
#
# Copyright (c) 2001-2003 Sendmail, Inc. and its suppliers.
#       All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

#
#  This is the prototype file for a set-group-ID sm-msp sendmail that
#  acts as a initial mail submission program.
#

divert(0)dnl
sinclude(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`linux setup')dnl
define(`confCF_VERSION', `Submit')dnl
define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
define(`confTIME_ZONE', `USE_TZ')dnl
define(`confDONT_INIT_GROUPS', `True')dnl
define(`confPID_FILE', `/var/run/sm-client.pid')dnl
define(`STATUS_FILE', `/var/tmp/clientmqueue/sm-client.st')dnl
define(`MSP_QUEUE_DIR', `/var/tmp/clientmqueue')dnl
dnl define(`confDIRECT_SUBMISSION_MODIFIERS',`C')dnl
FEATURE(`use_ct_file')dnl
dnl
dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]
FEATURE(`msp', `[127.0.0.1]')dnl

My error only occurs on mail.gmx.net with STARTTLS-client; without STARTTLS, mail.gmx.net works. Other SMTP servers (I tried two others) also work with STARTTLS.

I also recreated the certs; no change, the error is still there.

The only solution at the moment is to downgrade to sendmail-8.14.4-20.fc15.i686; then it works again with everything else unchanged.

Comment 9 Jaroslav Škarvada 2011-07-20 16:24:33 UTC
Michael, could you provide your maillog? I checked both configs on an i686 machine and I still have STARTTLS on the server. Unfortunately I am unable to get an SMTP account on mail.gmx.net (I am not a resident of Germany), so I cannot test the client.

Comment 10 Michael Weidner 2011-07-20 17:07:03 UTC
Created attachment 514061
Logfile sendmail-8.14.4-20.fc15.i686 (working)

Requested Logfile

Comment 11 Michael Weidner 2011-07-20 17:07:54 UTC
Created attachment 514062
Logfilesendmail-8.14.5-1.fc15.i686 (not working)

Requested Logfile

Comment 12 Michael Weidner 2011-07-20 17:09:18 UTC
Both attached logfiles were created with the same client and the same mail, with Loglevel 99.

Comment 13 David McCall 2011-07-20 17:28:51 UTC
Jul 20 08:05:59 myserver sendmail[24189]: p6KF5xTe024187: SMTP outgoing connect on universe
Jul 20 08:05:59 myserver sendmail[24189]: STARTTLS=client, init=1
Jul 20 08:06:00 myserver sendmail[24189]: STARTTLS=client, start=ok
Jul 20 08:06:00 myserver sendmail[24189]: STARTTLS=client, info: fds=11/10, err=2
Jul 20 08:06:00 myserver last message repeated 8 times
Jul 20 08:06:00 myserver sendmail[24189]: STARTTLS: x509 cert verify: depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Forefront Online Protection for Exchange/CN=mail.global.frontbridge.com/emailAddress=support, state=0, reason=unable to get certificate CRL
Jul 20 08:06:00 myserver sendmail[24189]: STARTTLS: x509 cert verify: depth=1 /DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority, state=0, reason=unable to get certificate CRL
Jul 20 08:06:00 myserver sendmail[24189]: STARTTLS: x509 cert verify: depth=2 /CN=Microsoft Internet Authority, state=0, reason=unable to get certificate CRL
Jul 20 08:06:00 myserver sendmail[24189]: STARTTLS: x509 cert verify: depth=3 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root, state=0, reason=unable to get certificate CRL
Jul 20 08:06:00 myserver sendmail[24189]: STARTTLS: internal error: tls_verify_cb: ssl == NULL
Jul 20 08:06:00 myserver sendmail[24189]: STARTTLS=client, info: fds=11/10, err=2
Jul 20 08:06:01 myserver sendmail[24189]: STARTTLS=client, get_verify: 0 get_peer: 0xa5e7630
Jul 20 08:06:01 myserver sendmail[24189]: STARTTLS=client, relay=mail.messaging.microsoft.com., version=TLSv1/SSLv3, verify=OK, cipher=AES128-SHA, bits=128/128
Jul 20 08:06:01 myserver sendmail[24189]: STARTTLS=client, cert-subject=/C=US/ST=Washington/L=Redmond/O=Microsoft+20Corporation/OU=Forefront+20Online+20Protection+20for+20Exchange/CN=mail.global.frontbridge.com/emailAddress=support, cert-issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft+20Secure+20Server+20Authority, verifymsg=ok
Jul 20 08:06:01 myserver sendmail[24189]: STARTTLS=read, info: fds=11/10, err=2
Jul 20 08:06:01 myserver last message repeated 3 times
Jul 20 08:06:01 myserver sendmail[24187]: p6KF5xTf024187: <-- QUIT
Jul 20 08:06:01 myserver sendmail[24187]: p6KF5xTf024187: --- 221 2.0.0 myserver.mylocation.edu closing connection
Jul 20 08:06:02 myserver sendmail[24189]: p6KF5xTe024187: to=<yilen.gomez>, ctladdr=<myname.edu> (1000/1000), delay=00:00:03, xdelay=00:00:03, mailer=esmtp, pri=128822, relay=mail.messaging.microsoft.com. [94.245.120.86], dsn=2.0.0, stat=Sent (<002b01cc46ee$88e2afa0$9aa80ee0$@myserver.mylocation.edu> [InternalId=1696492] Queued mail for delivery)
Jul 20 08:06:02 myserver sendmail[24189]: p6KF5xTe024187: done; delay=00:00:03, ntries=1
Jul 20 08:06:02 myserver sendmail[24189]: STARTTLS=read, info: fds=11/10, err=2
Jul 20 08:06:02 myserver sendmail[24189]: STARTTLS=client, SSL_shutdown failed: -1


===============================================================================

openssl test on port:
/etc/mail # openssl s_client -crlf -connect localhost:465
CONNECTED(00000003)
depth & verify info here

Server certificate - With a bunch of lines missing......
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
SSL handshake has read 16030 bytes and written 337 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
C76CFE17AB7306582A1589A0092703CBCE648FBC4C8BA5A49217711AF364C544
    Session-ID-ctx:
    Master-Key:
EE48DA1A6DCD56DB1D07EF917187A6A0989907DED85999A7B2A9232708AF77FC9C38DC1F8C3BF8D0F5E4187DB37A0134
    Key-Arg   : None
    Start Time: 1311178917
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 myserver.mylocation.edu ESMTP Sendmail 8.14.5/8.13.8; Wed, 20 Jul 2011
09:21:57 -0700
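
The logs posted in this report are compared by eye; as an added example (not part of the original report and not sendmail code), the Python sketch below groups STARTTLS syslog lines per sendmail process and pairs each handshake result with the certificate verify reasons logged before it. The sample lines are constructed in the format shown above with placeholder hosts and subjects, and the names `summarize` and `not_verified` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format shown in this report
# (hostnames and certificate subjects are placeholders, not the attached logs).
SAMPLE = """\
Jun 25 19:51:39 han sendmail[25842]: STARTTLS=client, start=ok
Jun 25 19:51:39 han sendmail[25842]: STARTTLS: x509 cert verify: depth=0 /C=DE/O=Example GmbH/CN=mail.example.net, state=0, reason=unable to get local issuer certificate
Jun 25 19:51:39 han sendmail[25842]: STARTTLS: TLS cert verify: depth=0 /C=DE/O=Example GmbH/CN=mail.example.net, state=0, reason=unable to get local issuer certificate
Jun 25 19:51:39 han sendmail[25842]: STARTTLS=client, relay=mail.example.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 20 08:06:00 myserver sendmail[24189]: STARTTLS: x509 cert verify: depth=1 /O=Example Solutions, Inc./CN=Example CA, state=0, reason=unable to get certificate CRL
Jul 20 08:06:01 myserver sendmail[24189]: STARTTLS=client, relay=mx.example.com., version=TLSv1/SSLv3, verify=OK, cipher=AES128-SHA, bits=128/128
Jul 20 08:06:02 myserver sendmail[24189]: STARTTLS=client, SSL_shutdown failed: -1
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) sendmail\[(\d+)\]: (STARTTLS.*)$")
# The subject DN may itself contain ", " so anchor on the trailing fields.
VERIFY_CB = re.compile(r"^STARTTLS: \w+ cert verify: depth=(\d+) .*, state=\d+, reason=(.+)$")


def summarize(log_text):
    """Return one record per completed handshake, in log order."""
    pending = defaultdict(set)   # (host, pid) -> {(depth, reason)} seen so far
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue             # non-STARTTLS or wrapped continuation line
        host, pid, msg = m.groups()
        cb = VERIFY_CB.match(msg)
        if cb:
            pending[(host, pid)].add((int(cb.group(1)), cb.group(2)))
            continue
        fields = dict(p.split("=", 1) for p in msg.split(", ") if "=" in p)
        if "relay" in fields and "verify" in fields:
            records.append({
                "host": host, "pid": int(pid), "role": fields["STARTTLS"],
                "relay": fields["relay"].rstrip("."),
                "verify": fields["verify"], "cipher": fields["cipher"],
                "callback_errors": sorted(pending.pop((host, pid), set())),
            })
    return records


def not_verified(records):
    """Relays whose handshake finished with anything other than verify=OK."""
    return sorted({r["relay"] for r in records if r["verify"] != "OK"})


if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec)
    print("not verified:", not_verified(summarize(SAMPLE)))
```

Running it over a log from the working package and one from the failing package gives two record lists that can be diffed field by field; hard-wrapped log lines need to be rejoined first, since continuation lines are skipped.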

Comment 14 Jaroslav Škarvada 2011-07-20 17:44:29 UTC
Interesting. Could you retest with the following build?
http://koji.fedoraproject.org/koji/taskinfo?taskID=3215805

Comment 15 David McCall 2011-07-20 17:55:08 UTC
Version 8.14.5
 Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2 SCANF
                STARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============

I don't use .rpm's; actually, I've always built everything from the .tar.gz file.

Can you point me to the .tar.gz file for that build?

Comment 16 Michael Weidner 2011-07-20 18:56:11 UTC
Your new build does not change anything for me, same error as before.

Comment 17 Jaroslav Škarvada 2011-07-21 07:15:14 UTC
I will try to revert the TLS changes, so hopefully we will be able to isolate the problem. Stay tuned, I will provide another test build. Do you encounter this problem on servers other than gmx? Maybe this is a problem on their side.

Comment 18 Michael Weidner 2011-07-21 07:22:26 UTC
Only at gmx at the moment, but I have only 3 accounts to test (gmx, t-online and domainfactory), and it works if I use the older sendmail (sendmail-8.14.4-20.fc15.i686) or Thunderbird with STARTTLS directly (without my local sendmail in between), so it is not likely an error at gmx, I think.

Comment 19 Jaroslav Škarvada 2011-07-22 15:13:32 UTC
Reverted back the following changes:
* Per RFC 6176, when operating as a TLS client, do not offer SSLv2.
* Since TLS session resumption is never used as a client, disable use of RFC 4507-style session tickets.

Please try the following test build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=3223144

David, you can grab the sources from the src.rpm at the link above, apply the included patches and build as usual.

Comment 20 Jaroslav Škarvada 2011-07-22 16:34:42 UTC
Also please try this test build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=3223347

And let me know if any of these testing builds fixes your problem.

Comment 21 Michael Weidner 2011-07-22 17:22:19 UTC
http://koji.fedoraproject.org/koji/taskinfo?taskID=3223347 does fix the problem with gmx.


With http://koji.fedoraproject.org/koji/taskinfo?taskID=3223144 the problem is still there.

Comment 22 David McCall 2011-07-22 19:12:24 UTC
please send me the working patched sendmail.8.14.5-1.tar.gz file...

thx

david

Comment 23 Jaroslav Škarvada 2011-07-22 21:48:24 UTC
David, no problem, the patched sources are here:
http://jskarvad.fedorapeople.org/sendmail/sendmail-8.14.5-3.tar.bz2

Comment 24 Jaroslav Škarvada 2011-07-22 22:02:38 UTC
Michael, thanks for testing. The F15 update will be pushed to updates-testing soon.

Comment 25 Fedora Update System 2011-07-22 22:06:23 UTC
sendmail-8.14.5-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/sendmail-8.14.5-3.fc15

Comment 26 David McCall 2011-07-23 00:10:16 UTC
    devtools/site.linux.m4

    APPENDDEF(`confENVDEF',`-DSTARTTLS')
    APPENDDEF(`confLIBS',`-lssl -lcrypto')
    APPENDDEF(`confLIBDIRS',`-L/usr/local/ssl/lib')
    APPENDDEF(`confINCDIRS',`-I/usr/local/ssl/include')
    APPENDDEF(`confENVDEF',`-DSASL')
    APPENDDEF(`confLIBS',`-lsasl2')
    APPENDDEF(`confLIBDIRS',`-L/usr/lib64/sasl2')
    APPENDDEF(`confINCDIRS',`-I/usr/include/sasl')
    APPENDDEF(`confENVDEF',`-DTCPWRAPPERS')
    APPENDDEF(`confLIBS',`-lwrap')


    #  sigh!  :-(


    make[1]: Entering directory
    `/usr/local/src/sendmail-8.14.5/obj.Linux.2.6.18-92.el5.x86_64/sendmail'
    cp /dev/null statistics
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o main.o main.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o alias.o alias.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o arpadate.o arpadate.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o bf.o bf.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o collect.o collect.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o conf.o conf.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o control.o control.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o convtime.o convtime.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o daemon.o daemon.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o deliver.o deliver.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o domain.o domain.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o envelope.o envelope.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o err.o err.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o headers.o headers.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o macro.o macro.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o map.o map.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o mci.o mci.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o milter.o milter.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o mime.o mime.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o parseaddr.o parseaddr.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o queue.o queue.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o ratectrl.o ratectrl.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o readcf.o readcf.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o recipient.o recipient.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o sasl.o sasl.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o savemail.o savemail.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o sfsasl.o sfsasl.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o shmticklib.o shmticklib.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o sm_resolve.o sm_resolve.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o srvrsmtp.o srvrsmtp.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o stab.o stab.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o stats.o stats.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o sysexits.o sysexits.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o timers.o timers.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o tls.o tls.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o trace.o trace.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o udb.o udb.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o usersmtp.o usersmtp.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o util.o util.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o version.o version.c
    cc -o sendmail  -L/usr/local/ssl/lib -L/usr/lib64/sasl2 main.o alias.o
    arpadate.o bf.o collect.o conf.o control.o convtime.o daemon.o deliver.o
    domain.o envelope.o err.o headers.o macro.o map.o mci.o m
    ilter.o mime.o parseaddr.o queue.o ratectrl.o readcf.o recipient.o sasl.o
    savemail.o sfsasl.o shmticklib.o sm_resolve.o srvrsmtp.o stab.o stats.o
    sysexits.o timers.o tls.o trace.o udb.o usersmtp.o util
    .o version.o     
    /usr/local/src/sendmail-8.14.5/obj.Linux.2.6.18-92.el5.x86_64/libsmutil/libsmutil.a
    /usr/local/src/sendmail-8.14.5/obj.Linux.2.6.18-92.el5.x86_64/libsm/libsm.a 
    -ldb -lresolv -lcrypt
    -lnsl -pie -ldl -lssl -lcrypto -lsasl2 -lwrap
    /usr/bin/ld: /usr/local/ssl/lib/libssl.a(s23_srvr.o): relocation R_X86_64_32
    against `a local symbol' can not be used when making a shared object; recompile
    with -fPIC
    /usr/local/ssl/lib/libssl.a: could not read symbols: Bad value
    collect2: ld returned 1 exit status
    make[1]: *** [sendmail] Error 1
    make[1]: Leaving directory
    `/usr/local/src/sendmail-8.14.5/obj.Linux.2.6.18-92.el5.x86_64/sendmail'

Comment 27 Fedora Update System 2011-07-23 02:05:56 UTC
Package sendmail-8.14.5-3.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sendmail-8.14.5-3.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/sendmail-8.14.5-3.fc15
then log in and leave karma (feedback).

Comment 28 Paul Egan 2011-09-15 06:42:38 UTC
I had the same issue when relaying through dreamhost.com.  I had hoped to test the fix discussed here but the sendmail-8.14.5-3 package doesn't seem to be available any more, so I've downgraded to sendmail-8.14.4-20.fc15.x86_64 and all works well again.

I see the fix is available on f16 (sendmail-8.14.5-5.fc16); will it be applied to f15 too?
http://pkgs.fedoraproject.org/gitweb/?p=sendmail.git;a=commit;h=6ae4af377b63ee68f2baa9486302f9e9e251c824

Comment 29 Fedora Update System 2011-09-15 08:13:40 UTC
sendmail-8.14.5-2.fc15.1 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/sendmail-8.14.5-2.fc15.1

Comment 30 Jaroslav Škarvada 2011-09-15 08:18:29 UTC
(In reply to comment #28)
We got into trouble with a broken f15-f16 upgrade path (the sysv to systemd upgrade), so we had to remove sendmail-8.14.5-3.fc15 from testing. The sendmail-8.14.5-2.fc15.1 update should fix your issue; sorry for the inconvenience.

Comment 31 Paul Egan 2011-09-15 14:29:42 UTC
I've installed sendmail-8.14.5-2.fc15 and can confirm it fixes the issue for me.  Thanks.

Comment 32 Jaroslav Škarvada 2011-09-25 17:53:28 UTC
*** Bug 740639 has been marked as a duplicate of this bug. ***

Comment 33 Fedora Update System 2011-10-24 12:36:19 UTC
sendmail-8.14.5-2.fc15.2 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/sendmail-8.14.5-2.fc15.2

Comment 34 Fedora Update System 2011-11-25 02:15:00 UTC
sendmail-8.14.5-2.fc15.2 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.