Bug 716628 - STARTTLS in sendmail-8.14.5-1.fc15.i686 with mail.gmx.net does not work anymore
Summary: STARTTLS in sendmail-8.14.5-1.fc15.i686 with mail.gmx.net does not work anymore
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sendmail
Version: 15
Hardware: i686
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Jaroslav Škarvada
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 740639 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-25 19:11 UTC by Michael Weidner
Modified: 2011-11-25 02:15 UTC (History)
5 users (show)

Fixed In Version: sendmail-8.14.5-2.fc15.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-25 02:15:00 UTC
Type: ---


Attachments (Terms of Use)
Logfile sendmail-8.14.4-20.fc15.i686 (working) (15.12 KB, text/plain)
2011-07-20 17:07 UTC, Michael Weidner
no flags Details
Logfilesendmail-8.14.5-1.fc15.i686 (not working) (16.69 KB, text/plain)
2011-07-20 17:07 UTC, Michael Weidner
no flags Details

Description Michael Weidner 2011-06-25 19:11:24 UTC
In sendmail-8.14.5-1.fc15.i686 STARTTLS with mail.gmx.net does not work anymore, downgrade to sendmail-8.14.4-20.fc15.i686 fixes the problem.

Logfile output (Log-Level 14) with sendmail-8.14.5-1.fc15.i686:

--------------------------------------------------
Jun 25 19:51:38 han sendmail[25841]: STARTTLS=client, init=1
Jun 25 19:51:39 han sendmail[25842]: p5PHp9DO025823: SMTP outgoing connect on p5B25EC6A.dip.t-dialin.net
Jun 25 19:51:39 han sendmail[25842]: STARTTLS=client, start=ok
Jun 25 19:51:39 han sendmail[25842]: STARTTLS: x509 cert verify: depth=0 /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=mail.gmx.net, state=0, reason=unable to get local issuer certificate
Jun 25 19:51:39 han sendmail[25842]: STARTTLS: TLS cert verify: depth=0 /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=mail.gmx.net, state=0, reason=unable to get local issuer certificate
Jun 25 19:51:39 han sendmail[25842]: STARTTLS=client, relay=mail.gmx.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jun 25 19:51:39 han sendmail[25842]: STARTTLS=client, cert-subject=/C=DE/ST=Bayern/L=Munich/O=GMX+20GmbH/CN=mail.gmx.net, cert-issuer=/C=ZA/ST=Western+20Cape/L=Cape+20Town/O=Thawte+20Consulting+20cc/OU=Certification+20Services+20Division/CN=Thawte+20Premium+20Server+20CA/emailAddress=premium-server@thawte.com, verifymsg=unable to get local issuer certificate
Jun 25 19:51:40 han sendmail[25842]: p5PHp9DO025823: to=<user@domain.com>, delay=00:00:31, xdelay=00:00:02, mailer=relay, pri=120410, relay=mail.gmx.net. [213.165.64.21], dsn=5.0.0, stat=Service unavailable
Jun 25 19:51:40 han sendmail[25842]: p5PHp9DO025823: p5PHpcpp025842: DSN: Service unavailable
Jun 25 19:51:40 han sendmail[25842]: p5PHpcpp025842: done; delay=00:00:00, ntries=1
Jun 25 19:51:40 han sendmail[25842]: STARTTLS=client, SSL_shutdown failed: -1
--------------------------------------------------


And with sendmail-8.14.4-20.fc15.i686:

--------------------------------------------------
Jun 25 20:25:06 han sendmail[27768]: STARTTLS=client, init=1
Jun 25 20:25:06 han sendmail[27769]: p5PIP3eI027734: SMTP outgoing connect on p5B25EC6A.dip.t-dialin.net
Jun 25 20:25:07 han sendmail[27769]: STARTTLS=client, start=ok
Jun 25 20:25:07 han sendmail[27769]: STARTTLS: x509 cert verify: depth=0 /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=mail.gmx.net, state=0, reason=unable to get local issuer certificate
Jun 25 20:25:07 han sendmail[27769]: STARTTLS: TLS cert verify: depth=0 /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=mail.gmx.net, state=0, reason=unable to get local issuer certificate
Jun 25 20:25:07 han sendmail[27769]: STARTTLS=client, relay=mail.gmx.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jun 25 20:25:07 han sendmail[27769]: STARTTLS=client, cert-subject=/C=DE/ST=Bayern/L=Munich/O=GMX+20GmbH/CN=mail.gmx.net, cert-issuer=/C=ZA/ST=Western+20Cape/L=Cape+20Town/O=Thawte+20Consulting+20cc/OU=Certification+20Services+20Division/CN=Thawte+20Premium+20Server+20CA/emailAddress=premium-server@thawte.com, verifymsg=unable to get local issuer certificate
Jun 25 20:25:07 han sendmail[27769]: AUTH=client, relay=mail.gmx.net., mech=PLAIN, bits=0
Jun 25 20:25:08 han sendmail[27769]: p5PIP3eI027734: to=<user@domain.com>, delay=00:00:04, xdelay=00:00:02, mailer=relay, pri=120392, relay=mail.gmx.net. [213.165.64.20], dsn=2.0.0, stat=Sent (Message accepted {mp066})
Jun 25 20:25:08 han sendmail[27769]: p5PIP3eI027734: done; delay=00:00:04, ntries=1
Jun 25 20:25:08 han sendmail[27769]: STARTTLS=client, SSL_shutdown failed: -1
--------------------------------------------------

I also tried an other smtp server at a different provider, this one is working with both versions, log file is the same for both versions there:

--------------------------------------------------
Jun 25 19:54:10 han sendmail[25978]: STARTTLS=client, init=1
Jun 25 19:54:11 han sendmail[25979]: p5PHs7m3025968: SMTP outgoing connect on p5B25EC6A.dip.t-dialin.net
Jun 25 19:54:11 han sendmail[25979]: STARTTLS=client, start=ok
Jun 25 19:54:11 han sendmail[25979]: STARTTLS: x509 cert verify: depth=0 /C=DE/O=smtprelaypool.ispgateway.de/OU=2726761688/OU=See www.geotrust.com/resources/cps (c)09/OU=Domain Control Validated - QuickSSL Premium(R)/CN=smtprelaypool.ispgateway.de, state=0, reason=unable to get local issuer certificate
Jun 25 19:54:11 han sendmail[25979]: STARTTLS: TLS cert verify: depth=0 /C=DE/O=smtprelaypool.ispgateway.de/OU=2726761688/OU=See www.geotrust.com/resources/cps (c)09/OU=Domain Control Validated - QuickSSL Premium(R)/CN=smtprelaypool.ispgateway.de, state=0, reason=unable to get local issuer certificate
Jun 25 19:54:11 han sendmail[25979]: STARTTLS=client, relay=smtprelaypool.ispgateway.de, field=cn_issuer, status=failed to extract CN
Jun 25 19:54:11 han sendmail[25979]: STARTTLS=client, relay=smtprelaypool.ispgateway.de, version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Jun 25 19:54:11 han sendmail[25979]: STARTTLS=client, cert-subject=/C=DE/O=smtprelaypool.ispgateway.de/OU=2726761688/OU=See+20www.geotrust.com/resources/cps+20+28c+2909/OU=Domain+20Control+20Validated+20-+20QuickSSL+20Premium+28R+29/CN=smtprelaypool.ispgateway.de, cert-issuer=/C=US/O=Equifax/OU=Equifax+20Secure+20Certificate+20Authority, verifymsg=unable to get local issuer certificate
Jun 25 19:54:11 han sendmail[25979]: AUTH=client, relay=smtprelaypool.ispgateway.de, mech=PLAIN, bits=0
Jun 25 19:54:12 han sendmail[25979]: p5PHs7m3025968: to=<user@domain.com>, delay=00:00:04, xdelay=00:00:02, mailer=relay, pri=120421, relay=smtprelaypool.ispgateway.de [80.67.29.4], dsn=2.0.0, stat=Sent (OK id=1QaX3b-0001uu-V4)
Jun 25 19:54:12 han sendmail[25979]: p5PHs7m3025968: done; delay=00:00:04, ntries=1
Jun 25 19:54:12 han sendmail[25979]: STARTTLS=client, SSL_shutdown failed: -1
--------------------------------------------------

Comment 1 David McCall 2011-07-19 01:45:37 UTC
on RHEL - Linux myserver 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:15 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux......
upgraded sendmail from:

Version 8.13.8
 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
                MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
                NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
                TCPWRAPPERS USERDB USE_LDAP_INIT

to:

Version 8.14.4
 Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2 SCANF
                STARTTLS TCPWRAPPERS USERDB XDEBUG
==================================================================
getting lots of these:

Jul 18 18:30:03 myserver sendmail[19618]: p6J1U21m019616: done; delay=00:00:01, ntries=1
Jul 18 18:30:03 myserver sendmail[19642]: p6J1U2eI019640: done; delay=00:00:00, ntries=1
Jul 18 18:30:03 universe sendmail[19626]: p6J1U2gt019624: to=<blah@gmail.com>, ctladdr=<me@myserver.edu> (1000/1000), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=233772, relay=gmail
-smtp-in.l.google.com. [209.85.225.27], dsn=2.0.0, stat=Sent (OK 1311039003 vg10si13266176icb.120)
Jul 18 18:30:03 myserver sendmail[19626]: p6J1U2gt019624: done; delay=00:00:01, ntries=1
Jul 18 18:30:03 myserver sendmail[19630]: p6J1U25K019628: to=<blah@gmail.com>, ctladdr=<me@myserver.edu> (1000/1000), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=232724, relay=gmail
-smtp-in.l.google.com. [209.85.225.27], dsn=2.0.0, stat=Sent (OK 1311039003 k6si5795841ibl.32)
Jul 18 18:30:03 myserver sendmail[19630]: p6J1U25K019628: done; delay=00:00:01, ntries=1
Jul 18 18:30:03 myserver sendmail[19626]: STARTTLS=client, SSL_shutdown failed: -1
Jul 18 18:30:03 myserver sendmail[19630]: STARTTLS=client, SSL_shutdown failed: -1
Jul 18 18:30:04 universe sendmail[19650]: STARTTLS=client, SSL_shutdown failed: -1

Is this the same problem as above?  I've never seen these before.  I did make new certs after the upgrade also.  (do I need anymore information?)

-dmc

Comment 2 David McCall 2011-07-19 01:58:05 UTC
oops, didn't mean to cancel need info.......

ps: the errors above don't seem to block any emails from being sent or received.

dmc

Comment 3 David McCall 2011-07-19 02:45:19 UTC
oops, didn't mean to cancel need info.......

ps: the errors above don't seem to block any emails from being sent or received.

dmc

Comment 4 David McCall 2011-07-19 23:52:39 UTC
something else is odd:

/root # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 universe.sonoma.edu ESMTP Sendmail 8.14.4/8.13.8; Tue, 19 Jul 2011 16:44:32 -0700
ehlo localhost
250-myserver.mylocation.edu Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
                 notice the absence of STARTTLS

================================================================================

log entry:
Jul 19 16:44:15 myserver sendmail[2910]: starting daemon (8.14.4): SMTP+queueing@01:00:00
Jul 19 16:44:15 myserver sm-msp-queue[2918]: starting daemon (8.14.4): queueing@01:00:00
Jul 19 16:44:16 myserver sendmail[2910]: STARTTLS=server, Diffie-Hellman init, key=1024 bit (1)
Jul 19 16:44:16 myserver sendmail[2910]: STARTTLS=server, init=1
Jul 19 16:44:16 myserver sendmail[2910]: started as: /usr/sbin/sendmail -bd -q1h

Jul 19 16:44:32 myserver sendmail[2960]: NOQUEUE: connect from localhost.localdomain [127.0.0.1]
Jul 19 16:44:32 myserver sendmail[2960]: AUTH: available mech=LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Jul 19 16:44:32 myserver sendmail[2960]: p6JNiW5g002960: Milter: no active filter
Jul 19 16:44:32 myserver sendmail[2960]: p6JNiW5g002960: --- 220 myserver.mylocation.edu ESMTP Sendmail 8.14.4/8.13.8; Tue, 19 Jul 2011 16:44:32 -0700
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: <-- ehlo localhost
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-myserver.mylocation.edu Hello localhost.localdomain [127.0.0.1], pleased to meet you
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-ENHANCEDSTATUSCODES
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-PIPELINING
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-8BITMIME
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-SIZE
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-DSN
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-ETRN
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-AUTH LOGIN PLAIN
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250-DELIVERBY
Jul 19 16:44:37 myserver sendmail[2960]: p6JNiW5g002960: --- 250 HELP

Comment 5 Jaroslav Škarvada 2011-07-20 09:01:19 UTC
(In reply to comment #4)
I cannot reproduce:
...
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250-HELP

I used:
sendmail-8.14.5-1.fc15.x86_64
sendmail-cf-8.14.5-1.fc15.noarch

I will retest with the i686 later.

I used the default sendmail.mc with the following addition:

define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

I generated the sendmail.pem by:
# cd /etc/pki/tls/certs
# make sendmail.pem

Comment 6 Jaroslav Škarvada 2011-07-20 09:10:45 UTC
Maybe there is something wrong with our openssl? Try to verify by:
# rpm -qV openssl
# rpm -qV sendmail

Comment 7 David McCall 2011-07-20 09:25:23 UTC
I was thinking the same so I punted from 1.0.0d, back to OpenSSL 0.9.8r 8 Feb 2011.  Then I redid the certs.  

here's my sendmail.mc

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`Cosmos Mailer Appliance')dnl
OSTYPE(`linux')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl # define(`SMART_HOST',`smtp.your.provider')
dnl #
define(`confDEF_USER_ID',``8:14'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p y')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
define(`confCACERT_PATH',`/etc/ssl/certs')dnl
define(`confCACERT',`/etc/ssl/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT',`/etc/ssl/certs/server.pem')dnl
define(`confSERVER_KEY',`/etc/ssl/certs/server.pem')dnl
define(`confCLIENT_CERT',`/etc/ssl/certs/server.pem')dnl
define(`confCLIENT_KEY',`/etc/ssl/certs/server.pem')dnl
define(`confCRL',`/etc/ssl/certs/revoke.crl')dnl
define(`confLOG_LEVEL', `12')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
define(`confQUEUE_LA', `18')dnl
define(`confREFUSE_LA', `24')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`relay_hosts_only')dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 12.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
#dnl FEATURE(`accept_unresolvable_domains')dnl
dnl #
#dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
MASQUERADE_AS(`universe.sonoma.edu')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
FEATURE(masquerade_envelope)dnl
FEATURE(allmasquerade)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(mydomainalias.com)dnl
MASQUERADE_DOMAIN(mydomain.lan)dnl
dnl #INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter.sock, F=T, T=S:4m;R:4m')
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
FEATURE(`dnsbl',`sbl.spamhaus.org',`Rejected - see http://www.spamhaus.org')dnl
FEATURE(`dnsbl',`dob.sibl.support-intelligence.net',`Rejected - see http://support-intelligence.com/day-old-bread.html ')dnl
FEATURE(`dnsbl',`combined.njabl.org',`Message from $&{client_addr} rejected - see http://njabl.org/lookup?$&{client_addr}')dnl
FEATURE(`dnsbl',`rhsbl.ahbl.org',`Rejected - see http://www.ahbl.org ')dnl
dnl #FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in dnsbl.sorbs.net"')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl


also forgot to mention I'm getting the errors with the STARTTLS-client only,
and it's not on every smtp server, but only about 1/3 of them............

Comment 8 Michael Weidner 2011-07-20 09:41:21 UTC
[root@han ~]# rpm -qV openssl  

[root@han ~]# rpm -qV sendmail 
5S.T.....  c /etc/mail/Makefile
5S.T.....  c /etc/mail/access
5S.T.....  c /etc/mail/local-host-names
5S.T.....  c /etc/mail/sendmail.cf
5S.T.....  c /etc/mail/sendmail.mc
5S.T.....  c /etc/mail/submit.cf
5S.T.....  c /etc/mail/submit.mc
5S.T.....  c /etc/mail/trusted-users
5S.T.....  c /etc/mail/virtusertable
5S.T.....  c /etc/sysconfig/sendmail


Here is my sendmail.mc:

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Do not advertize sendmail version.
dnl #
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
define(`confLOG_LEVEL', `10')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
define(`SMART_HOST', `smtp.micha-steffi.de')dnl
dnl #
define(`confDEF_USER_ID', ``8:14'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTO_IDENT', `0')dnl
define(`confTO_COMMAND', `2m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`QUEUE_DIR', `/var/tmp/mqueue')dnl
define(`UUCP_MAILER_MAX', `50000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `novrfy,noexpn,restrictqrun')dnl
define(`confMAX_MESSAGE_SIZE',`50000000')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl # 
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH. 
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /etc/pki/tls/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /etc/pki/tls/certs usage
dnl #
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/client.cert')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/client.key')dnl
define(`confCRL', `/etc/pki/tls/certs/revoke.crl')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept 
dnl # incoming messages or process its message queues to 20.) sendmail refuses 
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead 
dnl # incurred due to forking new sendmail processes. May be useful against 
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address 
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
define(`confLOCAL_MAILER', `cyrusv2')dnl
define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl # 
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl # 
LOCAL_DOMAIN(`localhost.localdomain')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupWritableForwardFile')dnl
FEATURE(`authinfo',`hash /etc/mail/authinfo')dnl
FEATURE(`smarttable')dnl
LDAPROUTE_DOMAIN(`gmx.de')dnl
LDAPROUTE_DOMAIN(`micha-steffi.de')dnl
LDAPROUTE_DOMAIN(`t-online.de')dnl
LDAPROUTE_DOMAIN(`bigfoot.com')dnl
FEATURE(`ldap_routing',`null', `hash /etc/mail/mail_routing.db', `passthru')dnl
MAILER(smtp)dnl
dnl MAILER(procmail)dnl
MAILER(cyrusv2)dnl


And my submit.mc:

divert(-1)
#
# Copyright (c) 2001-2003 Sendmail, Inc. and its suppliers.
#       All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

#
#  This is the prototype file for a set-group-ID sm-msp sendmail that
#  acts as a initial mail submission program.
#

divert(0)dnl
sinclude(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`linux setup')dnl
define(`confCF_VERSION', `Submit')dnl
define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
define(`confTIME_ZONE', `USE_TZ')dnl
define(`confDONT_INIT_GROUPS', `True')dnl
define(`confPID_FILE', `/var/run/sm-client.pid')dnl
define(`STATUS_FILE', `/var/tmp/clientmqueue/sm-client.st')dnl
define(`MSP_QUEUE_DIR', `/var/tmp/clientmqueue')dnl
dnl define(`confDIRECT_SUBMISSION_MODIFIERS',`C')dnl
FEATURE(`use_ct_file')dnl
dnl
dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]
FEATURE(`msp', `[127.0.0.1]')dnl

My error only occurs on mail.gmx.net with STARTTLS-client, without STARTTLS mail.gmx.net works. Other SMTP-servers (tried two other) also working with STARTTLS.

I also recreated the certs, no change, error still there.

Only solution at the moment downgrade to sendmail-8.14.4-20.fc15.i686, then it is working again with everything else unchanged.

Comment 9 Jaroslav Škarvada 2011-07-20 16:24:33 UTC
Michael, could you provide your mailog? I checked both configs on i686 machine and I still have STARTTLS on server. Unfortunately I am unable to get the SMTP account on mail.gmx.net (I am not residential in Germany) so I cannot test the client.

Comment 10 Michael Weidner 2011-07-20 17:07:03 UTC
Created attachment 514061 [details]
Logfile sendmail-8.14.4-20.fc15.i686 (working)

Requested Logfile

Comment 11 Michael Weidner 2011-07-20 17:07:54 UTC
Created attachment 514062 [details]
Logfilesendmail-8.14.5-1.fc15.i686 (not working)

Requested Logfile

Comment 12 Michael Weidner 2011-07-20 17:09:18 UTC
The both Logfiles attached are created with the same client and the same mail with Loglevel 99.

Comment 13 David McCall 2011-07-20 17:28:51 UTC
ul 20 08:05:59 myserver sendmail[24189]: p6KF5xTe024187: SMTP outgoing connect
on universe
ul 20 08:05:59 myserver sendmail[24189]: STARTTLS=client, init=1
ul 20 08:06:00 myserver sendmail[24189]: STARTTLS=client, start=ok
ul 20 08:06:00 myserver sendmail[24189]: STARTTLS=client, info: fds=11/10,
err=2
ul 20 08:06:00 myserver last message repeated 8 times
ul 20 08:06:00 myserver sendmail[24189]: STARTTLS: x509 cert verify: depth=0
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Forefront Online
Protection for Exchange/CN=mail.global.frontbridg
.com/emailAddress=support@frontbridge.com, state=0, reason=unable to get
certificate CRL
ul 20 08:06:00 myserver sendmail[24189]: STARTTLS: x509 cert verify: depth=1
/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority,
state=0, reason=unable to get certificate CRL
ul 20 08:06:00 myserver sendmail[24189]: STARTTLS: x509 cert verify: depth=2
/CN=Microsoft Internet Authority, state=0, reason=unable to get certificate CRL
ul 20 08:06:00 myserver sendmail[24189]: STARTTLS: x509 cert verify: depth=3
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust
Global Root, state=0, reason=unable to get cert
ficate CRL
ul 20 08:06:00 myserver sendmail[24189]: STARTTLS: internal error:
tls_verify_cb: ssl == NULL
ul 20 08:06:00 myserver sendmail[24189]: STARTTLS=client, info: fds=11/10,
err=2
ul 20 08:06:01 myserver sendmail[24189]: STARTTLS=client, get_verify: 0
get_peer: 0xa5e7630
ul 20 08:06:01 myserver sendmail[24189]: STARTTLS=client,
relay=mail.messaging.microsoft.com., version=TLSv1/SSLv3, verify=OK,
cipher=AES128-SHA, bits=128/128
ul 20 08:06:01 myserver sendmail[24189]: STARTTLS=client,
cert-subject=/C=US/ST=Washington/L=Redmond/O=Microsoft+20Corporation/OU=Forefront+20Online+20Protection+20for+20Exchange/CN=mail.global.frontb
idge.com/emailAddress=support@frontbridge.com,
cert-issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft+20Secure+20Server+20Authority,
verifymsg=ok
ul 20 08:06:01 myserver sendmail[24189]: STARTTLS=read, info: fds=11/10, err=2
ul 20 08:06:01 myserver last message repeated 3 times
ul 20 08:06:01 myserver sendmail[24187]: p6KF5xTf024187: <-- QUIT
ul 20 08:06:01 myserver sendmail[24187]: p6KF5xTf024187: --- 221 2.0.0
myserver.mylocation.edu closing connection
ul 20 08:06:02 myserver sendmail[24189]: p6KF5xTe024187:
to=<yilen.gomez@Vanderbilt.Edu>, ctladdr=<myname@myserver.mylocation.edu>
(1000/1000), delay=00:00:03, xdelay=00:00:03, mailer=esmtp, pri=128822, re
ay=mail.messaging.microsoft.com. [94.245.120.86], dsn=2.0.0, stat=Sent
(<002b01cc46ee$88e2afa0$9aa80ee0$@myserver.mylocation.edu> [InternalId=1696492]
Queued mail for delivery)
ul 20 08:06:02 myserver sendmail[24189]: p6KF5xTe024187: done; delay=00:00:03,
ntries=1
ul 20 08:06:02 myserver sendmail[24189]: STARTTLS=read, info: fds=11/10, err=2
ul 20 08:06:02 myserver sendmail[24189]: STARTTLS=client, SSL_shutdown failed:
-1


===============================================================================

openssl test on port:
/etc/mail # openssl s_client -crlf -connect localhost:465
CONNECTED(00000003)
depth & verify info here

Server certificate - With a bunch of lines missing......
-----BEGIN CERTIFICATE-----
MIID4DCCA0mgAwIBAgIJANYFZH6im0OVMA0GCSqGSIb3DQEBBQUAMIGnMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFJvaG5lcnQgUGFyazEgMB4G
A1UEChMXU29ub21hIFN0YXRlIFVuaXZlcnNpdHkxEjAQBgNVBAsTCU5BU0EgRS9Q
TzEOMAwGA1UEAxMFYWRtaW4xLjAsBgkqhkiG9w0BCQEWH3Bvc3RtYWFzdGVyQHVu
aXZlcnNlLnNvbm9tYS5lZHUwHhcNMTEwNzIwMDAyNTE1WhcNMTYwNzE4MDAyNTE1
WjCBpzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxSb2huZXJ0
IFBhcmsxIDAeBgNVBAoTF1Nvbm9tYSBTdGF0ZSBVbml2ZXJzaXR5MRIwEAYDVQQL
EwlOQVNBIEUvUE8xDjAMBgNVBAMTBWFkbWluMS4wLAYJKoZIhvcNAQkBFh9wb3N0
bWFhc3RlckB1bml2ZXJzZS5zb25vbWEuZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GN
1F7Wkn9dmqyone5sNacwX+FW2SFsYyn788zYmg/Ps331t4cT
-----END CERTIFICATE-----
---
SSL handshake has read 16030 bytes and written 337 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
C76CFE17AB7306582A1589A0092703CBCE648FBC4C8BA5A49217711AF364C544
    Session-ID-ctx:
    Master-Key:
EE48DA1A6DCD56DB1D07EF917187A6A0989907DED85999A7B2A9232708AF77FC9C38DC1F8C3BF8D0F5E4187DB37A0134
    Key-Arg   : None
    Start Time: 1311178917
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 myserver.mylocation.edu ESMTP Sendmail 8.14.5/8.13.8; Wed, 20 Jul 2011
09:21:57 -0700

Comment 14 Jaroslav Škarvada 2011-07-20 17:44:29 UTC
Interesting, could you retest the following build?:
http://koji.fedoraproject.org/koji/taskinfo?taskID=3215805

Comment 15 David McCall 2011-07-20 17:55:08 UTC
Version 8.14.5
 Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASLv2 SCANF
                STARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============

i don't use .rpm's actually i've always built everything from the .tar.gz file.

can you point me to the .tar.gz file for that build?

Comment 16 Michael Weidner 2011-07-20 18:56:11 UTC
Your new build does not change anything for me, same error as before.

Comment 17 Jaroslav Škarvada 2011-07-21 07:15:14 UTC
I will try to revert the TLS changes, so hopefully we will be able to isolate the problem. Stay tuned, I will provide another test build. Do you encounter this problem on servers other than gmx? Maybe this is problem on their site.

Comment 18 Michael Weidner 2011-07-21 07:22:26 UTC
Only at gmx at the moment, but I have only 3 accounts to test (gmx, t-online and domainfactory), and it works if I use the older sendmail (sendmail-8.14.4-20.fc15.i686) or Thunderbird with STARTTLS directly (without my local sendmail in between), so it is not likely a error at gmx I think.

Comment 19 Jaroslav Škarvada 2011-07-22 15:13:32 UTC
Reverted back the following changes:
* Per RFC 6176, when operating as a TLS client, do not offer SSLv2.
* Since TLS session resumption is never used as a client, disable use of RFC 4507-style session tickets.

Please try the following test build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=3223144

David you can grab the sources from the src.rpm from the link above, apply the included patches and build as usual.

Comment 20 Jaroslav Škarvada 2011-07-22 16:34:42 UTC
Also please try this test build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=3223347

And let me know if any of these testing builds fixes your problem.

Comment 21 Michael Weidner 2011-07-22 17:22:19 UTC
http://koji.fedoraproject.org/koji/taskinfo?taskID=3223347 does fix the problem with gmx.


With http://koji.fedoraproject.org/koji/taskinfo?taskID=3223144 the problem is still there.

Comment 22 David McCall 2011-07-22 19:12:24 UTC
please send me the working patched sendmail.8.14.5-1.tar.gz file...

thx

david

Comment 23 Jaroslav Škarvada 2011-07-22 21:48:24 UTC
David, no problem, the patched sources are here:
http://jskarvad.fedorapeople.org/sendmail/sendmail-8.14.5-3.tar.bz2

Comment 24 Jaroslav Škarvada 2011-07-22 22:02:38 UTC
Michael thanks for testing, the F15 update will be pushed soon to updates-testing.

Comment 25 Fedora Update System 2011-07-22 22:06:23 UTC
sendmail-8.14.5-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/sendmail-8.14.5-3.fc15

Comment 26 David McCall 2011-07-23 00:10:16 UTC
    devtools/site.linux.m4

    APPENDDEF(`confENVDEF',`-DSTARTTLS')
    APPENDDEF(`confLIBS',`-lssl -lcrypto')
    APPENDDEF(`confLIBDIRS',`-L/usr/local/ssl/lib')
    APPENDDEF(`confINCDIRS',`-I/usr/local/ssl/include')
    APPENDDEF(`confENVDEF',`-DSASL')
    APPENDDEF(`confLIBS',`-lsasl2')
    APPENDDEF(`confLIBDIRS',`-L/usr/lib64/sasl2')
    APPENDDEF(`confINCDIRS',`-I/usr/include/sasl')
    APPENDDEF(`confENVDEF',`-DTCPWRAPPERS')
    APPENDDEF(`confLIBS',`-lwrap')


    #  sigh!  :-(


    make[1]: Entering directory
    `/usr/local/src/sendmail-8.14.5/obj.Linux.2.6.18-92.el5.x86_64/sendmail'
    cp /dev/null statistics
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o main.o main.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o alias.o alias.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o arpadate.o arpadate.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o bf.o bf.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o collect.o collect.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o conf.o conf.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o control.o control.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o convtime.o convtime.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o daemon.o daemon.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o deliver.o deliver.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o domain.o domain.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o envelope.o envelope.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o err.o err.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o headers.o headers.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o macro.o macro.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o map.o map.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o mci.o mci.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o milter.o milter.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o mime.o mime.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o parseaddr.o parseaddr.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o queue.o queue.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o ratectrl.o ratectrl.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o readcf.o readcf.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o recipient.o recipient.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o sasl.o sasl.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o savemail.o savemail.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o sfsasl.o sfsasl.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o shmticklib.o shmticklib.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o sm_resolve.o sm_resolve.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o srvrsmtp.o srvrsmtp.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o stab.o stab.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o stats.o stats.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o sysexits.o sysexits.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o timers.o timers.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o tls.o tls.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o trace.o trace.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o udb.o udb.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o usersmtp.o usersmtp.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o util.o util.c
    cc -O2 -fpie -I. -I../../include  -I/usr/local/ssl/include -I/usr/include/sasl
    -DNEWDB  -DSTARTTLS -DSASL -DTCPWRAPPERS      -c -o version.o version.c
    cc -o sendmail  -L/usr/local/ssl/lib -L/usr/lib64/sasl2 main.o alias.o
    arpadate.o bf.o collect.o conf.o control.o convtime.o daemon.o deliver.o
    domain.o envelope.o err.o headers.o macro.o map.o mci.o m
    ilter.o mime.o parseaddr.o queue.o ratectrl.o readcf.o recipient.o sasl.o
    savemail.o sfsasl.o shmticklib.o sm_resolve.o srvrsmtp.o stab.o stats.o
    sysexits.o timers.o tls.o trace.o udb.o usersmtp.o util
    .o version.o     
    /usr/local/src/sendmail-8.14.5/obj.Linux.2.6.18-92.el5.x86_64/libsmutil/libsmutil.a
    /usr/local/src/sendmail-8.14.5/obj.Linux.2.6.18-92.el5.x86_64/libsm/libsm.a 
    -ldb -lresolv -lcrypt
    -lnsl -pie -ldl -lssl -lcrypto -lsasl2 -lwrap
    /usr/bin/ld: /usr/local/ssl/lib/libssl.a(s23_srvr.o): relocation R_X86_64_32
    against `a local symbol' can not be used when making a shared object; recompile
    with -fPIC
    /usr/local/ssl/lib/libssl.a: could not read symbols: Bad value
    collect2: ld returned 1 exit status
    make[1]: *** [sendmail] Error 1
    make[1]: Leaving directory
    `/usr/local/src/sendmail-8.14.5/obj.Linux.2.6.18-92.el5.x86_64/sendmail'

Comment 27 Fedora Update System 2011-07-23 02:05:56 UTC
Package sendmail-8.14.5-3.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sendmail-8.14.5-3.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/sendmail-8.14.5-3.fc15
then log in and leave karma (feedback).

Comment 28 Paul Egan 2011-09-15 06:42:38 UTC
I had the same issue when relaying through dreamhost.com.  I had hoped to test the fix discussed here but the sendmail-8.14.5-3 package doesn't seem to be available any more, so I've downgraded to sendmail-8.14.4-20.fc15.x86_64 and all works well again.

I see the fix is available on f16 (sendmail-8.14.5-5.fc16); will it be applied to f15 too?
http://pkgs.fedoraproject.org/gitweb/?p=sendmail.git;a=commit;h=6ae4af377b63ee68f2baa9486302f9e9e251c824

Comment 29 Fedora Update System 2011-09-15 08:13:40 UTC
sendmail-8.14.5-2.fc15.1 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/sendmail-8.14.5-2.fc15.1

Comment 30 Jaroslav Škarvada 2011-09-15 08:18:29 UTC
(In reply to comment #28)
We got into trouble with f15-f16 broken upgrade path (the sysv to systemd upgrade), so we had to remove the sendmail-8.14.5-3.fc15 from testing. The sendmail-8.14.5-2.fc15.1 should fix your issue, sorry for inconvenience.

Comment 31 Paul Egan 2011-09-15 14:29:42 UTC
I've installed sendmail-8.14.5-2.fc15 and can confirm it fixes the issue for me.  Thanks.

Comment 32 Jaroslav Škarvada 2011-09-25 17:53:28 UTC
*** Bug 740639 has been marked as a duplicate of this bug. ***

Comment 33 Fedora Update System 2011-10-24 12:36:19 UTC
sendmail-8.14.5-2.fc15.2 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/sendmail-8.14.5-2.fc15.2

Comment 34 Fedora Update System 2011-11-25 02:15:00 UTC
sendmail-8.14.5-2.fc15.2 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.