[gentoo-user] [OT] sendmail relay to gmail smtp server

[gentoo-user] [OT] sendmail relay to gmail smtp server

[Harry Putnam]

NOTE: Sorry if I've gone sort of hog wild posting this question
various places but it is a perplexing problem and I suspect there may
be help available here.  Not to mention that many groups are slow due
to Christmas holidays.

-------        ---------       ---=---       ---------      -------- 

First let me say, I'm not interested in switching mta's, just incase
someone feels like posting the usual, `hey switch to NAME OF MTA' type
post.

I want to use gmails' smtp server as Smart Host for my single user
linux box running sendmail-8.14.4

I'm hooked up to an ISP called direcpath.tv in Atlanta that uses gmail
smtp servers for its clients with addresses like reader@direcpath.tv

They have terrible to non-existent support and no support of linux/sendmail

They use smtp.gmail.com But before I get into the extra complication
of their direcpath.tv overlay, and since I do have a normal gmail
account I thought I'd first try to get the authentication for smtp
working for that username.  hputnam3@gmail.com

So after dozens of small edits and restarts and makemaps ... cutting
to the chase:

/etc/mail/authinfo

(password obfuscated)
,----
| Athinfo:smtp.gmail.com "U:root" "I:hputnam3@gmail.com" "P:??XX??" "M: LOGIN PLAIN"
| Athinfo:smtp.gmail.com:587 "U:root" "I:hputnam3@gmail.com" "P:??XX??" "M: LOGIN PLAIN"
`----

-------        ---------       ---=---       ---------      -------- 

And I think what are the most relevant sendmail.mc settings (the whole
*mc is inlined at the end).

/etc/mail/sendmail.mc

,----
| define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
| define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
| 
| FEATURE(`authinfo', `hash /etc/mail/authinfo')dnl 
| 
| define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
| TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
| 
| define(`SMART_HOST',`smtp.gmail.com')dnl
`----

(And for the record, I did try bracketing the Smart Host like:
 define(`SMART_HOST',`[smtp.gmail.com]')dnl)

I have some old masquerade settings that I doubt are causing a
problem. I do have an account with them too.  I think the error would
be different if they were causing problems, but here those are:

(Note, that removing those only gets the same error messages)
,----
| MASQUERADE_AS(`newsguy.com')dnl
| FEATURE(`allmasquerade')dnl
| FEATURE(`masquerade_envelope')dnl
| dnl # [HP 111006_211813  Testing local_no_masquerade #]dnl
| FEATURE(`local_no_masquerade')dnl
`----

-------        ---------       ---=---       ---------      -------- 

Relevant verbose smtp logs:
,----
| 050 >>> EHLO reader.local.lan
| 050 250-mx.google.com at your service, [65.50.57.227]
| 050 250-SIZE 35882577
| 050 250-8BITMIME
| 050 250-AUTH LOGIN PLAIN XOAUTH
| 050 250 ENHANCEDSTATUSCODES
| 050 >>> MAIL From:<reader@newsguy.com> SIZE=563 AUTH=<>
| 050 530-5.5.1 Authentication Required. Learn more at                              
| 050 530 5.5.1 http://mail.google.com/support/bin/answer.py?answer=14257 py4sm63515568igc.2
`----

The `learn more' address given just above is not all that helpful.

-------        ---------       ---=---       ---------      -------- 

I think these are the sendmail logs that contain the relevant error:

(I'm not sure if the `verify=FAIL' means what it suggests)

,----
| Dec 26 21:41:38 reader sm-mta[24243]: STARTTLS=client,
| relay=smtp.gmail.com, version=TLSv1/SSLv3, verify=FAIL,
| cipher=RC4-SHA, bits=128/12
| 
| Dec 26 21:41:38 reader sm-mta[24243]: pBR2fbLX024243:
|   to=<reader@newsguy.com>, ctladdr=<reader@reader.local.lan>
|   (1000/1000), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30563,
|   relay=smtp.gmail.com [209.85.225.109], dsn=5.0.0, 
|   stat=Service unavailable
| 
| Dec 26 21:41:38 reader sm-mta[24243]: pBR2fbLX024243: pBR2fbLY024243: DSN: Service unavailable
`----

-------        ---------       ---=---       ---------      -------- 

Full sendmail.mc

divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: current.mc,v 1.13 2011/12/26 17:38:01 reader Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=

define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl

FEATURE(`authinfo', `hash /etc/mail/authinfo')dnl 
FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access.db')dnl
define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`SMART_HOST',`smtp.gmail.com')dnl
FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access.db')dnl

FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
define(`confPRIVACY_FLAGS', `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`greet_pause', `1000')dnl 1 seconds
FEATURE(`delay_checks', `friend', `n')dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
include(`/etc/mail/m4/dialup.m4')dnl
include(`/etc/mail/m4/provider.m4')dnl

FEATURE(`always_add_domain')dnl
MASQUERADE_AS(`newsguy.com')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`local_no_masquerade')dnl

EXPOSED_USER(`root')dnl

MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(procmail)dnl
MAILER(`smtp')dnl

Re: [gentoo-user] [OT] sendmail relay to gmail smtp server

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 8383 bytes --]

On Tuesday 27 Dec 2011 15:55:45 Harry Putnam wrote:

> I want to use gmails' smtp server as Smart Host for my single user
> linux box running sendmail-8.14.4

That's eminently doable.


> I'm hooked up to an ISP called direcpath.tv in Atlanta that uses gmail
> smtp servers for its clients with addresses like reader@direcpath.tv
> 
> They have terrible to non-existent support and no support of linux/sendmail
> 
> They use smtp.gmail.com But before I get into the extra complication
> of their direcpath.tv overlay, and since I do have a normal gmail
> account I thought I'd first try to get the authentication for smtp
> working for that username.  hputnam3@gmail.com

I hope that relaying from your box --> via your gmail account  --> via the 
ISP's gmail account will not end up in a pickle for some reason, but assuming 
that Google will not block all that relaying around via its servers here we 
go.


> So after dozens of small edits and restarts and makemaps ... cutting
> to the chase:
> 
> /etc/mail/authinfo

I am going from memory here (no access to the server at this moment) but I 
recall that this entry should be in /etc/mail/client-info instead, and you 
will need of course to create the client-info.db after your changes:

makemap -r hash client-info.db < client-info

and reference this in your sendmail.mc


> (password obfuscated)
> ,----
> 
> | Athinfo:smtp.gmail.com "U:root" "I:hputnam3@gmail.com" "P:??XX??" "M:
> | LOGIN PLAIN" Athinfo:smtp.gmail.com:587 "U:root" "I:hputnam3@gmail.com"
> | "P:??XX??" "M: LOGIN PLAIN"
> 
> `----

Did you try just "M: PLAIN" without the "LOGIN" ?

If PLAIN doesn't do it, then use just LOGIN.

Unless you have a typo in there, try starting the stanzas with:  "AuthInfo:"
                                                                   ^   

Not sure that you need to define the port here on a second line, when it is 
already defined in sendmail.mc.  A single line ought to do the trick.  
Increase the verbosity in the log if you need to troubleshoot this (although 
ports are shown anyway at the default log level from what I recall).

> -------        ---------       ---=---       ---------      --------
> 
> And I think what are the most relevant sendmail.mc settings (the whole
> *mc is inlined at the end).
> 
> /etc/mail/sendmail.mc
> 
> ,----
> 
> | define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
> | define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
> | 
> | FEATURE(`authinfo', `hash /etc/mail/authinfo')dnl
> | 
> | define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
> | PLAIN')dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN
> | PLAIN')dnl
> | 
> | define(`SMART_HOST',`smtp.gmail.com')dnl
> 
> `----
> 
> (And for the record, I did try bracketing the Smart Host like:
>  define(`SMART_HOST',`[smtp.gmail.com]')dnl)

I never used brackets with gmail, or other smtp relays, so you could leave 
these out.

Don't forget (like I often did! ) after any changes to run:  m4 sendmail.mc > 
sendmail.cf


> I have some old masquerade settings that I doubt are causing a
> problem. I do have an account with them too.  I think the error would
> be different if they were causing problems, but here those are:
> 
> (Note, that removing those only gets the same error messages)
> ,----
> 
> | MASQUERADE_AS(`newsguy.com')dnl
> | FEATURE(`allmasquerade')dnl
> | FEATURE(`masquerade_envelope')dnl
> | dnl # [HP 111006_211813  Testing local_no_masquerade #]dnl
> | FEATURE(`local_no_masquerade')dnl
> 
> `----

I can't comment on masquerade - never used it.  I'd make sure however, that 
your mx record is correct for the IP address you're on, or your ISP may drop 
relay attempts if they have configured their sendmail to only accept 
resolvable domains.

 
> -------        ---------       ---=---       ---------      --------
> 
> Relevant verbose smtp logs:
> ,----
> 
> | 050 >>> EHLO reader.local.lan
> | 050 250-mx.google.com at your service, [65.50.57.227]
> | 050 250-SIZE 35882577
> | 050 250-8BITMIME
> | 050 250-AUTH LOGIN PLAIN XOAUTH
> | 050 250 ENHANCEDSTATUSCODES
> | 050 >>> MAIL From:<reader@newsguy.com> SIZE=563 AUTH=<>
> | 050 530-5.5.1 Authentication Required. Learn more at
> | 050 530 5.5.1 http://mail.google.com/support/bin/answer.py?answer=14257
> | py4sm63515568igc.2
> 
> `----
> 
> The `learn more' address given just above is not all that helpful.
> 
> -------        ---------       ---=---       ---------      --------
> 
> I think these are the sendmail logs that contain the relevant error:
> 
> (I'm not sure if the `verify=FAIL' means what it suggests)
> 
> ,----
> 
> | Dec 26 21:41:38 reader sm-mta[24243]: STARTTLS=client,
> | relay=smtp.gmail.com, version=TLSv1/SSLv3, verify=FAIL,
> | cipher=RC4-SHA, bits=128/12

Don't worry about this, you can disregard it.  Your box is telling you that 
the smtp.gmail.com SSL certificate is not in the list of your trusted 
certificates.  You can try adding it in ~/.gnupg/trustlist.txt if you want 
this error to go away (I think).


> | Dec 26 21:41:38 reader sm-mta[24243]: pBR2fbLX024243:
> |   to=<reader@newsguy.com>, ctladdr=<reader@reader.local.lan>
> |   (1000/1000), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30563,
> |   relay=smtp.gmail.com [209.85.225.109], dsn=5.0.0,
> |   stat=Service unavailable
> | 
> | Dec 26 21:41:38 reader sm-mta[24243]: pBR2fbLX024243: pBR2fbLY024243:
> | DSN: Service unavailable
> 
> `----
> 
> -------        ---------       ---=---       ---------      --------
> 
> Full sendmail.mc
> 
> divert(-1)dnl
> divert(0)dnl
> define(`_USE_ETC_MAIL_')dnl
> include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
> VERSIONID(`$Id: current.mc,v 1.13 2011/12/26 17:38:01 reader Exp $')
> OSTYPE(`debian')dnl
> DOMAIN(`debian-mta')dnl
> undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
> 
> define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
> define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
> define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
> 
> FEATURE(`authinfo', `hash /etc/mail/authinfo')dnl
> FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access.db')dnl
> define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN
> PLAIN')dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`SMART_HOST',`smtp.gmail.com')dnl
> FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access.db')dnl
> 
> FEATURE(`no_default_msa')dnl
> DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
> DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea,
> Addr=127.0.0.1')dnl define(`confPRIVACY_FLAGS',
> `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobody
> return,authwarnings')dnl define(`confCONNECTION_RATE_THROTTLE', `15')dnl
> define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
> FEATURE(`use_cw_file')dnl
> FEATURE(`greet_pause', `1000')dnl 1 seconds
> FEATURE(`delay_checks', `friend', `n')dnl
> define(`confBAD_RCPT_THROTTLE',`3')dnl
> FEATURE(`conncontrol', `nodelay', `terminate')dnl
> FEATURE(`ratecontrol', `nodelay', `terminate')dnl
> include(`/etc/mail/m4/dialup.m4')dnl
> include(`/etc/mail/m4/provider.m4')dnl
> 
> FEATURE(`always_add_domain')dnl
> MASQUERADE_AS(`newsguy.com')dnl
> FEATURE(`allmasquerade')dnl
> FEATURE(`masquerade_envelope')dnl
> FEATURE(`local_no_masquerade')dnl
> 
> EXPOSED_USER(`root')dnl
> 
> MAILER_DEFINITIONS
> MAILER(`local')dnl
> MAILER(procmail)dnl
> MAILER(`smtp')dnl

I can't see any entries about mailertable.db, virtusertable.db which I recall 
using to control access to sendmail - although your problem is not related to 
this.

Also I can't see any entries about SSL certificate paths?  Again this is not 
be important unless you want to offer secure connections to your sendmail 
(Port=smtps) for clients out there.

All this said and done, I'd start with the errors in the syntax 
/etc/mail/authinfo and would move it into client-info before looking at 
anything else.

Good luck!

PS.  The sendmail IRC is usually helpful, although they all seem to have PhDs 
in the darn thing and their advice needs translating to plain English once or 
twice before it makes sense to common mortals!  :-))
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

[gentoo-user] Re: [OT] sendmail relay to gmail smtp server

[Harry Putnam]

Mick <michaelkintzios@gmail.com> writes:

[...]

>> | Athinfo:smtp.gmail.com "U:root" "I:hputnam3@gmail.com" "P:??XX??" "M:
>> | LOGIN PLAIN" Athinfo:smtp.gmail.com:587 "U:root" "I:hputnam3@gmail.com"
>> | "P:??XX??" "M: LOGIN PLAIN"
>> 
>> `----
>
> Did you try just "M: PLAIN" without the "LOGIN" ?
>
> If PLAIN doesn't do it, then use just LOGIN.
>
> Unless you have a typo in there, try starting the stanzas with:  "AuthInfo:"

It was that silly typo causing my grief.  The various kinds of login
do not seem to make any difference it just works now.

[...]

Mick Wrote:
> I am going from memory here (no access to the server at this moment) but I 
> recall that this entry should be in /etc/mail/client-info instead, and you 
> will need of course to create the client-info.db after your changes:

It seems not to matter where inside /etc/mail you keep authinfo as
long as there is a line in sendmail.mc pointing to the location like
mine does.

>>  FEATURE(`authinfo', `hash /etc/mail/authinfo')dnl

Many thanks for the helpful input.  Your sharp I spotted the one fatal
problem.  I doubt if I would have found that in a month of Sundays.

Re: [gentoo-user] Re: [OT] sendmail relay to gmail smtp server

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 1414 bytes --]

On Saturday 31 Dec 2011 00:40:23 Harry Putnam wrote:
> Mick <michaelkintzios@gmail.com> writes:
> 
> [...]
> 
> >> | Athinfo:smtp.gmail.com "U:root" "I:hputnam3@gmail.com" "P:??XX??" "M:
> >> | LOGIN PLAIN" Athinfo:smtp.gmail.com:587 "U:root"
> >> | "I:hputnam3@gmail.com" "P:??XX??" "M: LOGIN PLAIN"
> >> 
> >> `----
> > 
> > Did you try just "M: PLAIN" without the "LOGIN" ?
> > 
> > If PLAIN doesn't do it, then use just LOGIN.
> > 
> > Unless you have a typo in there, try starting the stanzas with: 
> > "AuthInfo:"
> 
> It was that silly typo causing my grief.  The various kinds of login
> do not seem to make any difference it just works now.
> 
> [...]
> 
> Mick Wrote:
> > I am going from memory here (no access to the server at this moment) but
> > I recall that this entry should be in /etc/mail/client-info instead, and
> > you
> 
> > will need of course to create the client-info.db after your changes:
> It seems not to matter where inside /etc/mail you keep authinfo as
> long as there is a line in sendmail.mc pointing to the location like
> mine does.
> 
> >>  FEATURE(`authinfo', `hash /etc/mail/authinfo')dnl
> 
> Many thanks for the helpful input.  Your sharp I spotted the one fatal
> problem.  I doubt if I would have found that in a month of Sundays.

Glad you got it sorted and that I could be of help.

Happy New Year to all!
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]