Koozali.org: home of the SME Server

problem on SME 5.5 with SMTP over SSL

Eric Belhomme

problem on SME 5.5 with SMTP over SSL
« on: July 15, 2002, 03:58:26 PM »
Hi,

I configured my SME 5.0 with Tim Larson's howto "How to configure IMAP/POP3/SMTP over SSL on e-smith" and it worked well... So I can use my home mail server from my office safely ;)

But this weekend, I upgraded my server to SME 5.5 (the upgrade process succeeded without any error :) And now, IMAPS still works well, but SMTPS doesn't authorize me to send e-mails (but SMTP works within my LAN) and I get this message from MS Outlook Express 6 (I translated the message from French into English, so maybe it's not accurate...):

Can't send message because one of the recipients was refused by server. The refused recipient was 'eric.belhomme@almas.fr' object : 'test', account : 'mail.ricospirit.net', Server : 'mail.ricospirit.net', Protocol : SMTP, Server answer : '421 Service not available, closing transmission channel', Port : 465, Secured (SSL) : Yes, Server error : 421, Error number : 0x800CCC79

I don't understand a lot about MTAs so I don't know where to look, and what to do... So I hope somebody will help me...

Thanks,

--
Eric Belhomme

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #1 on: July 15, 2002, 06:24:00 PM »
When you invoked stunnel for smtps, make sure you are passing the "-n smtp" argument at the end. Tim Larson's HowTo is incorrect in that respect; everything else was great.

The command:
/usr/sbin/stunnel -d smtps -l /usr/sbin/smtpd

Should be changed to:
/usr/sbin/stunnel -d smtps -l /usr/sbin/smtpd -n smtp

# -n proto      Negotiate SSL with specified protocol currenty supported: smtp

You must tell stunnel that the listening service is type smtp or else you will get these types of errors.  I'm not quite sure why it is necessary but without it I was unable to get smtps to function correctly.

Hope this helps,
Nathan

Eric Belhomme

Re: problem on SME 5.5 with SMTP over SSL
« Reply #2 on: July 15, 2002, 06:52:22 PM »
I tried to make the change, but it still doesn't work :( Moreover, I get exactly the same error message from the server (421, service not available)

Thanks anyway ;)
Eric

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #3 on: July 15, 2002, 07:01:09 PM »
You aren't checking the option that says "My server requires me to login" are you?  I'm able to connect to your smtps service fine.

telnet 62.4.22.83 465
 + stunnelost SMTP daemon ready.
HELO yahoo.com
Connection to host lost.

I think there may be an issue outside of stunnel because I am not able to issue the HELO command.

telnet 62.4.22.83 465
220 hole.ricospirit.net mailfront ESMTP
HELO
250 hole.ricospirit.net
EHLO
250-hole.ricospirit.net
250-8BITMIME
250 PIPELINING
BYE
500 Not implemented.
QUIT
221 Good bye.
Connection to host lost.

That's strange that you are having these issues, could it be isolated to Mailfront itself?  Did you follow the how-to exactly?

Nathan

Shelby Moore

Re: problem on SME 5.5 with SMTP over SSL
« Reply #4 on: July 15, 2002, 07:17:32 PM »
This is the exact problem I mentioned in the 5.5 & obtuse-smtpd-qmail-howto thread.  I upgraded from version 5.0 S2 to 5.5.  I can confirm this to be a problem with 5.5 and the HowTo.

I have tried removing and then re-following the HowTo with no luck.  I also emailed Tim (the author of the HowTo) about it, but he is in Europe and will not have time to look at it until the end of August.

Any ideas would be helpful.  I really need to get this back up and running, and at this point am looking at returning to SME 5.0

Shelby

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #5 on: July 15, 2002, 07:26:25 PM »
Agreed, I remember the conversations in the mentioned thread. Shelby, follow this thread; we will resolve this issue or at least figure out why there are problems.

Nathan

Shelby Moore

Re: problem on SME 5.5 with SMTP over SSL
« Reply #6 on: July 15, 2002, 07:49:55 PM »
Thanks Nathan, I will begin following this thread.  As I said in the other thread the mail log reports the following:

Jul 15 10:20:27 waterboy smtpd[18750]: SMTP HELO from localhost(127.0.0.1) as "dell"
Jul 15 10:20:28 waterboy smtpd[18750]: mail from
Jul 15 10:20:28 waterboy smtpd[18750]: Can not stat address check file /etc/smtpd_check_rules (No such file or directory)!
Jul 15 10:20:28 waterboy smtpd[18750]: Missing or empty address check file - Abandoning session

If you need any other info, just let me know.  Thanks,

Shelby
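Added example, not part of the original post: a small Python triage of the smtpd lines quoted above, which groups syslog entries by PID and reports each session that ended in "Abandoning session" together with the peer address and the file smtpd could not stat. The function and field names are assumptions made for this illustration; the embedded log lines are the ones from the post.

```python
import re
from collections import OrderedDict

# Log lines quoted in the post above, embedded so the example runs offline.
SAMPLE_LOG = """\
Jul 15 10:20:27 waterboy smtpd[18750]: SMTP HELO from localhost(127.0.0.1) as "dell"
Jul 15 10:20:28 waterboy smtpd[18750]: mail from
Jul 15 10:20:28 waterboy smtpd[18750]: Can not stat address check file /etc/smtpd_check_rules (No such file or directory)!
Jul 15 10:20:28 waterboy smtpd[18750]: Missing or empty address check file - Abandoning session
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
HELO_RE = re.compile(r'SMTP HELO from \S+?\((?P<ip>[\d.]+)\) as "(?P<helo>[^"]*)"')
STAT_RE = re.compile(r"Can not stat address check file (?P<path>\S+) \((?P<err>[^)]*)\)")


def triage(log_text, prog="smtpd"):
    """Group lines by PID and summarise each session that was abandoned."""
    sessions = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["prog"] != prog:
            continue  # other daemons and malformed lines are ignored
        s = sessions.setdefault(m["pid"], {
            "pid": int(m["pid"]), "first_seen": m["ts"], "peer_ip": None,
            "helo": None, "missing_file": None, "abandoned": False})
        msg = m["msg"]
        if (h := HELO_RE.search(msg)):
            s["peer_ip"], s["helo"] = h["ip"], h["helo"]
        elif (f := STAT_RE.search(msg)):
            s["missing_file"] = f["path"]
        elif "Abandoning session" in msg:
            s["abandoned"] = True
    return [s for s in sessions.values() if s["abandoned"]]


if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(f'{s["first_seen"]} pid={s["pid"]} peer={s["peer_ip"]} '
              f'helo={s["helo"]!r} abandoned, missing {s["missing_file"]}')
```
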

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #7 on: July 15, 2002, 08:00:05 PM »
That's what doesn't make sense.  The file smtpd_check_rules was the configuration file for ObtuseSMTPD, however, Obtuse was replaced in E-Smith 5.5 so the need to rely on that file doesn't exist.  Stunnel is nothing more than an SSL tunneling application so I'm confused as to why smtpd feels the need to check for that file.  Shelby, are the issues you are having with secure smtp or with smtp itself?

Nathan

Shelby Moore

Re: problem on SME 5.5 with SMTP over SSL
« Reply #8 on: July 15, 2002, 08:21:33 PM »
Well at least we can agree it doesn't seem to make sense.  I am sure the answer is there somewhere.

Yes, this is only for secure smtp; smtp on port 25 on the local LAN works great.  But set it to 465 and all the problems start.

Shelby

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #9 on: July 15, 2002, 09:03:55 PM »
Excellent, we have a common problem.  Can you please mail the contents of /etc/services to evilghost@stickit.nu?

I think I may be close to a solution.

Nathan

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #10 on: July 16, 2002, 12:16:04 AM »

Eric Belhomme

Re: problem on SME 5.5 with SMTP over SSL
« Reply #11 on: July 16, 2002, 12:40:54 AM »
I did the configuration... It's cleaner to use xinetd, but it doesn't change anything about my problem... I'm actually at home (on my LAN side) so smtp works fine, but with ssmtp I still get this:

Impossible d'envoyer le message car l'un des destinataires a été refusé par le serveur. L'adresse de messagerie refusée était 'eric.belhomme@free.fr'. Objet 'test 2', Compte : 'mail.ricospirit.net', Serveur : 'mail.ricospirit.net', Protocole : SMTP, Réponse du serveur : '421 Service not available, closing transmission channel', Port : 465, Sécurisé (SSL) : Oui, Erreur de serveur : 421, Numéro d'erreur : 0x800CCC79

Eric

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #12 on: July 16, 2002, 12:47:21 AM »
I think it has to do with the stunnel redirection with mailfront.  Monkey around with some of the mailfront settings.  Mailfront is about the most UNDOCUMENTED program I've ever seen, so I wish you luck.

Nathan

Eric Belhomme

Re: problem on SME 5.5 with SMTP over SSL
« Reply #13 on: July 16, 2002, 12:50:58 AM »
Many thanks for your wishes :))

Hope maybe somebody from SME staff will have time to look at this :-/ anyway I'll search when I get time...

Eric

Charlie Brady

Re: problem on SME 5.5 with SMTP over SSL
« Reply #14 on: July 16, 2002, 12:51:56 AM »
Nathan Fowler wrote:

> Mailfront is about the most UNDOCUMENTED program
> I've ever seen

Mailfront, or specifically smtpfront-qmail, is designed to be a drop-in replacement for qmail-smtpd, with a few additional features. Mailfront's documentation is sparse because qmail-smtpd documentation is almost 100% applicable.

Regards

Charlie