Koozali.org: home of the SME Server

problem on SME 5.5 with SMTP over SSL

Eric Belhomme

problem on SME 5.5 with SMTP over SSL
« on: July 15, 2002, 03:58:26 PM »
Hi,

I configured my SME 5.0 with Tim Larson's howto "How to configure IMAP/POP3/SMTP over SSL on e-smith" and it worked well... So I can use my home mail server from my office safely ;)

But this weekend, I upgraded my server with SME 5.5 (the upgrade process succeeded without any error :) And now, IMAPS still works well, but SMTPS doesn't authorize me to send e-mails (but SMTP works within my LAN) and I get this message from MS Outlook Express 6 (I translated the message from French into English, so maybe it's not accurate...):

Can't send message because one of the recipients was refused by server. The refused recipient was 'eric.belhomme@almas.fr' object : 'test', account : 'mail.ricospirit.net', Server : 'mail.ricospirit.net', Protocol : SMTP, Server answer : '421 Service not available, closing transmission channel', Port : 465, Secured (SSL) : Yes, Server error : 421, Error number : 0x800CCC79

I don't understand a lot about MTAs so I don't know where to look, and what to do... So I hope somebody will help me...

Thanks,

--
Eric Belhomme

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #1 on: July 15, 2002, 06:24:00 PM »
When you invoked stunnel for smtps make sure you are passing the "-n smtp" argument at the end, Tim Larson's HowTo is incorrect with that respect, everything else was great.

The command:
/usr/sbin/stunnel -d smtps -l /usr/sbin/smtpd

Should be changed to:
/usr/sbin/stunnel -d smtps -l /usr/sbin/smtpd -n smtp

# -n proto      Negotiate SSL with specified protocol currenty supported: smtp

You must tell stunnel that the listening service is type smtp or else you will get these types of errors.  I'm not quite sure why it is necessary but without it I was unable to get smtps to function correctly.

Hope this helps,
Nathan

Eric Belhomme

Re: problem on SME 5.5 with SMTP over SSL
« Reply #2 on: July 15, 2002, 06:52:22 PM »
I tried to make the change, but it still doesn't work :( Moreover, I get exactly the same error message from the server (421, service not available)

Thanks anyway ;)
Eric

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #3 on: July 15, 2002, 07:01:09 PM »
You aren't checking the option that says "My server requires me to login" are you?  I'm able to connect to your smtps service fine.

telnet 62.4.22.83 465
 + stunnelost SMTP daemon ready.
HELO yahoo.com
Connection to host lost.

I think there may be an issue outside of stunnel because I am not able to issue the HELO command.

telnet 62.4.22.83 465
220 hole.ricospirit.net mailfront ESMTP
HELO
250 hole.ricospirit.net
EHLO
250-hole.ricospirit.net
250-8BITMIME
250 PIPELINING
BYE
500 Not implemented.
QUIT
221 Good bye.
Connection to host lost.

That's strange that you are having these issues, could it be isolated to Mailfront itself?  Did you follow the how-to exactly?

Nathan

Shelby Moore

Re: problem on SME 5.5 with SMTP over SSL
« Reply #4 on: July 15, 2002, 07:17:32 PM »
This is the exact problem I mentioned in the 5.5 & obtuse-smtpd-qmail-howto thread.  I upgraded from version 5.0 S2 to 5.5.  I can confirm this to be a problem with 5.5 and the HowTo.

I have tried removing and then re-following the HowTo with no luck.  I also emailed Tim (the author of the HowTo) about it, but he is in Europe and will not have time to look at it until the end of August.

Any ideas would be helpful.  I really need to get this back up and running, and at this point am looking at returning to SME 5.0

Shelby

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #5 on: July 15, 2002, 07:26:25 PM »
Agreed, I remember the conversations in the mentioned thread. Shelby, follow this thread; we will resolve this issue or at least figure out why there are problems.

Nathan

Shelby Moore

Re: problem on SME 5.5 with SMTP over SSL
« Reply #6 on: July 15, 2002, 07:49:55 PM »
Thanks Nathan, I will begin following this thread.  As I said in the other thread the mail log reports the following:

Jul 15 10:20:27 waterboy smtpd[18750]: SMTP HELO from localhost(127.0.0.1) as "dell"
Jul 15 10:20:28 waterboy smtpd[18750]: mail from
Jul 15 10:20:28 waterboy smtpd[18750]: Can not stat address check file /etc/smtpd_check_rules (No such file or directory)!
Jul 15 10:20:28 waterboy smtpd[18750]: Missing or empty address check file - Abandoning session

If you need any other info, just let me know.  Thanks,

Shelby

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #7 on: July 15, 2002, 08:00:05 PM »
That's what doesn't make sense.  The file smtpd_check_rules was the configuration file for ObtuseSMTPD, however, Obtuse was replaced in E-Smith 5.5 so the need to rely on that file doesn't exist.  Stunnel is nothing more than a SSL tunneling application so I'm confused as to why smtpd feels the need to check for that file.  Shelby, are the issues you are having with secure smtp or with smtp itself?

Nathan

Shelby Moore

Re: problem on SME 5.5 with SMTP over SSL
« Reply #8 on: July 15, 2002, 08:21:33 PM »
Well at least we can agree it doesn't seem to make sense.  I am sure the answer is there somewhere.

Yes, this is only for secure smtp; smtp on port 25 on the local LAN works great.  But set it to 465 and all the problems start.

Shelby

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #9 on: July 15, 2002, 09:03:55 PM »
Excellent, we have a common problem.  Can you please mail the contents of /etc/services to evilghost@stickit.nu?

I think I may be close to a solution.

Nathan

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #10 on: July 16, 2002, 12:16:04 AM »

Eric Belhomme

Re: problem on SME 5.5 with SMTP over SSL
« Reply #11 on: July 16, 2002, 12:40:54 AM »
I did the configuration... It's cleaner to use xinetd, but it doesn't change anything about my problem... I'm actually at home (on my LAN side) so smtp works fine, but with ssmtp I still get this:

Impossible d'envoyer le message car l'un des destinataires a été refusé par le serveur. L'adresse de messagerie refusée était 'eric.belhomme@free.fr'. Objet 'test 2', Compte : 'mail.ricospirit.net', Serveur : 'mail.ricospirit.net', Protocole : SMTP, Réponse du serveur : '421 Service not available, closing transmission channel', Port : 465, Sécurisé (SSL) : Oui, Erreur de serveur : 421, Numéro d'erreur : 0x800CCC79

Eric

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #12 on: July 16, 2002, 12:47:21 AM »
I think it has to do with the stunnel redirection with mailfront.  Monkey around with some of the mailfront settings.  Mailfront is about the most UNDOCUMENTED program I've ever seen, so I wish you luck.

Nathan

Eric Belhomme

Re: problem on SME 5.5 with SMTP over SSL
« Reply #13 on: July 16, 2002, 12:50:58 AM »
Many thanks for your wishes :))

Hope maybe somebody from SME staff will have time to look at this :-/ anyway I'll search when I get time...

Eric

Charlie Brady

Re: problem on SME 5.5 with SMTP over SSL
« Reply #14 on: July 16, 2002, 12:51:56 AM »
Nathan Fowler wrote:

> Mailfront is about the most UNDOCUMENTED program
> I've ever seen

Mailfront, or specifically smtpfront-qmail, is designed to be a drop-in replacement for qmail-smtpd, with a few additional features. Mailfront's documentation is sparse because qmail-smtpd documentation is almost 100% applicable.

Regards

Charlie

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #15 on: July 16, 2002, 12:53:23 AM »
Eric, I think I've isolated the problem, and Charlie, if you have this information available please provide it:

What command is used to invoke the smtpd daemon on SME 5.5?

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #16 on: July 16, 2002, 01:08:54 AM »
Charlie, are you calling /var/qmail/bin/qmail-smtpd  in SME 5.5?

Charlie Brady

Re: problem on SME 5.5 with SMTP over SSL
« Reply #17 on: July 16, 2002, 01:34:10 AM »
Nathan Fowler wrote:

> What command is used to invoke the smtpd daemon on SME 5.5?

/var/service/smtpfront-qmail/run

Charlie

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #18 on: July 16, 2002, 01:44:46 AM »
Thanks Charlie:

Ok, I think your solution guys is to replace this line:
/usr/sbin/stunnel -d smtps -l /usr/sbin/smtpd -n smtp

With:
/usr/sbin/stunnel -d smtps -l /var/service/smtpfront-qmail/run -n smtp

Please let me know if this works.  

Thanks,
Nathan

Charlie Brady

Re: problem on SME 5.5 with SMTP over SSL
« Reply #19 on: July 16, 2002, 02:03:27 AM »
Nathan Fowler wrote:

> Ok, I think your solution guys is to replace this line:
> /usr/sbin/stunnel -d smtps -l /usr/sbin/smtpd -n smtp
>
> With:
> /usr/sbin/stunnel -d smtps -l
> /var/service/smtpfront-qmail/run -n smtp
>
> Please let me know if this works.  

Nathan, I suggest that you look at /var/service/smtpfront-qmail/run before going any further. It's a "supervise" run script, and it runs tcpserver. IOW, it's used instead of xinetd, not as a script run from xinetd. Here is the script's content, FYI:

exec 2>&1
exec /usr/bin/env - \
     /usr/local/bin/envuidgid qmaild \
     /usr/local/bin/tcpserver\
   -U \
   -R \
   -x /etc/tcprules/tcp.smtp.cdb \
   -l 0 \
   0 smtp \
   /usr/local/bin/envdir ./env \
   /usr/bin/smtpfront-qmail

Charlie

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #20 on: July 16, 2002, 02:10:56 AM »
Yeah, I saw that and noticed that.  Keep in mind I don't run SME 5.5 so it's hard to diagnose and address issues to a box I'm not local with.  I was hoping you were providing me the path to the raw binary. :(

Shelby Moore was nice enough to give me root access to his box, hopefully I should get everything up and running pretty soon.  I'm leaving work now so it'll be later tonight until I have a chance to look at it again.

Nathan

Eric Belhomme

Re: problem on SME 5.5 with SMTP over SSL
« Reply #21 on: July 16, 2002, 02:39:02 AM »
I tried modifying /etc/xinetd.conf

and now OE says that

Votre serveur a mis fin à la connexion de manière inattendue. Les causes possibles peuvent être des problèmes au niveau du serveur ou du réseau, ou une trop longue période d'inactivité. Compte : 'mail.ricospirit.net', Serveur : 'mail.ricospirit.net', Protocole : SMTP, Port : 465, Sécurisé (SSL) : Oui, Numéro d'erreur : 0x800CCC0F
Le téléchargement des en-têtes du dossier 'Boîte de réception' n'est pas terminé. Votre serveur a mis fin à la connexion de manière inattendue. Les causes possibles peuvent être des problèmes au niveau du serveur ou du réseau, ou une trop longue période d'inactivité. Compte : 'mail.ricospirit.net', Serveur : 'mail.ricospirit.net', Protocole : IMAP, Réponse du serveur : '', Port : 993, Sécurisé (SSL) : Oui, Numéro d'erreur : 0x800CCC0F

and I get this on /var/log/messages
Jul 15 23:32:19 hole identd[3893]: Successful lookup: 1127 , 21 : daemon.daemon
Jul 15 23:32:24 hole xinetd[3898]: libwrap refused connection to imaps from 192.168.1.10
Jul 15 23:32:24 hole xinetd[3899]: libwrap refused connection to imaps from 192.168.1.10
Jul 15 23:32:25 hole xinetd[3902]: libwrap refused connection to ssmtp from 192.168.1.10
Jul 15 23:32:25 hole xinetd[3903]: libwrap refused connection to ssmtp from 192.168.1.10

I tried to undo changes, but it's still broken ! I logged into admin to do a re-configuration, with no success !

Now my MTA is TOTALLY BROKEN !!!

And of course I have no ideas to repair :(((

Eric, sad...

Eric Belhomme

Re: problem on SME 5.5 with SMTP over SSL
« Reply #22 on: July 16, 2002, 03:27:34 AM »
Ok, Bruno Garin gave me the solution on news:alt.e-smith.fr (Message-ID: )

Edit the file /services/smtpfront-qmail/run

Search the string :
0 smtp \

Replace it with :
0 smtp-backdoor \

Now you can restart qmail daemon :
service qmail restart

Bruno said it was a rights problem, with smtp rules which block... I don't know what (I really have to learn more about MTAs...)

Eric

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #23 on: July 16, 2002, 06:43:17 PM »
Eric, does this solution now work with stunnel using the syntax as described in the howto?

Nathan

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #24 on: July 16, 2002, 07:31:01 PM »
Ok, the stunnel SMTPS command you want to use is:

/usr/sbin/stunnel -N smtps -d 465 -l /usr/bin/smtpfront-qmail -n smtp

Ensure in /etc/hosts.allow you have:
smtps:ALL

This configuration will work for SME5.5/Mailfront, from the testing I was able to do.  Please let me know if this does/does not work for you.

Special thanks to Charlie, Eric, and Shelby for their help.

Nathan

Nathan Fowler

Re: problem on SME 5.5 with SMTP over SSL
« Reply #25 on: July 16, 2002, 07:57:54 PM »
Correction to above post:

/usr/sbin/stunnel -T -N smtps -d 465 -l /usr/bin/smtpfront-qmail -n smtp

You must use -T for transparent Proxying.

Nathan

Shelby Moore

Re: problem on SME 5.5 with SMTP over SSL
« Reply #26 on: July 16, 2002, 08:50:40 PM »
Just to keep you all up to date, Nathan has made a wonderful effort to get this to work, but so far no luck.  The previous mentioned method does not work.

Eric if you have this working now, more info and what HowTo you have used would be helpful.

Looks like I may be rebuilding my server back to SME 5.  Thanks All!

Shelby

Charlie Campbell

Re: problem on SME 5.5 with SMTP over SSL
« Reply #27 on: July 28, 2002, 11:51:07 AM »
ok so now the question is can someone make an updated HOWTO on this with the proper commands for SME 5.5? If so it would be greatly appreciated by those of us new to SME and those of us following this thread. thanks.

Charlie

Eric Belhomme

Re: problem on SME 5.5 with SMTP over SSL
« Reply #28 on: July 28, 2002, 02:59:04 PM »
Sorry, but I didn't find the answer :-( and at this time I really don't have time to search for it!
So I deactivated it and actually I use webmail over SSL :-\

Chris O'Donovan

Re: problem on SME 5.5 with SMTP over SSL
« Reply #29 on: July 29, 2002, 09:23:14 AM »
If you run SMTP over stunnel doesn't that mean that you are running an open relay?

The SMTP server sees the connections as coming from 127.0.0.1 and doesn't consider it a relay.

Sure the connection is SSL encrypted but can't anyone use it?

Chris
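
Added example (not part of the original thread or of SME Server's code): the relay concern raised in the post above, modelled as a tcprules lookup. It assumes the TLS wrapper forwards to the local SMTP port guarded by tcpserver -x, so the server sees 127.0.0.1; the rule sets, the 203.0.113.7 client and all function names are constructed for illustration.

```python
# Constructed rule sets in tcprules source format (address:instruction,VAR="value").
# They are NOT the rules shipped with SME 5.5.
SAMPLE_RULES = '''\
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
:allow
'''
# Variant in which loopback connections no longer inherit relay rights.
HARDENED_RULES = '''\
127.:allow
192.168.1.:allow,RELAYCLIENT=""
:allow
'''

def parse_rules(text):
    """Return {address_pattern: (action, env)}. Simplified parser: values
    containing commas and address ranges (1.2.3.4-7) are not handled."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, rest = line.partition(":")
        action, *assignments = rest.split(",")
        env = {}
        for item in assignments:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[pattern] = (action, env)
    return rules

def lookup(rules, remote_ip):
    """Most specific rule wins: full IP, then shorter dotted prefixes, then ''."""
    octets = remote_ip.split(".")
    candidates = [remote_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for pattern in candidates:
        if pattern in rules:
            return pattern, rules[pattern]
    return None, ("allow", {})  # no matching rule: allowed, environment unchanged

def may_relay(rules, ip_seen_by_server):
    """qmail-smtpd relays for any client whose environment has RELAYCLIENT set."""
    _, (action, env) = lookup(rules, ip_seen_by_server)
    return action == "allow" and "RELAYCLIENT" in env

def audit(rules, client_ip, tunnel_source="127.0.0.1"):
    """Same client, connecting directly and through a local TLS wrapper."""
    return {"direct": may_relay(rules, client_ip),
            "via_tunnel": may_relay(rules, tunnel_source)}

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(parse_rules(text), "203.0.113.7"))
```
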

Shelby Moore

Re: problem on SME 5.5 with SMTP over SSL
« Reply #30 on: July 29, 2002, 04:48:09 PM »
Charlie, as of this time I don't think anyone has a working solution.  In fact I was just getting ready to post the question how hard it is to go back to an older version of SME when a newer one is installed.

Shelby

Charlie

Re: problem on SME 5.5 with SMTP over SSL
« Reply #31 on: July 30, 2002, 08:27:45 AM »
I see. What would be a good version that smtp over ssl isn't broken in?

Charlie

Shelby Moore

Re: problem on SME 5.5 with SMTP over SSL
« Reply #32 on: August 12, 2002, 11:07:19 PM »
Well, I spent the weekend making the transition back to SME 5.1.2.  Overall the process went very well.  Everything was restored just about right.  I have to say I am pretty impressed with the backup / restore to desktop.  It would be nice to pick and choose what was restored, but hey it worked.  Email is back up and running! Ya!

Shelby

sqlerror

Re: problem on SME 5.5 with SMTP over SSL
« Reply #33 on: May 30, 2003, 05:39:06 AM »
Charlie, using avmailgate to scan incoming e-mails needs smtp-backdoor, which affects (your) the e-smith-mailfront-1.0.0-02rbl package in that mail passed through the antivir mailgate is delivered without being tested against any rbl server.

Any comments on having e-smith-mailfront working with antivirus backdoor?


Cheers,

Sqlerror