Sendmail on FreeBSD 14, gmail problem
b***@www.zefox.net
2024-04-15 16:45:34 UTC
I've got a FreeBSD 14 host running sendmail from packages that works perfectly
otherwise but can't be persuaded to communicate with gmail:
(reason: 550-5.7.26 This mail has been blocked because the sender is unauthenticated.)

I've tried to follow the directions in the Handbook, but they assume a self-hosting
configuration with /usr/src available and so require some actions not available and,
I think, unnecessary.

Sendmail presently reports
***@www:~ % sendmail -d0.1
Version 8.17.1
Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
PIPELINING SCANF STARTTLS TCPWRAPPERS TLS_EC TLS_VRFY_PER_CTX
USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = www
(canonical domain name) $j = www.zefox.net
(subdomain name) $m = zefox.net
(node name) $k = www.zefox.net
========================================================

Recipient names must be specified

The reference to TLS makes me think the binary already supports authentication.

/etc/make.conf contains
***@www:~ % more /etc/make.conf
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDADD=/usr/local/lib/libsasl2.so

/etc/mail/freebsd.mc contains
# more freebsd.mc
divert(-1)
dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
#
# Copyright (c) 1983 Eric P. Allman
# Copyright (c) 1988, 1993
.....

It looks like saslauthd is running:
# ps -aux | grep -i sas
root 76778 0.0 0.1 19708 1340 - Is 6Apr24 0:00.01 /usr/local/sbin/saslauthd -a pam
root 76779 0.0 0.1 19708 1332 - I 6Apr24 0:00.00 /usr/local/sbin/saslauthd -a pam
root 76780 0.0 0.1 19708 1332 - I 6Apr24 0:00.00 /usr/local/sbin/saslauthd -a pam
root 76781 0.0 0.1 19708 1332 - I 6Apr24 0:00.00 /usr/local/sbin/saslauthd -a pam
root 76782 0.0 0.1 19708 1332 - I 6Apr24 0:00.00 /usr/local/sbin/saslauthd -a pam
root 34044 0.0 0.2 12704 1928 0 S+ 09:41 0:00.01 grep -i sas

Is there a FreeBSD expert out there who can tell me what I've missed?

Thanks for reading,

bob prohaska
Mike Scott
2024-04-15 18:26:39 UTC
Post by b***@www.zefox.net
Is there a FreeBSD expert out there who can tell me what I've missed?
Certainly not me. Your config looks much like mine, and I see nothing in
mine that does anything unexpected. And mine happily sends to gmail.

But here's a *pure* hunch - is there an MX record for your server, and
is its EHLO/HELLO correct? Pure hunch, and 99% likely to be wrong, but
absent other ideas.......
--
Mike Scott
Harlow, England
John Levine
2024-04-15 18:31:17 UTC
Post by b***@www.zefox.net
I've got a FreeBSD 14 host running sendmail from packages that works perfectly
(reason: 550-5.7.26 This mail has been blocked because the sender is unauthenticated.)
Yup, that's a problem.
Post by b***@www.zefox.net
Is there a FreeBSD expert out there who can tell me what I've missed?
Not until you tell us what the domain name is so we can tell you what
you're doing wrong. Most likely your sendmail setup is fine, but your
SPF and DKIM configurations are missing or wrong.
--
Regards,
John Levine, ***@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
b***@www.zefox.net
2024-04-15 21:39:47 UTC
Post by John Levine
Post by b***@www.zefox.net
I've got a FreeBSD 14 host running sendmail from packages that works perfectly
(reason: 550-5.7.26 This mail has been blocked because the sender is unauthenticated.)
Yup, that's a problem.
Post by b***@www.zefox.net
Is there a FreeBSD expert out there who can tell me what I've missed?
Not until you tell us what the domain name is so we can tell you what
you're doing wrong. Most likely your sendmail setup is fine, but your
SPF and DKIM configurations are missing or wrong.
This hostname is www.zefox.net, which makes the domain zefox.net IIUC.
Nameservice is provided by ns1.zefox.net and ns2.zefox.net, also FreeBSD
hosts running bind9.18 from packages.

I never did set up MX records for any of my domains (zefox.net, zefox.com
and zefox.org) but it hasn't caused trouble up to now.

Thanks for writing!

bob prohaska
The Doctor
2024-04-15 22:14:21 UTC
Post by b***@www.zefox.net
Post by John Levine
Post by b***@www.zefox.net
I've got a FreeBSD 14 host running sendmail from packages that works perfectly
(reason: 550-5.7.26 This mail has been blocked because the sender is
unauthenticated.)
Post by John Levine
Yup, that's a problem.
Post by b***@www.zefox.net
Is there a FreeBSD expert out there who can tell me what I've missed?
Not until you tell us what the domain name is so we can tell you what
you're doing wrong. Most likely your sendmail setup is fine, but your
SPF and DKIM configurations are missing or wrong.
This hostname is www.zefox.net, which makes the domain zefox.net IIUC.
Nameservice is provided by ns1.zefox.net and ns2.zefox.net, also FreeBSD
hosts running bind9.18 from packages.
I never did set up MX records for any of my domains (zefox.net, zefox.com
and zefox.org) but it hasn't caused trouble up to now.
Thanks for writing!
bob prohaska
Adding the FreeBSD group.
--
Member - Liberal International This is ***@nk.ca Ici ***@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
John Levine
2024-04-16 01:41:05 UTC
Post by b***@www.zefox.net
I never did set up MX records for any of my domains (zefox.net, zefox.com
and zefox.org) but it hasn't caused trouble up to now.
Let's take a look.

$ dig zefox.net mx

;; ANSWER SECTION:
zefox.net. 85783 IN MX 0 www.zefox.net.zefox.net.

My goodness, that's wrong.

zefox.com and zefox.org have no MX or A record. I am sure I am not the only
person who's configured his MTA to reject mail from bogus domains to which it
can't reply.

Also, none of them have any TXT records, which mean none of them have SPF records.

Set up some valid MX and SPF records and your mail will work a lot better.

Assuming the mail server at www.zefox.net is the one you want to use,
it would be a good idea to use a real SSL certificate rather than a
self-signed one. I see there's a web server on port 80, so set up an
SSL web server on port 443 and you can use the same cert.

Note that this has nothing to do with FreeBSD. If you were running on linux
or SunOS you'd have the same problems.
--
Regards,
John Levine, ***@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
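A check for the two DNS findings in John Levine's reply above, as an added example that is not from the thread: it parses a BIND-style zone fragment (constructed here, assuming an "owner class type rdata" layout; not the poster's real zone) and flags an MX target that lost its trailing dot, which is how a name like www.zefox.net.zefox.net. comes about, plus the absence of an SPF TXT record.

```python
# Zone-file check for the two DNS problems in the thread: an MX target that lost
# its trailing dot (BIND then appends $ORIGIN) and a domain with no SPF record.
import shlex

# Constructed zone fragments (assumed, not the poster's real zone); the first
# reproduces the mistake visible in the dig output above.
BROKEN_ZONE = """\
$ORIGIN zefox.net.
@    IN A   192.0.2.10
www  IN A   192.0.2.10
@    IN MX  0 www.zefox.net
"""
FIXED_ZONE = """\
$ORIGIN zefox.net.
@    IN A   192.0.2.10
www  IN A   192.0.2.10
@    IN MX  0 www.zefox.net.
@    IN TXT "v=spf1 mx a -all"
"""

def qualify(name, origin):
    """Absolute name as BIND sees it: '@' is the origin, a trailing dot means
    already absolute, anything else gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (origin, [(absolute_owner, rtype, rdata_tokens), ...])."""
    origin, records = ".", []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        tokens = shlex.split(line)              # keeps the quoted TXT string whole
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        owner, rtype, rdata = tokens[0], tokens[2], tokens[3:]
        records.append((qualify(owner, origin), rtype, rdata))
    return origin, records

def audit(text):
    """Return a list of findings; an empty list means the zone passes both checks."""
    origin, records = parse_zone(text)
    base = origin.rstrip(".")
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "MX" and qualify(rdata[1], origin).endswith(f"{base}.{base}."):
            findings.append(f"MX target {qualify(rdata[1], origin)} has the origin "
                            "appended twice: missing trailing dot in the zone file")
    if not any(o == origin and t == "TXT" and r[0].startswith("v=spf1")
               for o, t, r in records):
        findings.append(f"{origin} has no SPF TXT record")
    return findings
```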
Grant Taylor
2024-04-16 00:22:14 UTC
Post by b***@www.zefox.net
I've got a FreeBSD 14 host running sendmail from packages that works
I think that Gmail, or rather Gmail's new (February this year)
requirements are the problem.
Post by b***@www.zefox.net
(reason: 550-5.7.26 This mail has been blocked because the sender is unauthenticated.)
Gmail is now requiring authentication to accept email. That can take
the form of SPF and / or DKIM for the sending domain.

I don't see TXT records used by SPF for zefox.net nor www.zefox.net. So
you would need to use DKIM. I don't see any DKIM (milter) configuration
in the snippet of freebsd.mc.

As such I would expect that Gmail would reject messages from
<anything>@zefox.net or <anything>@www.zefox.net

I'll bet you dollars to doughnuts that there's nothing technically wrong
with your Sendmail configuration. Save for the lack of DKIM or
supporting SPF records.
--
Grant. . . .
Marco Moock
2024-04-16 06:54:14 UTC
Post by b***@www.zefox.net
(reason: 550-5.7.26 This mail has been blocked because the sender is unauthenticated.)
As a low volume sender, you need at least SPF or DKIM (you can do both)
for your domain.
SPF is a simple DNS TXT record, DKIM also needs a milter (e.g. opendkim)
that signs the message.

Setting that up is easy, ask if you have questions.
--
kind regards
Marco

Send spam to ***@cartoonies.org
b***@www.zefox.net
2024-04-17 02:32:03 UTC
Post by Marco Moock
Post by b***@www.zefox.net
(reason: 550-5.7.26 This mail has been blocked because the sender is unauthenticated.)
As a low volume sender, you need at least SPF or DKIM (you can do both)
for your domain.
SPF is a simple DNS TXT record, DKIM also needs a milter (e.g. opendkim)
that signs the message.
Setting that up is easy, ask if you have questions.
I think I've got the typo in the MX record fixed, but clearly
there's a lot more to be learned. It seems like maybe getting
https working with apache24 might be an easier place to start.

Thanks to all who replied, it's time to start reading.....

bob prohaska
John Levine
2024-04-17 02:57:34 UTC
Post by b***@www.zefox.net
I think I've got the typo in the MX record fixed, but clearly
there's a lot more to be learned. It seems like maybe getting
https working with apache24 might be an easier place to start.
That's pretty easy if you use certbot. But of course now we're
a long way from sendmail.
--
Regards,
John Levine, ***@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
Grant Taylor
2024-04-17 03:45:05 UTC
Post by John Levine
That's pretty easy if you use certbot. But of course now we're
a long way from sendmail.
That depends, are we talking about using certbot (et al.) to get a TLS
certificate to put into Sendmail? }:-)

Aside: I'm a fan of acme.sh (https://github.com/acmesh-official/acme.sh).

P.S. It helps if I hit follow-up instead of reply. Maybe I should sign
off for the night.
--
Grant. . . .
Marco Moock
2024-04-17 07:40:18 UTC
Post by Grant Taylor
That depends, are we talking about using certbot (et al.) to get a
TLS certificate to put into Sendmail? }:-)
The only thing is to trigger a sendmail reload. certbot provides such a
mechanism.
--
kind regards
Marco

Send spam to ***@cartoonies.org
Grant Taylor
2024-04-17 14:08:38 UTC
Post by Marco Moock
The only thing is to trigger a sendmail reload. certbot provides such
a mechanism.
I've never had any problems reloading sendmail using acme.sh.

I simply call my standard OS init script / service command to cause
Sendmail to be reloaded using the same thing that is calling acme.sh.
Namely a script that does multiple other things in addition to calling
acme.sh. I don't need yet another feature in acme.sh.

Unix philosophy: Do one thing and do it well. In this case, acme.sh
manages the certificate file. Other parts of the system manage things
that use the certificate file.
--
Grant. . . .
b***@www.zefox.net
2024-04-18 01:39:11 UTC
Post by John Levine
Post by b***@www.zefox.net
I think I've got the typo in the MX record fixed, but clearly
there's a lot more to be learned. It seems like maybe getting
https working with apache24 might be an easier place to start.
That's pretty easy if you use certbot. But of course now we're
a long way from sendmail.
Pulling the conversation back to sendmail, if I get apache24 to
accept and work with https connections have I laid a reasonable
foundation to let sendmail authenticate with gmail?

Thanks for writing!

bob prohaska
Grant Taylor
2024-04-18 03:27:27 UTC
Pulling the conversation back to sendmail, if I get apache24 to accept
and work with https connections have I laid a reasonable foundation
to let sendmail authenticate with gmail?
While both Apache and Sendmail use the same underlying TLS libraries;
oft OpenSSL, sometimes an alternative, what they do with it and how they
make use of them are separate.

About the only thing that Apache will bring to the email party is
infrastructure to host the policy file for MTA-STS.

You can use the same certificate file and key for both Apache and Sendmail.

"authenticate with gmail" means a couple of different things to me in 2024:

1) Requirements for senders to be /authenticated/; e.g. SPF and / or DKIM.
2) OAuth 2.0 authentication to send relay email to the world via Gmail.
Read: use Gmail as a smart host in Sendmail parlance.

Which of these are you asking about?

1.SPF is easy to do with TXT records in DNS.

1.DKIM is a bit more complicated and requires a milter to sign outgoing
messages as well as various DNS records to support DKIM.

2 is another critter entirely. I am not aware of a recipe to make this
work. I feel certain that there is one and I'm just unaware of it. I
can see some plumbing to create a new mailer that does the OAuth w/
Gmail and sends messages. I know how to add mailers to Sendmail, but I
have no idea what such a mailer would look like.

I've heard about people using -- what I think -- are called application
passwords with Gmail to make non-OAuth aware software work with Gmail.
Maybe this will allow Sendmail to use Gmail as a smart host using
authentication using the App Password.

I've read that app passwords are still a thing but require multi-factor
to be enabled to get access to them.

I could also be a decade behind the times when it comes to OAuth.
Thanks for writing!
:-)
--
Grant. . . .
b***@www.zefox.net
2024-04-18 04:47:41 UTC
Post by Grant Taylor
Pulling the conversation back to sendmail, if I get apache24 to accept
and work with https connections have I laid a reasonable foundation
to let sendmail authenticate with gmail?
While both Apache and Sendmail use the same underlying TLS libraries;
oft OpenSSL, sometimes an alternative, what they do with it and how they
make use of them are separate.
About the only thing that Apache will bring to the email party is
infrastructure to host the policy file for MTA-STS.
You can use the same certificate file and key for both Apache and Sendmail.
That suggests that getting apache working https will complete a necessary,
if not sufficient, step toward authentication using sendmail. For my
purposes that's a worthwhile step. If the certificate can be the one
already used for ssh, that's a bit of gravy.
Post by Grant Taylor
1) Requirements for senders to be /authenticated/; e.g. SPF and / or DKIM.
2) OAuth 2.0 authentication to send relay email to the world via Gmail.
Read: use Gmail as a smart host in Sendmail parlance.
Which of these are you asking about?
I simply want to reply, as an individual, to email received from a gmail
account.
Post by Grant Taylor
1.SPF is easy to do with TXT records in DNS.
1.DKIM is a bit more complicated and requires a milter to sign outgoing
messages as well as various DNS records to support DKIM.
Hopefully SPF will be enough to get gmail to accept my replies
Post by Grant Taylor
2 is another critter entirely. I am not aware of a recipe to make this
work. I feel certain that there is one and I'm just unaware of it. I
can see some plumbing to create a new mailer that does the OAuth w/
Gmail and sends messages. I know how to add mailers to Sendmail, but I
have no idea what such a mailer would look like.
I've heard about people using -- what I think -- are called application
passwords with Gmail to make non-OAuth aware software work with Gmail.
Maybe this will allow Sendmail to use Gmail as a smart host using
authentication using the App Password.
I've read that app passwords are still a thing but require multi-factor
to be enabled to get access to them.
I could also be a decade behind the times when it comes to OAuth.
I fear you're giving me far more credit than I deserve! OAuth is
unknown to me.

Thanks for helping me find my bearings! I'm still kinda lost, but
am forming an inkling which way is up.

bob prohaska
Grant Taylor
2024-04-18 18:10:05 UTC
Post by b***@www.zefox.net
That suggests that getting apache working https will complete a
necessary, if not sufficient, step toward authentication using
sendmail. For my purposes that's a worthwhile step.
Getting Apache to support HTTPS just to re-use the TLS certificate is
about the same as getting OpenLDAP to support LDAPS to re-use the TLS
certificate.

It's relatively easy to get a working TLS certificate without touching
Apache or OpenLDAP.
Post by b***@www.zefox.net
If the certificate can be the one already used for ssh, that's a bit
of gravy.
No, TLS (a.k.a. X.509) certificates are different than SSH certificates.

N.B. SSH certificates are different than SSH keys.
Post by b***@www.zefox.net
I simply want to reply, as an individual, to email received from a gmail
account.
I think you want to look at SPF as it's probably all that is required in
your use case.

You might want to explore DKIM.
Post by b***@www.zefox.net
Hopefully SPF will be enough to get gmail to accept my replies
Yes, I believe it will be.
Post by b***@www.zefox.net
I fear you're giving me far more credit than I deserve! OAuth is
unknown to me.
I know of OAuth and have read about / listened to podcasts on it a
number of times. But I've not used it much at all. I have minimal
interaction with providers that require it.

N.B. OAuth isn't needed to send email to, much less receive email from,
Gmail.
Post by b***@www.zefox.net
Thanks for helping me find my bearings! I'm still kinda lost, but
am forming an inkling which way is up.
You're welcome.
--
Grant. . . .