From: Mikhail Teterin
Organization: Virtual Estates, Inc.
To: questions@FreeBSD.org, net@FreeBSD.org
Subject: sendmail and SSL-based relaying
Date: Mon, 3 Feb 2003 17:55:37 -0500
Message-Id: <200302031755.37824.mi+mx@aldan.algebra.com>

Hello!

I set things up once some time ago for one of my machines to relay e-mail from another -- based on the SSL certificate presented. I'm my own issuer. The setup was working for a while, but broke recently -- the relay-to-be now rejects relaying, even though it verifies the certificate OK.

Here are the relevant log messages:

Feb 3 17:36:57 aldan sm-mta[6650]: STARTTLS=server, relay=centurion@corbulon.video-collage.com [64.35.99.179], version=TLSv1/SSLv3, verify=OK, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168
Feb 3 17:36:57 aldan sm-mta[6650]: STARTTLS=server, cert-subject=/C=US/ST=Massachusetts/L=Jamaica+20Plain/O=Video+20Collage,+20Inc./OU=Mail+20Server/CN=corbulon.video-collage.com/emailAddress=m, cert-issuer=/C=US/ST=Massachusetts/L=Jamaica+20Plain/O=Video+20Collage,+20Inc./OU=SSL+20Certificate+20Authority/CN=Video+20Collage+20CA/emai
[...]
Feb 3 17:49:24 aldan sm-mta[6699]: h13MnNBO006699: <-- RCPT To:
Feb 3 17:49:24 aldan sm-mta[6699]: h13MnNBO006699: --- 550 5.7.1 ... Relaying denied

The (my own) authority's certificate did not change in months, and neither did the /etc/mail/access. What changed was the sendmail's version on both ends (sendmail-tls-8.12.7_2 on the sender, and 8.12.6 on the relay) and the .cf files, which were re-made from the old .mc ones.

Any clues? Thanks!

	-mi