Re: Sendmail and TLS, was: Re: Using dma for external incoming mail
- In reply to: bob prohaska : "Sendmail and TLS, was: Re: Using dma for external incoming mail"
Date: Sat, 13 Jul 2024 17:15:07 UTC
On 2024-07-13 09:33, bob prohaska wrote:
> On Wed, Jul 10, 2024 at 12:40:31PM -0400, TIM KELLERS wrote:
>> On 7/10/24 11:49 AM, Miroslav Lachman wrote:
>>>
>> [snip]
>>> So I think it is very easy to be blocked by Gmail. It is not about
>>> domain, but by the IP of the server I think.
>>>
>>
>> Miroslav is correct. I have 2 domains hosted by Digital Ocean and one
>> falls into an address range that Gmail rejects and another that Gmail accepts.
>>
>> mxtoolbox.com will check and alert you if your sending domain has any
>> blacklist flags attached to it. UCEPROTECTL3 and UCEPROTECTL2 are the most
>> common and they come from using a non-compliant host.
>
> That was informative. No blacklist, but my mx record is somehow wrong.
> The intent was to direct any mail for *.zefox.net to host www.zefox.net.
> That seems to be considered an error. Once that is fixed, I'll do the same
> for zefox.com and zefox.org

Have a look at:
local-host-names, mailertable && virtusertable

local-host-names: host/domain(s) I exchange mail for
mailertable: who MX is for fe;
zefox.net    esmtp:[www.zefox.net]
zefox.org    esmtp:[www.zefox.net]
zefox.com    esmtp:[www.zefox.net]
meaning... www.zefox.net is the MX for zefox.(org|net|com)
virtusertable: is a bit of a routing table. somewhat akin to aliases.

>>
>> You also have to be careful about using a DHCP address. Gmail may flag
>> email you send even if it is Smarthosted through a compliant static IP
>> mailserver if it detects that the originating address is DHCP.
>>
> All addresses are static, no DHCP.
>
>> Gmail likes to deliver mail from one of my servers to their Junk/Spam
>> folder, another of my servers gets email delivered fine.
>>
> I'd be delighted to get that far 8-)
>
>> I've been through a lot of trial and error making gmail happy.
>>
>
>> These current sendmail features I'm using (updated 2 days ago) seem to do
>> the trick the best:
>> # sendmail -d0.1 -bv root | grep SASL
>> PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS TLS_EC
>
> Something different in my case, no SASL in the output. Instead:
> bob@pelorus:~ % sendmail -d0.1 -bv root
> Version 8.18.1
>  Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
>                 MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
>                 PIPELINING SCANF STARTTLS TCPWRAPPERS TLS_EC TLS_VRFY_PER_CTX
>                 USERDB XDEBUG
>
> ============ SYSTEM IDENTITY (after readcf) ============
>       (short domain name) $w = pelorus
>   (canonical domain name) $j = pelorus.zefox.org
>          (subdomain name) $m = zefox.org
>               (node name) $k = pelorus.zefox.org
> ========================================================

These are what sendmail sees on your local box. So it assumes its short
(host) name is pelorus, domain name is zefox.org && full name is
pelorus.zefox.org. IOW mailertable might read:
zefox.org    esmtp:[pelorus.zefox.org]
zefox.net    esmtp:[pelorus.zefox.org]
zefox.com    esmtp:[pelorus.zefox.org]
You're not restricted to that. But that's what sendmail assumes -- that
pelorus.zefox.org is the most likely candidate for MX. I've been using
sendmail for some ~163 domains for ~3 decades. Feel free to contact me off
list if you want.

>
> Notice: -bv may give misleading output for non-privileged user
> bob@www.zefox.net... deliverable: mailer esmtp, host www.zefox.net., user
> bob@www.zefox.net
>
> STARTTLS is present, but no SASLv2. Does it matter? I'm baffled where the
> reference to bob@www.zefox.net came from, unless it's the MX record.
>
> In the meantime I found a very old "cookbook" for TLS and sendmail at
> https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html
> Is it hopelessly out of date? Certificate and key generation seem
> particularly obscure.
>
> The plan is to test on pelorus.zefox.org, when TLS works rename the
> host to www.zefox.net after migrating user files. I'm guessing this
> will require a repeat of sendmail/TLS configuration. Is that right?
>
> It's been suggested elsewhere that postfix is a better MTA these days.
> I've no deep preference for sendmail, might postfix be easier, or at
> least more accessibly documented?

I swear by sendmail. m4(1) seems to scare some away. But honestly, on
FreeBSD, you almost need to do nothing to get a fully functioning MX.
Once you're done, you won't likely need to touch a config again.
Sendmail has a l-o-n-g lineage, and as a result, massive amounts of
documentation and tips and tricks posted by users over the years.

>
> Thank you very much!
>
> bob prohaska

--
--Chris Hutchinson
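The local-host-names and mailertable setup Chris describes, as an added example that is not from the thread: it stages the two map files in a scratch directory, checks the mailertable syntax before the maps are built, and notes the .mc features and the FreeBSD make targets that turn the text files into .db maps. The STAGE directory and the check_mailertable helper are assumptions; the zefox.* names come from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: stage the two sendmail map files
# Chris describes and sanity-check the mailertable before building it.
# STAGE is a scratch directory (assumption) so nothing under /etc/mail is
# touched; the zefox.* names and www.zefox.net come from the thread.
STAGE="${STAGE:-$(mktemp -d)}"

write_maps() {
  # local-host-names: domains this host accepts mail for as local
  # (read via FEATURE(use_cw_file)).
  printf '%s\n' zefox.net zefox.org zefox.com > "$STAGE/local-host-names"
  # mailertable: "domain<tab>mailer:host", how mail for that domain is routed.
  # Square brackets tell sendmail to skip the MX lookup for the host.
  printf '%s\t%s\n' \
    zefox.net 'esmtp:[www.zefox.net]' \
    zefox.org 'esmtp:[www.zefox.net]' \
    zefox.com 'esmtp:[www.zefox.net]' > "$STAGE/mailertable"
}

# check_mailertable FILE: prints the number of usable entries and exits
# non-zero if any non-comment line is not "domain mailer:host".
check_mailertable() {
  awk '
    /^[ \t]*(#|$)/              { next }           # blank or comment
    NF != 2 || $2 !~ /^[a-z]+:/ { bad++; next }    # malformed entry
                                { ok++ }
    END { print ok + 0; exit (bad > 0) }
  ' "$1"
}

# The .mc must enable both features (FreeBSD's stock freebsd.mc does):
#   FEATURE(`use_cw_file')
#   FEATURE(`mailertable', `hash -o /etc/mail/mailertable')
# Then, as root on the real box, install the files and rebuild the maps:
#   cp "$STAGE"/local-host-names "$STAGE"/mailertable /etc/mail/
#   cd /etc/mail && make maps && make restart   # makemap builds mailertable.db
write_maps
check_mailertable "$STAGE/mailertable"
```

The check only catches malformed lines; whether zefox.net is treated as local or routed through the mailertable still depends on which file the domain is listed in.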