Unable to send emails via relay SMTP after replacing vCenter certificates
Article ID: 419549
Updated On:
Products
Issue/Introduction
Logs show errors similar to the excerpts below:
/var/log/vmware/messagesyyyy-mm-ddThh:mm:ss.zzz+00:00 <vc_fqdn> sudo: vpxd : PWD=/storage/log/vmware/vpxd ; USER=root ; COMMAND=/bin/sudo_command_wrapper.sh /usr/sbin/sendmail -tf <email_adddress> yyyy-mm-ddThh:mm:ss.zzz+00:00 <vc_fqdn> sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1014) yyyy-mm-ddThh:mm:ss.zzz+00:00 <vc_fqdn> sendmail[2565374]: <service_account>: from=<email_adddress>, size=931, class=0, nrcpts=1, msgid=<202510081325.<service_account>@<vc_fqdn>.<domain>>, relay=root@localhost yyyy-mm-ddThh:mm:ss.zzz+00:00 <vc_fqdn> sendmail[2565374]: STARTTLS=client, relay=<relay>., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256 yyyy-mm-ddThh:mm:ss.zzz+00:00 <vc_fqdn> sendmail[2565374]: <service_account>: to=<email_adddress>, ctladdr=<email_adddress> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30931, relay=<relay>. [<ip_address>], dsn=5.7.1, reply=554 5.7.1 <<email_adddress>>: Relay access denied, stat=Service unavailable yyyy-mm-ddThh:mm:ss.zzz+00:00 <vc_fqdn> sendmail[2565374]: <service_account>: 598DPpuV2565374: DSN: Service unavailable yyyy-mm-ddThh:mm:ss.zzz+00:00 <vc_fqdn> sendmail[2565374]: ###############: to=<email_adddress>, delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=31955, relay=<relay>. [<ip_address>], dsn=5.7.1, reply=554 5.7.1 <<email_adddress>>: Relay access denied, stat=Service unavailable yyyy-mm-ddThh:mm:ss.zzz+00:00 <vc_fqdn> sendmail[2565374]: ###############: 598DPpuW2565374: return to sender: Service unavailable
Environment
VMware vCenter Server 8.x
Cause
This is a know issue affecting vCenter 8.x causing STARTTLS to not work correctly.
Issue occurs because the system certificates sendmail is configured to use are not properly updated in /etc/applmgmt/sendmail/
Resolution
The issue is resolved in vCenter 9.x.
Workaround:
- Take a snapshot of the vCenter Virtual machine. If the environment is in ELM topology check KB313886
- SSH to vCenter as root user.
- Create necessary folders and certificates by executing the following commands:
mkdir -p /etc/applmgmt/sendmailcp -L /etc/vmware/vmware-vmafd/ca.crt /etc/applmgmt/sendmail/ca.pemcp -L /etc/vmware/vmware-vmafd/machine-ssl.crt /etc/applmgmt/sendmail/server.cert.pemcp -L /etc/vmware/vmware-vmafd/machine-ssl.key /etc/applmgmt/sendmail/server.key.pemchown -R root:root /etc/applmgmt/sendmailchmod 600 /etc/applmgmt/sendmail/server.cert.pemchmod 600 /etc/applmgmt/sendmail/server.key.pemchmod 644 /etc/applmgmt/sendmail/ca.pem - Update the
sendmail.mcfile using the template below:
####################################################################### /etc/mail/sendmail.cf########################################################################divert(-1)include(`/etc/mail/m4/cf.m4')divert(0)dnlVERSIONID(`@(#)Setup for Generic Linux')dnlOSTYPE(`linux')dnldefine(`confPRIVACY_FLAGS', `noexpn,novrfy')dnldefine(`confLOG_LEVEL', `98')dnldefine(`SMART_HOST', `[<server>]')dnldefine(`RELAY_MAILER_ARGS', `TCP $h <port>')dnldefine(`ESMTP_MAILER_ARGS', `TCP $h <port>')dnl# certs for STARTTLSdefine(`confCACERT_PATH', `/etc/applmgmt/sendmail')dnldefine(`confCACERT', `/etc/applmgmt/sendmail/ca.pem')dnldefine(`confSERVER_CERT', `/etc/applmgmt/sendmail/server.cert.pem')dnldefine(`confSERVER_KEY', `/etc/applmgmt/sendmail/server.key.pem')dnldefine(`confCLIENT_CERT', `/etc/applmgmt/sendmail/server.cert.pem')dnldefine(`confCLIENT_KEY', `/etc/applmgmt/sendmail/server.key.pem')dnlLOCAL_CONFIGO CipherSuites=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256O CipherList=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:AES256-SHA:AES128-SHAO ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1FEATURE(`authinfo', `cdb /etc/mail/auth/auth-info')dnldefine(`confAUTH_MECHANISMS', `login,plain')dnlTRUST_AUTH_MECH(`login,plain')dnlFEATURE(`no_default_msa')dnlFEATURE(`accept_unresolvable_domains')dnlFEATURE(`always_add_domain')dnlFEATURE(`generics_entire_domain')dnlGENERICS_DOMAIN_FILE(`-o /etc/mail/local-host-names')dnlDOMAIN(`generic')dnlMAILER(`local')dnlMAILER(`smtp')dnlMAILER(`procmail')dnlMAILER(`uucp')dnl - Make sure to update in the above the fields
<server>
with actual smtp server<port>
with actual port number
The auth mechanism
Currently the default islogin,plain
sendmail supports the following methods:plain,login,gssapi,digest-md5,cram-md5
If you need to change the method make the necessary changes in these 2 lines in the template:define(`confAUTH_MECHANISMS', `login,plain')dnl
andTRUST_AUTH_MECH(`login,plain')dnl - Save this file as
/etc/mail/sendmail.mc -
Verify the details in authinfo. Make sure that the auth info file
`/etc/mail/auth/auth-info`contains the appropriate login credentials. Then generate theauth-info.cdbfile using below command:/usr/sbin/makemap cdb /etc/mail/auth/auth-info.cdb < /etc/mail/auth/auth-info -
Rebuild the sendmail.cf file:
/usr/bin/m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf -
Restart the sendmail
/usr/bin/systemctl restart sendmail -
Trigger the mail:
TO=<TO_ADDRESS> FROM=<FROM_ADDRESS>; /usr/sbin/sendmail -i -v -Am -d -tf $FROM > /var/log/vmware/sendmail_$(date '+%FT%T%:z').log -- $TO <<ENDFROM: $FROMSubject: Sendmail Delivery Test Using Relay ServerTo: $TODelivery test [$(date '+%FT%T%:z')].ENDNote: Change the fields
<TO_ADDRESS>and<FROM_ADDRESS>to appropriate strings.
Feedback
