Authentication without encryption is just a way to give away your login credentials to anyone who might be snooping your network traffic. Most ISPs today recognize that this is a bad idea.
So, you will probably have to make sure your sendmail will attempt encrypted connections whenever the remote server will support them.
You can verify this requirement by doing some simple tests. First, use telnet to open a plain unencrypted connection to the mail server's SMTP port:
[root@yumSRV ~]# telnet your-mailserver 25
The response should include a line like this:
220 <mail.server.full.name> ESMTP <mail_server_software_info>
You should type a response like this (replace <yumSRV.full.name> with the actual fully-qualified DNS hostname of your yumSRV host):
EHLO <yumSRV.full.name>
The next response is the important one. It will probably include multiple lines, each starting with result code "250".
For each line except the last one, the result code will have a minus sign after it; for the last line, there will be a space character instead. After that, each line will have some keywords. If authentication is supported (without encryption), there will be a line with the "AUTH" keyword and the list of supported authentication types. For example, this line indicates that DIGEST-MD5 and CRAM-MD5 authentication types are supported:
250-AUTH DIGEST-MD5 CRAM-MD5
If there is no line with the AUTH keyword, but instead a line like this:
250-STARTTLS
then the mail server supports TLS encryption and probably will not allow any (or only a very limited set of) authentication options unless an encrypted session is established first.
Type "quit" and press Enter to end the connection to the mail server.
With the OpenSSL command line tools, you can actually test an encrypted connection too.
Instead of using the telnet command, run this command:
[root@yumSRV ~]# openssl s_client -connect your-mailserver:25 -starttls smtp
Now, you'll first get a lot of SSL/TLS information from OpenSSL, and then a response from the mail server. The mail server's response will probably be prefixed with the result code "250", and it might be shorter than with the telnet test.
When I tried this with my mail server, the response was just:
250 DSN
You should again type a response like this:
EHLO <yumSRV.full.name>
Again, the mail server will output a multi-line response. If the response now includes a line with the AUTH keyword, you have confirmed that the server will only accept authentication if encryption is used too.
Example: when an encrypted connection is used, my mail server will accept a wider variety of authentication types:
250 DSN
ehlo my.full.hostname
250-mail.server.full.hostname
250-PIPELINING
250-SIZE 102400000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
If you get an error message from OpenSSL when trying to establish an encrypted connection, it might mean that the mail server requires your host to have an SSL certificate too. Please post the error message for further analysis in that case.
If the unencrypted EHLO response from the mail server does not include the STARTTLS keyword, then the mail server will not accept encrypted connections on port 25; another port should be used instead for encrypted connections. You can try port 465 (the port for SSL-encrypted SMTP connections) instead. Note that the -starttls option should not be used here:
# openssl s_client -connect your-mailserver:465
[... information about the SSL certificate...]
220 <mail-server.full.name> ESMTP <mail-server-software-info>
ehlo <my.host.full.name>
250-<mail-server.full.name>
250-PIPELINING
250-SIZE 102400000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
Or if connections to port 465 are refused, you can try connecting to port 587. Like port 25, traffic to port 587 can be plaintext or encrypted, and the available authentication types can depend on whether encryption is used or not. The protocol is basically identical to SMTP on port 25, so use commands like these to establish a connection and then proceed as with port 25:
[root@yumSRV ~]# telnet your-mailserver 587
or
[root@yumSRV ~]# openssl s_client -connect your-mailserver:587 -starttls smtp
You should attempt to find out:
- which port(s) are available for SMTP traffic on your mail server: just 25, or maybe 465 and/or 587 too?
- does the mail server require encryption before allowing authentication on ports 25 or 587? (port 465 will always require encryption)
- which authentication type(s) are supported by the mail server?
- is certificate-based authentication required by the mail server? (unlikely but possible)
Once you know these things, it will be much easier to suggest the necessary configuration changes.
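The check described in the post, as an added example that is not part of the original reply: a small Python script that parses EHLO replies (constructed samples modelled on the transcript above) and classifies whether the server offers AUTH only after STARTTLS; the probe() function repeats the telnet/openssl test against a live host using the standard smtplib module. The host, port and client hostname "yumSRV.example" are placeholders you would replace with your own values.

```python
import smtplib
import ssl
from typing import Optional

# Constructed sample replies modelled on the post's transcript (not real servers).
PLAIN_REPLY = """250-mail.example.test
250-PIPELINING
250-SIZE 102400000
250-STARTTLS
250 DSN"""
TLS_REPLY = """250-mail.example.test
250-PIPELINING
250-SIZE 102400000
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250 DSN"""

def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line 250 reply into {KEYWORD: [parameters]}."""
    caps = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip().startswith("250")]
    for line in lines[1:]:        # lines[0] is "250-<server name>", not a keyword
        parts = line[4:].split()  # drop "250-" (more lines follow) or "250 " (last line)
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps

def classify(plain: dict, after_tls: Optional[dict]) -> str:
    """Summarise what the plaintext and post-STARTTLS EHLO replies say about AUTH."""
    if plain.get("AUTH"):
        return "auth-in-clear"       # credentials could be sent unencrypted
    if "STARTTLS" not in plain:
        return "no-starttls"         # try port 465 or 587 instead
    if after_tls is not None and "AUTH" in after_tls:
        return "auth-requires-tls"   # AUTH offered only inside TLS
    return "starttls-only"           # TLS offered, AUTH not seen (yet)

def probe(host: str, port: int = 25, client: str = "yumSRV.example") -> tuple:
    """Live version of the telnet/openssl test (needs network; placeholder names)."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo(client)
        plain = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
        after_tls = None
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo(client)           # smtplib clears esmtp_features on STARTTLS
            after_tls = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
    return plain, after_tls
```

Calling classify(*probe("your-mailserver")) returns "auth-requires-tls" for the posture the post describes as desirable, and "auth-in-clear" when AUTH is already offered before encryption.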