Relaying Sendmail via SSL

This howto will hopefully get sendmail relaying to an SMTP SSL enabled server, but the same technique should also serve for other purposes. Note that this article assumes that you already know how to set up sendmail with a SMART_HOST. A little background info: My ISP was taken over by Virgin Media, and their SMTP server uses SSL on port 465. Nothing wrong with that for most email clients like Claws Mail, Thunderbird and the like that handle sending themselves. With mutt and other clients that need a separate MTA we need to get sendmail to relay to it, and that's where the problem is, because sendmail doesn't support SSL with SMART_HOST and will hang waiting for the client greeting. (Note that mutt now supports sending itself, and there are alternative applications like msmtp that mutt can use.) You may notice if you just try to telnet to port 465 you will get disconnected just by issuing a EHLO. Trying the normal port (25) will just hang indefinitely. To deal with this problem we need to create an SSL tunnel to the server and have sendmail relay through it. The application that I will use to do that is stunnel which is installed by default in Slackware - it just needs some setting up. Note that the commands outlined here need to be run as root, apart from any 'telnet' commands.


Stunnel has two modes - server and client. We will use it as a client and create what is in effect a proxy to VM's SMTP server. Create a simple config file for stunnel:
cat /etc/stunnel/virgin.conf
client = yes
accept = 2525
connect =
relay-domain is going to be our stunnel hostname defined in /etc/hosts. I'm just running it locally and I'm using for the IP. It's not necessary to edit the hosts file if you use 'localhost' instead of 'relay-domain' in the following steps. You can also have it running on a different box using its LAN IP (e.g. so that it's accessible from other machines on the LAN. 2525 will be the port that it runs on. My hosts file looks like this:
cat /etc/hosts
..  snip .. localhost relay-domain
..  snip ..
Now run stunnel with some flags:
stunnel /etc/stunnel/virgin.conf -c -d relay-domain:2525
You should now be able to telnet in via stunnel and get the proper SMTP response (the commands I type are in red):
telnet relay-domain 2525
Connected to relay-domain.
Escape character is '^]'.
220 know-smtprelay-11-imp cmsmtp ESMTP server ready
EHLO junius
250-know-smtprelay-11-imp hello [(my IP address)], pleased to meet you
250-SIZE 52000000
250 OK
221 2.0.0 know-smtprelay-11-imp cmsmtp closing connection
Connection closed by foreign host.
Success :-) Note: When I first wrote this articicle rerouted to, but this no longer seems to be the case.


BEFORE creating the new sendmail config files, *BACKUP* and in /etc/mail First we need to make an authinfo.db with our Virgin login info for relay-domain.:
cd /etc/mail
mkdir auth
chmod 700 auth
cd auth
Now make the file 'authinfo' if it doesn't already exist and add some credentials: "I:" \
  "U:root" "P:pass" "M:PLAIN" "I:" \
  "U:root" "P:pass" "M:PLAIN"
(Put these on one line each) Change '' and 'pass' to your SMTP login details. Notice I have used the full hostname of the machine hosting stunnel here ( This is the domain that you set when you installed your distro, if you were given the choice. It should be set in /etc/hosts and can also be found by running the command 'hostname -d' on the machine.
makemap hash authinfo < authinfo
chmod 600 authinfo*
The 600 permissions will ensure that the login info isn't world readable. Put yourself in /usr/share/sendmail/cf/cf and backup and edit and Substitute your distro's default files for these if you aren't using Slackware. These are the settings we need to add:
FEATURE(`authinfo',`hash -o /etc/mail/auth/authinfo.db')
define(`RELAY_MAILER_ARGS', `TCP $h 2525')
define(`ESMTP_MAILER_ARGS', `TCP $h 2525')
You may need to play with the order and where these settings are in the actual files. The Build script will whine if they are in the wrong order. Next:
cp /etc/mail/
cp /etc/mail/
/etc/rc.d/rc.sendmail restart


echo "This is a test" | mailx -s "TEST"
If all went well you should have recieved it without any problems. Add the stunnel start command to /etc/rc.d/rc.local to have it run at boot.