VMware Cloud Community
Zahni
Contributor

Sendmail not working

Hi,

Since the latest VC 7 updates (I think so), our VCSA 7 won't relay mail to our internal SMTP relay.

Sendmail launches with

2023-01-10T09:25:04.844323+01:00 OurVCSA sendmail[41873]: STARTTLS=server: file /etc/vmware/vmware-vmafd/machine-ssl.crt unsafe: Permission denied

2023-01-10T09:25:04.826623+01:00 OurVCSA systemd[1]: Stopping Sendmail Mail Transport Agent...
2023-01-10T09:25:04.829456+01:00 OurVCSA systemd[1]: Stopped Sendmail Mail Transport Agent.
2023-01-10T09:25:04.829531+01:00 OurVCSA systemd[1]: Starting Sendmail Mail Transport Agent...
2023-01-10T09:25:04.840458+01:00 OurVCSA systemd-resolved[1618]: Grace period over, resuming full feature set (TLS+EDNS0) for DNS server 127.0.0.1.
2023-01-10T09:25:04.843836+01:00 OurVCSA sendmail[41873]: starting daemon (8.17.1): SMTP+queueing@01:00:00
2023-01-10T09:25:04.844323+01:00 OurVCSA sendmail[41873]: STARTTLS=server: file /etc/vmware/vmware-vmafd/machine-ssl.crt unsafe: Permission denied
2023-01-10T09:25:04.844653+01:00 OurVCSA systemd[1]: Started Sendmail Mail Transport Agent.

I had already refreshed the machine certificates, but it didn't help.

I suspect that the crt file has too many permissions in the file system.

Reply
0 Kudos
15 Replies
maksym007
Expert

Which SMTP server have you entered?
Via SSH on the vCenter there is an option [curl -v telnet] to check the connection.

Reply
0 Kudos
Zahni
Contributor

I had a longer appointment with VMware support. It looks like one of the last updates deleted a config file of sendmail (on 2 VCSA). I am waiting for feedback.

Reply
0 Kudos
maksym007
Expert

Very strange. But which exact update deleted the file? 

Patch from vCenter?

Reply
0 Kudos
Zahni
Contributor

/etc/systemd/system/sendmail.service

Obviously the smarthost entry has to go in here.

Latest patch (I had a one-hour meeting with the support staff).

Reply
0 Kudos
ATEK_Support
Contributor

Hi,

Did you get a fix? I'm having the exact same issue.

Tried using a certificate signed by a valid CA and still getting the same "unsafe" error in the logs.

Reply
0 Kudos
maksym007
Expert

Do you manage the network, or does a dedicated team?

I would suggest still checking all rules on the network side.

Reply
0 Kudos
wenoi6
Contributor

Based on the error message you provided, it seems that Sendmail is unable to access the "machine-ssl.crt" file due to insufficient permissions. The error message specifically states "Permission denied" when trying to access the file.

To resolve this issue, you can try adjusting the file permissions for the "machine-ssl.crt" file by running the following command:

chmod 644 /etc/vmware/vmware-vmafd/machine-ssl.crt

This command will set the file permissions to allow read access for all users and write access for the file owner. After running this command, you may need to restart the Sendmail service to apply the changes.

Alternatively, you can try recreating the "machine-ssl.crt" file and restarting the Sendmail service to see if that resolves the issue.

Reply
0 Kudos
AndyButterworth
Contributor

The files in /etc/vmware/vmware-vmafd/ are just symlinks:

root@vcsa7-1 [ ~ ]# ls -la /etc/vmware/vmware-vmafd/
total 8
drwx------  2 root root 4096 Feb  7 14:17 .
drwxr-xr-x 20 root root 4096 Dec 22 23:12 ..
lrwxrwxrwx  1 root root   25 Feb  7 14:17 ca.crt -> /etc/ssl/certs/36a67251.0
lrwxrwxrwx  1 root root   43 Dec  9 18:39 machine-ssl.crt -> /var/lib/vmware/vmafdd_data/machine-ssl.crt
lrwxrwxrwx  1 root root   43 Dec  9 18:39 machine-ssl.key -> /var/lib/vmware/vmafdd_data/machine-ssl.key

I have tried changing the permissions on the actual file as well as the symlink and the problem remains.

2023-02-23T15:37:51.869541+00:00 vcsa7-1 sendmail[3904]: starting daemon (8.17.1): SMTP+queueing@01:00:00
2023-02-23T15:37:51.869814+00:00 vcsa7-1 sendmail[3904]: STARTTLS=server: file /etc/vmware/vmware-vmafd/machine-ssl.crt unsafe: Permission denied
2023-02-23T15:37:51.871967+00:00 vcsa7-1 systemd[1]: Started Sendmail Mail Transport Agent.

I also found this - Emails are not sent from vCenter Server Appliance 6.5 or 6.7 after an Alert/Event is triggered. (543... however it appears to be a different issue.

Reply
0 Kudos
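
An added diagnostic, not part of any post in this thread and not VMware's or sendmail's code: because the certificate path in the log is a symlink inside a root-only directory (see the listing in the post above), this script prints mode and owner for every component of the configured path and of the path it resolves to. It is a simplified audit rather than sendmail's own safe-file check, and it assumes GNU `stat -c` and `readlink -f`; the function names and flag labels are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: a simplified path audit, NOT sendmail's
# own safe-file logic. Assumes GNU coreutils (stat -c, readlink -f).

# check_components ABS_PATH
# Prints one line per path component: FLAG MODE OWNER PATH, where FLAG is
#   LINK->x    component is a symlink to x (its own mode bits are meaningless)
#   WRITABLE   group- or world-writable (mode & 022)
#   NO-SEARCH  directory without o+x: only owner/group can traverse it
#   ok         none of the above
check_components() (
    rest=${1#/}; cur=""
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        # No -L: report the symlink itself rather than what it points to.
        info=$(stat -c '%a %U %F' -- "$cur") || return 1
        mode=${info%% *}; info=${info#* }
        owner=${info%% *}; type=${info#* }
        flag=ok
        if [ "$type" = "symbolic link" ]; then
            flag="LINK->$(readlink -- "$cur")"
        elif [ $(( 0$mode & 022 )) -ne 0 ]; then
            flag=WRITABLE
        elif [ "$type" = directory ] && [ $(( 0$mode & 01 )) -eq 0 ]; then
            flag=NO-SEARCH
        fi
        printf '%-10s %4s %-8s %s\n' "$flag" "$mode" "$owner" "$cur"
    done
)

# audit_cert PATH: audit the path as configured, then the path it resolves to.
audit_cert() (
    check_components "$1" || return 1
    target=$(readlink -f -- "$1") || return 1
    if [ "$target" != "$1" ]; then
        echo "-- resolved to $target"
        check_components "$target"
    fi
)

# Usage on the appliance (path taken from the log line in the thread):
#   audit_cert /etc/vmware/vmware-vmafd/machine-ssl.crt
```

Any line not marked `ok` is a component whose permissions are worth comparing before and after the update; changing the mode of the final file alone leaves the directories and the link untouched.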
Lalegre
Virtuoso

@Zahni,

Is the DNS resolution, forward and backward, working properly when you try a curl or telnet? Check that it is connecting to the proper IP of the SMTP server. I know it is a silly test, but just to rule it out.

Reply
0 Kudos
AndyButterworth
Contributor

Yes, nslookup from the shell on the VCSA for the FQDN resolves, as does the reverse lookup for the IPv4 & IPv6 addresses for the SMTP server (Exchange).  I can telnet successfully from the VCSA to the SMTP server on port 25 using:

curl -v telnet://<hostname>:25
or 
curl -v telnet://192.168.1.1:25

Reply
0 Kudos
Lalegre
Virtuoso

What does /var/log/vmware/messages show if you grep it:

cat /var/log/vmware/messages | grep -i sendmail
Reply
0 Kudos
AndyButterworth
Contributor

See what I posted a couple of posts back:

2023-02-23T15:37:51.869541+00:00 vcsa7-1 sendmail[3904]: starting daemon (8.17.1): SMTP+queueing@01:00:00
2023-02-23T15:37:51.869814+00:00 vcsa7-1 sendmail[3904]: STARTTLS=server: file /etc/vmware/vmware-vmafd/machine-ssl.crt unsafe: Permission denied
2023-02-23T15:37:51.871967+00:00 vcsa7-1 systemd[1]: Started Sendmail Mail Transport Agent.
Reply
0 Kudos
tschmidt621
Contributor

Did you ever get a resolution?

Reply
0 Kudos
AndyButterworth
Contributor

Yes.... So for some reason the settings in the GUI didn't work - no idea why as they did with VCSA 6.7.

I followed a guide to configure the /etc/mail/submit.cf file with a hostname next to the 'DS' value for my SMTP server and this worked after restarting the service.

Reply
0 Kudos
Frustrated3
Contributor

Can you point me to the how-to? I'm having the exact same problem on vCenter 8.

Reply
0 Kudos