vCenter

HI,

since latest VC 7 updates (I think so) our VCSA 7 won't relay mails to our internal SMTP relay.

Sendmail launches with

2023-01-10T09:25:04.844323+01:00 OurVCSA sendmail[41873]: STARTTLS=server: file /etc/vmware/vmware-vmafd/machine-ssl.crt unsafe: Permission denied

2023-01-10T09:25:04.826623+01:00 OurVCSA systemd[1]: Stopping Sendmail Mail Transport Agent...
2023-01-10T09:25:04.829456+01:00 OurVCSA systemd[1]: Stopped Sendmail Mail Transport Agent.
2023-01-10T09:25:04.829531+01:00 OurVCSA systemd[1]: Starting Sendmail Mail Transport Agent...
2023-01-10T09:25:04.840458+01:00 OurVCSA systemd-resolved[1618]: Grace period over, resuming full feature set (TLS+EDNS0) for DNS server 127.0.0.1.
2023-01-10T09:25:04.843836+01:00 OurVCSA sendmail[41873]: starting daemon (8.17.1): SMTP+queueing@01:00:00
2023-01-10T09:25:04.844323+01:00 OurVCSA sendmail[41873]: STARTTLS=server: file /etc/vmware/vmware-vmafd/machine-ssl.crt unsafe: Permission denied
2023-01-10T09:25:04.844653+01:00 OurVCSA systemd[1]: Started Sendmail Mail Transport Agent.

I had already refreshed the machine certificates, but it wont help.  

I suspect that the crt file has too much permissions in the file system.

Which SMTP server have you entered? 
via ssh vcenter exist option [curl -v telnet] how to check connection. 

I had a longer appointment with Vmware support. It looks like one of the last updates deleted a config file of sendmail (on 2 VCSA). I am waiting for a feedback.

Very strange. But which exact update deleted the file? 

patch from vCenter? 

/etc/systemd/system/sendmail.service

Obviously the smarthost entry has to go in here.

Lastest Patch (I had a one hour long meeting with the support staff).

Hi,

Did you get a fix? I'm having the exact same issue.

Tried using a certificate signed by a valid CA and still getting the same "unsafe"  error in the logs

Do you manage network or a dedicated team? 

I would suggest still checking all rules from network side. 

Based on the error message you provided, it seems that Sendmail is unable to access the "machine-ssl.crt" file due to insufficient permissions. The error message specifically states "Permission denied" when trying to access the file.

To resolve this issue, you can try adjusting the file permissions for the "machine-ssl.crt" file by running the following command:

chmod 644 /etc/vmware/vmware-vmafd/machine-ssl.crt

This command will set the file permissions to allow read access for all users and write access for the file owner. After running this command, you may need to restart the Sendmail service to apply the changes.

Alternatively, you can try recreating the "machine-ssl.crt" file and restarting the Sendmail service to see if that resolves the issue.

The files in /etc/vmware/vmware-vmafd/ are just symlinks:

root@vcsa7-1 [ ~ ]# ls -la /etc/vmware/vmware-vmafd/
total 8
drwx------  2 root root 4096 Feb  7 14:17 .
drwxr-xr-x 20 root root 4096 Dec 22 23:12 ..
lrwxrwxrwx  1 root root   25 Feb  7 14:17 ca.crt -> /etc/ssl/certs/36a67251.0
lrwxrwxrwx  1 root root   43 Dec  9 18:39 machine-ssl.crt -> /var/lib/vmware/vmafdd_data/machine-ssl.crt
lrwxrwxrwx  1 root root   43 Dec  9 18:39 machine-ssl.key -> /var/lib/vmware/vmafdd_data/machine-ssl.key

I have tried changing the permissions on the actual file as well as the symlink and the problem remains.

2023-02-23T15:37:51.869541+00:00 vcsa7-1 sendmail[3904]: starting daemon (8.17.1): SMTP+queueing@01:00:00
2023-02-23T15:37:51.869814+00:00 vcsa7-1 sendmail[3904]: STARTTLS=server: file /etc/vmware/vmware-vmafd/machine-ssl.crt unsafe: Permission denied
2023-02-23T15:37:51.871967+00:00 vcsa7-1 systemd[1]: Started Sendmail Mail Transport Agent.

I also found this - Emails are not sent from vCenter Server Appliance 6.5 or 6.7 after an Alert/Event is triggered. (54375) (vmware.com) however it appears to be a different issue.

,

Is the DNS resolution forward and backwards working properly when you try a curl or telnet? Check that it is connecting to the proper IP of the SMTP. I know is a silly test but just to discard.

Yes, nslookup from the shell on the VCSA for the FQDN resolves, as does the reverse lookup for the IPv4 & IPv6 addresses for the SMTP server (Exchange).  I can telnet successfully from the VCSA to the SMTP server on port 25 using:

curl -v telnet://<hostname>:25
or 
curl -v telnet://192.168.1.1:25

What /var/log/vmware/messages shows if you grep it:

cat /var/log/vmware/messages | grep -i sendmail

See what I posted a couple of posts back

2023-02-23T15:37:51.869541+00:00 vcsa7-1 sendmail[3904]: starting daemon (8.17.1): SMTP+queueing@01:00:00
2023-02-23T15:37:51.869814+00:00 vcsa7-1 sendmail[3904]: STARTTLS=server: file /etc/vmware/vmware-vmafd/machine-ssl.crt unsafe: Permission denied
2023-02-23T15:37:51.871967+00:00 vcsa7-1 systemd[1]: Started Sendmail Mail Transport Agent.

Did you ever get a resolution ?

Yes.... So for some reason the settings in the GUI didn't work - no idea why as they did with VCSA 6.7.

I followed a guide to configure the /etc/mail/submit.cf file with a hostname next to the 'DS' value for my SMTP server and this worked after restarting the service.

Can you point me to the howto? I'm having the exact same problem on vcenter 8.