Date:      Sun, 19 Mar 2017 14:34:34 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
Message-ID:  <e0147881-7d8f-3153-a179-24a0daf1f354@FreeBSD.org>
In-Reply-To: <CAFsnNZLNVqA3PwUavhi62Orqg7i-OEsKo9m2Hsj0dwi+3iELmg@mail.gmail.com>
References:  <CAFsnNZLNVqA3PwUavhi62Orqg7i-OEsKo9m2Hsj0dwi+3iELmg@mail.gmail.com>

On 18/03/2017 22:44, William Dudley wrote:
> A google search does not reveal a useful answer.
> 
> I just want to use a self-signed certificate so I can get my email from my
> FreeBSD mail server to my cell phone.  My FreeBSD server runs sendmail.
> I don't really want to switch to postfix, qmail, etc. etc.

Hmm... STARTTLS capability is enabled by default in freebsd.mc in 11.0
-- I think it might be on 10.3 as well.

Anyhow, you need the following sort of thing in your ${hostname}.mc --

define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl

and you need to create all of the host.key and host.cert and cacert.pem
and dh.param files.  That's mostly covered here:

  http://www.sendmail.org/~ca/email/other/cagreg.html

Note that for e-mail purposes you don't generally need a certificate
signed by a well known CA -- just self signed is fine.  With e-mail,
it's more important to ensure privacy in transit rather than to identify
the party you're corresponding with.

The dh.param file you can generate by:

  openssl dhparam -outform PEM -out dh.param 2048

IIRC adding all this will allow your sendmail install to support
STARTTLS, but not make it require STARTTLS.  I believe there's a
DAEMON_OPTIONS setting to achieve that, but I'd need to look that up.
Get hold of the O'Reilly sendmail book if you're interested -- it has
details of all this stuff.

	Cheers,

	Matthew
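As an added example (not part of Matthew's reply or of the FreeBSD base system), the following script creates the four files the .mc snippet above refers to and sanity-checks them before sendmail is pointed at them. It takes the self-signed shortcut (the host certificate is its own issuer, so a copy of it serves as cacert.pem) rather than the private-CA flow described at the linked cagreg page; the directory, the hostname mail.example.net and the helper names are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): create the files the .mc snippet
# above references (host.key, host.cert, cacert.pem, dh.param) using the
# self-signed shortcut, then check them before pointing sendmail at them.
# Assumptions: CERT_DIR is $1, the hostname is $2; both are constructed.
set -eu

# Self-signed cert and key for host $2 in directory $1. Because the cert is
# its own issuer, a copy also serves as cacert.pem (confCACERT).
make_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$host" \
        -keyout "$dir/host.key" -out "$dir/host.cert" >/dev/null 2>&1
    cp "$dir/host.cert" "$dir/cacert.pem"
    # sendmail refuses a group- or world-readable key file (it logs the file
    # as "unsafe" and leaves STARTTLS off), so lock it down now.
    chmod 600 "$dir/host.key"
    chmod 644 "$dir/host.cert" "$dir/cacert.pem"
}

# DH parameters for confDH_PARAMETERS; use 2048 bits in production
# (generation can take minutes).
make_dhparam() {
    openssl dhparam -outform PEM -out "$1/dh.param" "$2" >/dev/null 2>&1
}

# Return 0 only if host.cert and host.key carry the same public key.
# sendmail runs this same check itself (SSL_CTX_check_private_key) and
# disables STARTTLS when it fails.
cert_matches_key() {
    c=$(openssl x509 -in "$1/host.cert" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$1/host.key" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Return 0 if host.cert verifies against cacert.pem (trivially so here,
# but this catches a stale cacert.pem after the host cert is re-issued).
cert_verifies() {
    openssl verify -CAfile "$1/cacert.pem" "$1/host.cert" >/dev/null 2>&1
}

# After sendmail is restarted: confirm the daemon on $1:25 advertises
# STARTTLS and its certificate verifies against cacert.pem in $2.
check_starttls() {
    openssl s_client -connect "$1:25" -starttls smtp -CAfile "$2/cacert.pem" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
```

Typical use is `make_selfsigned /etc/mail/certs mail.example.net`, `make_dhparam /etc/mail/certs 2048`, then the two check functions on the same directory, and `check_starttls mail.example.net /etc/mail/certs` once sendmail has been restarted.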