Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
From: Patrick Mahan
To: William Dudley
Cc: freebsd-questions@freebsd.org
Date: Sun, 19 Mar 2017 21:59:36 -0700
List: freebsd-questions@freebsd.org (User questions)

On 3/19/17 1:07 PM, William Dudley wrote:
> I commented out the lines starting with checkHost, and started stunnel.
> It does start, and runs as a daemon. However, it doesn't seem to DO anything.
>
> However, that hasn't changed sendmail's behaviour one iota.
>
> As far as I can tell, stunnel is a massive waste of time.
>
> I don't really want to spend months reading all the stunnel docs to figure out
> how to get it to work with sendmail. Sendmail is hard enough on its own, and
> I can mostly control sendmail (well, except for the STARTTLS problem.)
>
> Thanks,
> Bill Dudley
>
> This email is free of malware because I run Linux.
>
> On Sun, Mar 19, 2017 at 9:53 AM, William Dudley wrote:
> > stunnel fails to start with this helpful message:
> >
> > /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com": Specified option name is not valid here
> >
> > The line it's complaining about is in the EXAMPLE config file.
> >
> > So this is not going well, at all.
> >
> > pop.gmail.com is a valid hostname. I have no idea what stunnel is complaining about.

Okay, let me share what I do. I believe stunnel needs to run on the same host as the sendmail server.

First, here are some relevant parts from my stunnel config file:

    ; Sample stunnel configuration file by Michal Trojnara 2002-2005
    ; Some options used here may not be adequate for your particular configuration
    ; Please make sure you understand them (especially the effect of chroot jail)

    ; Certificate/key is needed in server mode and optional in client mode
    cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem
    ;key = /usr/local/etc/stunnel/mail.pem

    ; Some security enhancements for UNIX systems - comment them out on Win32
    chroot = /var/stunnel/
    setuid = stunnel
    setgid = stunnel
    ; PID is created inside chroot jail
    pid = /stunnel.pid

    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ;compression = rle

    ; Workaround for Eudora bug
    ;options = DONT_INSERT_EMPTY_FRAGMENTS

    ; Authentication stuff
    verify = 0

    ....

    ; Some debugging stuff useful for troubleshooting
    debug = 7
    output = stunnel.log

    ; Use it for client mode
    ;client = yes

    ; Service-level configuration

    [pop3s]
    accept = 995
    connect = 110

    [imaps]
    accept = 993
    connect = 143

    [smtps]
    accept = 465
    connect = 25

I run dovecot for my IMAP server, which is listening on port 143:

    mahan@ns-/usr/local/etc/stunnel 11 # sockstat | grep 110
    root     dovecot    915   22 tcp4   *:110                 *:*

But I connect from my mail clients (iOS Mail, Thunderbird, ...) to port 993. The mail clients are all configured to use SSL/TLS, *not* STARTTLS. For SMTP I connect via stunnel over port 465, not port 25, for sending mail.

So what are you trying to accomplish? The idea is for you to access these servers in an encrypted fashion. But from your above description, it sounds like you are trying to access your unsecured gmail account using POP3. Not sure why, as the connection from stunnel to pop.gmail.com will be unsecured.

What email client are you trying to use?

Patrick
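A check in the spirit of the config above, added here as an example and not part of Patrick's mail or of stunnel itself: it parses the [service] sections of an stunnel.conf and the rows of a FreeBSD sockstat listing (both constructed samples, in the formats quoted above) and flags every wrapped backend whose plaintext port, like dovecot's *:110 in the sockstat line above, is bound to every interface rather than loopback, so a client could still reach it without going through the TLS wrapper.

```python
# Constructed stunnel.conf in the format quoted above (';' comments, globals, [service] sections).
STUNNEL_CONF = """\
verify = 0
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
"""

# Constructed `sockstat -l` rows: dovecot exposes 110 on every interface, 143 on loopback only.
SOCKSTAT_OUT = """\
root     dovecot    915   22 tcp4   *:110             *:*
root     dovecot    915   24 tcp4   127.0.0.1:143     *:*
stunnel  stunnel    1203  7  tcp4   *:995             *:*
"""

def parse_services(conf):
    """Return {service: (accept_port, connect_port)}; global options and incomplete sections are skipped."""
    services, current, opts = {}, None, {}
    for line in (raw.split(";", 1)[0].strip() for raw in conf.splitlines() + ["[end]"]):  # sentinel flushes last section
        if line.startswith("[") and line.endswith("]"):
            if current and "accept" in opts and "connect" in opts:
                services[current] = (opts["accept"], opts["connect"])
            current, opts = line[1:-1], {}
        elif current and "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if key in ("accept", "connect"):
                opts[key] = int(value.rsplit(":", 1)[-1])  # "[host:]port" -> port
    return services

def listening_ports(sockstat):
    """Return {port: set(local addresses)} for listening TCP sockets (foreign address *:*)."""
    ports = {}
    for cols in (row.split() for row in sockstat.splitlines()):
        if len(cols) >= 7 and cols[4].startswith("tcp") and cols[6] == "*:*":
            addr, port = cols[5].rsplit(":", 1)
            ports.setdefault(int(port), set()).add(addr)
    return ports

def exposed_backends(conf, sockstat):
    """(service, backend_port, addresses) for each backend bound beyond loopback, bypassing the TLS wrapper."""
    listen = listening_ports(sockstat)
    findings = []
    for name, (_accept, connect) in sorted(parse_services(conf).items()):
        exposed = sorted(a for a in listen.get(connect, ()) if a not in ("127.0.0.1", "::1"))
        if exposed:
            findings.append((name, connect, exposed))
    return findings
```

On a live host, feed it the real /usr/local/etc/stunnel/stunnel.conf and the output of `sockstat -l`; an empty result means every plaintext backend is only reachable through stunnel.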