From owner-freebsd-questions@freebsd.org  Mon Mar 20 04:59:44 2017
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id CA7F2D13417
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Mon, 20 Mar 2017 04:59:44 +0000 (UTC) (envelope-from mahan@mahan.org)
Received: from ns.mahan.org (23-24-207-145-static.hfc.comcastbusiness.net
 [23.24.207.145])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id ABE8D14A5
 for <freebsd-questions@freebsd.org>; Mon, 20 Mar 2017 04:59:44 +0000 (UTC)
 (envelope-from mahan@mahan.org)
Received: from Cone-of-Silence.local (localhost [127.0.0.1])
 by ns.mahan.org (8.14.9/8.14.9) with ESMTP id v2K4xgCL092445;
 Sun, 19 Mar 2017 21:59:42 -0700 (PDT) (envelope-from mahan@mahan.org)
Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
To: William Dudley <wfdudley@gmail.com>
References: <CAFsnNZLNVqA3PwUavhi62Orqg7i-OEsKo9m2Hsj0dwi+3iELmg@mail.gmail.com>
 <b424d91e-a7f4-57b8-174c-e2522c97107f@mahan.org>
 <CAFsnNZK5LpRyPTLGocMna1O-R0448ZJQ0qu2ZP+aE3w2UWwd8Q@mail.gmail.com>
 <CAFsnNZ+0c4EdQxcesohFcJjraoPYwi2v=wVK-QNFPnD7Wta5mQ@mail.gmail.com>
 <CAFsnNZL1bVCNuYCAe43uK3n6596HhQFpm8Y8S1ZCkNa_t1wGKw@mail.gmail.com>
Cc: freebsd-questions@freebsd.org
From: Patrick Mahan <mahan@mahan.org>
Message-ID: <a990c9a0-fe31-742b-a1bc-56fdd429d8cc@mahan.org>
Date: Sun, 19 Mar 2017 21:59:36 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
 Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <CAFsnNZL1bVCNuYCAe43uK3n6596HhQFpm8Y8S1ZCkNa_t1wGKw@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2017 04:59:44 -0000

On 3/19/17 1:07 PM, William Dudley wrote:
> I commented out the lines starting with checkHost, and started stunnel.
> It does start, and runs as a daemon.  However, it doesn't seem to DO anything.
> 
> However, that hasn't changed sendmail's behaviour one iota.
> 
> As far as I can tell, stunnel is a massive waste of time.
> 
> I don't really want to spend months reading all the stunnel docs to figure out
> how to get it to work with sendmail.  Sendmail is hard enough on it's own, and
> I can mostly control sendmail (well, except for the STARTTLS problem.)
> 
> Thanks,
> Bill Dudley
> 
> 
> This email is free of malware because I run Linux.
> 
> On Sun, Mar 19, 2017 at 9:53 AM, William Dudley <wfdudley@gmail.com
> <mailto:wfdudley@gmail.com>> wrote:
> 
>     stunnel fails to start with this helpful message:
> 
>     /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com
>     <http://pop.gmail.com>": Specified option name is not valid here
> 
>     The line it's complaining about is in the EXAMPLE config file.
> 
>     So this is not going well, at all.
> 
>     pop.gmail.com <http://pop.gmail.com> is a valid hostname.  I have no idea
>     what stunnel is complaining about.
> 

Okay, Let me share what I do.  I believe stunnel needs to run on the same host
as the sendmail server.

First, here is some relevant parts from my stunnel config file:

; Sample stunnel configuration file by Michal Trojnara 2002-2005
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/stunnel/
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
verify = 0

....

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[pop3s]
accept  = 995
connect = 110

[imaps]
accept  = 993
connect = 143

[smtps]
accept  = 465
connect = 25

I run dovecot for my imap server which is listening on port 143:

mahan@ns-/usr/local/etc/stunnel 11 # sockstat | grep 110
root     dovecot    915   22 tcp4   *:110                 *:*

But I connect from my mail clients (ios mail, thunderbird, ...) to port 993.  The
mail clients are all configured to use ssl/tls, *not* startttl.

My smtp I connect via stunnel over port 465, not port 25 for sending mail.

So what are you trying to accomplish?  The idea is for your accessing these
servers in an encrypted fashion.  But from your above description, it sounds
like you are trying to access your unsecured gmail account using POP3.  Not
sure why as the connection from stunnel to pop.gmail.com will be unsecured.

What email client are you trying to use?

Patrick