From owner-freebsd-questions@freebsd.org Mon Mar 20 13:13:12 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A5AA9D13AE9 for ; Mon, 20 Mar 2017 13:13:12 +0000 (UTC) (envelope-from wfdudley@gmail.com) Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5FE5510B7 for ; Mon, 20 Mar 2017 13:13:12 +0000 (UTC) (envelope-from wfdudley@gmail.com) Received: by mail-yw0-x22b.google.com with SMTP id p77so89226979ywg.1 for ; Mon, 20 Mar 2017 06:13:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=P6uo4L604oGfyImS2HXb3rDeHqg8QjpuapiqcTC4T2o=; b=BwYt8ab4eD/n2Azo/P+2THnJlJ0yi5GASUK65wslBSpLeEMDSFiWc+0B2JbXIbL/6Z qbSn8i8EoxNoPq8MUOw9ixkOa0TSnPeCQpVujKfUMo3jTe528nyJpqwKtGO+Mwb2b8QV Jfg/TBzMM9eWYb2teOe7EawCA2YDpTJWWx++49PCXcun7/Ph8OdymnyhpQXNbyyiDUTR uDQ4emyZPZDt0sBul6hb6V1VnKcZgBPgfytDKiL5YHY4PWVs6+fOL+fZpwSNYSDv0oWh dJXvyScxpt1HVEOVFT7cuLkfBzZ/vjAV1ybkZNPXn28Ph7ZUDWCISfWk7pvbqiqYscH8 aPiw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=P6uo4L604oGfyImS2HXb3rDeHqg8QjpuapiqcTC4T2o=; b=nkPsG5zOxxL6mRFXZH2f2hfy6y9INOwyoXBVWUfqqlwlOAT3jGF5dMzTwVGAm8wLWn birc0C85V+HjxdfbG9z3KN7cvyNPzbSLdN7/gv9mnXl4ppcGDjxfV7juBorxsGUwq4OD KUqVmNRVmvlNly7mgoV7snEi2ADumgx5VE7+bMYcGMukgQYHwPM6EyxWMQZRm+tYrtTu 30ivuHCEpftFOytM47i2GoXRFqQ+BAqcnjb0ZEeXWjtBQstXv4gAFKDcmjqioqT+iXrJ OzbSTciPfICG+kty2yn4CRD4VI7Kn2xjaFI0iYUQVZOWEjYH4dGiTiwZhpvUPCj3vpyv 3dLw== X-Gm-Message-State: AFeK/H38btedKVTxYxKqouoEDUqrK4p9PMgFT0jxjezVOwNqOEdpdOhFYBgys18O7aGgHE4ARwQR84K2g7ZI3g== X-Received: by 10.37.223.146 with SMTP id w140mr17479245ybg.99.1490015591405; Mon, 20 Mar 2017 06:13:11 -0700 (PDT) MIME-Version: 1.0 Received: by 10.37.171.199 with HTTP; Mon, 20 Mar 2017 06:13:10 -0700 (PDT) In-Reply-To: References: From: William Dudley Date: Mon, 20 Mar 2017 09:13:10 -0400 Message-ID: Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ? To: Patrick Mahan Cc: freebsd-questions@freebsd.org Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Mar 2017 13:13:12 -0000 The point of this exercise is to allow my Android phone to access my email on my FreeBSD 10.3 server, using imap. I had it working last year, and then, with nary an error message, it stopped working. So the email client is the native Android email client (on a recent Cyanogen Android). My FreeBSD server runs sendmail, and I've been running my own mail domain for about a decade. My latest guess (and that's all I can do is guess) is that my self-signed certificates expired, and I just need to re-generate them. All the sources on sendmail and STARTTLS that I've seen so far show configs identical to my config, so from this I infer perhaps one or more of my cert files is "bad". stunnel may well be a wonderful program, but I really don't want to figure out how to specify each of the 500 lines in it's config file, especially when the software doesn't run successfully with it's own sample config file. Thanks for your time, Bill Dudley This email is free of malware because I run Linux. On Mon, Mar 20, 2017 at 12:59 AM, Patrick Mahan wrote: > On 3/19/17 1:07 PM, William Dudley wrote: > > I commented out the lines starting with checkHost, and started stunnel. > > It does start, and runs as a daemon. However, it doesn't seem to DO > anything. > > > > However, that hasn't changed sendmail's behaviour one iota. > > > > As far as I can tell, stunnel is a massive waste of time. > > > > I don't really want to spend months reading all the stunnel docs to > figure out > > how to get it to work with sendmail. Sendmail is hard enough on it's > own, and > > I can mostly control sendmail (well, except for the STARTTLS problem.) > > > > Thanks, > > Bill Dudley > > > > > > This email is free of malware because I run Linux. > > > > On Sun, Mar 19, 2017 at 9:53 AM, William Dudley > > wrote: > > > > stunnel fails to start with this helpful message: > > > > /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com > > ": Specified option name is not valid here > > > > The line it's complaining about is in the EXAMPLE config file. > > > > So this is not going well, at all. > > > > pop.gmail.com is a valid hostname. I have > no idea > > what stunnel is complaining about. > > > > Okay, Let me share what I do. I believe stunnel needs to run on the same > host > as the sendmail server. > > First, here is some relevant parts from my stunnel config file: > > ; Sample stunnel configuration file by Michal Trojnara 2002-2005 > ; Some options used here may not be adequate for your particular > configuration > ; Please make sure you understand them (especially the effect of chroot > jail) > > ; Certificate/key is needed in server mode and optional in client mode > cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem > ;key = /usr/local/etc/stunnel/mail.pem > > ; Some security enhancements for UNIX systems - comment them out on Win32 > chroot = /var/stunnel/ > setuid = stunnel > setgid = stunnel > ; PID is created inside chroot jail > pid = /stunnel.pid > > ; Some performance tunings > socket = l:TCP_NODELAY=1 > socket = r:TCP_NODELAY=1 > ;compression = rle > > ; Workaround for Eudora bug > ;options = DONT_INSERT_EMPTY_FRAGMENTS > > ; Authentication stuff > verify = 0 > > .... > > ; Some debugging stuff useful for troubleshooting > debug = 7 > output = stunnel.log > > ; Use it for client mode > ;client = yes > > ; Service-level configuration > > [pop3s] > accept = 995 > connect = 110 > > [imaps] > accept = 993 > connect = 143 > > [smtps] > accept = 465 > connect = 25 > > I run dovecot for my imap server which is listening on port 143: > > mahan@ns-/usr/local/etc/stunnel 11 # sockstat | grep 110 > root dovecot 915 22 tcp4 *:110 *:* > > But I connect from my mail clients (ios mail, thunderbird, ...) to port > 993. The > mail clients are all configured to use ssl/tls, *not* startttl. > > My smtp I connect via stunnel over port 465, not port 25 for sending mail. > > So what are you trying to accomplish? The idea is for your accessing these > servers in an encrypted fashion. But from your above description, it > sounds > like you are trying to access your unsecured gmail account using POP3. Not > sure why as the connection from stunnel to pop.gmail.com will be > unsecured. > > What email client are you trying to use? > > Patrick > > >