Date:      Mon, 28 Nov 2016 13:16:10 -0500
From:      George Mitchell <george+freebsd@m5p.com>
To:        freebsd-hackers@FreeBSD.org
Subject:   Sendmail and STARTTLS
Message-ID:  <f4ee7a4c-8b8c-2542-20ba-7ef0a42313fa@m5p.com>

I have a shiny new Let's Encrypt certificate.  I believe it is properly
installed on my mail server, and https://ssl-tools.net/mailservers/
says my certificate is trustworthy and protocol is secure.  (I'm not
[yet] using DNS-based authentication.)  Despite all these encouraging
signs, my maillog is filled with STARTTLS VERIFY=NO and VERIFY=FAIL
messages.  A typical email header entry says:

Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
	by mailhost.m5p.com (8.15.2/8.15.2) with ESMTPS id uARD0t70051256
	(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
	for <george+freebsd@m5p.com>; Sun, 27 Nov 2016 08:01:01 -0500 (EST)
	(envelope-from owner-freebsd-hackers@freebsd.org)

My sendmail.cf says:

O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

(When I used the default values, ssl-tools accused me of using a
weak protocol, so I started experimenting with values gleaned from
around the net, to no avail so far.)

What am I doing wrong?  How can I enter VERIFY=YES nirvana?  -- George
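
As an added example (not part of George's post and not sendmail's own code): a small Python parser that pulls the version/cipher/bits/verify fields out of unfolded Received: headers and sendmail maillog STARTTLS lines and tallies the verify= results per peer, which shows which sending hosts' certificates the receiving server could not verify (verify= reports the outcome of checking the peer's certificate, not the local one). The legacy.example.net host and the two maillog lines are constructed sample input.

```python
import re
from collections import Counter, defaultdict

# Fields sendmail writes for a TLS session, in Received: headers and maillog STARTTLS lines.
FIELD_RE = re.compile(r"\b(version|cipher|bits|verify)=([^\s,)]+)")
# Peer name from "Received: from helo (rdns [ip])" or "relay=rdns [ip]".
PEER_RE = re.compile(r"(?:Received: from \S+ \((\S+) \[|relay=(\S+) \[)")
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

def unfold(text):
    """Join RFC 5322 folded header lines: leading whitespace continues the previous line."""
    out = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and out:
            out[-1] += " " + raw.strip()
        elif raw.strip():
            out.append(raw)
    return out

def parse_tls_line(line):
    """Return peer/version/cipher/bits/verify for one logical line, or None if no TLS summary."""
    fields = dict(FIELD_RE.findall(line))
    if "verify" not in fields:
        return None
    peer = PEER_RE.search(line)
    fields["peer"] = (peer.group(1) or peer.group(2)) if peer else "unknown"
    fields["bits"] = int(fields.get("bits", "0").split("/")[0])  # maillog writes e.g. 256/256
    return fields

def summarize(text):
    """Count verify= outcomes per peer; list sessions on a legacy protocol or weak cipher."""
    by_peer, weak = defaultdict(Counter), []
    for line in unfold(text):
        rec = parse_tls_line(line)
        if rec is None:
            continue
        by_peer[rec["peer"]][rec["verify"]] += 1
        if (rec["version"] in LEGACY_VERSIONS or rec["bits"] < 128
                or "RC4" in rec["cipher"] or "DES" in rec["cipher"]):  # DES also catches 3DES
            weak.append((rec["peer"], rec["version"], rec["cipher"]))
    return dict(by_peer), weak

# Constructed sample: the Received: header quoted in the post plus two made-up maillog lines.
SAMPLE = """\
Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
\tby mailhost.m5p.com (8.15.2/8.15.2) with ESMTPS id uARD0t70051256
\t(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
\tfor <george+freebsd@m5p.com>; Sun, 27 Nov 2016 08:01:01 -0500 (EST)
Nov 27 08:01:01 mailhost sm-mta[51256]: STARTTLS=server, relay=mx2.freebsd.org [8.8.178.116], version=TLSv1.2, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Nov 27 09:12:33 mailhost sm-mta[51301]: STARTTLS=server, relay=legacy.example.net [192.0.2.10], version=TLSv1, verify=NO, cipher=DES-CBC3-SHA, bits=168/168
"""
```

Running summarize(SAMPLE) groups both mx2.freebsd.org sessions under verify=FAIL and flags only the legacy.example.net session (TLSv1 with 3DES) as weak.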
