Date: Mon, 28 Nov 2016 13:16:10 -0500
From: George Mitchell <george+freebsd@m5p.com>
To: freebsd-hackers@FreeBSD.org
Subject: Sendmail and STARTTLS
Message-ID: <f4ee7a4c-8b8c-2542-20ba-7ef0a42313fa@m5p.com>
I have a shiny new Let's Encrypt certificate. I believe it is properly installed on my mail server, and https://ssl-tools.net/mailservers/ says my certificate is trustworthy and protocol is secure. (I'm not [yet] using DNS-based authentication.) Despite all these encouraging signs, my maillog is filled with STARTTLS VERIFY=NO and VERIFY=FAIL messages. A typical email header entry says:

    Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
        by mailhost.m5p.com (8.15.2/8.15.2) with ESMTPS id uARD0t70051256
        (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
        for <george+freebsd@m5p.com>; Sun, 27 Nov 2016 08:01:01 -0500 (EST)
        (envelope-from owner-freebsd-hackers@freebsd.org)

My sendmail.cf says:

    O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
    O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

(When I used the default values, ssl-tools accused me of using a weak protocol, so I started experimenting with values gleaned from around the net, to no avail so far.)

What am I doing wrong? How can I enter VERIFY=YES nirvana?

-- George
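An added example, not part of George's message or of sendmail itself: a small parser for the TLS attributes sendmail writes into maillog STARTTLS lines and Received: headers, tallying verify= outcomes by role and mapping each value to its documented meaning. It makes visible that on inbound connections (STARTTLS=server, "with ESMTPS") verify= reports how the connecting MTA's certificate checked out against the receiving server's CA store, so VERIFY=NO/FAIL there says nothing about the server's own certificate; the sample lines are constructed, modelled on the header quoted above.

```python
import re
from collections import Counter

# What sendmail's verify= value (the ${verify} macro) means, per the op guide.
VERIFY_MEANING = {
    "OK": "peer sent a certificate that chained to a CA in CACertPath/CACertFile",
    "NO": "peer sent no certificate at all",
    "NOT": "no certificate was requested from the peer",
    "FAIL": "peer sent a certificate that could not be verified",
    "NONE": "STARTTLS was not used on this connection",
    "TEMP": "temporary error while verifying",
    "PROTOCOL": "TLS protocol error",
    "SOFTWARE": "STARTTLS handshake failed",
}

# One regex per attribute: maillog lines and Received: headers order them differently.
FIELD_RE = {
    "version": re.compile(r"\bversion=([A-Za-z0-9.]+)"),
    "cipher": re.compile(r"\bcipher=([A-Za-z0-9-]+)"),
    "bits": re.compile(r"\bbits=(\d+)"),
    "verify": re.compile(r"\bverify=([A-Z]+)"),
}

def parse_tls_fields(line):
    """Extract the TLS attributes from one maillog line or Received: header."""
    fields = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(line)
        if m:
            fields[name] = m.group(1)
    # STARTTLS=client = sendmail sending; otherwise it is the receiving server, where verify= judges the peer's cert.
    fields["role"] = "client" if "STARTTLS=client" in line else "server"
    return fields

def summarize(lines):
    """Tally verify= outcomes per role, e.g. {('server', 'FAIL'): 2, ...}."""
    counts = Counter()
    for line in lines:
        f = parse_tls_fields(line)
        if "verify" in f:
            counts[(f["role"], f["verify"])] += 1
    return counts

# Constructed sample input (not real traffic): three maillog lines and one Received: header.
SAMPLE = [
    "Nov 27 08:01:01 mailhost sm-mta[51256]: STARTTLS=server, relay=mx2.freebsd.org [8.8.178.116], version=TLSv1.2, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256",
    "Nov 27 08:05:12 mailhost sm-mta[51301]: STARTTLS=server, relay=mail.example.net [192.0.2.10], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128",
    "Nov 27 08:09:40 mailhost sm-mta[51377]: STARTTLS=client, relay=mx.example.org., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256",
    "Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116]) by mailhost.m5p.com (8.15.2/8.15.2) with ESMTPS id uARD0t70051256 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)",
]
```

Run `summarize(open("/var/log/maillog"))` to get the per-role tally, and look up each verify value in VERIFY_MEANING; only the client-role entries describe how the server's own outbound verification fared.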