From owner-freebsd-hackers@freebsd.org Mon Nov 28 18:16:18 2016 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4F0B6C591A2 for ; Mon, 28 Nov 2016 18:16:18 +0000 (UTC) (envelope-from george+freebsd@m5p.com) Received: from mailhost.m5p.com (mailhost.m5p.com [IPv6:2001:418:3fd::f7]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "m5p.com", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E7C2F1897 for ; Mon, 28 Nov 2016 18:16:17 +0000 (UTC) (envelope-from george+freebsd@m5p.com) Received: from [10.100.0.31] (haymarket.m5p.com [10.100.0.31]) by mailhost.m5p.com (8.15.2/8.15.2) with ESMTP id uASIGAk4062456 for ; Mon, 28 Nov 2016 13:16:15 -0500 (EST) (envelope-from george+freebsd@m5p.com) To: freebsd-hackers@FreeBSD.org From: George Mitchell Subject: Sendmail and STARTTLS Message-ID: Date: Mon, 28 Nov 2016 13:16:10 -0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.5.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-3.1 required=10.0 tests=ALL_TRUSTED, RP_MATCHES_RCVD, URIBL_SBL,URIBL_SBL_A autolearn=unavailable autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mattapan.m5p.com X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.4.3 (mailhost.m5p.com [10.100.0.247]); Mon, 28 Nov 2016 13:16:16 -0500 (EST) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Nov 2016 18:16:18 -0000 I have a shiny new Let's Encrypt certificate. I believe it is properly installed on my mail server, and https://ssl-tools.net/mailservers/ says my certificate is trustworthy and protocol is secure. (I'm not [yet] using DNS-based authentication.) Despite all these encouraging signs, my maillog is filled with STARTTLS VERIFY=NO and VERIFY=FAIL messages. A typical email header entry says: Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116]) by mailhost.m5p.com (8.15.2/8.15.2) with ESMTPS id uARD0t70051256 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for ; Sun, 27 Nov 2016 08:01:01 -0500 (EST) (envelope-from owner-freebsd-hackers@freebsd.org) My sendmail.cf says: O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 (When I used the default values, ssl-tools accused me of using a weak protocol, so I started experimenting with values gleaned from around the net, to no avail so far.) What am I doing wrong? How can I enter VERIFY=YES nirvana? -- George