Date: Thu, 9 Feb 2023 20:21:28 -0500
From: William Dudley <wfdudley@gmail.com>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: help needed getting sendmail+STARTTLS working on FreeBSD 12 or 13
Message-ID: <CAFsnNZKxUnZNnne%2BVf015jWugNTURxvib9wiP8F5eXSxutvMeQ@mail.gmail.com>
I cannot get STARTTLS to "work", and all the tutorials I find on the web seem to
be using FreeBSD 4 or 5? I've been running my own mail server for perhaps 15 or
20 years now, so I've been working with sendmail for a long time.

PLEASE do not suggest I switch to postfix or one of the other MTAs. I know
sendmail and have lots of configuration established, and I don't want to go
through that learning curve all over again.

So, to the problem at hand. I've done lots of googling and reading, and this is
what I've done:

I think I understand that one must build sendmail from ports because the
sendmail from pkg does not have TLS compiled in. (Why the hell not, I don't
know.)

I have both a 12.3-RELEASE-p6 machine and a 13.1-RELEASE-p3 machine, and both
act identically badly.

I downloaded the latest ports tree (using git) and ran "make config", which
presents these options:

    sendmail-8.17.1_6
    [x] SHMEM             System V shared memory support
    [x] SEM               POSIX semaphores support
    [x] LA                load averages support
    [x] NIS               Network Information Services/YP support
    [x] IPV6              IPv6 protocol support
    [x] TLS               SMTP-TLS and SMTPS support
    [x] DANE              Enable DANE support
    [x] SASL              SASL authentication support
    [x] SASLAUTHD         SASLAUTHD support
    [ ] LDAP              LDAP protocol support
    [ ] BDB               Berkeley DB version 4+ support
    [ ] GDBM              GNU dbm library support (option COMPAT needed)
    [ ] SOCKETMAP         Enable socketmap feature
    [ ] CYRUSLOOKUP       Enable cyruslookup feature
    [x] BLACKLISTD        Enable blacklistd support
    [ ] SMTPUTF8          Enable unicode address support
    [x] PICKY_HELO_CHECK  Enable picky HELO check
    [x] MILTER            Enable milter support
    [ ] MTA_STS           Enable MTA-STS support (option SOCKETMAP and T
    [ ] TLS_CERT_CHAIN    Enable certificate chain file support (incompa
    [x] DOCS              Build and/or install documentation
                          < OK >    <Cancel>

I didn't change any options. Should I have?

Then, of course, "make" and "make install", and then follow the instructions
that are printed out at the conclusion of the last step.

Next, in my freebsd.mc file, I added this:

    define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/my-site-name.com')dnl
    define(`confCACERT_PATH', `CERT_DIR')dnl
    define(`confCACERT', `CERT_DIR/chain.pem')dnl
    define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
    define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
    define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
    define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl

(except of course, I changed "my-site-name.com" to the actual directory where
my certs are)
(I've been using letsencrypt since late 2017 to generate certificates for the
few websites I host.)

I changed mailer.conf (both copies) to this:

    sendmail    /usr/local/sbin/sendmail
    send-mail   /usr/local/sbin/sendmail
    mailq       /usr/local/sbin/sendmail
    newaliases  /usr/local/sbin/sendmail
    hoststat    /usr/local/sbin/sendmail
    purgestat   /usr/local/sbin/sendmail

so that the sendmail from ports is chosen.

I run "make" in the /etc/mail directory, and "make stop" and "make start" to
restart sendmail.

I found that I had to "chmod 600 privkey.pem" to get sendmail to not complain
about that file being group readable:

    Feb 9 19:51:39 my-site sm-mta[38802]: STARTTLS=client: file /usr/local/etc/letsencrypt/live/my-site-name.com-0001/privkey.pem unsafe: Group readable file

When I run this test:

    openssl s_client -connect localhost:25 -starttls smtp -showcerts

I get this response, showing that STARTTLS isn't announced.

    CONNECTED(00000003)
    Didn't find STARTTLS in server response, trying anyway...
    547012608:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 323 bytes and written 326 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

If I telnet into my server, I see this:

    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.casano.com ESMTP Sendmail 8.17.1/8.17.1; Thu, 9 Feb 2023 18:36:46 -0500 (EST)
    ehlo m2.casano.com
    250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-DELIVERBY
    250 HELP
    quit

So no announcement of STARTTLS there, either. The sendmail version is the one
from ports. The "stock" version is 8.16.1, as seen here from an earlier test
before I enabled the ports version:

    220 mail.casano.com ESMTP Sendmail 8.16.1/8.16.1; Wed, 8 Feb 2023 16:34:35 -0500 (EST)

I do see this in /var/log/maillog:

    Feb 9 19:51:14 my-site sm-mta[38691]: STARTTLS=client, relay=aero4.stememail.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_128_GCM_SHA256, bits=128/128

which looks promising, but then why do the other tests not show STARTTLS
present?

I think this recitation includes all the changes I made to try to get this
working. What am I missing? Are there any tutorials written in this decade for
doing this?

If you want to poke at my mail server, feel free: mail.casano.com

Thanks,
Bill Dudley
New Jersey, USA

This email is free of malware because I run Linux.
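Worked example, added here by the editor; it is not code from the post above or from sendmail. It automates the two things the post does by hand: reading an EHLO reply to see whether STARTTLS is advertised (what the telnet session and "openssl s_client -starttls smtp" show), and taking the seven define()s from the .mc fragment, expanding CERT_DIR the way m4 does, and checking that the resulting files exist and that the key has no group or world permission bits (the condition behind the "unsafe: Group readable file" line in the post's maillog). The directory it examines is a constructed stand-in for the Let's Encrypt live/ directory with placeholder files, not real keys. The permission checks are only the ones visible in the post; sendmail's own safefile() check also looks at ownership and parent directories, so a clean result here is necessary, not sufficient.

```python
import os
import re
import stat
import tempfile

# define(`NAME', `value')dnl, the sendmail .mc idiom used in the post
DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`([^']*)'\)")


def advertises_starttls(ehlo_reply: bytes) -> bool:
    """True if a '250-STARTTLS' / '250 STARTTLS' line is present (RFC 3207).
    The keyword is compared case-insensitively, as smtplib does."""
    for raw in ehlo_reply.splitlines():
        m = re.match(r"^250[ -](\S+)", raw.decode("ascii", "replace"))
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def tls_paths_from_mc(mc_text: str) -> dict:
    """Collect the conf* TLS settings and expand CERT_DIR the way m4 does
    when sendmail.cf is generated from the .mc."""
    defs = dict(DEFINE_RE.findall(mc_text))
    cert_dir = defs.get("CERT_DIR", "")
    return {k: v.replace("CERT_DIR", cert_dir)
            for k, v in defs.items() if k.startswith("conf")}


def key_file_problems(path: str) -> list:
    """Reasons sendmail would log the key as 'unsafe'.  Covers the
    group-readable case from the post's maillog and world access; sendmail's
    own safefile() check is broader (owner, parent directories), so an empty
    list here is necessary, not sufficient."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & stat.S_IRWXG:
        problems.append("group readable/writable")
    if st.st_mode & stat.S_IRWXO:
        problems.append("world readable/writable")
    return problems


def check_tls_files(mc_text: str) -> dict:
    """Map each conf* setting to its problems: 'missing' for certificates and
    the CA directory, missing or over-permissive for the keys."""
    report = {}
    for name, path in tls_paths_from_mc(mc_text).items():
        if name == "confCACERT_PATH":
            report[name] = [] if os.path.isdir(path) else ["missing"]
        elif name.endswith("_KEY"):
            report[name] = key_file_problems(path)
        else:
            report[name] = [] if os.path.isfile(path) else ["missing"]
    return report


def mc_fragment(cert_dir: str) -> str:
    """The seven define()s from the post, with CERT_DIR pointed at cert_dir."""
    return (f"define(`CERT_DIR', `{cert_dir}')dnl\n"
            "define(`confCACERT_PATH', `CERT_DIR')dnl\n"
            "define(`confCACERT', `CERT_DIR/chain.pem')dnl\n"
            "define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl\n"
            "define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl\n"
            "define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl\n"
            "define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl\n")


def make_sample_tree(key_mode: int) -> str:
    """Constructed stand-in for the Let's Encrypt live/ directory: placeholder
    chain.pem, cert.pem and privkey.pem (not real PEM), privkey at key_mode."""
    d = tempfile.mkdtemp()
    for fn in ("chain.pem", "cert.pem", "privkey.pem"):
        with open(os.path.join(d, fn), "w") as f:
            f.write("constructed placeholder, not a real certificate or key\n")
    os.chmod(os.path.join(d, "privkey.pem"), key_mode)
    return d


# EHLO reply as shown in the post (no STARTTLS line) ...
EHLO_FROM_POST = b"".join(b"250-" + kw + b"\n" for kw in (
    b"mail.casano.com Hello localhost [127.0.0.1], pleased to meet you",
    b"ENHANCEDSTATUSCODES", b"PIPELINING", b"8BITMIME", b"SIZE", b"DSN",
    b"ETRN", b"AUTH PLAIN LOGIN", b"DELIVERBY")) + b"250 HELP\n"
# ... and a constructed reply from a server that does offer it.
EHLO_WITH_TLS = EHLO_FROM_POST.replace(b"250-DSN\n", b"250-DSN\n250-STARTTLS\n")

if __name__ == "__main__":
    print("post's EHLO offers STARTTLS:", advertises_starttls(EHLO_FROM_POST))
    print("0640 key:", check_tls_files(mc_fragment(make_sample_tree(0o640))))
    print("0600 key:", check_tls_files(mc_fragment(make_sample_tree(0o600))))
```

Run against a real box, point mc_fragment() at the CERT_DIR actually used in freebsd.mc, or feed the whole .mc to check_tls_files(); the report names which of confCACERT, confSERVER_KEY and the rest resolve to a missing or over-permissive file. The verdict that matters is still the one sm-mta writes to maillog when it starts, so treat this as a preflight before "make stop" / "make start", not as a replacement for reading the log.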
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFsnNZKxUnZNnne%2BVf015jWugNTURxvib9wiP8F5eXSxutvMeQ>
