Date: Mon, 28 Nov 2016 14:19:09 -0500
From: George Mitchell <george+freebsd@m5p.com>
To: Gregory Shapiro <gshapiro@freebsd.org>
Cc: freebsd-hackers@FreeBSD.org
Subject: Re: Sendmail and STARTTLS
Message-ID: <2c7a5fc1-5946-1221-816f-b68079a42078@m5p.com>
In-Reply-To: <20161128183554.GA6716@c02pp3c3fvh8.corp.proofpoint.com>
References: <f4ee7a4c-8b8c-2542-20ba-7ef0a42313fa@m5p.com> <20161128183554.GA6716@c02pp3c3fvh8.corp.proofpoint.com>

On 11/28/16 13:35, Gregory Shapiro wrote:
>> Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
>>     by mailhost.m5p.com (8.15.2/8.15.2) with ESMTPS id uARD0t70051256
>>     (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
>>     for <george+freebsd@m5p.com>; Sun, 27 Nov 2016 08:01:01 -0500 (EST)
>>     (envelope-from owner-freebsd-hackers@freebsd.org)
>>
>> (When I used the default values, ssl-tools accused me of using a
>> weak protocol, so I started experimenting with values gleaned from
>> around the net, to no avail so far.)
>>
>> What am I doing wrong?  How can I enter VERIFY=YES nirvana?   -- George
>
> Verification is via these settings.  You'll need a populated set of root
> certificates in the directory you pick.
>
> M4 Variable Name   Configuration   [Default] & Description
> ================   =============   =======================
> confCACERT_PATH    CACertPath      [undefined] Path to directory with
>                                    certificates of CAs which must contain
>                                    their hashes as filenames or links.
> confCACERT         CACertFile      [undefined] File containing at least
>                                    one CA certificate.

Like this?

define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/m5p.com')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/chain.pem')
define(`confSERVER_CERT', `CERT_DIR/cert.pem')
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')

>
> Finally, review section 6.6.1 of op.me:
>
> % gunzip -c /usr/share/doc/smm/08.sendmailop/paper.ascii.gz | less
> [...]

Rechecking this now ...                                       -- George
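
Added example, not part of either message above: a shell check for the CACertPath requirement quoted in the table ("must contain their hashes as filenames or links"). The function names are hypothetical; it assumes POSIX sh, and uses the openssl command line tool only if it is installed.

```sh
#!/bin/sh
# Added example: audit a directory before pointing confCACERT_PATH at it.
# OpenSSL looks CA certificates up by file name <8 hex digits>.<n>, where the
# hex part is the certificate's subject-name hash. Function names are hypothetical.

# Succeeds if NAME has the <hash>.<n> form.
is_hash_name() {
    h='[0-9a-f]'; pat=$h$h$h$h$h$h$h$h
    case $1 in
        $pat.[0-9]|$pat.[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print how many entries in DIR carry a hash-style name.
count_hash_names() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue            # skip broken links and empty globs
        is_hash_name "${f##*/}" && n=$((n + 1))
    done
    echo "$n"
}

# Print hash-named entries whose name disagrees with the certificate inside.
mismatched_hash_names() {
    for f in "$1"/*; do
        name=${f##*/}
        is_hash_name "$name" || continue
        want=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || want=unreadable
        [ "${name%%.*}" = "$want" ] || echo "$name (subject hash: $want)"
    done
}

# Return 0 only if DIR looks usable as CACertPath.
audit_cacert_path() {
    [ -d "$1" ] || { echo "$1: not a directory"; return 2; }
    found=$(count_hash_names "$1")
    [ "$found" -gt 0 ] || { echo "$1: no hash-named certificates"; return 1; }
    echo "$1: $found hash-named entries"
    if command -v openssl >/dev/null 2>&1; then
        bad=$(mismatched_hash_names "$1")
        [ -z "$bad" ] || { echo "name/hash mismatch:"; echo "$bad"; return 1; }
    fi
    return 0
}

if [ "$#" -gt 0 ]; then audit_cacert_path "$1"; fi
```

A directory holding only names such as cert.pem, chain.pem and privkey.pem is reported as having no hash-named certificates.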