Date: Fri, 10 Feb 2023 10:06:08 -0500
From: William Dudley <wfdudley@gmail.com>
To: list-freebsd-questions@jyborn.se, freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: help needed getting sendmail+STARTTLS working on FreeBSD 12 or 13
Message-ID: <CAFsnNZJoYPMDcbX7N-nm4Ea_w0SgdJdakQ3zvV_XK3eDxhUhoQ@mail.gmail.com>
In-Reply-To: <Y+YaN7HxCXG9t5XL@pol-server.leissner.se>
References: <CAFsnNZKxUnZNnne+Vf015jWugNTURxvib9wiP8F5eXSxutvMeQ@mail.gmail.com> <Y+YaN7HxCXG9t5XL@pol-server.leissner.se>
Peter,
Thanks for the tip about "sendmail -d0.1". I did that with both "base" sendmail
and ports sendmail, and got this:
base sendmail:

Version 8.16.1
 Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
                MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PIPELINING SCANF STARTTLS TCPWRAPPERS TLS_EC TLS_VRFY_PER_CTX
                USERDB XDEBUG

ports sendmail:

Version 8.17.1
 Compiled with: DANE DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
                MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PICKY_HELO_CHECK PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
                TLS_EC TLS_VRFY_PER_CTX USERDB XDEBUG
So despite various claims on "the internet", base sendmail IS compiled with
STARTTLS.
What is missing in the base version is SASLv2.
So, one mystery solved. I still can't get STARTTLS to "work", but I
understand a little more.
As to permissions: as stated in the original email, I was getting a
permissions complaint from sendmail until I made some of the cert files 600.
Bill Dudley
On Fri, Feb 10, 2023 at 5:19 AM <list-freebsd-questions@jyborn.se> wrote:
> Hello!
>
> I'm no expert, but I think your configuration below looks fine.
>
> You have the [x] on TLS, and your mc define lines are identical
> to mine (except different path in CERT_DIR), and I also use
> LetsEncrypt. I don't remember doing anything else than that
> to get STARTTLS working.
>
> What do you see with "/usr/local/sbin/sendmail -d0.1"?
> Do you see STARTTLS in the "Compiled with" lines?
> If you do, then double check that you are running the sendmail
> from ports and not from base.
> (But I don't think that ports sendmail is necessary, I think
> that base sendmail also has the TLS option compiled in.)
>
> Could possibly be a permissions thing.
> My CERT_DIR is 700 root:wheel and the cert files in it are 600 root:wheel.
>
> Peter Olsson
>
> On Thu, Feb 09, 2023 at 08:21:28PM -0500, William Dudley wrote:
> > I cannot get STARTTLS to "work", and all the tutorials I find on the web
> > seem to be using FreeBSD 4 or 5? I've been running my own mail server for
> > perhaps 15 or 20 years now, so I've been working with sendmail for
> > a long time.
> >
> > PLEASE do not suggest I switch to postfix or one of the MTAs. I know
> > sendmail and have lots of configuration established, and I don't
> > want to go through that learning curve all over again.
> >
> > So, to the problem at hand. I've done lots of googling and reading, and
> > this is what I've done:
> >
> > I think I understand that one must build sendmail from ports because
> > the sendmail from pkg does not have TLS compiled in. (Why the hell not,
> > I don't know).
> >
> > I have both a 12.3-RELEASE-p6 machine and a 13.1-RELEASE-p3 machine,
> > and both act identically badly.
> >
> > I downloaded the latest ports tree (using git) and ran "make config", which
> > presents these options:
> >
> >
> > sendmail-8.17.1_6
> >
> >   [x] SHMEM             System V shared memory support
> >   [x] SEM               POSIX semaphores support
> >   [x] LA                load averages support
> >   [x] NIS               Network Information Services/YP support
> >   [x] IPV6              IPv6 protocol support
> >   [x] TLS               SMTP-TLS and SMTPS support
> >   [x] DANE              Enable DANE support
> >   [x] SASL              SASL authentication support
> >   [x] SASLAUTHD         SASLAUTHD support
> >   [ ] LDAP              LDAP protocol support
> >   [ ] BDB               Berkeley DB version 4+ support
> >   [ ] GDBM              GNU dbm library support (option COMPAT needed)
> >   [ ] SOCKETMAP         Enable socketmap feature
> >   [ ] CYRUSLOOKUP       Enable cyruslookup feature
> >   [x] BLACKLISTD        Enable blacklistd support
> >   [ ] SMTPUTF8          Enable unicode address support
> >   [x] PICKY_HELO_CHECK  Enable picky HELO check
> >   [x] MILTER            Enable milter support
> >   [ ] MTA_STS           Enable MTA-STS support (option SOCKETMAP and T
> >   [ ] TLS_CERT_CHAIN    Enable certificate chain file support (incompa
> >   [x] DOCS              Build and/or install documentation
> >
> >        < OK >   <Cancel>
> >
> > I didn't change any options. Should I have?
> > Then, of course, "make" and "make install", and then follow the
> > instructions that are printed out at the conclusion of the last step.
> >
> > Next, in my freebsd.mc file, I added this:
> >
> > define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/my-site-name.com')dnl
> > define(`confCACERT_PATH', `CERT_DIR')dnl
> > define(`confCACERT', `CERT_DIR/chain.pem')dnl
> > define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
> > define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl
> >
> > (except of course, I changed "my-site-name.com" to the actual directory
> > where my certs are)
> > (I've been using letsencrypt since late 2017 to generate certificates for
> > the few websites I host.)
> >
> > I changed mailer.conf (both copies) to this:
> >
> > sendmail /usr/local/sbin/sendmail
> > send-mail /usr/local/sbin/sendmail
> > mailq /usr/local/sbin/sendmail
> > newaliases /usr/local/sbin/sendmail
> > hoststat /usr/local/sbin/sendmail
> > purgestat /usr/local/sbin/sendmail
> >
> > So that the sendmail from ports is chosen.
> >
> > I run "make" in the /etc/mail directory, and "make stop" and "make start"
> > to restart sendmail.
> > I found that I had to "chmod 600 privkey.pem" to get sendmail to not
> > complain about that file being group readable:
> >
> > Feb 9 19:51:39 my-site sm-mta[38802]: STARTTLS=client: file /usr/local/etc/letsencrypt/live/my-site-name.com-0001/privkey.pem unsafe: Group readable file
> >
> > when I run this test:
> >
> > openssl s_client -connect localhost:25 -starttls smtp -showcerts
> >
> > I get this response, showing that STARTTLS isn't announced.
> >
> > CONNECTED(00000003)
> > Didn't find STARTTLS in server response, trying anyway...
> > 547012608:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 323 bytes and written 326 bytes
> > Verification: OK
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > Early data was not sent
> > Verify return code: 0 (ok)
> > ---
> >
> > If I telnet into my server, I see this:
> >
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 mail.casano.com ESMTP Sendmail 8.17.1/8.17.1; Thu, 9 Feb 2023 18:36:46 -0500 (EST)
> > ehlo m2.casano.com
> > 250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
> > 250-ENHANCEDSTATUSCODES
> > 250-PIPELINING
> > 250-8BITMIME
> > 250-SIZE
> > 250-DSN
> > 250-ETRN
> > 250-AUTH PLAIN LOGIN
> > 250-DELIVERBY
> > 250 HELP
> > quit
> >
> > So no announcement of STARTTLS there, either. The sendmail version is the
> > one from ports. The "stock" version is 8.16.1, as seen here from an earlier
> > test before I enabled the ports version:
> >
> > 220 mail.casano.com ESMTP Sendmail 8.16.1/8.16.1; Wed, 8 Feb 2023 16:34:35 -0500 (EST)
> >
> > I do see this in /var/log/maillog:
> >
> > Feb 9 19:51:14 my-site sm-mta[38691]: STARTTLS=client, relay=aero4.stememail.com, version=TLSv1.3, verify=FAIL, cipher=TLS_AES_128_GCM_SHA256, bits=128/128
> >
> > which looks promising, but then why do the other tests not show STARTTLS
> > present?
> >
> > I think this recitation includes all the changes I made to try to get this
> > working.
> > What am I missing? Are there any tutorials written in this decade for
> > doing this?
> >
> > If you want to poke at my mail server, feel free: mail.casano.com
> >
> > Thanks,
> > Bill Dudley
> > New Jersey, USA
> >
> > This email is free of malware because I run Linux.
>
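The two checks this thread does by hand (look for STARTTLS in the EHLO reply; make sure the key file's permissions will pass sendmail's safety check) as one small Python diagnostic. This is an added example, not code from the thread, from FreeBSD or from the sendmail project. The EHLO reply it parses is a constructed copy of the one quoted above, the sample certificate directory is a constructed fixture, the permission rules are an approximation of sendmail's safefile() checks (they follow the symlinks in a Let's Encrypt live/ directory, so the mode that matters is the one on the target under archive/), and fetch_ehlo() is a live helper that is not exercised offline.

```python
"""Added diagnostic for the two checks done by hand in the thread: does the
EHLO reply advertise STARTTLS, and would sendmail consider the CERT_DIR
files "safe".  Example code, not from the thread or the sendmail project."""
import os
import socket
import stat
import tempfile

# Constructed sample: the EHLO reply quoted in the thread (no STARTTLS line).
SAMPLE_EHLO_NO_TLS = (
    "250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n250-SIZE\r\n"
    "250-DSN\r\n250-ETRN\r\n250-AUTH PLAIN LOGIN\r\n250-DELIVERBY\r\n250 HELP\r\n"
)
# Constructed: the same reply as it would look with STARTTLS enabled.
SAMPLE_EHLO_TLS = SAMPLE_EHLO_NO_TLS.replace("250-ETRN\r\n", "250-ETRN\r\n250-STARTTLS\r\n")


def ehlo_extensions(reply):
    """Extension keywords from a 250 reply.  The first 250 line is the
    greeting, not an extension, so it is skipped; the keyword is the first
    token after the 4-character "250-"/"250 " prefix."""
    lines = [ln for ln in reply.splitlines() if ln[:3] == "250"]
    exts = []
    for ln in lines[1:]:
        body = ln[4:].strip()
        if body:
            exts.append(body.split()[0].upper())
    return exts


def advertises_starttls(reply):
    return "STARTTLS" in ehlo_extensions(reply)


def _read_reply(f):
    """Read one SMTP reply; the final line has a space after the code."""
    out = []
    while True:
        line = f.readline().decode("utf-8", "replace")
        if not line:
            break
        out.append(line)
        if len(line) >= 4 and line[3] == " ":
            break
    return "".join(out)


def fetch_ehlo(host, port=25, helo_name="localhost", timeout=10.0):
    """Live variant (not exercised offline): cleartext connect, EHLO, reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _read_reply(f)                                   # 220 banner
        s.sendall(("EHLO %s\r\n" % helo_name).encode())
        reply = _read_reply(f)
        s.sendall(b"QUIT\r\n")
    return reply


def check_tls_files(cert_dir, allowed_uids=(0,)):
    """Approximation of sendmail's safefile() rules for the STARTTLS files
    (the thread's 'unsafe: Group readable file' line comes from such a check;
    DontBlameSendmail can relax them).  Symlinks are resolved because a
    Let's Encrypt live/ directory is all symlinks into archive/.  Returns a
    list of (file, problem) pairs; empty means nothing obviously wrong."""
    problems = []
    for name, private in (("cert.pem", False), ("chain.pem", False), ("privkey.pem", True)):
        path = os.path.join(cert_dir, name)
        if not os.path.exists(path):
            problems.append((name, "missing (or dangling symlink)"))
            continue
        real = os.path.realpath(path)
        st = os.stat(real)
        if not stat.S_ISREG(st.st_mode):
            problems.append((name, "not a regular file"))
            continue
        if st.st_uid not in allowed_uids:
            problems.append((name, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((name, "group or world writable"))
        if private and st.st_mode & stat.S_IRGRP:
            problems.append((name, "group readable"))
        if private and st.st_mode & stat.S_IROTH:
            problems.append((name, "world readable"))
        # Parent directories must not be group/world writable either
        # (sticky-bit directories such as /tmp are tolerated here).
        d = os.path.dirname(real)
        while d != os.path.dirname(d):
            dm = os.stat(d).st_mode
            if dm & (stat.S_IWGRP | stat.S_IWOTH) and not dm & stat.S_ISVTX:
                problems.append((name, "directory %s is group/world writable" % d))
            d = os.path.dirname(d)
    return problems


def make_sample_cert_dir(key_mode=0o640):
    """Constructed fixture: an empty cert dir with the three Let's Encrypt
    file names and the key in the group-readable state the thread hit."""
    d = tempfile.mkdtemp(prefix="certdir.")
    for name in ("cert.pem", "chain.pem", "privkey.pem"):
        open(os.path.join(d, name), "w").close()
        os.chmod(os.path.join(d, name), 0o644)
    os.chmod(os.path.join(d, "privkey.pem"), key_mode)
    return d


if __name__ == "__main__":
    print("sample EHLO advertises STARTTLS:", advertises_starttls(SAMPLE_EHLO_NO_TLS))
    for f, why in check_tls_files(make_sample_cert_dir(), allowed_uids=(0, os.getuid())):
        print("%s: %s" % (f, why))
```

Run it as root against the real CERT_DIR (allowed_uids defaults to root, which is what sendmail runs its TLS setup as) and against the live server with advertises_starttls(fetch_ehlo("mail.example.org")). If the key passes but STARTTLS is still not advertised, the server-side context is the thing to look at: sendmail initialises the server and client TLS contexts separately, so check maillog at startup for a "STARTTLS=server:" line alongside the "STARTTLS=client:" one the thread already found.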
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFsnNZJoYPMDcbX7N-nm4Ea_w0SgdJdakQ3zvV_XK3eDxhUhoQ>
