From: William Dudley <wfdudley@gmail.com>
Date: Fri, 10 Feb 2023 10:06:08 -0500
To: list-freebsd-questions@jyborn.se, freebsd-questions@freebsd.org
Subject: Re: help needed getting sendmail+STARTTLS working on FreeBSD 12 or 13
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Peter,

Thanks for the tip about "sendmail -d0.1". I did that with both "base" sendmail and ports sendmail, and got this:

base sendmail:

Version 8.16.1
 Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
                MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PIPELINING SCANF STARTTLS TCPWRAPPERS TLS_EC TLS_VRFY_PER_CTX
                USERDB XDEBUG

ports sendmail:

Version 8.17.1
 Compiled with: DANE DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
                MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PICKY_HELO_CHECK PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
                TLS_EC TLS_VRFY_PER_CTX USERDB XDEBUG

So despite various claims on "the internet", base sendmail IS compiled with STARTTLS.
What is missing in the base version is SASLv2.

So, one mystery solved. I still can't get STARTTLS to "work", but I understand a little more.

As to permissions: as stated in the original email, I was getting a permissions complaint from
sendmail until I made some of the cert files 600.

Bill Dudley

On Fri, Feb 10, 2023 at 5:19 AM <list-freebsd-questions@jyborn.se> wrote:
> Hello!
>
> I'm no expert, but I think your configuration below looks fine.
>
> You have the [x] on TLS, and your mc define lines are identical
> to mine (except different path in CERT_DIR), and I also use
> LetsEncrypt. I don't remember doing anything else than that
> to get STARTTLS working.
>
> What do you see with "/usr/local/sbin/sendmail -d0.1"?
> Do you see STARTTLS in the "Compiled with" lines?
> If you do, then double check that you are running the sendmail
> from ports and not from base.
> (But I don't think that ports sendmail is necessary, I think
> that base sendmail also has the TLS option compiled in.)
>
> Could possibly be a permissions thing.
> My CERT_DIR is 700 root:wheel and the cert files in it are 600 root:wheel.
>
> Peter Olsson
>
> On Thu, Feb 09, 2023 at 08:21:28PM -0500, William Dudley wrote:
> > I cannot get STARTTLS to "work", and all the tutorials I find on the web
> > seem to be using FreeBSD 4 or 5? I've been running my own mail server for
> > perhaps 15 or 20 years now, so I've been working with sendmail for
> > a long time.
> >
> > PLEASE do not suggest I switch to postfix or one of the MTAs. I know
> > sendmail and have lots of configuration established, and I don't
> > want to go through that learning curve all over again.
> >
> > So, to the problem at hand. I've done lots of googling and reading, and
> > this is what I've done:
> >
> > I think I understand that one must build sendmail from ports because
> > the sendmail from pkg does not have TLS compiled in. (Why the hell not,
> > I don't know).
> >
> > I have both a 12.3-RELEASE-p6 machine and a 13.1-RELEASE-p3 machine,
> > and both act identically badly.
> >
> > I downloaded the latest ports tree (using git) and ran "make config", which
> > presents these options:
> >
> >   sendmail-8.17.1_6
> >   [x] SHMEM            System V shared memory support
> >   [x] SEM              POSIX semaphores support
> >   [x] LA               load averages support
> >   [x] NIS              Network Information Services/YP support
> >   [x] IPV6             IPv6 protocol support
> >   [x] TLS              SMTP-TLS and SMTPS support
> >   [x] DANE             Enable DANE support
> >   [x] SASL             SASL authentication support
> >   [x] SASLAUTHD        SASLAUTHD support
> >   [ ] LDAP             LDAP protocol support
> >   [ ] BDB              Berkeley DB version 4+ support
> >   [ ] GDBM             GNU dbm library support (option COMPAT needed)
> >   [ ] SOCKETMAP        Enable socketmap feature
> >   [ ] CYRUSLOOKUP      Enable cyruslookup feature
> >   [x] BLACKLISTD       Enable blacklistd support
> >   [ ] SMTPUTF8         Enable unicode address support
> >   [x] PICKY_HELO_CHECK Enable picky HELO check
> >   [x] MILTER           Enable milter support
> >   [ ] MTA_STS          Enable MTA-STS support (option SOCKETMAP and T
> >   [ ] TLS_CERT_CHAIN   Enable certificate chain file support (incompa
> >   [x] DOCS             Build and/or install documentation
> >                      < OK >        <Cancel>
> >
> > I didn't change any options. Should I have?
> > Then, of course, "make" and "make install", and then follow the
> > instructions that are printed out at the conclusion of the last step.
> >
> > Next, in my freebsd.mc file, I added this:
> >
> > define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/my-site-name.com')dnl
> > define(`confCACERT_PATH', `CERT_DIR')dnl
> > define(`confCACERT', `CERT_DIR/chain.pem')dnl
> > define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
> > define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl
> >
> > (except of course, I changed "my-site-name.com" to the actual directory
> > where my certs are)
> > (I've been using letsencrypt since late 2017 to generate certificates for
> > the few websites I host.)
> >
> > I changed mailer.conf (both copies) to this:
> >
> > sendmail        /usr/local/sbin/sendmail
> > send-mail       /usr/local/sbin/sendmail
> > mailq           /usr/local/sbin/sendmail
> > newaliases      /usr/local/sbin/sendmail
> > hoststat        /usr/local/sbin/sendmail
> > purgestat       /usr/local/sbin/sendmail
> >
> > So that the sendmail from ports is chosen.
> >
> > I run "make" in the /etc/mail directory, and "make stop" and "make start"
> > to restart sendmail.
> > I found that I had to "chmod 600 privkey.pem" to get sendmail to not
> > complain about that file being group readable:
> >
> > Feb  9 19:51:39 my-site sm-mta[38802]: STARTTLS=client: file /usr/local/etc/letsencrypt/live/my-site-name.com-0001/privkey.pem unsafe: Group readable file
> >
> > when I run this test:
> >
> > openssl s_client -connect localhost:25 -starttls smtp -showcerts
> >
> > I get this response, showing that STARTTLS isn't announced.
> >
> > CONNECTED(00000003)
> > Didn't find STARTTLS in server response, trying anyway...
> > 547012608:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 323 bytes and written 326 bytes
> > Verification: OK
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > Early data was not sent
> > Verify return code: 0 (ok)
> > ---
> >
> > If I telnet into my server, I see this:
> >
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 mail.casano.com ESMTP Sendmail 8.17.1/8.17.1; Thu, 9 Feb 2023 18:36:46 -0500 (EST)
> > ehlo m2.casano.com
> > 250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
> > 250-ENHANCEDSTATUSCODES
> > 250-PIPELINING
> > 250-8BITMIME
> > 250-SIZE
> > 250-DSN
> > 250-ETRN
> > 250-AUTH PLAIN LOGIN
> > 250-DELIVERBY
> > 250 HELP
> > quit
> >
> > So no announcement of STARTTLS there, either. The sendmail version is the
> > one from ports. The "stock" version is 8.16.1, as seen here from an earlier
> > test before I enabled the ports version:
> >
> > 220 mail.casano.com ESMTP Sendmail 8.16.1/8.16.1; Wed, 8 Feb 2023 16:34:35 -0500 (EST)
> >
> > I do see this in /var/log/maillog:
> >
> > Feb  9 19:51:14 my-site sm-mta[38691]: STARTTLS=client, relay=aero4.stememail.com, version=TLSv1.3, verify=FAIL, cipher=TLS_AES_128_GCM_SHA256, bits=128/128
> >
> > which looks promising, but then why do the other tests not show STARTTLS
> > present?
> >
> > I think this recitation includes all the changes I made to try to get this
> > working.
> > What am I missing? Are there any tutorials written in this decade for
> > doing this?
> >
> > If you want to poke at my mail server, feel free: mail.casano.com
> >
> > Thanks,
> > Bill Dudley
> > New Jersey, USA
> >
> > This email is free of malware because I run Linux.
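Two of the checks this thread turns on, written up as an added example (not code from the thread, from FreeBSD or from sendmail): parsing an EHLO reply to see whether STARTTLS is advertised, which is what the telnet and openssl tests above were doing by hand, and flagging the key-file permission problem behind the "unsafe: Group readable file" log line. The permission rule is an approximation stated as an assumption rather than sendmail's own safefile() logic, and live_starttls_check is assumed to be pointed at a host you administer.

```python
"""Added example: is STARTTLS advertised, and is the private key locked down?"""
import os
import smtplib
import stat
import tempfile

# EHLO reply transcribed from the telnet session in the thread (no STARTTLS).
EHLO_NO_STARTTLS = b"""250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN
250-DELIVERBY
250 HELP
"""

# Constructed variant of the same reply with STARTTLS advertised.
EHLO_WITH_STARTTLS = EHLO_NO_STARTTLS.replace(
    b"250-8BITMIME\n", b"250-8BITMIME\n250-STARTTLS\n")


def parse_ehlo(reply: bytes) -> dict:
    """Turn a multi-line EHLO reply (RFC 5321 4.1.1.1) into {KEYWORD: params}.
    Intermediate lines start '250-', the final line '250 '; the first line is
    the server greeting rather than an extension and is skipped."""
    extensions = {}
    for i, line in enumerate(reply.decode("ascii", errors="replace").splitlines()):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"not an EHLO success line: {line!r}")
        if i == 0:
            continue
        keyword, _, params = line[4:].partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def advertises_starttls(reply: bytes) -> bool:
    """True when the server offers a TLS upgrade on this port."""
    return "STARTTLS" in parse_ehlo(reply)


def live_starttls_check(host: str, port: int = 25) -> bool:
    """Same question asked of a real server with the standard library
    (needs network access, so the offline test does not call it)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


def key_file_problems(path: str) -> list:
    """Assumption, not sendmail's own check: a private key must be a regular
    file with no group or world permission bits, which is why the thread
    needed 'chmod 600 privkey.pem' to silence 'unsafe: Group readable file'."""
    st = os.stat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & stat.S_IRWXG:
        problems.append("group accessible")
    if st.st_mode & stat.S_IRWXO:
        problems.append("world accessible")
    return problems


def problems_for_mode(mode: int) -> list:
    """Exercise key_file_problems() offline on a throwaway file of the given mode."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return key_file_problems(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for label, reply in (("thread", EHLO_NO_STARTTLS), ("constructed", EHLO_WITH_STARTTLS)):
        print(f"{label}: STARTTLS advertised = {advertises_starttls(reply)}")
    print("privkey.pem mode 0640 ->", problems_for_mode(0o640))
    print("privkey.pem mode 0600 ->", problems_for_mode(0o600))
```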