Date:      Fri, 10 Feb 2023 10:06:08 -0500
From:      William Dudley <wfdudley@gmail.com>
To:        list-freebsd-questions@jyborn.se,  freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: help needed getting sendmail+STARTTLS working on FreeBSD 12 or 13
Message-ID:  <CAFsnNZJoYPMDcbX7N-nm4Ea_w0SgdJdakQ3zvV_XK3eDxhUhoQ@mail.gmail.com>
In-Reply-To: <Y%2BYaN7HxCXG9t5XL@pol-server.leissner.se>
References:  <CAFsnNZKxUnZNnne%2BVf015jWugNTURxvib9wiP8F5eXSxutvMeQ@mail.gmail.com> <Y%2BYaN7HxCXG9t5XL@pol-server.leissner.se>


Peter,

Thanks for the tip about "sendmail -d0.1".  I did that with both "base" sendmail
and ports sendmail, and got this:

base sendmail:

Version 8.16.1
 Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
                MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PIPELINING SCANF STARTTLS TCPWRAPPERS TLS_EC TLS_VRFY_PER_CTX
                USERDB XDEBUG

ports sendmail:

Version 8.17.1
 Compiled with: DANE DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
                MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PICKY_HELO_CHECK PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
                TLS_EC TLS_VRFY_PER_CTX USERDB XDEBUG

So despite various claims on "the internet", base sendmail IS compiled with STARTTLS.
What is missing in the base version is SASLv2.

So, one mystery solved.  I still can't get STARTTLS to "work", but I
understand a little more.

As to permissions: as stated in the original email, I was getting a permissions
complaint from sendmail until I made some of the cert files 600.

Bill Dudley


On Fri, Feb 10, 2023 at 5:19 AM <list-freebsd-questions@jyborn.se> wrote:

> Hello!
>
> I'm no expert, but I think your configuration below looks fine.
>
> You have the [x] on TLS, and your mc define lines are identical
> to mine (except different path in CERT_DIR), and I also use
> LetsEncrypt. I don't remember doing anything else than that
> to get STARTTLS working.
>
> What do you see with "/usr/local/sbin/sendmail -d0.1"?
> Do you see STARTTLS in the "Compiled with" lines?
> If you do, then double check that you are running the sendmail
> from ports and not from base.
> (But I don't think that ports sendmail is necessary, I think
> that base sendmail also has the TLS option compiled in.)
>
> Could possibly be a permissions thing.
> My CERT_DIR is 700 root:wheel and the cert files in it are 600 root:wheel.
>
> Peter Olsson
>
> On Thu, Feb 09, 2023 at 08:21:28PM -0500, William Dudley wrote:
> > I cannot get STARTTLS to "work", and all the tutorials I find on the web
> > seem to be using FreeBSD 4 or 5?  I've been running my own mail server for
> > perhaps 15 or 20 years now, so I've been working with sendmail for
> > a long time.
> >
> > PLEASE do not suggest I switch to postfix or one of the MTAs.  I know
> > sendmail and have lots of configuration established, and I don't
> > want to go through that learning curve all over again.
> >
> > So, to the problem at hand.  I've done lots of googling and reading, and
> > this is what I've done:
> >
> > I think I understand that one must build sendmail from ports because
> > the sendmail from pkg does not have TLS compiled in.  (Why the hell not,
> > I don't know).
> >
> > I have both a 12.3-RELEASE-p6 machine and a 13.1-RELEASE-p3 machine,
> > and both act identically badly.
> >
> > I downloaded the latest ports tree (using git) and ran "make config", which
> > presents these options:
> >
> >   sendmail-8.17.1_6
> >   [x] SHMEM            System V shared memory support
> >   [x] SEM              POSIX semaphores support
> >   [x] LA               load averages support
> >   [x] NIS              Network Information Services/YP support
> >   [x] IPV6             IPv6 protocol support
> >   [x] TLS              SMTP-TLS and SMTPS support
> >   [x] DANE             Enable DANE support
> >   [x] SASL             SASL authentication support
> >   [x] SASLAUTHD        SASLAUTHD support
> >   [ ] LDAP             LDAP protocol support
> >   [ ] BDB              Berkeley DB version 4+ support
> >   [ ] GDBM             GNU dbm library support (option COMPAT needed)
> >   [ ] SOCKETMAP        Enable socketmap feature
> >   [ ] CYRUSLOOKUP      Enable cyruslookup feature
> >   [x] BLACKLISTD       Enable blacklistd support
> >   [ ] SMTPUTF8         Enable unicode address support
> >   [x] PICKY_HELO_CHECK Enable picky HELO check
> >   [x] MILTER           Enable milter support
> >   [ ] MTA_STS          Enable MTA-STS support (option SOCKETMAP and T...
> >   [ ] TLS_CERT_CHAIN   Enable certificate chain file support (incompa...
> >   [x] DOCS             Build and/or install documentation
> >
> >                         <  OK  >           <Cancel>
> >
> > I didn't change any options.  Should I have?
> > Then, of course, "make" and "make install", and then follow the
> > instructions that are printed out at the conclusion of the last step.
> >
> > Next, in my freebsd.mc file, I added this:
> >
> > define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/my-site-name.com')dnl
> > define(`confCACERT_PATH', `CERT_DIR')dnl
> > define(`confCACERT', `CERT_DIR/chain.pem')dnl
> > define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
> > define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl
> >
> > (except of course, I changed "my-site-name.com" to the actual directory
> > where my certs are)
> > (I've been using letsencrypt since late 2017 to generate certificates for
> > the few websites I host.)
> >
> > I changed mailer.conf (both copies) to this:
> >
> > sendmail        /usr/local/sbin/sendmail
> > send-mail       /usr/local/sbin/sendmail
> > mailq           /usr/local/sbin/sendmail
> > newaliases      /usr/local/sbin/sendmail
> > hoststat        /usr/local/sbin/sendmail
> > purgestat       /usr/local/sbin/sendmail
> >
> > So that the sendmail from ports is chosen.
> >
> > I run "make" in the /etc/mail directory, and "make stop" and "make start"
> > to restart sendmail.
> > I found that I had to "chmod 600 privkey.pem" to get sendmail to not
> > complain about that file being group readable:
> >
> > Feb  9 19:51:39 my-site sm-mta[38802]: STARTTLS=client: file /usr/local/etc/letsencrypt/live/my-site-name.com-0001/privkey.pem unsafe: Group readable file
> >
> > when I run this test:
> >
> > openssl s_client -connect localhost:25 -starttls smtp -showcerts
> >
> > I get this response, showing that STARTTLS isn't announced.
> >
> > CONNECTED(00000003)
> > Didn't find STARTTLS in server response, trying anyway...
> > 547012608:error:1408F10B:SSL routines:ssl3_get_record:wrong version
> > number:ssl/record/ssl3_record.c:332:
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 323 bytes and written 326 bytes
> > Verification: OK
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > Early data was not sent
> > Verify return code: 0 (ok)
> > ---
> >
> > If I telnet into my server, I see this:
> >
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 mail.casano.com ESMTP Sendmail 8.17.1/8.17.1; Thu, 9 Feb 2023 18:36:46 -0500 (EST)
> > ehlo m2.casano.com
> > 250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
> > 250-ENHANCEDSTATUSCODES
> > 250-PIPELINING
> > 250-8BITMIME
> > 250-SIZE
> > 250-DSN
> > 250-ETRN
> > 250-AUTH PLAIN LOGIN
> > 250-DELIVERBY
> > 250 HELP
> > quit
> >
> > So no announcement of STARTTLS there, either.  The sendmail version is the
> > one from ports.  The "stock" version is 8.16.1, as seen here from an
> > earlier test before I enabled the ports version:
> >
> > 220 mail.casano.com ESMTP Sendmail 8.16.1/8.16.1; Wed, 8 Feb 2023 16:34:35 -0500 (EST)
> >
> > I do see this in /var/log/maillog:
> >
> > Feb  9 19:51:14 my-site sm-mta[38691]: STARTTLS=client, relay=aero4.stememail.com, version=TLSv1.3, verify=FAIL, cipher=TLS_AES_128_GCM_SHA256, bits=128/128
> >
> > which looks promising, but then why do the other tests not show STARTTLS
> > present?
> >
> > I think this recitation includes all the changes I made to try to get this
> > working.  What am I missing?  Are there any tutorials written in this
> > decade for doing this?
> >
> > If you want to poke at my mail server, feel free:  mail.casano.com
> >
> > Thanks,
> > Bill Dudley
> > New Jersey, USA
> >
> > This email is free of malware because I run Linux.
>
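The thread above turns on two observable facts: whether the server's EHLO reply contains a STARTTLS capability line (what the telnet session and `openssl s_client -starttls smtp` are both looking for), and whether the key and certificate files pass sendmail's safe-file check (the `privkey.pem unsafe: Group readable file` maillog line is that check firing, and Peter's 700/600 suggestion is the fix for it). The script below is an added example written for this page, not code from the list, from sendmail or from FreeBSD; it checks both conditions offline on constructed input. The EHLO transcript it uses is the one quoted in the original post, and the temporary directory it audits is laid out like the Let's Encrypt `live` directory named in the `.mc` defines. The filenames are those from the defines; the assumption that public certificate files only need to be non-writable by group and others, while the private key and the directory must carry no group or other bits at all, is mine.

```shell
#!/bin/sh
# Added example for this thread (not sendmail's or FreeBSD's code):
#   1. does an EHLO response advertise STARTTLS?
#   2. would a cert file trip sendmail's safe-file check?
# The EHLO transcript and the temporary files below are constructed here.

# --- 1. STARTTLS advertisement -------------------------------------------
# Reads an EHLO response on stdin.  A capability line is "250-STARTTLS" when
# more lines follow, or "250 STARTTLS" when it is the last line of the reply.
ehlo_advertises_starttls() {
    grep -qiE '^250[- ]STARTTLS[[:space:]]*$'
}

# --- 2. File permissions ---------------------------------------------------
# Group and other bits are columns 5-10 of `ls -ld` ("-rw-------" -> "------").
# Parsing ls keeps this portable; stat(1) takes different flags on FreeBSD
# and GNU systems.  Prints nothing if the path does not exist.
group_other_bits() {
    ls -ld "$1" 2>/dev/null | cut -c5-10
}

# Private key or CERT_DIR: no group/other access at all (0600 file, 0700 dir).
file_mode_is_private() {
    [ "$(group_other_bits "$1")" = "------" ]
}

# Public cert/chain (assumption, see lead-in): may be readable, but must not
# be group- or world-writable.  A missing file is never reported as safe.
file_not_group_world_writable() {
    bits=$(group_other_bits "$1")
    [ -n "$bits" ] || return 1
    case "$bits" in *w*) return 1 ;; esac
    return 0
}

# Audit a CERT_DIR with the file names used by the thread's .mc defines.
# Prints one line per path and returns non-zero if anything would be rejected.
audit_cert_dir() {
    dir=$1; rc=0
    for f in "$dir" "$dir/privkey.pem"; do
        if file_mode_is_private "$f"; then echo "ok      $f"
        else echo "unsafe  $f (must have no group/other bits)"; rc=1; fi
    done
    for f in "$dir/cert.pem" "$dir/chain.pem"; do
        if file_not_group_world_writable "$f"; then echo "ok      $f"
        else echo "unsafe  $f (group/world writable or missing)"; rc=1; fi
    done
    return $rc
}

# --- Demo on constructed input ----------------------------------------------
# The EHLO reply quoted in the original post: AUTH is offered, STARTTLS is not.
EHLO_FROM_POST='250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN
250-DELIVERBY
250 HELP'

if printf '%s\n' "$EHLO_FROM_POST" | ehlo_advertises_starttls; then
    echo "EHLO: STARTTLS advertised"
else
    echo "EHLO: STARTTLS not advertised"
fi

# Reproduce the permission state that produced "unsafe: Group readable file":
# a 0640 private key inside an otherwise sane 0700 directory.
tmp=$(mktemp -d) || exit 1
chmod 700 "$tmp"
for f in privkey.pem cert.pem chain.pem; do : > "$tmp/$f"; done
chmod 640 "$tmp/privkey.pem"
chmod 644 "$tmp/cert.pem" "$tmp/chain.pem"
audit_cert_dir "$tmp" || echo "fix: chmod 600 $tmp/privkey.pem"
rm -rf "$tmp"
```

Run it as a plain `sh` script; to audit a real directory, call `audit_cert_dir /usr/local/etc/letsencrypt/live/<your-site>` and to test a live server pipe the output of `openssl s_client -connect host:25 -starttls smtp` into `ehlo_advertises_starttls` (the ESMTP capability lines appear before the TLS handshake). The `wrong version number` error in the original post is what `s_client` reports when it has announced "trying anyway" and sent a TLS ClientHello to a server that is still speaking plaintext SMTP, so on its own it only confirms that STARTTLS was not offered.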




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFsnNZJoYPMDcbX7N-nm4Ea_w0SgdJdakQ3zvV_XK3eDxhUhoQ>