From owner-freebsd-hackers@freebsd.org  Tue Nov 29 15:49:53 2016
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E76E5C5C10B
 for <freebsd-hackers@mailman.ysv.freebsd.org>;
 Tue, 29 Nov 2016 15:49:53 +0000 (UTC)
 (envelope-from george+freebsd@m5p.com)
Received: from mailhost.m5p.com (mailhost.m5p.com [IPv6:2001:418:3fd::f7])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "m5p.com", Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id A36A11D8E;
 Tue, 29 Nov 2016 15:49:53 +0000 (UTC)
 (envelope-from george+freebsd@m5p.com)
Received: from [10.100.0.31] (haymarket.m5p.com [10.100.0.31])
 by mailhost.m5p.com (8.15.2/8.15.2) with ESMTP id uATFnjKt072610;
 Tue, 29 Nov 2016 10:49:51 -0500 (EST)
 (envelope-from george+freebsd@m5p.com)
Subject: Re: Sendmail and STARTTLS
To: Gregory Shapiro <gshapiro@freebsd.org>
References: <f4ee7a4c-8b8c-2542-20ba-7ef0a42313fa@m5p.com>
 <20161128183554.GA6716@c02pp3c3fvh8.corp.proofpoint.com>
 <2c7a5fc1-5946-1221-816f-b68079a42078@m5p.com>
Cc: freebsd-hackers@FreeBSD.org
From: George Mitchell <george+freebsd@m5p.com>
Message-ID: <66835790-9aea-c658-cd6b-09cd792edb62@m5p.com>
Date: Tue, 29 Nov 2016 10:49:45 -0500
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101
 Thunderbird/45.5.0
MIME-Version: 1.0
In-Reply-To: <2c7a5fc1-5946-1221-816f-b68079a42078@m5p.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-3.8 required=10.0 tests=ALL_TRUSTED, RP_MATCHES_RCVD
 autolearn=unavailable autolearn_force=no version=3.4.1
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mattapan.m5p.com
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.4.3
 (mailhost.m5p.com [10.100.0.247]); Tue, 29 Nov 2016 10:49:51 -0500 (EST)
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2016 15:49:54 -0000

On 11/28/16 14:19, George Mitchell wrote:
> [...]
>>> What am I doing wrong?  How can I enter VERIFY=YES nirvana?  -- George
> [...]

Okay, I have convinced myself that I am misinterpreting what my mail
log is telling me.  I did a packet capture of the last email message
I received from mx2.freebsd.org, and even though the STARTTLS entry
tells me "VERIFY=FAIL", the headers and content of the email were
encrypted anyway.  It's just that either mx2.freebsd.org couldn't
verify that mailhost.m5p.com is really mailhost.m5p.com, or the other
way around.  That's annoying, but the main point of the exercise wasto
encrypt the data, and that's what is happening.  So I'm happier now,
though at some point I would like the identify verification to work
correctly as well.  Baby steps ...                          -- George