From owner-freebsd-hackers@freebsd.org Tue Nov 29 17:42:37 2016
Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ABFA2C5C0FB; Tue, 29 Nov 2016 17:42:37 +0000 (UTC) (envelope-from gshapiro@freebsd.org)
Received: from z.gshapiro.net (z.gshapiro.net [52.4.190.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.gshapiro.net", Issuer "Certificate Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 75F0714DA; Tue, 29 Nov 2016 17:42:37 +0000 (UTC) (envelope-from gshapiro@freebsd.org)
Received: from c02pp3c3fvh8.corp.proofpoint.com (snv-gw.proofpoint.com [208.86.202.10]) (authenticated bits=0) by z.gshapiro.net (8.16.0.16/8.16.0.16) with ESMTPSA id uATHgN7A085162 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 29 Nov 2016 17:42:32 GMT
Date: Tue, 29 Nov 2016 09:42:22 -0800
From: Gregory Shapiro
To: George Mitchell
Cc: freebsd-hackers@FreeBSD.org
Subject: Re: Sendmail and STARTTLS
Message-ID: <20161129174218.GD5956@c02pp3c3fvh8.corp.proofpoint.com>
References: <20161128183554.GA6716@c02pp3c3fvh8.corp.proofpoint.com> <2c7a5fc1-5946-1221-816f-b68079a42078@m5p.com> <66835790-9aea-c658-cd6b-09cd792edb62@m5p.com>
In-Reply-To: <66835790-9aea-c658-cd6b-09cd792edb62@m5p.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.6.0 (2016-04-01)
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Tue, 29 Nov 2016 17:42:37 -0000

On Tue, Nov 29, 2016 at 10:49:45AM -0500, George Mitchell wrote:
> On 11/28/16 14:19, George Mitchell wrote:
> > [...]
> >>> What am I doing wrong? How can I enter VERIFY=YES nirvana?
> >>> -- George
> > [...]
>
> Okay, I have convinced myself that I am misinterpreting what my mail
> log is telling me. I did a packet capture of the last email message
> I received from mx2.freebsd.org, and even though the STARTTLS entry
> tells me "VERIFY=FAIL", the headers and content of the email were
> encrypted anyway. It's just that either mx2.freebsd.org couldn't
> verify that mailhost.m5p.com is really mailhost.m5p.com, or the other
> way around. That's annoying, but the main point of the exercise was to
> encrypt the data, and that's what is happening. So I'm happier now,
> though at some point I would like the identity verification to work
> correctly as well. Baby steps ...
> -- George

Yes, you were misinterpreting the logs. STARTTLS provides both
encryption and authentication. The verify= tells you the result of the
authentication portion. When you connect to mx2.freebsd.org, it is
telling you whether your MTA can verify it is actually talking to
mx2.freebsd.org by verifying the certificate returned by
mx2.freebsd.org and comparing it to the list of trusted signers in
confCACERT_PATH. Note that this has nothing to do with whether
mx2.freebsd.org was able to verify your cert unless you see it in a
Received header.
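The distinction Gregory draws above (verify= reports the authentication half of STARTTLS, while cipher=/bits= report the encryption half, and the peer's view of your certificate only shows up in the Received header it adds) can be checked mechanically. The following is an added example, not code from the thread or from sendmail: it parses sendmail-style STARTTLS log lines and the TLS clause sendmail writes into Received headers, then reports each session as cleartext, encrypted-but-unauthenticated, or encrypted-and-authenticated. The log lines, the Received header, the host names other than those in the thread, the 192.0.2.0/24 addresses and the queue id are all constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample sendmail log lines (not real traffic). The fourth line is
# a non-TLS log entry and must be ignored by the parser.
SAMPLE_LOG = """\
Nov 29 10:49:01 mailhost sm-mta[4711]: STARTTLS=server, relay=mx2.freebsd.org [192.0.2.10], version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Nov 29 10:50:12 mailhost sm-mta[4712]: STARTTLS=client, relay=mx1.freebsd.org., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Nov 29 10:51:33 mailhost sm-mta[4713]: STARTTLS=server, relay=relay.example.net [192.0.2.99], version=TLSv1, verify=NO, cipher=AES128-SHA, bits=128/128
Nov 29 10:52:40 mailhost sm-mta[4714]: from=<user@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=relay.example.net [192.0.2.99]
"""

# Constructed sample of the Received header the *remote* MTA adds. Its
# verify= is the remote side's verdict on *our* certificate, which is the
# only place that verdict is visible to us.
SAMPLE_RECEIVED = (
    "Received: from mailhost.m5p.com (mailhost.m5p.com [192.0.2.20]) "
    "by mx2.freebsd.org (8.15.2/8.15.2) with ESMTPS id AbCdEf012345 "
    "(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); "
    "Tue, 29 Nov 2016 17:42:32 GMT"
)

# verify= values as documented in sendmail's op.me (assumed complete enough
# for triage; anything else is treated as "not authenticated").
VERIFY_MEANING = {
    "OK":   "peer certificate verified against confCACERT_PATH",
    "FAIL": "peer presented a certificate that could not be verified",
    "NO":   "peer presented no certificate",
    "NOT":  "no certificate was requested from the peer",
    "NONE": "STARTTLS was not performed",
}

LOG_RE = re.compile(
    r"STARTTLS=(?P<role>server|client), relay=(?P<relay>[^,]+), "
    r"version=(?P<version>[^,]*), verify=(?P<verify>[^,]+), "
    r"cipher=(?P<cipher>[^,]*), bits=(?P<bits>\d+)/(?P<algbits>\d+)"
)
RECEIVED_RE = re.compile(
    r"\(version=(?P<version>\S+) cipher=(?P<cipher>\S+) "
    r"bits=(?P<bits>\d+) verify=(?P<verify>[A-Z]+)\)"
)
RECEIVED_FROM_RE = re.compile(r"^Received: from (?P<relay>\S+)")


@dataclass
class TlsSession:
    role: str      # "server": they connected to us; "client": we connected out
    relay: str     # the peer
    version: str
    verify: str    # verdict of the *logging* MTA on the *peer's* certificate
    cipher: str
    bits: int

    @property
    def encrypted(self) -> bool:
        # A negotiated cipher with non-zero key bits means the session was
        # encrypted, whatever verify= says.
        return bool(self.cipher) and self.bits > 0

    @property
    def authenticated(self) -> bool:
        # Only verify=OK means the peer's certificate chained to a trusted
        # signer; FAIL/NO/NOT all leave the peer's identity unproven.
        return self.verify == "OK"


def parse_starttls_log(line: str) -> Optional[TlsSession]:
    """Parse one sendmail STARTTLS log line; None for any other log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return TlsSession(m["role"], m["relay"].strip(), m["version"],
                      m["verify"], m["cipher"], int(m["bits"]))


def parse_received_tls(header: str) -> Optional[TlsSession]:
    """Parse the TLS clause of a Received header written by the remote MTA."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    f = RECEIVED_FROM_RE.match(header)
    relay = f["relay"] if f else "unknown"
    # The header's author was the receiving side, so it acted as server.
    return TlsSession("server", relay, m["version"], m["verify"],
                      m["cipher"], int(m["bits"]))


def assess(s: TlsSession) -> str:
    if not s.encrypted:
        return "cleartext"
    if s.authenticated:
        return "encrypted, peer authenticated"
    why = VERIFY_MEANING.get(s.verify, "unrecognised verify= value")
    return f"encrypted, peer NOT authenticated (verify={s.verify}: {why})"


def summarize(log_text: str) -> List[Tuple[str, str, str]]:
    """(relay, role, assessment) for every STARTTLS line in a log excerpt."""
    out = []
    for line in log_text.splitlines():
        s = parse_starttls_log(line)
        if s:
            out.append((s.relay, s.role, assess(s)))
    return out


if __name__ == "__main__":
    for relay, role, verdict in summarize(SAMPLE_LOG):
        print(f"{role:6} {relay:40} {verdict}")
    r = parse_received_tls(SAMPLE_RECEIVED)
    print(f"remote view of our cert: {assess(r)}")
```

Run against a real /var/log/maillog, the summary separates the sessions that are merely encrypted from those where the peer was actually identified; a verify=FAIL from your own log says nothing about whether the remote side trusted your certificate, which is why the example also pulls that verdict out of the Received header.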