From: "Dave Cottlehuber"
To: freebsd-questions, "David K. Gerry"
Subject: Re: FreeBSD 12.0-p3 sendmail openssl Google
Date: Fri, 03 May 2019 03:07:56 -0400

On Wed, 1 May 2019, at 17:53, Dave Cottlehuber wrote:
> On Tue, 30 Apr 2019, at 22:57, David K. Gerry wrote:
> > Greetings,
> >
> > I upgraded to FreeBSD 12.0-p3 on Wednesday using make installworld,
> > mergemaster, etc.
> > Since then I have not been able to receive e-mail from
> > Google with the following error in the mail log.
> >
> > Apr 30 18:14:07 john-steed sm-mta[32581]: STARTTLS=server, error: accept
> > failed=-1, reason=sslv3 alert illegal parameter, SSL_error=1, errno=0,
> ------------------------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^---------------------
>
> Hi David,
>
> TLDR: use TLS1.1 at minimum, preferred 1.2 & share more info to reduce
> speculation. SSLv2 is vulnerable to a bunch of attacks.

[moving reply back to list, content elided]

The error message from google is very clear: something is broken with
your SSL stuff, and you'll need to fix that first. The cause,
unfortunately, is not provided.

Using the openssl tool against your domain MX server shows this:

verify error:num=19:self signed certificate in certificate chain

I have a few tools for checking TLS for websites, but nothing for TLS
for SMTP etc. I found this, run by the EFF:

https://starttls-everywhere.org/

which showed 2 errors:

Failure: Name in cert doesn't match hostname: x509: certificate is not
valid for any names, but wanted to match mail.xyz

Failure: Certificate root is not trusted: x509: certificate signed by
unknown authority

Hopefully that's enough for you to fix things.

https://forums.freebsd.org/threads/sendmail-and-letsencrypt.57675/ may
be of interest.

A+
Dave
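
The two failures reported above (name mismatch, untrusted root) can be reproduced for an SMTP server with a short STARTTLS check. This is an added example, not part of the original mail; `check_mx`, `explain` and the host `mail.example.org` are hypothetical names chosen for illustration, and the TLS 1.2 floor follows the "preferred 1.2" advice in the quoted reply.

```python
import smtplib
import ssl

# OpenSSL X509_V_ERR_* codes; 19 is the "verify error:num=19" quoted in the mail.
VERIFY_HINTS = {
    10: "certificate has expired",
    18: "self-signed leaf certificate: root is not trusted",
    19: "self-signed certificate in chain: root is not trusted",
    20: "issuer not found locally: chain incomplete or root is not trusted",
    62: "name in certificate does not match the MX hostname",
}


def explain(verify_code):
    """Map an OpenSSL verify code to the kind of failure the mail lists."""
    return VERIFY_HINTS.get(verify_code, f"other verification failure (code {verify_code})")


def check_mx(host, port=25, timeout=10):
    """Return ("ok", protocol) or ("fail", reason) for one MX host."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the "preferred 1.2" floor
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return ("fail", "server does not offer STARTTLS")
        smtp.starttls(context=ctx)                # hostname is checked against `host`
        return ("ok", smtp.sock.version())
    except ssl.SSLCertVerificationError as exc:
        return ("fail", explain(exc.verify_code))
    except ssl.SSLError as exc:
        return ("fail", f"TLS handshake failed: {exc.reason}")
    except (OSError, smtplib.SMTPException) as exc:
        return ("fail", f"connection problem: {exc}")
    finally:
        if smtp is not None:
            smtp.close()


if __name__ == "__main__":
    # mail.example.org is a placeholder; substitute your own MX hostname.
    print(check_mx("mail.example.org"))
```

Run it from a host that is allowed outbound connections on port 25; a result of `("ok", "TLSv1.2")` or `("ok", "TLSv1.3")` means the chain and the hostname both verified against the system trust store.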