From: Dirk-Willem van Gulik <dirkx@webweaving.org>
To: John Baldwin
Cc: freebsd-hackers@freebsd.org
Date: Wed, 13 Oct 2010 18:29:32 +0100
Subject: Re: anyone got advice on sendmail and TLS on 8.1?
In-Reply-To: <201010111214.11698.jhb@freebsd.org>
References: <4CB22E79.2010202@freebsd.org> <201010111214.11698.jhb@freebsd.org>
Message-Id: <0726C125-A94F-41F8-8A4C-8FBAF072ED03@webweaving.org>
On 11 Oct 2010, at 17:14, John Baldwin wrote:

>> TLS and authenticated email submission by me and my family
>> able to forward the email anywhere (maybe just to my ISP but who
>> knows) (outgoing)
>> non TLS submission from outside to reject all mail not to
>> elischer.{org,com}
>> and deliver our mail to mailboxes or gmail (or where-ever /etc/aliases
>> says.).

I do pretty much this; from my *.mc:

1. Keys as usual - with limited CA trusted

    define(`confCACERT', `/etc/pikmeer.webweaving.org.pem')
    define(`confCACERT_PATH', `/etc/ca-trusted')
    define(`confSERVER_CERT', `/etc/pikmeer.webweaving.org.pem')
    define(`confSERVER_KEY', `/etc/pikmeer.webweaving.org.key')

And then at the bottom:

    dnl accept signed certs too - equivalent to SASL authenticated
    dnl ${verify} is OK only when the client cert chained to a CA in confCACERT_PATH
    LOCAL_RULESETS
    SLocal_check_rcpt
    R$*	$: $&{verify}
    ROK	$# OK

And then in the access file or ct/cw file just allow relay for, in your case, elischer. I do the verify as a local ruleset - as I also allow a SASL

    TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5')
    dnl define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')
    dnl m4 keeps only the last define of a name, so both flags go in one comma-separated value
    define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile,GroupReadableSASLFile')
    define(`confRUN_AS_USER',`root:mail')

on any SSL inbounds in lieu of a cert.

Dw.
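As an added check, not part of Dirk-Willem's message and not something sendmail ships, this Python lint reads a .mc fragment like the one above and flags the pitfalls it touches: a name defined twice (m4 keeps only the last value), a TRUST_AUTH_MECH mechanism the server does not offer or that is cleartext, and a confCACERT_PATH pointing at a system-wide bundle, which combined with the `ROK $# OK` rule would let any client cert from a public CA relay. The regex-based parser and the SYSTEM_CA_PATHS set are assumptions for this example; the sample fragment is constructed from the message.

```python
"""Lint the security-relevant defines in a sendmail .mc fragment (added example)."""
import re

# Constructed sample mirroring the fragment in the message, including the
# repeated confDONT_BLAME_SENDMAIL define as originally posted.
SAMPLE_MC = """\
define(`confCACERT_PATH', `/etc/ca-trusted')
define(`confSERVER_CERT', `/etc/pikmeer.webweaving.org.pem')
define(`confSERVER_KEY', `/etc/pikmeer.webweaving.org.key')
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 ')
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLFile')
"""

DEFINE_RE = re.compile(r"^\s*define\(\s*`([^']*)'\s*,\s*`([^']*)'\s*\)")
TRUST_RE = re.compile(r"^\s*TRUST_AUTH_MECH\(\s*`([^']*)'\s*\)")
# Assumed locations of system-wide CA bundles. A cert chaining to any CA in
# confCACERT_PATH makes ${verify} OK, and the posted Local_check_rcpt rule
# then accepts the RCPT, so the path should hold only your own issuing CA.
SYSTEM_CA_PATHS = {"/etc/ssl/certs", "/etc/ssl/cert.pem", "/usr/local/share/certs"}

def parse_mc(text):
    """Map each define name to its values in order (repeats stay visible)
    and collect the mechanisms named by TRUST_AUTH_MECH."""
    defines, trusted = {}, set()
    for line in text.splitlines():
        if line.lstrip().startswith("dnl"):      # m4 comment line
            continue
        if m := DEFINE_RE.match(line):
            defines.setdefault(m.group(1), []).append(m.group(2).strip())
        elif m := TRUST_RE.match(line):
            trusted.update(m.group(1).split())
    return defines, trusted

def lint_mc(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    defines, trusted = parse_mc(text)
    findings = []
    for name, values in defines.items():
        if len(values) > 1:                      # m4: the last define silently wins
            findings.append(f"{name} defined {len(values)}x; only {values[-1]!r} takes effect")
    offered = set(defines.get("confAUTH_MECHANISMS", [""])[-1].split())
    for mech in sorted(trusted - offered):
        findings.append(f"TRUST_AUTH_MECH trusts {mech} but confAUTH_MECHANISMS does not offer it")
    for mech in sorted(trusted & {"PLAIN", "LOGIN"}):
        findings.append(f"{mech} is trusted for relay; it sends credentials in the clear unless STARTTLS is required")
    ca_path = defines.get("confCACERT_PATH", [None])[-1]
    if ca_path in SYSTEM_CA_PATHS:
        findings.append(f"confCACERT_PATH={ca_path} is a system-wide bundle: any public-CA client cert would pass {{verify}} and relay")
    return findings

if __name__ == "__main__":
    for finding in lint_mc(SAMPLE_MC):
        print("WARN:", finding)
```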