Date:      Wed, 13 Oct 2010 18:29:32 +0100
From:      Dirk-Willem van Gulik <dirkx@webweaving.org>
To:        John Baldwin <jhb@freebsd.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: anyone got advice on sendmail and TLS on 8.1?
Message-ID:  <0726C125-A94F-41F8-8A4C-8FBAF072ED03@webweaving.org>
In-Reply-To: <201010111214.11698.jhb@freebsd.org>
References:  <4CB22E79.2010202@freebsd.org> <201010111214.11698.jhb@freebsd.org>


On 11 Oct 2010, at 17:14, John Baldwin wrote:

>> TLS and authenticated email submission by me and my family
>> able to forward the email anywhere (maybe just to my ISP but who
>> knows) (outgoing)
>> non TLS submission from outside to reject all mail not to
>> elischer.{org,com}
>> and deliver our mail to mailboxes or gmail (or where-ever /etc/aliases
>> says.).

I do pretty much this; from my *.mc:

1.	Keys as usual - with limited CA trusted

	define(`confCACERT',      `/etc/pikmeer.webweaving.org.pem')
	define(`confCACERT_PATH', `/etc/ca-trusted')
	define(`confSERVER_CERT', `/etc/pikmeer.webweaving.org.pem')
	define(`confSERVER_KEY',  `/etc/pikmeer.webweaving.org.key')

And then at the bottom:

	dnl accept signed certs too - equivalent to SASL authenticated
	LOCAL_RULESETS
	SLocal_check_rcpt
	R$*     $: $&{verify}
	ROK     $# OK

And then in the access file or ct/cw file just allow relay for, in your
case, elischer. I do the verify as a local ruleset - as I also allow a
SASL

	TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')
	define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 ')
	dnl define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')
	define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')
	define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLFile')
	define(`confRUN_AS_USER',`root:mail')

on any SSL inbounds in lieu of a cert.


Dw.
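
An added example, not part of the message above and not sendmail's own tooling: a small Python check over the `.mc` fragments quoted in the message. It reports which `define()` values take effect (m4's `define` replaces an earlier definition of the same name) and, when the `${verify}` relay rule is present, which CA locations decide who may relay. The sample text is constructed from the quoted lines and the function names are hypothetical.

```python
import re

# Constructed sample: fragments quoted in the message, joined into one .mc text.
SAMPLE_MC = """\
define(`confCACERT',      `/etc/pikmeer.webweaving.org.pem')
define(`confCACERT_PATH', `/etc/ca-trusted')
dnl define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLFile')
dnl accept signed certs too - equivalent to SASL authenticated
LOCAL_RULESETS
SLocal_check_rcpt
R$*\t$: $&{verify}
ROK\t$# OK
"""

DEFINE = re.compile(r"define\(`([^']+)'\s*,\s*`([^']*)'\)")

def active_lines(mc_text):
    """Yield lines with 'dnl' comments cut off (approximation: ignores m4 quoting)."""
    for line in mc_text.splitlines():
        yield re.split(r"\bdnl\b", line, maxsplit=1)[0]

def collect_defines(mc_text):
    """Map each macro name to every value assigned to it, in file order."""
    seen = {}
    for line in active_lines(mc_text):
        for name, value in DEFINE.findall(line):
            seen.setdefault(name, []).append(value)
    return seen

def audit(mc_text):
    defines = collect_defines(mc_text)
    # m4 define() replaces the earlier definition, so only the last value survives.
    effective = {n: v[-1] for n, v in defines.items()}
    discarded = {n: v[:-1] for n, v in defines.items() if len(v) > 1}
    body = "\n".join(active_lines(mc_text))
    cert_relay = bool(re.search(r"^R\$\*\s+\$:\s*\$&\{verify\}\s*$", body, re.M)
                      and re.search(r"^ROK\s+\$#\s*OK\s*$", body, re.M))
    # With the verify rule active, these CA locations gate relaying by certificate.
    keys = ("confCACERT", "confCACERT_PATH")
    ca_scope = [effective[k] for k in keys if k in effective] if cert_relay else []
    return {"effective": effective, "discarded": discarded,
            "cert_relay": cert_relay, "ca_scope": ca_scope}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_MC).items():
        print(key, "=", value)
```
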
