Date: Wed, 13 Oct 2010 18:29:32 +0100
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
To: John Baldwin <jhb@freebsd.org>
Cc: freebsd-hackers@freebsd.org
Subject: Re: anyone got advice on sendmail and TLS on 8.1?
Message-ID: <0726C125-A94F-41F8-8A4C-8FBAF072ED03@webweaving.org>
In-Reply-To: <201010111214.11698.jhb@freebsd.org>
References: <4CB22E79.2010202@freebsd.org> <201010111214.11698.jhb@freebsd.org>
On 11 Oct 2010, at 17:14, John Baldwin wrote:

>> TLS and authenticated email submission by me and my family
>> able to forward the email anywhere (maybe just to my ISP but who
>> knows) (outgoing)
>> non TLS submission from outside to reject all mail not to
>> elischer.{org,com}
>> and deliver our mail to mailboxes or gmail (or where-ever /etc/aliases
>> says.).

I do pretty much this; from my *.mc:

1. Keys as usual - with limited CA trusted

define(`confCACERT', `/etc/pikmeer.webweaving.org.pem')
define(`confCACERT_PATH', `/etc/ca-trusted')
define(`confSERVER_CERT', `/etc/pikmeer.webweaving.org.pem')
define(`confSERVER_KEY', `/etc/pikmeer.webweaving.org.key')

And then at the bottom:

dnl accept signed certs too - equivalent to SASL authenticated
LOCAL_RULESETS
SLocal_check_rcpt
R$*	$: $&{verify}
ROK	$# OK

And then in the access file or ct/cw file just allow relay for, in your case, elischer. I do the verify as a local ruleset - as I also allow a SASL

TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 ')
dnl define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLFile')
define(`confRUN_AS_USER',`root:mail')

on any SSL inbounds in lieu of a cert.

Dw.
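An added example, not part of the original post or of sendmail itself, for auditing a setup like the one above from the mail log: for each session it records whether relaying was earned by a client certificate that verified against the limited CA set (verify=OK, which is the only value that makes the Local_check_rcpt rule fire), by SASL AUTH, or by neither, and lists sessions where a certificate was offered but did not verify (verify=FAIL). The log lines below are constructed for the example; host names, addresses, queue ids and the authid are invented, and the field layout follows sendmail's STARTTLS=server, AUTH=server and ruleset reject entries.

```python
import re
from collections import defaultdict

# Constructed sample sendmail log lines (not from the original post).
# Queue ids, hosts, addresses and the authid are made up.
SAMPLE_LOG = """\
Oct 13 18:29:32 pikmeer sm-mta[4711]: o9DHTWaa004711: STARTTLS=server, relay=laptop.example.org [192.0.2.10], version=TLSv1, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Oct 13 18:29:33 pikmeer sm-mta[4711]: o9DHTWaa004711: from=<alice@example.org>, size=1203, class=0, nrcpts=1, msgid=<x@example.org>, proto=ESMTP, daemon=MTA, relay=laptop.example.org [192.0.2.10]
Oct 13 18:30:01 pikmeer sm-mta[4712]: o9DHU1bb004712: STARTTLS=server, relay=[198.51.100.7], version=TLSv1, verify=FAIL, cipher=AES128-SHA, bits=128/128
Oct 13 18:30:02 pikmeer sm-mta[4712]: o9DHU1bb004712: ruleset=check_rcpt, arg1=<bob@example.net>, relay=[198.51.100.7], reject=550 5.7.1 <bob@example.net>... Relaying denied
Oct 13 18:31:10 pikmeer sm-mta[4713]: o9DHVAcc004713: STARTTLS=server, relay=phone.example.org [203.0.113.5], version=TLSv1, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Oct 13 18:31:11 pikmeer sm-mta[4713]: o9DHVAcc004713: AUTH=server, relay=phone.example.org [203.0.113.5], authid=dirkx, mech=CRAM-MD5, bits=0
"""

# One regex per log entry type we care about; each captures the queue id.
TLS_RE = re.compile(
    r"(?P<qid>\w+): STARTTLS=server, relay=(?P<relay>[^,]+), "
    r"version=(?P<version>[^,]+), verify=(?P<verify>[^,]+), "
    r"cipher=(?P<cipher>[^,]+), bits=(?P<bits>\S+)")
AUTH_RE = re.compile(
    r"(?P<qid>\w+): AUTH=server, relay=(?P<relay>[^,]+), "
    r"authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+)")
REJECT_RE = re.compile(
    r"(?P<qid>\w+): ruleset=(?P<ruleset>\w+), .*reject=(?P<reject>.+)$")

# sendmail's ${verify} macro takes one of: OK, NO, NOT, FAIL, NONE, TEMP,
# SOFTWARE, PROTOCOL.  Only OK means the client certificate chained to a CA
# under confCACERT_PATH and the chain checked out; everything else must be
# treated as "no usable certificate".


def classify(log_text):
    """Group log lines by queue id and decide how each session earned trust.

    trust is "cert" when verify=OK (the Local_check_rcpt rule fires),
    "sasl" when an AUTH=server line exists, and "none" otherwise.
    """
    sessions = defaultdict(
        lambda: {"relay": None, "verify": None, "authid": None, "rejects": []})
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            s = sessions[m["qid"]]
            s["relay"] = m["relay"]
            s["verify"] = m["verify"]
            continue
        m = AUTH_RE.search(line)
        if m:
            sessions[m["qid"]]["authid"] = m["authid"]
            continue
        m = REJECT_RE.search(line)
        if m:
            sessions[m["qid"]]["rejects"].append(m["reject"])
    for s in sessions.values():
        if s["verify"] == "OK":
            s["trust"] = "cert"
        elif s["authid"]:
            s["trust"] = "sasl"
        else:
            s["trust"] = "none"
    return dict(sessions)


def cert_failures(sessions):
    """Queue ids where a client offered a certificate that did not verify."""
    return sorted(q for q, s in sessions.items() if s["verify"] == "FAIL")


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for qid, s in result.items():
        print(qid, s["relay"], "verify=%s" % s["verify"],
              "authid=%s" % s["authid"], "trust=%s" % s["trust"],
              "rejects=%d" % len(s["rejects"]))
    print("verify=FAIL sessions:", cert_failures(result))
```

Run against a real maillog the same way (read the file instead of SAMPLE_LOG); a session with trust "none" and no reject line that still delivered off-site is the thing to look for, since neither the certificate rule nor SASL should have let it relay.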