From owner-freebsd-questions@freebsd.org Tue Mar 21 22:57:57 2017
From: William Dudley
Date: Tue, 21 Mar 2017 18:57:55 -0400
Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
Cc: freebsd-questions@freebsd.org
List-Id: User questions

I've got all the bits that numerous sources say are the correct bits (like in hostname.mc). Sendmail in 10.x is able to generate its OWN certificates. I've let it do just that. However, sendmail still refuses to announce STARTTLS as a capability.

Surely there must be some way to debug this, instead of just thrashing about randomly. Is there a debug variable in sendmail that I can turn up to see exactly what sendmail doesn't like about the SSL/TLS stuff?

Failing that, is anyone on this list using self-signed certificates? Do you know the EXACT sequence of things to do to get this to work? I have a funny feeling that the "auto-generated" certs created by sendmail don't work if you don't have an official cert from Verisign.

Bill Dudley

This email is free of malware because I run Linux.

On Mon, Mar 20, 2017 at 9:13 AM, William Dudley wrote:
> The point of this exercise is to allow my Android phone to access my email
> on my FreeBSD 10.3 server, using imap. I had it working last year, and then,
> with nary an error message, it stopped working. So the email client is the
> native Android email client (on a recent Cyanogen Android). My FreeBSD
> server runs sendmail, and I've been running my own mail domain for about a
> decade.
>
> My latest guess (and that's all I can do is guess) is that my self-signed
> certificates expired, and I just need to re-generate them. All the sources
> on sendmail and STARTTLS that I've seen so far show configs identical to my
> config, so from this I infer perhaps one or more of my cert files is "bad".
>
> stunnel may well be a wonderful program, but I really don't want to figure
> out how to specify each of the 500 lines in its config file, especially
> when the software doesn't run successfully with its own sample config file.
>
> Thanks for your time,
> Bill Dudley
>
> This email is free of malware because I run Linux.
>
> On Mon, Mar 20, 2017 at 12:59 AM, Patrick Mahan wrote:
>> On 3/19/17 1:07 PM, William Dudley wrote:
>>> I commented out the lines starting with checkHost, and started stunnel.
>>> It does start, and runs as a daemon. However, it doesn't seem to DO
>>> anything.
>>>
>>> However, that hasn't changed sendmail's behaviour one iota.
>>>
>>> As far as I can tell, stunnel is a massive waste of time.
>>>
>>> I don't really want to spend months reading all the stunnel docs to
>>> figure out how to get it to work with sendmail. Sendmail is hard enough
>>> on its own, and I can mostly control sendmail (well, except for the
>>> STARTTLS problem.)
>>>
>>> Thanks,
>>> Bill Dudley
>>>
>>> This email is free of malware because I run Linux.
>>>
>>> On Sun, Mar 19, 2017 at 9:53 AM, William Dudley wrote:
>>>>
>>>> stunnel fails to start with this helpful message:
>>>>
>>>> /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com": Specified option name is not valid here
>>>>
>>>> The line it's complaining about is in the EXAMPLE config file.
>>>>
>>>> So this is not going well, at all.
>>>>
>>>> pop.gmail.com is a valid hostname. I have no idea what stunnel is
>>>> complaining about.
>>
>> Okay, let me share what I do. I believe stunnel needs to run on the same
>> host as the sendmail server.
>>
>> First, here are some relevant parts from my stunnel config file:
>>
>> ; Sample stunnel configuration file by Michal Trojnara 2002-2005
>> ; Some options used here may not be adequate for your particular configuration
>> ; Please make sure you understand them (especially the effect of chroot jail)
>>
>> ; Certificate/key is needed in server mode and optional in client mode
>> cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem
>> ;key = /usr/local/etc/stunnel/mail.pem
>>
>> ; Some security enhancements for UNIX systems - comment them out on Win32
>> chroot = /var/stunnel/
>> setuid = stunnel
>> setgid = stunnel
>> ; PID is created inside chroot jail
>> pid = /stunnel.pid
>>
>> ; Some performance tunings
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> ;compression = rle
>>
>> ; Workaround for Eudora bug
>> ;options = DONT_INSERT_EMPTY_FRAGMENTS
>>
>> ; Authentication stuff
>> verify = 0
>>
>> ....
>>
>> ; Some debugging stuff useful for troubleshooting
>> debug = 7
>> output = stunnel.log
>>
>> ; Use it for client mode
>> ;client = yes
>>
>> ; Service-level configuration
>>
>> [pop3s]
>> accept = 995
>> connect = 110
>>
>> [imaps]
>> accept = 993
>> connect = 143
>>
>> [smtps]
>> accept = 465
>> connect = 25
>>
>> I run dovecot for my imap server which is listening on port 143:
>>
>> mahan@ns-/usr/local/etc/stunnel 11 # sockstat | grep 110
>> root dovecot 915 22 tcp4 *:110 *:*
>>
>> But I connect from my mail clients (ios mail, thunderbird, ...) to port
>> 993. The mail clients are all configured to use ssl/tls, *not* STARTTLS.
>>
>> My smtp I connect via stunnel over port 465, not port 25 for sending mail.
>>
>> So what are you trying to accomplish? The idea is for you to access these
>> servers in an encrypted fashion. But from your above description, it
>> sounds like you are trying to access your unsecured gmail account using
>> POP3. Not sure why as the connection from stunnel to pop.gmail.com will be
>> unsecured.
>>
>> What email client are you trying to use?
>>
>> Patrick
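Editor's note, added to this archived thread and not part of any poster's message: the question Bill asks ("is there a debug variable ... to see what sendmail doesn't like") has a two-part answer that the thread never reaches. On the wire, sendmail either lists STARTTLS in its EHLO reply or silently omits it; the reason for the omission is never sent to the client and only appears in /var/log/maillog, so the diagnosis is "probe the EHLO reply, then read the log". A self-signed certificate is not the problem: sendmail does not care who signed the server cert, only that it can load the cert and key files and that they pass its file-safety checks (a group- or world-readable key, or a writable certificate directory, makes sendmail drop STARTTLS without telling the client). The script below is an added example, not code from the list posters, from sendmail or from FreeBSD. It speaks just enough SMTP to capture the EHLO reply, and it triages maillog lines; the regexes are modelled on the shape of sendmail's TLS log lines (`STARTTLS=server, relay=..., version=..., verify=..., cipher=...` for a completed handshake and `STARTTLS=server: file ... unsafe: ...` for a permission failure) but the exact wording is an assumption to check against your own log. The maillog lines embedded in it are constructed samples.

```python
"""Probe an SMTP server for STARTTLS and triage sendmail's maillog.

Added example for the freebsd-questions thread; not the posters' code.
Assumptions: the maillog line shapes matched below (modelled on sendmail's
TLS logging, but verify against your own /var/log/maillog) and a host/port
you are allowed to connect to.
"""
import io
import re
import socket
import sys


def read_reply(sock_file):
    """Read one SMTP reply from a file-like object; return (code, lines).

    'NNN-text' lines continue the reply, 'NNN text' ends it (RFC 5321).
    """
    lines = []
    while True:
        raw = sock_file.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[0][:3]), lines


def reply_from_bytes(data):
    """Parse a captured reply held in memory (tests, pcap exports)."""
    return read_reply(io.BytesIO(data))


def parse_ehlo(lines):
    """Extension keywords (upper-cased) from a 250 EHLO reply.

    The first line is the greeting ('250-host Hello ...'), not an extension,
    and keyword parameters such as 'SIZE 10485760' are dropped.
    """
    exts = set()
    for line in lines[1:]:
        body = line[4:].strip()
        if body:
            exts.add(body.split()[0].upper())
    return exts


def offers_starttls(lines):
    """True when the EHLO reply advertises STARTTLS."""
    return "STARTTLS" in parse_ehlo(lines)


def probe(host, port=25, helo_name="probe.example", timeout=10.0):
    """Open a plain SMTP session, send EHLO, return the reply lines.

    Only EHLO and QUIT go over the wire; nothing is authenticated.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        code, banner = read_reply(f)
        if code != 220:
            raise RuntimeError("unexpected banner: %r" % banner)
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        code, reply = read_reply(f)
        sock.sendall(b"QUIT\r\n")
        if code != 250:
            raise RuntimeError("EHLO rejected: %r" % reply)
        return reply


# Assumed maillog shapes; adjust to what your sendmail actually logs.
TLS_SESSION = re.compile(
    r"STARTTLS=(?P<role>server|client), relay=(?P<relay>.+?), "
    r"version=(?P<version>\S+), verify=(?P<verify>[^,\s]+), "
    r"cipher=(?P<cipher>[^,\s]+)"
)
TLS_MENTION = re.compile(r"STARTTLS|ruleset=tls_(server|client)")


def triage_maillog(lines):
    """Return (sessions, problems) from maillog lines.

    sessions: dicts (role, relay, version, verify, cipher) for completed
    handshakes; problems: every other line mentioning STARTTLS or the
    tls_server/tls_client rulesets, which is where 'unsafe' file
    permission complaints and handshake rejects land.
    """
    sessions, problems = [], []
    for line in lines:
        m = TLS_SESSION.search(line)
        if m:
            sessions.append(m.groupdict())
        elif TLS_MENTION.search(line):
            problems.append(line.strip())
    return sessions, problems


# Constructed sample maillog lines, not captured from a real host.
SAMPLE_MAILLOG = [
    "Mar 21 18:57:55 mail sm-mta[1234]: STARTTLS=server, relay=client.example.org "
    "[192.0.2.10], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128",
    "Mar 21 18:58:01 mail sm-mta[1240]: STARTTLS=server: file /etc/mail/certs/host.key "
    "unsafe: World readable file",
    "Mar 21 18:58:02 mail sm-mta[1240]: v2LMw1xx001240: ruleset=tls_server, arg1=SOFTWARE, "
    "relay=client.example.org [192.0.2.10], reject=403 4.7.0 TLS handshake failed.",
]


def main(argv):
    """usage: probe_starttls.py host [port] [maillog]  (exit 1 if no STARTTLS)"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    reply = probe(argv[1], int(argv[2]) if len(argv) > 2 else 25)
    print("EHLO extensions:", ", ".join(sorted(parse_ehlo(reply))))
    print("STARTTLS offered:", offers_starttls(reply))
    lines = SAMPLE_MAILLOG
    if len(argv) > 3:
        with open(argv[3], errors="replace") as fh:
            lines = fh.readlines()
    sessions, problems = triage_maillog(lines)
    for s in sessions:
        print("TLS %(role)s session, %(relay)s: %(version)s %(cipher)s verify=%(verify)s" % s)
    for p in problems:
        print("TLS problem:", p)
    return 0 if offers_starttls(reply) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Practical order of checks on a FreeBSD 10.x box (facts about stock sendmail and FreeBSD, not about the poster's machine): confirm the binary has TLS at all with `sendmail -d0.1 -bt < /dev/null | grep STARTTLS`; confirm `sendmail_cert_create="YES"` in /etc/rc.conf produced /etc/mail/certs/host.cert, host.key and cacert.pem, which the stock freebsd.mc already wires in via confCACERT_PATH, confCACERT, confSERVER_CERT and confSERVER_KEY; check `openssl x509 -in /etc/mail/certs/host.cert -noout -dates` for the expiry the poster suspects; make sure host.key is readable by root only and /etc/mail/certs is not group- or world-writable; then raise confLOG_LEVEL in the .mc (14 is plenty), rebuild and restart, run the probe above against port 25, and read the "TLS problem" lines it pulls from maillog. `openssl s_client -connect host:25 -starttls smtp` is the one-liner equivalent of the probe once STARTTLS does appear.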