Date:      Wed, 22 Mar 2017 10:14:24 -0400
From:      William Dudley <wfdudley@gmail.com>
To:        Wayne Sierke <ws@au.dyndns.ws>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
Message-ID:  <CAFsnNZLDcTTPNKzZXeyWuuYOn07+K=m-BwiP=fS657DF-ha0kg@mail.gmail.com>
In-Reply-To: <1490162531.1981.62.camel@au.dyndns.ws>
References:  <CAFsnNZLNVqA3PwUavhi62Orqg7i-OEsKo9m2Hsj0dwi+3iELmg@mail.gmail.com> <b424d91e-a7f4-57b8-174c-e2522c97107f@mahan.org> <CAFsnNZK5LpRyPTLGocMna1O-R0448ZJQ0qu2ZP+aE3w2UWwd8Q@mail.gmail.com> <CAFsnNZ+0c4EdQxcesohFcJjraoPYwi2v=wVK-QNFPnD7Wta5mQ@mail.gmail.com> <CAFsnNZL1bVCNuYCAe43uK3n6596HhQFpm8Y8S1ZCkNa_t1wGKw@mail.gmail.com> <a990c9a0-fe31-742b-a1bc-56fdd429d8cc@mahan.org> <CAFsnNZ+_Z-fCH2sHaXxH42KLmWGApqZJWamcy1AOS0oJnYqckA@mail.gmail.com> <CAFsnNZ+X4c=bVT5EXqeow-B9Dk-9LSr5g4xSy4yN19yQPDebpA@mail.gmail.com> <1490162531.1981.62.camel@au.dyndns.ws>

Turning up the debug level (thanks for pointing out the "code" for that)
revealed this message as sendmail starts:

STARTTLS: CRLFile missing

So I googled that, and found this post (about sendmail on Linux, but the
answer seemed generic enough)

http://www.linuxweblog.com/blogs/sandip/20071019/starttls-crlfile-missing-resolved

So I download all 8Meg of revoke.crl, put the pointer to the file in
hostname.mc, rebuild hostname.cf, and restart sendmail.

Mar 22 10:09:31 dudley sm-msp-queue[78358]: starting daemon (8.15.2): queueing@00:30:00
Mar 22 10:09:31 dudley sm-mta[78360]: starting daemon (8.15.2): SMTP+queueing@00:30:00
Mar 22 10:09:31 dudley sm-mta[78360]: STARTTLS=server, Diffie-Hellman init, key=1024 bit (/)
Mar 22 10:09:31 dudley sm-mta[78360]: STARTTLS=server, init=1
Mar 22 10:09:31 dudley sm-mta[78360]: started as: /usr/sbin/sendmail -L sm-mta -bd -q30m

STILL BROKEN, but now there's no error message to give me a clue what is
wrong.

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.casano.com ESMTP Sendmail 8.15.2/8.15.2; Wed, 22 Mar 2017 10:10:14 -0400 (EDT)
ehlo localhost
250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.casano.com closing connection
Connection closed by foreign host.

Any ideas?

Thanks,
Bill Dudley


This email is free of malware because I run Linux.

On Wed, Mar 22, 2017 at 2:02 AM, Wayne Sierke <ws@au.dyndns.ws> wrote:

> On Tue, 2017-03-21 at 18:57 -0400, William Dudley wrote:
> > I've got all the bits that numerous sources say are the correct bits
> > (like
> > in hostname.mc).
> >
> > Sendmail in 10.x is able to generate its OWN certificates.  I've let it do
> > just that.
> >
> > However, sendmail still refuses to announce STARTTLS as a capability.
> >
> > Surely there must be some way to debug this, instead of just thrashing
> > about randomly.
> >
> > Is there a debug variable in sendmail that I can turn up to see exactly
> > what sendmail doesn't like about the SSL/TLS stuff?
>
> Certainly. Increasing the loglevel was suggested on the page that
> Matthew linked for you earlier.
>
> Add this to your <hostname>.mc:
>
> define(`confLOG_LEVEL', `14')
>
> These may help, too:
> https://forums.freebsd.org/threads/52471/
> https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html
>
>
> >
> > Failing that, is anyone on this list using self-signed certificates?  Do
> > you know the EXACT sequence of things to do to get this to work?
> >
> > I have a funny feeling that the "auto-generated" certs created by sendmail
> > don't work if you
> > don't have an official cert from Verisign.
> >
> > Bill Dudley
> >
> >
> > This email is free of malware because I run Linux.
> >
> > On Mon, Mar 20, 2017 at 9:13 AM, William Dudley <wfdudley@gmail.com> wrote:
> >
> > >
> > > The point of this exercise is to allow my Android phone to access my email
> > > on my FreeBSD 10.3 server, using imap.  I had it working last year, and then,
> > > with nary an error message, it stopped working.  So the email client is the native
> > > Android email client (on a recent Cyanogen Android).  My FreeBSD server runs
> > > sendmail, and I've been running my own mail domain for about a decade.
> > >
> > > My latest guess (and that's all I can do is guess) is that my self-signed
> > > certificates expired, and I just need to re-generate them.  All the sources on
> > > sendmail and STARTTLS that I've seen so far show configs identical to my config,
> > > so from this I infer perhaps one or more of my cert files is "bad".
> > >
> > > stunnel may well be a wonderful program, but I really don't want to figure
> > > out how to specify each of the 500 lines in its config file, especially when
> > > the software doesn't run successfully with its own sample config file.
> > >
> > > Thanks for your time,
> > > Bill Dudley
> > >
> > >
> > > This email is free of malware because I run Linux.
> > >
> > > On Mon, Mar 20, 2017 at 12:59 AM, Patrick Mahan <mahan@mahan.org> wrote:
> > >
> > > >
> > > > On 3/19/17 1:07 PM, William Dudley wrote:
> > > > >
> > > > > I commented out the lines starting with checkHost, and started stunnel.
> > > > > It does start, and runs as a daemon.  However, it doesn't seem to DO
> > > > > anything.
> > > > >
> > > > >
> > > > > However, that hasn't changed sendmail's behaviour one iota.
> > > > >
> > > > > As far as I can tell, stunnel is a massive waste of time.
> > > > >
> > > > > I don't really want to spend months reading all the stunnel docs to
> > > > > figure out how to get it to work with sendmail.  Sendmail is hard enough
> > > > > on its own, and I can mostly control sendmail (well, except for the
> > > > > STARTTLS problem.)
> > > > >
> > > > > Thanks,
> > > > > Bill Dudley
> > > > >
> > > > >
> > > > > This email is free of malware because I run Linux.
> > > > >
> > > > > On Sun, Mar 19, 2017 at 9:53 AM, William Dudley <wfdudley@gmail.com> wrote:
> > > > >
> > > > >     stunnel fails to start with this helpful message:
> > > > >
> > > > >     /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com":
> > > > >     Specified option name is not valid here
> > > > >
> > > > >     The line it's complaining about is in the EXAMPLE config file.
> > > > >
> > > > >     So this is not going well, at all.
> > > > >
> > > > >     pop.gmail.com is a valid hostname.  I have no idea
> > > > >     what stunnel is complaining about.
> > > > >
> > > > Okay, let me share what I do.  I believe stunnel needs to run on the same
> > > > host as the sendmail server.
> > > >
> > > > First, here are some relevant parts from my stunnel config file:
> > > >
> > > > ; Sample stunnel configuration file by Michal Trojnara 2002-2005
> > > > ; Some options used here may not be adequate for your particular configuration
> > > > ; Please make sure you understand them (especially the effect of chroot jail)
> > > >
> > > > ; Certificate/key is needed in server mode and optional in client mode
> > > > cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem
> > > > ;key = /usr/local/etc/stunnel/mail.pem
> > > >
> > > > ; Some security enhancements for UNIX systems - comment them out on Win32
> > > > chroot = /var/stunnel/
> > > > setuid = stunnel
> > > > setgid = stunnel
> > > > ; PID is created inside chroot jail
> > > > pid = /stunnel.pid
> > > >
> > > > ; Some performance tunings
> > > > socket = l:TCP_NODELAY=1
> > > > socket = r:TCP_NODELAY=1
> > > > ;compression = rle
> > > >
> > > > ; Workaround for Eudora bug
> > > > ;options = DONT_INSERT_EMPTY_FRAGMENTS
> > > >
> > > > ; Authentication stuff
> > > > verify = 0
> > > >
> > > > ....
> > > >
> > > > ; Some debugging stuff useful for troubleshooting
> > > > debug = 7
> > > > output = stunnel.log
> > > >
> > > > ; Use it for client mode
> > > > ;client = yes
> > > >
> > > > ; Service-level configuration
> > > >
> > > > [pop3s]
> > > > accept  = 995
> > > > connect = 110
> > > >
> > > > [imaps]
> > > > accept  = 993
> > > > connect = 143
> > > >
> > > > [smtps]
> > > > accept  = 465
> > > > connect = 25
> > > >
> > > > I run dovecot for my imap server which is listening on port 143:
> > > >
> > > > mahan@ns-/usr/local/etc/stunnel 11 # sockstat | grep 110
> > > > root     dovecot    915   22 tcp4   *:110                 *:*
> > > >
> > > > But I connect from my mail clients (ios mail, thunderbird, ...) to port
> > > > 993.  The mail clients are all configured to use ssl/tls, *not* starttls.
> > > >
> > > > My smtp I connect via stunnel over port 465, not port 25 for sending mail.
> > > >
> > > > So what are you trying to accomplish?  The idea is for your accessing these
> > > > servers in an encrypted fashion.  But from your above description, it sounds
> > > > like you are trying to access your unsecured gmail account using POP3.  Not
> > > > sure why as the connection from stunnel to pop.gmail.com will be unsecured.
> > > >
> > > > What email client are you trying to use?
> > > >
> > > > Patrick
> > > >
> > > >
> > > >
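As an added example (not from anyone in this thread), here is a small Python check that a defender can run against an MTA to see whether STARTTLS is advertised in the EHLO reply and, when it is, whether the presented certificate has already expired, which is the guess raised earlier in the thread. It assumes an openssl binary in PATH; the sample EHLO text is the one captured in the telnet session above.

```python
import smtplib
import ssl
import subprocess
from datetime import datetime, timezone

# EHLO reply from the telnet session in the thread above (sample input, no STARTTLS).
SAMPLE_EHLO = """250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP"""

def parse_ehlo(reply):
    # The first 250 line is the greeting (domain + text); keywords start on line two.
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    return {l[4:].split()[0].upper() for l in lines[1:] if l.startswith("250") and l[4:].split()}

def starttls_advertised(reply):
    return "STARTTLS" in parse_ehlo(reply)

def parse_not_after(enddate_line):
    # 'notAfter=Mar 22 10:09:31 2018 GMT' is the form printed by openssl x509 -enddate.
    value = enddate_line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def probe(host, port=25, timeout=10.0):
    # Live check: is STARTTLS advertised and, if so, has the presented cert expired?
    # Verification is off because the thread's cert is self-signed; this only reports.
    report = {"starttls": False, "not_after": None, "expired": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        report["starttls"] = smtp.has_extn("starttls")
        if report["starttls"]:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)
            pem = ssl.DER_cert_to_PEM_cert(smtp.sock.getpeercert(binary_form=True))
            out = subprocess.run(["openssl", "x509", "-noout", "-enddate"], input=pem,
                                 capture_output=True, text=True, check=True).stdout
            report["not_after"] = parse_not_after(out)
            report["expired"] = report["not_after"] < datetime.now(timezone.utc)
    return report
```

Run `probe("localhost")` on the server itself: a report with `starttls` False reproduces the symptom in the thread, while `expired` True would confirm the expired-certificate guess.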