From: William Dudley
Date: Wed, 22 Mar 2017 10:14:24 -0400
Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
To: Wayne Sierke
Cc: freebsd-questions@freebsd.org

Turning up the debug level (thanks for pointing out the "code" for that) revealed this message as sendmail starts:

STARTTLS: CRLFile missing

So I googled that, and found this post (about sendmail on Linux, but the answer seemed generic enough):

http://www.linuxweblog.com/blogs/sandip/20071019/starttls-crlfile-missing-resolved

So I download all 8Meg of revoke.crl, put the pointer to the file in hostname.mc, rebuild hostname.cf, and restart sendmail.

Mar 22 10:09:31 dudley sm-msp-queue[78358]: starting daemon (8.15.2): queueing@00:30:00
Mar 22 10:09:31 dudley sm-mta[78360]: starting daemon (8.15.2): SMTP+queueing@00:30:00
Mar 22 10:09:31 dudley sm-mta[78360]: STARTTLS=server, Diffie-Hellman init, key=1024 bit (/)
Mar 22 10:09:31 dudley sm-mta[78360]: STARTTLS=server, init=1
Mar 22 10:09:31 dudley sm-mta[78360]: started as: /usr/sbin/sendmail -L sm-mta -bd -q30m

STILL BROKEN, but now there's no error message to give me a clue what is wrong.

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.casano.com ESMTP Sendmail 8.15.2/8.15.2; Wed, 22 Mar 2017 10:10:14 -0400 (EDT)
ehlo localhost
250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.casano.com closing connection
Connection closed by foreign host.

Any ideas?

Thanks,
Bill Dudley

This email is free of malware because I run Linux.

On Wed, Mar 22, 2017 at 2:02 AM, Wayne Sierke wrote:
> On Tue, 2017-03-21 at 18:57 -0400, William Dudley wrote:
> > I've got all the bits that numerous sources say are the correct bits
> > (like in hostname.mc).
> >
> > Sendmail in 10.x is able to generate its OWN certificates. I've let it do
> > just that.
> >
> > However, sendmail still refuses to announce STARTTLS as a capability.
> >
> > Surely there must be some way to debug this, instead of just thrashing
> > about randomly.
> >
> > Is there a debug variable in sendmail that I can turn up to see exactly
> > what sendmail doesn't like about the SSL/TLS stuff?
>
> Certainly. Increasing the loglevel was suggested on the page that
> Matthew linked for you earlier.
>
> Add this to your .mc:
>
> define(`confLOG_LEVEL', `14')
>
> These may help, too:
> https://forums.freebsd.org/threads/52471/
> https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html
>
> > Failing that, is anyone on this list using self-signed certificates? Do
> > you know the EXACT sequence of things to do to get this to work?
> >
> > I have a funny feeling that the "auto-generated" certs created by sendmail
> > don't work if you don't have an official cert from Verisign.
> >
> > Bill Dudley
> >
> > This email is free of malware because I run Linux.
> >
> > On Mon, Mar 20, 2017 at 9:13 AM, William Dudley wrote:
> > >
> > > The point of this exercise is to allow my Android phone to access my email
> > > on my FreeBSD 10.3 server, using imap.
> > > I had it working last year, and then, with nary an error message, it
> > > stopped working. So the email client is the native Android email client
> > > (on a recent Cyanogen Android). My FreeBSD server runs sendmail, and I've
> > > been running my own mail domain for about a decade.
> > >
> > > My latest guess (and that's all I can do is guess) is that my self-signed
> > > certificates expired, and I just need to re-generate them. All the sources
> > > on sendmail and STARTTLS that I've seen so far show configs identical to
> > > my config, so from this I infer perhaps one or more of my cert files is
> > > "bad".
> > >
> > > stunnel may well be a wonderful program, but I really don't want to figure
> > > out how to specify each of the 500 lines in its config file, especially
> > > when the software doesn't run successfully with its own sample config file.
> > >
> > > Thanks for your time,
> > > Bill Dudley
> > >
> > > This email is free of malware because I run Linux.
> > >
> > > On Mon, Mar 20, 2017 at 12:59 AM, Patrick Mahan wrote:
> > > >
> > > > On 3/19/17 1:07 PM, William Dudley wrote:
> > > > >
> > > > > I commented out the lines starting with checkHost, and started stunnel.
> > > > > It does start, and runs as a daemon. However, it doesn't seem to DO
> > > > > anything.
> > > > >
> > > > > However, that hasn't changed sendmail's behaviour one iota.
> > > > >
> > > > > As far as I can tell, stunnel is a massive waste of time.
> > > > >
> > > > > I don't really want to spend months reading all the stunnel docs to
> > > > > figure out how to get it to work with sendmail. Sendmail is hard enough
> > > > > on its own, and I can mostly control sendmail (well, except for the
> > > > > STARTTLS problem.)
> > > > >
> > > > > Thanks,
> > > > > Bill Dudley
> > > > >
> > > > > This email is free of malware because I run Linux.
> > > > >
> > > > > On Sun, Mar 19, 2017 at 9:53 AM, William Dudley <wfdudley@gmail.com> wrote:
> > > > >
> > > > > stunnel fails to start with this helpful message:
> > > > >
> > > > > /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com": Specified option name is not valid here
> > > > >
> > > > > The line it's complaining about is in the EXAMPLE config file.
> > > > >
> > > > > So this is not going well, at all.
> > > > >
> > > > > pop.gmail.com is a valid hostname. I have no idea what stunnel is
> > > > > complaining about.
> > > >
> > > > Okay, let me share what I do. I believe stunnel needs to run on the same
> > > > host as the sendmail server.
> > > >
> > > > First, here are some relevant parts from my stunnel config file:
> > > >
> > > > ; Sample stunnel configuration file by Michal Trojnara 2002-2005
> > > > ; Some options used here may not be adequate for your particular configuration
> > > > ; Please make sure you understand them (especially the effect of chroot jail)
> > > >
> > > > ; Certificate/key is needed in server mode and optional in client mode
> > > > cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem
> > > > ;key = /usr/local/etc/stunnel/mail.pem
> > > >
> > > > ; Some security enhancements for UNIX systems - comment them out on Win32
> > > > chroot = /var/stunnel/
> > > > setuid = stunnel
> > > > setgid = stunnel
> > > > ; PID is created inside chroot jail
> > > > pid = /stunnel.pid
> > > >
> > > > ; Some performance tunings
> > > > socket = l:TCP_NODELAY=1
> > > > socket = r:TCP_NODELAY=1
> > > > ;compression = rle
> > > >
> > > > ; Workaround for Eudora bug
> > > > ;options = DONT_INSERT_EMPTY_FRAGMENTS
> > > >
> > > > ; Authentication stuff
> > > > verify = 0
> > > >
> > > > ....
> > > >
> > > > ; Some debugging stuff useful for troubleshooting
> > > > debug = 7
> > > > output = stunnel.log
> > > >
> > > > ; Use it for client mode
> > > > ;client = yes
> > > >
> > > > ; Service-level configuration
> > > >
> > > > [pop3s]
> > > > accept = 995
> > > > connect = 110
> > > >
> > > > [imaps]
> > > > accept = 993
> > > > connect = 143
> > > >
> > > > [smtps]
> > > > accept = 465
> > > > connect = 25
> > > >
> > > > I run dovecot for my imap server which is listening on port 143:
> > > >
> > > > mahan@ns-/usr/local/etc/stunnel 11 # sockstat | grep 110
> > > > root dovecot 915 22 tcp4 *:110 *:*
> > > >
> > > > But I connect from my mail clients (ios mail, thunderbird, ...) to port
> > > > 993. The mail clients are all configured to use ssl/tls, *not* starttls.
> > > >
> > > > My smtp I connect via stunnel over port 465, not port 25 for sending mail.
> > > >
> > > > So what are you trying to accomplish? The idea is for your accessing
> > > > these servers in an encrypted fashion. But from your above description,
> > > > it sounds like you are trying to access your unsecured gmail account
> > > > using POP3. Not sure why as the connection from stunnel to pop.gmail.com
> > > > will be unsecured.
> > > >
> > > > What email client are you trying to use?
> > > >
> > > > Patrick
> > > >
> > >
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
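The thread's two diagnostics are the EHLO capability list (does the server offer STARTTLS at all?) and the sm-mta lines logged at startup with the raised loglevel. The script below automates both checks. It is an added example written for this page, not code from the thread, from sendmail or from FreeBSD. The EHLO responses and log lines embedded in it are constructed samples modelled on the ones quoted above (the "init=0" line and the second EHLO response with STARTTLS are made up to exercise the other branch); check_live is a hypothetical helper name that uses the standard-library smtplib client and is not run offline. The log summary also reports the Diffie-Hellman key size, because the 1024-bit value in the quoted log is below what current guidance accepts and is worth surfacing when you read the startup lines.

```python
"""Check whether an SMTP server advertises STARTTLS, and summarise sendmail's
STARTTLS server-init log lines. Added example; not part of the thread."""
import re
import smtplib

# Constructed sample: the EHLO reply quoted in the thread (no STARTTLS offered).
SAMPLE_EHLO_NO_TLS = """250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP"""

# Constructed sample of a reply from a server that does offer STARTTLS.
SAMPLE_EHLO_TLS = """250-mail.example.invalid Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP"""


def parse_ehlo(response: str) -> dict:
    """Parse a multi-line EHLO reply into {EXTENSION: parameter-string}.
    The first line is the greeting and is skipped; continuation lines use
    '250-' and the final line '250 ' (RFC 5321)."""
    caps = {}
    for line in response.splitlines()[1:]:
        m = re.match(r"^250[ -](\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        caps[m.group(1).upper()] = (m.group(2) or "").strip()
    return caps


def advertises_starttls(response: str) -> bool:
    """True when STARTTLS appears among the advertised extensions."""
    return "STARTTLS" in parse_ehlo(response)


def check_live(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Hypothetical live check: EHLO the server and ask whether STARTTLS is
    among its extensions. Not exercised offline."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


# Constructed log lines modelled on the sm-mta startup lines quoted in the thread.
SAMPLE_LOG = """Mar 22 10:09:31 dudley sm-mta[78360]: starting daemon (8.15.2): SMTP+queueing@00:30:00
Mar 22 10:09:31 dudley sm-mta[78360]: STARTTLS=server, Diffie-Hellman init, key=1024 bit (/)
Mar 22 10:09:31 dudley sm-mta[78360]: STARTTLS=server, init=1
Mar 22 10:09:31 dudley sm-mta[78360]: started as: /usr/sbin/sendmail -L sm-mta -bd -q30m"""

# Constructed: the diagnostic from the thread followed by a made-up init=0 line.
SAMPLE_LOG_ERR = """Mar 22 09:55:02 dudley sm-mta[78001]: STARTTLS: CRLFile missing
Mar 22 09:55:02 dudley sm-mta[78001]: STARTTLS=server, init=0"""


def starttls_log_status(log_text: str) -> dict:
    """Summarise sendmail's server-side STARTTLS startup messages:
    init    - value N from 'STARTTLS=server, init=N' (None if absent)
    dh_bits - Diffie-Hellman key size, if logged
    errors  - text of any 'STARTTLS: ...' diagnostic lines"""
    status = {"init": None, "dh_bits": None, "errors": []}
    for line in log_text.splitlines():
        m = re.search(r"STARTTLS=server, init=(\d+)", line)
        if m:
            status["init"] = int(m.group(1))
            continue
        m = re.search(r"STARTTLS=server, Diffie-Hellman init, key=(\d+) bit", line)
        if m:
            status["dh_bits"] = int(m.group(1))
            continue
        m = re.search(r"STARTTLS: (.+)$", line)
        if m:
            status["errors"].append(m.group(1).strip())
    return status


if __name__ == "__main__":
    print("quoted EHLO offers STARTTLS:", advertises_starttls(SAMPLE_EHLO_NO_TLS))
    print("sample EHLO offers STARTTLS:", advertises_starttls(SAMPLE_EHLO_TLS))
    print("startup log:", starttls_log_status(SAMPLE_LOG))
    print("error log:  ", starttls_log_status(SAMPLE_LOG_ERR))
```

Run it against a real server with check_live("localhost", 25) after restarting sendmail; feed /var/log/maillog tail to starttls_log_status to see whether init reached 1 and whether any "STARTTLS:" diagnostic preceded it. An init value of 1 with STARTTLS still absent from EHLO (the situation in the thread) tells you the problem is not in certificate loading, which narrows where to look next.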