Date: Thu, 23 Mar 2017 15:27:14 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: William Dudley <wfdudley@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
Message-ID: <cae94183-aae8-781c-680d-b4c3c44b2dbd@FreeBSD.org>
In-Reply-To: <CAFsnNZLcLrmKYLFKLhcLEBzQv7x-1dqbFi9GyEG-_LxSYapbog@mail.gmail.com>
References: <mailman.110.1490270402.90011.freebsd-questions@freebsd.org> <20170323233742.R95579@sola.nimnet.asn.au> <d47700f6-7adf-1d51-2e8b-4431e9102ee5@FreeBSD.org> <CAFsnNZLcLrmKYLFKLhcLEBzQv7x-1dqbFi9GyEG-_LxSYapbog@mail.gmail.com>

On 2017/03/23 15:00, William Dudley wrote:
> Let's assume that I have no idea what I'm talking about.
> However, I can successfully report what I SEE.
>
> 1. Android's mail app wants to use STARTTLS when it connects to my mail
> server, for whatever reason (send or receive) isn't important now. It
> wants it, and I want it to be happy, or else it doesn't work.

Ah -- in this case, you've potentially got two different software
systems that could involve STARTTLS. sendmail would only be involved
when you send an e-mail. Otherwise your Android device will be
connecting to an IMAP server -- and that could either be configured to
listen on port 143 (the port for unencrypted IMAP) and expect to use
STARTTLS to upgrade to an encrypted connection; or it could listen on
port 993 which expects TLS straight away. There is a move by IANA (I
think) to prefer STARTTLS type mechanisms and so recover all of the
duplicated-except-for-requiring-TLS port numbers out of /etc/services.

But, as you say, the sendmail problems need sorting anyhow. Time to
worry about IMAP later.

> 2. When I telnet to port 25 of my mail server, sendmail does NOT
> announce STARTTLS as one of its capabilities. This, despite my having
> all the incantations *apparently* correct in my hostname.mc, fresh self
> signed cert and key file in /etc/mail/certs, and various other things
> that have been suggested/intimated by various sources.

Hmmm... well, I don't understand why it isn't working for you. The
sendmail in FreeBSD-10.3 is supplied with STARTTLS capabilities compiled
in and should have certs and keys created for it at install time.

> It would be nice to solve the problem stated in the Subject of this
> insanely long thread:
>
> Why is my sendmail refusing to announce STARTTLS ?

It is almost certainly some trivial little oversight, but it's
impossible to say what that might be. I'm sure you've been through all
this already, but have you checked and rechecked the simple and obvious
stuff:

  * Have you built and installed a fresh sendmail config:

      # cd /etc/mail
      # make
      # make install

  * Are you editing the correct .mc file? The one you want is
    ${hostname}.mc -- where ${hostname} (if it isn't obvious) is the
    hostname of your machine. If this doesn't exist, typing 'make'
    will create it for you.

  * Did you restart sendmail after the last config update?

      # service sendmail restart

  * Is sendmail listening on the IP numbers and ports you expect it to
    be listening on? Or is it some other piece of software entirely
    answering on port 25?

      # sockstat | grep sendmail
      # sockstat | grep -E ':25\>'

    will provide clues.

  * Do you have anything in /etc/mail/access ?

  * What's in /etc/mail/mailwrapper ?

Cheers,

Matthew
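
The two things this reply keeps coming back to (whether the EHLO reply on port 25 really lacks STARTTLS, and whether the certificate settings in the .mc file are active), as an added shell example that is not part of the original message. The function names and both samples are constructed, and it assumes the cert and key are configured through sendmail's confSERVER_CERT and confSERVER_KEY m4 options.

```shell
#!/bin/sh
# Added example (not from the original message); all sample data is constructed.

# Return 0 if an SMTP EHLO reply on stdin advertises STARTTLS, 1 otherwise.
# Only the keyword that starts a "250-"/"250 " line counts, so free text in
# the greeting cannot produce a false match.
ehlo_has_starttls() {
    tr -d '\r' | awk '
        /^250[- ]/ {
            split(substr($0, 5), w, " ")
            if (toupper(w[1]) == "STARTTLS") found = 1
        }
        END { exit !found }'
}

# Print the TLS defines that are absent or commented out ("dnl define(...")
# in the .mc text on stdin. Assumption: cert and key are configured through
# the sendmail m4 options confSERVER_CERT and confSERVER_KEY.
mc_missing_tls_defines() {
    mc=$(cat)
    missing=""
    for opt in confSERVER_CERT confSERVER_KEY; do
        if ! printf '%s\n' "$mc" | grep -Eq "^[[:space:]]*define\(\`$opt'"; then
            missing="$missing $opt"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Constructed EHLO reply from a server that does not offer STARTTLS.
sample_ehlo() {
cat <<'EOF'
220 mail.example.org ESMTP
250-mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250 HELP
EOF
}

# Constructed .mc fragment: the certificate line is commented out with dnl.
sample_mc() {
cat <<'EOF'
dnl define(`confSERVER_CERT', `/etc/mail/certs/host.cert')dnl
define(`confSERVER_KEY', `/etc/mail/certs/host.key')dnl
EOF
}

if sample_ehlo | ehlo_has_starttls; then echo "STARTTLS advertised"
else echo "STARTTLS not advertised"; fi
echo "inactive in .mc: $(sample_mc | mc_missing_tls_defines)"
```

For a real check, pipe the saved text of a telnet session to port 25 into `ehlo_has_starttls`, and feed the machine's own `/etc/mail/${hostname}.mc` to `mc_missing_tls_defines` on stdin.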