Date: Thu, 23 Mar 2017 12:00:08 -0400
From: William Dudley <wfdudley@gmail.com>
To: Matthew Seaman <matthew@freebsd.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
Message-ID: <CAFsnNZKCv0UcwGKeMW7xLLhyN5qVLEya7z6h1DBVqYsjqGdJ-w@mail.gmail.com>
In-Reply-To: <cae94183-aae8-781c-680d-b4c3c44b2dbd@FreeBSD.org>
References: <mailman.110.1490270402.90011.freebsd-questions@freebsd.org> <20170323233742.R95579@sola.nimnet.asn.au> <d47700f6-7adf-1d51-2e8b-4431e9102ee5@FreeBSD.org> <CAFsnNZLcLrmKYLFKLhcLEBzQv7x-1dqbFi9GyEG-_LxSYapbog@mail.gmail.com> <cae94183-aae8-781c-680d-b4c3c44b2dbd@FreeBSD.org>
To answer your questions: Yes, I'm using the right .mc file, and yes, I know how to make && make install && make restart when I make changes to it. (I assume "service sendmail restart" has the same effect as "make restart"; it *looks* the same when I "tail -f /var/log/maillog").

sockstat | grep sendmail
root     sendmail   78456 3  dgram  -> /var/run/logpriv
root     sendmail   78456 4  tcp4   *:25                  *:*
root     sendmail   78456 5  tcp4   *:465                 *:*
root     sendmail   78456 6  tcp4   *:587                 *:*
smmsp    sendmail   78454 3  dgram  -> /var/run/log

So that seems reasonable. sockstat | grep -E ':25\>' returns line two from above, so that's the same.

/etc/mail/access has a handful of address "OK" and address "ERROR" lines I added to explicitly block or accept various emailers, and this:

192.168.27.26                           RELAY
junkemailfilter.com                     OK
GreetPause:192.168.27.26                0
GreetPause:localhost                    0
GreetPause:localhost.localdomain        0
GreetPause:pascal.junkemailfilter.com   0
srv_features:                           S

The relay is for my workstation, on the same LAN (obviously). The GreetPause lines turn off the greeting delay for certain hosts.

AND -- Ah-hah.

Hmmm, I don't remember adding any lines that would turn off STARTTLS, but that's what "srv_features: S" does. I'm SURE I didn't add that. I certainly didn't add it recently. Perhaps it was added by one of the blind alleys I've been sent down ("stunnel" comes to mind).

So. Fixed. Removed that line, "make && make restart", and now STARTTLS is a capability of sendmail, *again*. The phone is still unhappy, but that's another problem.

I declare this thread ended. Thanks everyone, even the snide Mr. Ohlstein, for their time.

Bill Dudley

This email is free of malware because I run Linux.

On Thu, Mar 23, 2017 at 11:27 AM, Matthew Seaman <matthew@freebsd.org> wrote:
> On 2017/03/23 15:00, William Dudley wrote:
> > Let's assume that I have no idea what I'm talking about.
> > However, I can successfully report what I SEE.
> >
> > 1. Android's mail app wants to use STARTTLS when it connects to my mail
> > server; for whatever reason (send or receive) isn't important now. It
> > wants it, and I want it to be happy, or else it doesn't work.
>
> Ah -- in this case, you've potentially got two different software
> systems that could involve STARTTLS. sendmail would only be involved
> when you send an e-mail. Otherwise your android device will be
> connecting to an IMAP server -- and that could either be configured to
> listen on port 143 (the port for unencrypted IMAP) and expect to use
> STARTTLS to upgrade to an encrypted connection; or it could listen on
> port 993 which expects TLS straight away. There is a move by IANA (I
> think) to prefer STARTTLS type mechanisms and so recover all of the
> duplicated-except-for-requiring-TLS port numbers out of /etc/services.
>
> But, as you say, the sendmail problems need sorting anyhow. Time to
> worry about IMAP later.
>
> > 2. When I telnet to port 25 of my mail server, sendmail does NOT announce
> > STARTTLS as one of its capabilities. This, despite my having all the
> > incantations *apparently* correct in my hostname.mc, fresh self-signed
> > cert and key file in /etc/mail/certs, and various other things that
> > have been suggested/intimated by various sources.
>
> Hmmm... well, I don't understand why it isn't working for you. The
> sendmail in FreeBSD-10.3 is supplied with STARTTLS capabilities compiled
> in and should have certs and keys created for it at install time.
>
> > It would be nice to solve the problem stated in the Subject of this
> > insanely long thread:
> >
> > Why is my sendmail refusing to announce STARTTLS ?
>
> It is almost certainly some trivial little oversight, but it's
> impossible to say what that might be. I'm sure you've been through all
> this already, but have you checked and rechecked the simple and obvious
> stuff:
>
> * Have you built and installed a fresh sendmail config:
>
>   # cd /etc/mail
>   # make
>   # make install
>
> * Are you editing the correct .mc file? The one you want is
>   ${hostname}.mc -- where ${hostname} (if it isn't obvious) is the
>   hostname of your machine. If this doesn't exist, typing 'make'
>   will create it for you.
>
> * Did you restart sendmail after the last config update?
>
>   # service sendmail restart
>
> * Is sendmail listening on the IP numbers and ports you expect it to
>   be listening on? Or is it some other piece of software
>   entirely answering on port 25?
>
>   # sockstat | grep sendmail
>   # sockstat | grep -E ':25\>'
>
>   will provide clues.
>
> * Do you have anything in /etc/mail/access ?
>
> * What's in /etc/mail/mailwrapper ?
>
> Cheers,
>
> Matthew
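As an added example that is not part of this thread, the check below automates what Bill did by hand with telnet: it reads an EHLO reply and reports whether STARTTLS is among the advertised extensions, which is exactly what a stray "srv_features: S" in /etc/mail/access suppresses. The two sample EHLO replies are constructed, and the host name and address in them are placeholders; check_live() connects to a real MTA only when a host is given on the command line.

```python
"""Check whether an SMTP server advertises STARTTLS in its EHLO reply."""
import smtplib
import sys

# Constructed EHLO replies, modelled on what 'telnet mailhost 25' shows.
# The first is the symptom in the thread: sendmail with 'srv_features: S'
# in /etc/mail/access, so STARTTLS is not offered. Host/IP are placeholders.
EHLO_STARTTLS_SUPPRESSED = """\
250-mail.example.org Hello [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250 HELP"""

# The same server after that access line is removed and the config rebuilt.
EHLO_STARTTLS_OFFERED = EHLO_STARTTLS_SUPPRESSED.replace(
    "250-DSN\n", "250-DSN\n250-STARTTLS\n")


def parse_ehlo_extensions(reply):
    """Return the set of ESMTP keywords in a raw multi-line EHLO reply.

    Continuation lines are '250-KEYWORD [params]', the final line is
    '250 KEYWORD'; the first line is the greeting and carries no keyword.
    """
    exts = set()
    for line in reply.splitlines()[1:]:
        words = line[4:].split()          # drop the '250-' / '250 ' prefix
        if line.startswith("250") and words:
            exts.add(words[0].upper())
    return exts


def offers_starttls(reply):
    """True if STARTTLS is among the advertised extensions."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def check_live(host, port=25, timeout=10):
    """Connect to a real MTA; smtplib parses the EHLO reply for us."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("STARTTLS advertised by", sys.argv[1], "->", check_live(sys.argv[1]))
    else:
        print("suppressed sample ->", offers_starttls(EHLO_STARTTLS_SUPPRESSED))
        print("offered sample    ->", offers_starttls(EHLO_STARTTLS_OFFERED))
```

Run it with no arguments to exercise the two constructed replies, or pass your own mail host to query its port 25 banner the way the telnet test in the thread does.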