From: William Dudley
Date: Thu, 23 Mar 2017 12:00:08 -0400
Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
References: <20170323233742.R95579@sola.nimnet.asn.au>

To answer your questions:

Yes, I'm using the right .mc file, and yes, I know how to "make && make install && make restart" when I make changes to it. (I assume "service sendmail restart" has the same effect as "make restart"; it *looks* the same when I "tail -f /var/log/maillog".)

    sockstat | grep sendmail

    root     sendmail   78456 3  dgram  -> /var/run/logpriv
    root     sendmail   78456 4  tcp4   *:25     *:*
    root     sendmail   78456 5  tcp4   *:465    *:*
    root     sendmail   78456 6  tcp4   *:587    *:*
    smmsp    sendmail   78454 3  dgram  -> /var/run/log

So that seems reasonable.

    sockstat | grep -E ':25\>'

returns line two from above, so that's the same.

/etc/mail/access has a handful of "address OK" and "address ERROR" lines I added to explicitly block or accept various emailers, and this:

    192.168.27.26                       RELAY
    junkemailfilter.com                 OK
    GreetPause:192.168.27.26            0
    GreetPause:localhost                0
    GreetPause:localhost.localdomain    0
    GreetPause:pascal.junkemailfilter.com 0
    srv_features:                       S

The relay is for my workstation, on the same LAN (obviously). The GreetPause lines turn off the greeting delay for certain hosts.

AND -- Ah-hah. Hmmm, I don't remember adding any lines that would turn off STARTTLS, but that's what "srv_features: S" does. I'm SURE I didn't add that. I certainly didn't add it recently. Perhaps it was added by one of the blind alleys I've been sent down ("stunnel" comes to mind).

So. Fixed. Removed that line, "make && make restart", and now STARTTLS is a capability of sendmail, *again*.

The phone is still unhappy, but that's another problem.

I declare this thread ended. Thanks everyone, even the snide Mr. Ohlstein, for their time.

Bill Dudley

This email is free of malware because I run Linux.

On Thu, Mar 23, 2017 at 11:27 AM, Matthew Seaman wrote:
> On 2017/03/23 15:00, William Dudley wrote:
> > Let's assume that I have no idea what I'm talking about.
> > However, I can successfully report what I SEE.
> >
> > 1. Android's mail app wants to use STARTTLS when it connects to my mail
> > server; for whatever reason (send or receive) isn't important now. It
> > wants it, and I want it to be happy, or else it doesn't work.
>
> Ah -- in this case, you've potentially got two different software
> systems that could involve STARTTLS. sendmail would only be involved
> when you send an e-mail. Otherwise your android device will be
> connecting to an IMAP server -- and that could either be configured to
> listen on port 143 (the port for unencrypted IMAP) and expect to use
> STARTTLS to upgrade to an encrypted connection; or it could listen on
> port 993 which expects TLS straight away. There is a move by IANA (I
> think) to prefer STARTTLS type mechanisms and so recover all of the
> duplicated-except-for-requiring-TLS port numbers out of /etc/services.
>
> But, as you say, the sendmail problems need sorting anyhow. Time to
> worry about IMAP later.
>
> > 2. When I telnet to port 25 of my mail server, sendmail does NOT announce
> > STARTTLS as one of its capabilities. This, despite my having all the
> > incantations *apparently* correct in my hostname.mc, fresh self-signed
> > cert and key file in /etc/mail/certs, and various other things that have
> > been suggested/intimated by various sources.
>
> Hmmm... well, I don't understand why it isn't working for you. The
> sendmail in FreeBSD-10.3 is supplied with STARTTLS capabilities compiled
> in and should have certs and keys created for it at install time.
>
> > It would be nice to solve the problem stated in the Subject of this
> > insanely long thread:
> >
> > Why is my sendmail refusing to announce STARTTLS ?
>
> It is almost certainly some trivial little oversight, but it's
> impossible to say what that might be. I'm sure you've been through all
> this already, but have you checked and rechecked the simple and obvious
> stuff:
>
> * Have you built and installed a fresh sendmail config:
>
>     # cd /etc/mail
>     # make
>     # make install
>
> * Are you editing the correct .mc file? The one you want is
>   ${hostname}.mc -- where ${hostname} (if it isn't obvious) is the
>   hostname of your machine. If this doesn't exist, typing 'make'
>   will create it for you.
>
> * Did you restart sendmail after the last config update?
>
>     # service sendmail restart
>
> * Is sendmail listening on the IP numbers and ports you expect it to
>   be listening on? Or is it some other piece of software
>   entirely answering on port 25?
>
>     # sockstat | grep sendmail
>     # sockstat | grep -E ':25\>'
>
>   will provide clues.
>
> * Do you have anything in /etc/mail/access ?
>
> * What's in /etc/mail/mailwrapper ?
>
> Cheers,
>
> Matthew
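The two checks the thread turns on, an access map carrying a "srv_features: S" entry and an EHLO banner with no STARTTLS line, are easy to automate so the oversight is caught before a client breaks. The script below is an added example written for this page, not code from the thread or from sendmail; the access-map text and the EHLO reply it parses are constructed samples modelled on what is quoted above, and live_starttls_check() is an assumed helper that talks to a real server with the standard library only. In sendmail's srv_features map each flag is a single letter, uppercase disables the feature and lowercase enables it, and S/s is the STARTTLS flag.

```python
import re
import smtplib

# Constructed sample of an /etc/mail/access file, modelled on the one quoted in
# the thread. The last line is the culprit: an uppercase S in srv_features
# tells sendmail NOT to offer STARTTLS to matching clients.
SAMPLE_ACCESS = """\
192.168.27.26                   RELAY
junkemailfilter.com             OK
GreetPause:192.168.27.26        0
GreetPause:localhost            0
GreetPause:localhost.localdomain 0
srv_features:                   S
"""

# Constructed EHLO reply of the kind seen when telnetting to port 25 while the
# flag above is in effect: STARTTLS is missing from the extension list.
SAMPLE_EHLO = """\
250-pascal.junkemailfilter.com Hello [192.168.27.26], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
"""


def srv_features_entries(access_text):
    """Return (key, flags) for every srv_features line in an access file.

    Keys look like 'srv_features:' (applies to all clients) or
    'srv_features:192.168.27' (applies to matching client addresses).
    Blank lines and '#' comments are skipped.
    """
    entries = []
    for raw in access_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key.lower().startswith('srv_features:'):
            entries.append((key, value.strip()))
    return entries


def starttls_disabling_entries(access_text):
    """srv_features entries whose flags contain uppercase 'S' (STARTTLS off).

    Flags are single letters, so a plain substring test is sufficient whether
    or not the administrator separated them with spaces.
    """
    return [(key, flags) for key, flags in srv_features_entries(access_text)
            if 'S' in flags]


def ehlo_extensions(ehlo_text):
    """Parse a multi-line 250 EHLO reply into the set of extension keywords."""
    exts = set()
    lines = ehlo_text.splitlines()
    for line in lines[1:]:  # the first 250 line is the greeting, not an extension
        m = re.match(r'250[- ](\S+)', line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def offers_starttls(ehlo_text):
    """True when the EHLO reply advertises the STARTTLS extension."""
    return 'STARTTLS' in ehlo_extensions(ehlo_text)


def live_starttls_check(host, port=25, timeout=10):
    """Assumed helper: EHLO a live server and report whether STARTTLS is offered.

    Not exercised offline; smtplib records the advertised extensions after
    ehlo(), and has_extn() looks one up case-insensitively.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn('starttls')


if __name__ == '__main__':
    for key, flags in starttls_disabling_entries(SAMPLE_ACCESS):
        print(f'access map disables STARTTLS: {key} {flags}')
    print('EHLO offers STARTTLS:', offers_starttls(SAMPLE_EHLO))
```

Run it against the real /etc/mail/access (read the file into starttls_disabling_entries) after every edit to the map, and pair it with live_starttls_check() against localhost after "make && make restart"; a client-scoped key such as srv_features:192.168.27 is reported too, which matters because a flag that only affects one subnet is exactly the kind of entry that hides for months.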