Date: Sun, 19 Mar 2017 16:04:45 -0400
From: William Dudley <wfdudley@gmail.com>
To: Matthew Seaman <matthew@freebsd.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
Message-ID: <CAFsnNZL2=BfQrMCT7c7eMn8ikqPKXpUiKVtCUias4mqWJZurCw@mail.gmail.com>
In-Reply-To: <e0147881-7d8f-3153-a179-24a0daf1f354@FreeBSD.org>
References: <CAFsnNZLNVqA3PwUavhi62Orqg7i-OEsKo9m2Hsj0dwi%2B3iELmg@mail.gmail.com> <e0147881-7d8f-3153-a179-24a0daf1f354@FreeBSD.org>
I have all of the stuff you referenced in my ${hostname}.mc.
I have a dh.param in /etc/mail/certs. And yet:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.casano.com ESMTP Sendmail 8.15.2/8.15.2; Sun, 19 Mar 2017 16:02:48 -0400 (EDT)
ehlo localhost
250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.casano.com closing connection
Connection closed by foreign host.

in which STARTTLS is conspicuous by its absence.

Surely I am missing some crucial, undocumented step. Is there anything else I should check?

Thanks,
Bill Dudley

This email is free of malware because I run Linux.

On Sun, Mar 19, 2017 at 10:34 AM, Matthew Seaman <matthew@freebsd.org> wrote:
> On 18/03/2017 22:44, William Dudley wrote:
> > A Google search does not reveal a useful answer.
> >
> > I just want to use a self-signed certificate so I can get my email from my
> > FreeBSD mail server to my cell phone. My FreeBSD server runs sendmail.
> > I don't really want to switch to postfix, qmail, etc. etc.
>
> Hmm... STARTTLS capability is enabled by default in freebsd.mc in 11.0
> -- I think it might be on 10.3 as well.
>
> Anyhow, you need the following sort of thing in your ${hostname}.mc --
>
> define(`CERT_DIR', `/etc/mail/certs')dnl
> define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
> define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
> define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
> define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confCACERT_PATH', `CERT_DIR')dnl
> define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
>
> and you need to create all of the host.key and host.cert and cacert.pem
> and dh.param files. That's mostly covered here:
>
> http://www.sendmail.org/~ca/email/other/cagreg.html
>
> Note that for e-mail purposes you don't generally need a certificate
> signed by a well known CA -- just self signed is fine. With e-mail,
> it's more important to ensure privacy in transit rather than to identify
> the party you're corresponding with.
>
> The dh.param file you can generate by:
>
> openssl dhparam -outform PEM -out dh.param 2048
>
> IIRC adding all this will allow your sendmail install to support
> STARTTLS, but not make it require STARTTLS. I believe there's a
> DAEMON_OPTIONS setting to achieve that, but I'd need to look that up.
> Get hold of the O'Reilly sendmail book if you're interested -- it has
> details of all this stuff.
>
> Cheers,
>
> Matthew
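The check Bill is doing by hand over telnet, written as an added diagnostic that is not part of either message: it parses an EHLO reply for the advertised ESMTP extensions and, against a live server, negotiates STARTTLS if it is offered. The embedded reply is a copy of the one quoted above; `check_live_server` is a hypothetical helper that disables certificate verification because the thread is about a self-signed certificate.

```python
import smtplib
import ssl

# Copy of the EHLO reply quoted in the message above (constructed for offline
# use): STARTTLS is not among the extensions the server lists.
SAMPLE_EHLO_REPLY = """250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP"""


def parse_ehlo_extensions(reply):
    """Return the ESMTP keywords from a raw EHLO reply (first line is the greeting)."""
    exts = []
    for line in reply.splitlines()[1:]:
        # '250-KEYWORD' means more lines follow; '250 KEYWORD' is the last line.
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("malformed EHLO line: %r" % line)
        exts.append(line[4:].split()[0].upper())
    return exts


def advertises_starttls(reply):
    return "STARTTLS" in parse_ehlo_extensions(reply)


def check_live_server(host, port=25):
    """EHLO a server; if STARTTLS is offered, negotiate it and report the TLS session.

    Hypothetical helper, not from the thread. Verification is disabled because a
    self-signed certificate is expected; this is a diagnostic, not a mail client.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False, "extensions": sorted(smtp.esmtp_features)}
        smtp.starttls(context=ctx)
        smtp.ehlo()  # RFC 3207: the extension list must be re-read after TLS starts
        cert_der = smtp.sock.getpeercert(binary_form=True)
        return {"starttls": True, "tls_version": smtp.sock.version(),
                "cert_der_len": len(cert_der)}
```

Run `check_live_server("localhost")` on the mail host once the certificate files and `.mc` defines are in place; a result with `"starttls": False` reproduces what the telnet session above shows.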