Date:      Sat, 13 Jul 2024 09:33:17 -0700
From:      bob prohaska <fbsd@www.zefox.net>
To:        TIM KELLERS <tim@beachpatt.com>
Cc:        ports@freebsd.org
Subject:   Sendmail and TLS, was: Re: Using dma for external incoming mail
Message-ID:  <ZpKsTQ50dKvFoooe@www.zefox.net>
In-Reply-To: <7cedb66b-5573-4a1a-a318-8aeb6d659786@beachpatt.com>
References:  <ZomITiPJuhngG1ap@www.zefox.net> <202407070814.4678Ebdm011129@nuc.oldach.net> <ZorxE__UukLF0koc@www.zefox.net> <86y16a6x77.fsf@ltc.des.dev> <Zo6cSzeD1GJr5m0z@www.zefox.net> <8caa7e52-d84e-4e9b-8a24-6deee13764f9@quip.cz> <7cedb66b-5573-4a1a-a318-8aeb6d659786@beachpatt.com>

On Wed, Jul 10, 2024 at 12:40:31PM -0400, TIM KELLERS wrote:
> On 7/10/24 11:49 AM, Miroslav Lachman wrote:
> > 
[snip]
> > So I think it is very easy to be blocked by Gmail. It is not about
> > domain, but by the IP of the server I think.
> > 
> 
> Miroslav is correct.  I have 2 domains hosted by Digital Ocean and one falls
> into an address range that Gmail rejects and another that Gmail accepts.
> 
> mxtoolbox.com will check and alert you if your sending domain has any
> blacklist flags attached to it.  UCEPROTECTL3 and UCEPROTECTL2 are the most
> common and they come from using a non-compliant host.

That was informative. No blacklist, but my mx record is somehow wrong.
The intent was to direct any mail for *.zefox.net to host www.zefox.net.
That seems to be considered an error. Once that is fixed, I'll do the same
for zefox.com and zefox.org.
> 
> You also have to be careful about using a DHCP address.  Gmail may flag
> email you send even if it is Smarthosted through a compliant static IP
> mailserver if it detects that the originating address is DHCP.
>
All addresses are static, no DHCP.
  
> Gmail likes to deliver mail from one of my servers to their Junk/Spam
> folder, another of my servers gets email delivered fine.
>
I'd be delighted to get that far 8-)
 
> I've been through a lot of trial and error making gmail happy.
> 

> These current sendmail features I'm using (updated 2 days ago) seem to do
> the trick the best:
> # sendmail -d0.1 -bv root | grep SASL
>                 PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS TLS_EC

Something different in my case, no SASL in the output. Instead:
bob@pelorus:~ % sendmail -d0.1 -bv root 
Version 8.18.1
 Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
		MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
		PIPELINING SCANF STARTTLS TCPWRAPPERS TLS_EC TLS_VRFY_PER_CTX
		USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = pelorus
  (canonical domain name) $j = pelorus.zefox.org
         (subdomain name) $m = zefox.org
              (node name) $k = pelorus.zefox.org
========================================================

Notice: -bv may give misleading output for non-privileged user
bob@www.zefox.net... deliverable: mailer esmtp, host www.zefox.net., user bob@www.zefox.net

STARTTLS is present, but no SASLv2. Does it matter? I'm baffled where the
reference to bob@www.zefox.net came from, unless it's the MX record.

In the meantime I found a very old "cookbook" for TLS and sendmail at
https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html
Is it hopelessly out of date? Certificate and key generation seem
particularly obscure.

The plan is to test on pelorus.zefox.org, when TLS works rename the
host to www.zefox.net after migrating user files. I'm guessing this
will require a repeat of sendmail/TLS configuration. Is that right?

It's been suggested elsewhere that postfix is a better MTA these days.
I've no deep preference for sendmail; might postfix be easier, or at
least more accessibly documented?

Thank you very much!

bob prohaska
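The thread mentions a blacklist lookup and an MX record that a checker flagged as wrong, without saying what the flag was. The script below is an added example, not part of the message or of any tool the thread names: it models a tiny DNS zone as a Python dict (all records are constructed, `example.org` placeholders rather than the poster's domains) and runs the kind of structural checks a deliverability tester applies to a sending host's DNS: an MX target must be a hostname with an A record, not an IP literal and not a CNAME (RFC 2181 section 10.3), and the host's address should have a PTR record that points back to the same hostname. Swapping the dict for real resolver calls is left to the reader; the check logic stays the same.

```python
"""Offline DNS sanity checks for a sending mail host.

Added example: the ZONE table below is constructed data standing in for
real DNS answers, so the checks run without network access.
"""

# Constructed zone: owner name -> list of (record type, value).
# MX values are (priority, target) tuples.
ZONE = {
    "example.org": [("MX", (10, "mail.example.org"))],
    "mail.example.org": [("A", "192.0.2.25")],
    "www.example.org": [("CNAME", "mail.example.org")],
    # Deliberately broken zone for the demo: one MX points at a CNAME,
    # the other at a bare IP address.
    "bad.example.org": [("MX", (10, "www.example.org")),
                        ("MX", (20, "192.0.2.26"))],
    # Reverse record for mail.example.org's address.
    "25.2.0.192.in-addr.arpa": [("PTR", "mail.example.org")],
}


def lookup(zone, name, rtype):
    """Return all values of type RTYPE at NAME (trailing dot ignored)."""
    return [v for t, v in zone.get(name.rstrip("."), []) if t == rtype]


def reverse_name(ip):
    """Build the in-addr.arpa name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def check_mx(zone, domain):
    """Return a list of problems with DOMAIN's MX records; empty means OK."""
    problems = []
    mxs = lookup(zone, domain, "MX")
    if not mxs:
        # Receivers then fall back to the A record, which is rarely intended.
        return [f"{domain}: no MX record"]
    for prio, target in sorted(mxs):
        if target.replace(".", "").isdigit():
            problems.append(
                f"{domain}: MX {prio} target {target} is an IP literal, not a hostname")
            continue
        if lookup(zone, target, "CNAME"):
            problems.append(
                f"{domain}: MX {prio} target {target} is a CNAME (RFC 2181 s10.3)")
        elif not lookup(zone, target, "A"):
            problems.append(
                f"{domain}: MX {prio} target {target} has no A record")
    return problems


def check_reverse(zone, hostname):
    """Check that each A record of HOSTNAME has a PTR pointing back to it."""
    problems = []
    for ip in lookup(zone, hostname, "A"):
        ptrs = lookup(zone, reverse_name(ip), "PTR")
        if not ptrs:
            problems.append(f"{ip}: no PTR record")
        elif hostname not in ptrs:
            problems.append(f"{ip}: PTR {ptrs} does not match {hostname}")
    return problems


if __name__ == "__main__":
    for domain in ("example.org", "bad.example.org", "missing.example.org"):
        for line in check_mx(ZONE, domain) or [f"{domain}: MX OK"]:
            print(line)
    for line in check_reverse(ZONE, "mail.example.org") or ["reverse DNS OK"]:
        print(line)
```

Run against the constructed zone, `example.org` passes both checks, `bad.example.org` reports the CNAME target and the IP-literal target, and a name with no MX record is reported as such. The reverse check is the one that matters most for a host that sends directly rather than through a smarthost, since receivers compare the PTR of the connecting address with the name the host announces.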
