From owner-freebsd-questions@FreeBSD.ORG  Tue Nov  5 14:51:45 2013
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id 32FD9143
 for <freebsd-questions@freebsd.org>; Tue,  5 Nov 2013 14:51:45 +0000 (UTC)
 (envelope-from freebsd-questions@rsle.net)
Received: from mx1.rsle.net (mx1.rsle.net [IPv6:2607:ff40:b0b::4])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id E9A022D40
 for <freebsd-questions@freebsd.org>; Tue,  5 Nov 2013 14:51:44 +0000 (UTC)
Received: from prometheus.rsle.net (UNKNOWN [206.162.203.14] (may be forged))
 (authenticated bits=0)
 by mx1.rsle.net (8.14.7/8.14.7) with ESMTP id rA5Epa1I016937
 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO);
 Tue, 5 Nov 2013 09:51:38 -0500 (EST)
 (envelope-from freebsd-questions@rsle.net)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.98 at antivirus.rsle.net
Message-ID: <527905F3.6020501@rsle.net>
Date: Tue, 05 Nov 2013 09:51:31 -0500
From: "R. Scott Evans" <freebsd-questions@rsle.net>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
 rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Andrea Venturoli <ml@netfence.it>
Subject: Re: [Half OT] Mavericks' Mail and SSL
References: <52718078.8080702@netfence.it> <5272C747.8030805@rsle.net>
 <5273EF3F.8040307@netfence.it> <5273FD23.7090207@rsle.net>
 <527554CE.1040605@netfence.it>
In-Reply-To: <527554CE.1040605@netfence.it>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3
 (mx1.rsle.net [206.162.201.2]); Tue, 05 Nov 2013 09:51:39 -0500 (EST)
Cc: freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2013 14:51:45 -0000

On 11/02/13 15:38, Andrea Venturoli wrote:
> On 11/01/13 20:12, R. Scott Evans wrote:
>
>> I offer both SSL/TLS (465) and STARTTLS (587) to my users. In the Mac
>> Mail I don't see an option for differentiating the connection security
>> between SSL/TLS and STARTTLS other than specifying the port manually.
>> There is a checkbox to Use SSL regardless of what port option is used
>> (which I obviously have checked).
>>
>> Anyhow, I changed the port on my Mac to 465 and it still worked for me.
>>   Then again, I also just tried switching it back to the "default (25,
>> 465, 587)" option for the port and it now works with that also, so I'm
>> not sure what is going on?
>
> Thanks again.
> Would you mind sending me your .cf file, your FreeBSD, Sendmail, and
> OpenSSL version?
> Any other useful config file?
>
> Are you using a self-signed certificate?
>
>   bye & Thanks
>      av.

I'm using a CA signed certificate.  It's worth mentioning I also do SMTP 
Auth so will show the sasl version as well.  I don't recall previously 
having any problems with Apple Mac's and iDevices when using self signed 
certs but I have had problems with Android devices.  I've not tested 
this since I started using CA signed certs a few years ago though.

I only edit the .mc and let sendmail generate the .cf from that so I've 
included the relevant portions of the .mc instead (below).

-scott

--------
# uname -rsim
FreeBSD 9.2-STABLE amd64 GENERIC
#
# sendmail -d0.1
Version 8.14.7
  Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS 
PIPELINING SASLv2
                 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
#
# openssl version
OpenSSL 0.9.8y 5 Feb 2013
#
# pkg_info -Ix cyrus
cyrus-sasl-2.1.26_2 RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-saslauthd-2.1.26 SASL authentication server for cyrus-sasl2
#

--------- my sendmail .mc file (edited)
define(`confPRIVACY_FLAGS',``authwarnings,needexpnhelo,needmailhelo,needvrfyhelo,noexpn,novrfy,goaway'')

FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Name=IPv4, Family=inet, M=A')
DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')

dnl ### set SASL option ################################
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl
define(`confAUTH_MECHANISMS',`LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl

dnl ### SSL #############################################
define(`confCACERT_PATH', `/etc/mail/SSL/')dnl
define(`confCACERT', `/etc/mail/SSL/sf_bundle-g2.crt')dnl
define(`confSERVER_CERT', `/etc/mail/SSL/mydomain.pem')dnl
define(`confSERVER_KEY', `/etc/mail/SSL/mydomain.key')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

dnl ### Enable IPv6 ######################################
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
DAEMON_OPTIONS(`Name=MSA, Family=inet6, Port=587, M=Ea, Modifiers=O')
dnl ######################################################