From: "R. Scott Evans"
To: Andrea Venturoli
Cc: freebsd-questions@freebsd.org
Subject: Re: [Half OT] Mavericks' Mail and SSL
Date: Tue, 05 Nov 2013 09:51:31 -0500
Message-ID: <527905F3.6020501@rsle.net>
In-Reply-To: <527554CE.1040605@netfence.it>

On 11/02/13 15:38, Andrea Venturoli wrote:
> On 11/01/13 20:12, R. Scott Evans wrote:
>
>> I offer both SSL/TLS (465) and STARTTLS (587) to my users. In the Mac
>> Mail I don't see an option for differentiating the connection security
>> between SSL/TLS and STARTTLS other than specifying the port manually.
>> There is a checkbox to Use SSL regardless of what port option is used
>> (which I obviously have checked).
>>
>> Anyhow, I changed the port on my Mac to 465 and it still worked for me.
>> Then again, I also just tried switching it back to the "default (25,
>> 465, 587)" option for the port and it now works with that also, so I'm
>> not sure what is going on?
>
> Thanks again.
> Would you mind sending me your .cf file, your FreeBSD, Sendmail, and
> OpenSSL version?
> Any other useful config file?
>
> Are you using a self-signed certificate?
>
> bye & Thanks
> av.

I'm using a CA signed certificate. It's worth mentioning I also do SMTP
Auth so will show the sasl version as well.

I don't recall previously having any problems with Apple Macs and
iDevices when using self-signed certs but I have had problems with
Android devices. I've not tested this since I started using CA signed
certs a few years ago though.

I only edit the .mc and let sendmail generate the .cf from that so I've
included the relevant portions of the .mc instead (below).

-scott

--------
# uname -rsim
FreeBSD 9.2-STABLE amd64 GENERIC
#
# sendmail -d0.1
Version 8.14.7
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
                SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
#
# openssl version
OpenSSL 0.9.8y 5 Feb 2013
#
# pkg_info -Ix cyrus
cyrus-sasl-2.1.26_2 RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-saslauthd-2.1.26 SASL authentication server for cyrus-sasl2
#

--------- my sendmail .mc file (edited)
define(`confPRIVACY_FLAGS',``authwarnings,needexpnhelo,needmailhelo,needvrfyhelo,noexpn,novrfy,goaway'')
FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Name=IPv4, Family=inet, M=A')
DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')
dnl ### set SASL option ################################
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl
define(`confAUTH_MECHANISMS',`LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl
dnl ### SSL #############################################
define(`confCACERT_PATH', `/etc/mail/SSL/')dnl
define(`confCACERT', `/etc/mail/SSL/sf_bundle-g2.crt')dnl
define(`confSERVER_CERT', `/etc/mail/SSL/mydomain.pem')dnl
define(`confSERVER_KEY', `/etc/mail/SSL/mydomain.key')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl ### Enable IPv6 ######################################
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
DAEMON_OPTIONS(`Name=MSA, Family=inet6, Port=587, M=Ea, Modifiers=O')
dnl ######################################################
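
Added example (not part of the original message and not the poster's code): a Python check over the DAEMON_OPTIONS and AUTH lines quoted above, listing the listeners on which LOGIN/PLAIN can be advertised before TLS is active because confAUTH_OPTIONS does not contain `p`. The embedded sample is constructed from the edited excerpt, so a complete .mc may set that option elsewhere; the function names are hypothetical.

```python
import re

# Constructed sample: the listener and AUTH lines of the .mc excerpt above.
MC = """\
DAEMON_OPTIONS(`Name=IPv4, Family=inet, M=A')
DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')
define(`confAUTH_MECHANISMS',`LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
DAEMON_OPTIONS(`Name=MSA, Family=inet6, Port=587, M=Ea, Modifiers=O')
"""
KEYS = {"Name": "name", "Port": "port", "Family": "family",
        "M": "mods", "Modifiers": "mods"}  # both spellings occur in the excerpt
CLEARTEXT = {"LOGIN", "PLAIN"}

def define(mc, name):
    """Value of define(`name', `value'), or '' when the macro is not set."""
    m = re.search(r"define\(`%s',\s*`([^']*)'\)" % re.escape(name), mc)
    return m.group(1) if m else ""

def listeners(mc):
    """One dict per DAEMON_OPTIONS line; unset keys get sendmail's defaults."""
    found = []
    for body in re.findall(r"DAEMON_OPTIONS\(`([^']*)'\)", mc):
        d = {"name": "", "port": "smtp", "family": "inet", "mods": ""}
        for pair in body.split(","):
            key, _, val = pair.strip().partition("=")
            field = KEYS.get(key)
            if field == "mods":
                d["mods"] += val  # repeated modifier keys merged for reporting only
            elif field:
                d[field] = val
        found.append(d)
    return found

def cleartext_auth_exposure(mc):
    """Listeners where LOGIN/PLAIN can be offered on a connection not yet under TLS."""
    weak = CLEARTEXT & set(define(mc, "confAUTH_MECHANISMS").split())
    if not weak or "p" in define(mc, "confAUTH_OPTIONS"):
        return []  # AuthOptions 'p': no plaintext mechanisms without a security layer
    return [(d["name"], d["port"], d["family"]) for d in listeners(mc)
            if "s" not in d["mods"]    # s = smtps, TLS before any SMTP dialogue
            and "A" not in d["mods"]]  # A = AUTH disabled on this listener

if __name__ == "__main__":
    for name, port, family in cleartext_auth_exposure(MC):
        print(f"{family:5} port {port:5} ({name}): LOGIN/PLAIN advertised before TLS is active")
```

Appending define(`confAUTH_OPTIONS', `A p')dnl to the input makes the function return an empty list, since sendmail then withholds LOGIN and PLAIN until STARTTLS has completed.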