From: Matthew Seaman
To: William Dudley
Cc: freebsd-questions@freebsd.org
Date: Sun, 19 Mar 2017 23:02:47 +0000
Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?

On 19/03/2017 20:04, William Dudley wrote:
> I have all of the stuff you referenced in my ${hostname}.mc.
>
> I have a dh.param in /etc/mail/certs
>
> And yet,
>
> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 mail.casano.com ESMTP Sendmail 8.15.2/8.15.2; Sun, 19 Mar 2017 16:02:48 -0400 (EDT)
> ehlo localhost
> 250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-ETRN
> 250-DELIVERBY
> 250 HELP
> quit
> 221 2.0.0 mail.casano.com closing connection
> Connection closed by foreign host.
>
> in which STARTTLS is conspicuous by its absence.
>
> Surely I am missing some crucial, undocumented step.
>
> Is there anything else I should check?
>

The chapter and verse on setting this up is here:

http://www.sendmail.org/~ca/email/starttls.html

You really only need the stuff on that page up to the 'Operation' section.

Do you have the symbolic link of the cacert hash pointing at the cacert? Like so:

lucid-nonsense:/etc/mail/certs:% ls -la
total 36
drwxr-xr-x  2 root  wheel     7 Jul 19  2016 ./
drwxr-xr-x  3 root  wheel    22 Feb  5 12:37 ../
lrwxr-xr-x  1 root  wheel    10 Jul 19  2016 5d402486.0@ -> cacert.pem
-rw-r--r--  1 root  wheel  1367 Jul 19  2016 cacert.pem
-rw-r--r--  1 root  wheel   424 May 21  2015 dh.param
-rw-r--r--  1 root  wheel  1415 Jul 19  2016 host.cert
-rw-------  1 root  wheel  1704 Jul 19  2016 host.key

If you need to, create that by:

ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0

Also check permissions -- the host.key file should be owned by root:wheel and mode 0600 as shown here.

Check in /var/log/maillog for any relevant messages from when you restarted sendmail or tried sending or receiving messages.

One final sanity check: does the output from 'sendmail -d0.1' show that it was compiled with STARTTLS? If not, then you'll need to choose one of the following:

  * Install sendmail from ports, compiled with the necessary settings
  * Tweak settings in your src.conf or make.conf and rebuild sendmail from the system sources.[*]
  * Upgrade to 11.0, where all this stuff definitely is enabled already.
Cheers,

Matthew

[*] ISTR that this sort of thing was not necessary for STARTTLS support, but it is necessary for SASL support. However those neurons have mostly been recycled, since I switched to postfix for all my e-mail needs some time ago and have never looked back.
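The checks from Matthew's reply (the cacert hash symlink, host.key permissions, the EHLO banner and 'sendmail -d0.1') as shell functions you can source on your own mail host; this is an added example, not code from the thread, and it assumes the /etc/mail/certs layout shown in the reply plus openssl(1) and nc(1).

```shell
# Added example, not code from the thread: the reply's checks as shell functions.
# Assumes the /etc/mail/certs layout shown above (cacert.pem, host.cert,
# host.key, dh.param owned by root:wheel), plus openssl(1) and nc(1).

# 1. Is there a <subject-hash>.0 symlink pointing at the CA cert? This is the
#    link the reply creates with:
#      ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0
check_cacert_link() {
    dir="$1"; cacert="${2:-cacert.pem}"
    subj_hash=$(openssl x509 -noout -hash < "$dir/$cacert") || return 1
    link="$dir/$subj_hash.0"
    [ -L "$link" ] || { echo "missing symlink $link -> $cacert" >&2; return 1; }
    [ "$(readlink "$link")" = "$cacert" ] ||
        { echo "$link points at $(readlink "$link"), not $cacert" >&2; return 1; }
}

# 2. Is the private key mode 0600 and, when owner/group are given, owned as
#    expected? Parses ls(1) output so it works on BSD and GNU userlands alike.
check_key_perms() {
    key="$1"; want_owner="${2:-}"; want_group="${3:-}"
    mode=$(ls -ld "$key" | cut -c1-10)
    owner=$(ls -ld "$key" | awk '{print $3}')
    group=$(ls -ld "$key" | awk '{print $4}')
    [ "$mode" = "-rw-------" ] ||
        { echo "$key is $mode, expected -rw------- (0600)" >&2; return 1; }
    [ -z "$want_owner" ] || [ "$owner" = "$want_owner" ] ||
        { echo "$key owned by $owner, expected $want_owner" >&2; return 1; }
    [ -z "$want_group" ] || [ "$group" = "$want_group" ] ||
        { echo "$key group is $group, expected $want_group" >&2; return 1; }
}

# 3. Does an EHLO reply (on stdin) advertise STARTTLS? William's transcript
#    fails this. Live: printf 'EHLO x\r\nQUIT\r\n' | nc localhost 25 | ehlo_advertises_starttls
ehlo_advertises_starttls() {
    grep -q '^250[- ]STARTTLS'
}

# 4. Was sendmail built with STARTTLS (the reply's `sendmail -d0.1`)? -bv root
#    makes it print the build info and exit instead of waiting for a message.
sendmail_has_starttls() {
    "${1:-sendmail}" -d0.1 -bv root 2>&1 < /dev/null | grep -q STARTTLS
}

# Run the on-host checks in order (reading host.key needs root).
starttls_sanity() {
    dir="${1:-/etc/mail/certs}"
    check_cacert_link "$dir" && check_key_perms "$dir/host.key" root wheel &&
        sendmail_has_starttls "${2:-sendmail}" && echo "$dir and sendmail look OK"
}
```

Each function prints the first failing condition to stderr and returns non-zero, so starttls_sanity stops at the exact step the reply tells you to fix.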