Date: Fri, 10 Feb 2023 10:06:08 -0500
From: William Dudley <wfdudley@gmail.com>
To: list-freebsd-questions@jyborn.se, freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: help needed getting sendmail+STARTTLS working on FreeBSD 12 or 13
Message-ID: <CAFsnNZJoYPMDcbX7N-nm4Ea_w0SgdJdakQ3zvV_XK3eDxhUhoQ@mail.gmail.com>
In-Reply-To: <Y+YaN7HxCXG9t5XL@pol-server.leissner.se>
References: <CAFsnNZKxUnZNnne+Vf015jWugNTURxvib9wiP8F5eXSxutvMeQ@mail.gmail.com> <Y+YaN7HxCXG9t5XL@pol-server.leissner.se>
Peter,

Thanks for the tip about "sendmail -d0.1".  I did that with both "base" sendmail
and ports sendmail, and got this:

base sendmail:

Version 8.16.1
 Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
                MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PIPELINING SCANF STARTTLS TCPWRAPPERS TLS_EC TLS_VRFY_PER_CTX
                USERDB XDEBUG

ports sendmail:

Version 8.17.1
 Compiled with: DANE DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
                MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PICKY_HELO_CHECK PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
                TLS_EC TLS_VRFY_PER_CTX USERDB XDEBUG

So despite various claims on "the internet", base sendmail IS compiled with STARTTLS.
What is missing in the base version is SASLv2.

So, one mystery solved.  I still can't get STARTTLS to "work", but I understand a little more.

As to permissions: as stated in the original email, I was getting a permissions complaint from
sendmail until I made some of the cert files 600.

Bill Dudley

On Fri, Feb 10, 2023 at 5:19 AM <list-freebsd-questions@jyborn.se> wrote:
> Hello!
>
> I'm no expert, but I think your configuration below looks fine.
>
> You have the [x] on TLS, and your mc define lines are identical
> to mine (except different path in CERT_DIR), and I also use
> LetsEncrypt. I don't remember doing anything else than that
> to get STARTTLS working.
>
> What do you see with "/usr/local/sbin/sendmail -d0.1"?
> Do you see STARTTLS in the "Compiled with" lines?
> If you do, then double check that you are running the sendmail
> from ports and not from base.
> (But I don't think that ports sendmail is necessary, I think
> that base sendmail also has the TLS option compiled in.)
>
> Could possibly be a permissions thing.
> My CERT_DIR is 700 root:wheel and the cert files in it are 600 root:wheel.
>
> Peter Olsson
>
> On Thu, Feb 09, 2023 at 08:21:28PM -0500, William Dudley wrote:
> > I cannot get STARTTLS to "work", and all the tutorials I find on the web
> > seem to be using FreeBSD 4 or 5?  I've been running my own mail server for
> > perhaps 15 or 20 years now, so I've been working with sendmail for
> > a long time.
> >
> > PLEASE do not suggest I switch to postfix or one of the MTAs.  I know
> > sendmail and have lots of configuration established, and I don't
> > want to go through that learning curve all over again.
> >
> > So, to the problem at hand.  I've done lots of googling and reading, and
> > this is what I've done:
> >
> > I think I understand that one must build sendmail from ports because
> > the sendmail from pkg does not have TLS compiled in.  (Why the hell not,
> > I don't know).
> >
> > I have both a 12.3-RELEASE-p6 machine and a 13.1-RELEASE-p3 machine,
> > and both act identically badly.
> >
> > I downloaded the latest ports tree (using git) and ran "make config", which
> > presents these options:
> >
> >   sendmail-8.17.1_6
> >   [x] SHMEM            System V shared memory support
> >   [x] SEM              POSIX semaphores support
> >   [x] LA               load averages support
> >   [x] NIS              Network Information Services/YP support
> >   [x] IPV6             IPv6 protocol support
> >   [x] TLS              SMTP-TLS and SMTPS support
> >   [x] DANE             Enable DANE support
> >   [x] SASL             SASL authentication support
> >   [x] SASLAUTHD        SASLAUTHD support
> >   [ ] LDAP             LDAP protocol support
> >   [ ] BDB              Berkeley DB version 4+ support
> >   [ ] GDBM             GNU dbm library support (option COMPAT needed)
> >   [ ] SOCKETMAP        Enable socketmap feature
> >   [ ] CYRUSLOOKUP      Enable cyruslookup feature
> >   [x] BLACKLISTD       Enable blacklistd support
> >   [ ] SMTPUTF8         Enable unicode address support
> >   [x] PICKY_HELO_CHECK Enable picky HELO check
> >   [x] MILTER           Enable milter support
> >   [ ] MTA_STS          Enable MTA-STS support (option SOCKETMAP and T
> >   [ ] TLS_CERT_CHAIN   Enable certificate chain file support (incompa
> >   [x] DOCS             Build and/or install documentation
> >                              < OK >        <Cancel>
> >
> > I didn't change any options.  Should I have?
> > Then, of course, "make" and "make install", and then follow the
> > instructions that are printed out at the conclusion of the last step.
> >
> > Next, in my freebsd.mc file, I added this:
> >
> > define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/my-site-name.com')dnl
> > define(`confCACERT_PATH', `CERT_DIR')dnl
> > define(`confCACERT', `CERT_DIR/chain.pem')dnl
> > define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
> > define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl
> >
> > (except of course, I changed "my-site-name.com" to the actual directory
> > where my certs are)
> > (I've been using letsencrypt since late 2017 to generate certificates for
> > the few websites I host.)
> >
> > I changed mailer.conf (both copies) to this:
> >
> > sendmail        /usr/local/sbin/sendmail
> > send-mail       /usr/local/sbin/sendmail
> > mailq           /usr/local/sbin/sendmail
> > newaliases      /usr/local/sbin/sendmail
> > hoststat        /usr/local/sbin/sendmail
> > purgestat       /usr/local/sbin/sendmail
> >
> > So that the sendmail from ports is chosen.
> >
> > I run "make" in the /etc/mail directory, and "make stop" and "make start"
> > to restart sendmail.
> > I found that I had to "chmod 600 privkey.pem" to get sendmail to not
> > complain about that file being group readable:
> >
> > Feb  9 19:51:39 my-site sm-mta[38802]: STARTTLS=client: file
> > /usr/local/etc/letsencrypt/live/my-site-name.com-0001/privkey.pem unsafe: Group readable file
> >
> > when I run this test:
> >
> > openssl s_client -connect localhost:25 -starttls smtp -showcerts
> >
> > I get this response, showing that STARTTLS isn't announced.
> >
> > CONNECTED(00000003)
> > Didn't find STARTTLS in server response, trying anyway...
> > 547012608:error:1408F10B:SSL routines:ssl3_get_record:wrong version
> > number:ssl/record/ssl3_record.c:332:
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 323 bytes and written 326 bytes
> > Verification: OK
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > Early data was not sent
> > Verify return code: 0 (ok)
> > ---
> >
> > If I telnet into my server, I see this:
> >
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 mail.casano.com ESMTP Sendmail 8.17.1/8.17.1; Thu, 9 Feb 2023 18:36:46 -0500 (EST)
> > ehlo m2.casano.com
> > 250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
> > 250-ENHANCEDSTATUSCODES
> > 250-PIPELINING
> > 250-8BITMIME
> > 250-SIZE
> > 250-DSN
> > 250-ETRN
> > 250-AUTH PLAIN LOGIN
> > 250-DELIVERBY
> > 250 HELP
> > quit
> >
> > So no announcement of STARTTLS there, either.  The sendmail version is the
> > one from ports.  The "stock" version is 8.16.1, as seen here from an earlier
> > test before I enabled the ports version:
> >
> > 220 mail.casano.com ESMTP Sendmail 8.16.1/8.16.1; Wed, 8 Feb 2023 16:34:35 -0500 (EST)
> >
> > I do see this in /var/log/maillog:
> >
> > Feb  9 19:51:14 my-site sm-mta[38691]: STARTTLS=client, relay=aero4.stememail.com, version=TLSv1.3, verify=FAIL, cipher=TLS_AES_128_GCM_SHA256, bits=128/128
> >
> > which looks promising, but then why do the other tests not show STARTTLS
> > present?
> >
> > I think this recitation includes all the changes I made to try to get this
> > working.
> > What am I missing?  Are there any tutorials written in this decade for
> > doing this?
> >
> > If you want to poke at my mail server, feel free: mail.casano.com
> >
> > Thanks,
> > Bill Dudley
> > New Jersey, USA
> >
> > This email is free of malware because I run Linux.
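A small checker for the two symptoms in this thread, added here as an example that is not part of the thread and not sendmail's own code: it parses the EHLO reply quoted above (copied as a constructed sample) for the STARTTLS extension, flags that AUTH PLAIN LOGIN is offered without it, and applies the group/world permission rule behind the "unsafe: Group readable file" log line. The messages and the bit checks are modelled on sendmail's behaviour, not taken from its source, and are assumptions of this example.

```python
"""Checks for the two symptoms discussed in this thread (an added example,
not code from the thread or from sendmail): does the EHLO reply advertise
STARTTLS, and would sendmail's file-permission rule reject the key file?
"""
import os
import stat

# Constructed sample: the EHLO reply quoted in the thread, greeting line
# included. "250-" lines are continued; the final "250 " line ends the reply.
SAMPLE_EHLO_REPLY = """\
250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN
250-DELIVERBY
250 HELP
"""


def parse_ehlo_reply(reply):
    """Return {EXTENSION: [params]} from a multi-line 250 EHLO reply.

    The first line carries the greeting, not an extension, so it is skipped.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    exts = {}
    for ln in lines[1:]:
        if not (ln.startswith("250-") or ln.startswith("250 ")):
            raise ValueError("unexpected EHLO reply line: %r" % ln)
        keyword, *params = ln[4:].split()
        exts[keyword.upper()] = params
    return exts


def assess_ehlo(reply):
    """Summarise what the reply means for transport security."""
    exts = parse_ehlo_reply(reply)
    starttls = "STARTTLS" in exts
    return {
        "starttls_offered": starttls,
        # AUTH advertised without STARTTLS: a client that logs in here sends
        # its password in the clear, which is what the quoted banner shows.
        "plaintext_auth_exposed": "AUTH" in exts and not starttls,
        "auth_mechanisms": exts.get("AUTH", []),
    }


# Permission bits a private key must not carry. Messages are modelled on
# sendmail's "unsafe: Group readable file" log line (an assumption here).
_UNSAFE_BITS = (
    (stat.S_IRGRP, "Group readable file"),
    (stat.S_IWGRP, "Group writable file"),
    (stat.S_IROTH, "World readable file"),
    (stat.S_IWOTH, "World writable file"),
)


def unsafe_mode_bits(mode):
    """List the permission problems for a key file with this st_mode."""
    return [msg for bit, msg in _UNSAFE_BITS if mode & bit]


def key_file_problems(path):
    """Run the mode check against a real file (e.g. CERT_DIR/privkey.pem)."""
    return unsafe_mode_bits(os.stat(path).st_mode)


if __name__ == "__main__":
    print(assess_ehlo(SAMPLE_EHLO_REPLY))
    print(unsafe_mode_bits(0o640), unsafe_mode_bits(0o600))
```

sendmail only advertises STARTTLS once its server-side TLS context has initialised, so key_file_problems() is worth running on every file named in the confSERVER_* and confCACERT defines, not only privkey.pem.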