Date:      Sun, 19 Mar 2017 23:02:47 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        William Dudley <wfdudley@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
Message-ID:  <dc1f26f7-58bc-ac28-1a09-605806fe7bfd@FreeBSD.org>
In-Reply-To: <CAFsnNZL2=BfQrMCT7c7eMn8ikqPKXpUiKVtCUias4mqWJZurCw@mail.gmail.com>
References:  <CAFsnNZLNVqA3PwUavhi62Orqg7i-OEsKo9m2Hsj0dwi+3iELmg@mail.gmail.com> <e0147881-7d8f-3153-a179-24a0daf1f354@FreeBSD.org> <CAFsnNZL2=BfQrMCT7c7eMn8ikqPKXpUiKVtCUias4mqWJZurCw@mail.gmail.com>

On 19/03/2017 20:04, William Dudley wrote:
> I have all of the stuff you referenced in my ${hostname}.mc.
>
> I have a dh.param in /etc/mail/certs
>
> And yet,
>
> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 mail.casano.com ESMTP Sendmail 8.15.2/8.15.2; Sun, 19 Mar 2017 16:02:48
> -0400 (EDT)
> ehlo localhost
> 250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-ETRN
> 250-DELIVERBY
> 250 HELP
> quit
> 221 2.0.0 mail.casano.com closing connection
> Connection closed by foreign host.
>
> in which STARTTLS is conspicuous by its absence.
>
> Surely I am missing some crucial, undocumented step.
>
> Is there anything else I should check?
>

The chapter and verse on setting this up is here:
http://www.sendmail.org/~ca/email/starttls.html

You really only need the stuff on that page up to the 'Operation' section.

Do you have the symbolic link of the cacert hash pointing at the cacert?
Like so:

lucid-nonsense:/etc/mail/certs:% ls -la
total 36
drwxr-xr-x  2 root  wheel     7 Jul 19  2016 ./
drwxr-xr-x  3 root  wheel    22 Feb  5 12:37 ../
lrwxr-xr-x  1 root  wheel    10 Jul 19  2016 5d402486.0@ -> cacert.pem
-rw-r--r--  1 root  wheel  1367 Jul 19  2016 cacert.pem
-rw-r--r--  1 root  wheel   424 May 21  2015 dh.param
-rw-r--r--  1 root  wheel  1415 Jul 19  2016 host.cert
-rw-------  1 root  wheel  1704 Jul 19  2016 host.key

If you need to, create that by:

ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0

Also check permissions -- the host.key file should be owned by
root:wheel and mode 0600 as shown here.

Check in /var/log/maillog for any relevant messages from when you
restarted sendmail or tried sending or receiving messages.

One final sanity check:  does the output from 'sendmail -d0.1' show that
it was compiled with STARTTLS?  If not, then you'll need to choose one
of the following:

  * Install sendmail from ports, compiled with the necessary settings

  * Tweak settings in your src.conf or make.conf and rebuild sendmail
    from the system sources.[*]

  * Upgrade to 11.0, where all this stuff definitely is enabled already.

	Cheers,

	Matthew

[*] ISTR that this sort of thing was not necessary for STARTTLS support,
but it is necessary for SASL support.  However those neurons have mostly
been recycled, since I switched to postfix for all my e-mail needs some
time ago and have never looked back.
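The checks Matthew lists above (the cacert hash symlink, the host.key ownership and mode, whether sendmail was compiled with STARTTLS, and whether the server actually advertises it on port 25) can be scripted. The following is an added example written for this page, not code from the thread or from the sendmail project. It assumes the /etc/mail/certs layout shown in the listing (cacert.pem, host.key, a <hash>.0 symlink), that openssl and nc are installed, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: post-configuration checklist for sendmail STARTTLS on
# FreeBSD. Not part of the thread. Assumes the /etc/mail/certs layout
# from the listing above; every function name here is hypothetical.
# Usage: sh starttls_check.sh /etc/mail/certs

# Subject-name hash that OpenSSL uses for the CA lookup symlink
# (same command the reply uses to create the link).
cert_hash() {
    openssl x509 -noout -hash < "$1"
}

# The <hash>.0 symlink must exist in DIR and resolve to cacert.pem.
check_hash_link() {
    dir=$1; hash=$2; link="$dir/$hash.0"
    if [ ! -L "$link" ]; then
        echo "missing symlink $link -> cacert.pem" >&2; return 1
    fi
    if [ "$(basename "$(readlink "$link")")" != cacert.pem ] || [ ! -f "$link" ]; then
        echo "$link does not resolve to $dir/cacert.pem" >&2; return 1
    fi
}

# The private key must be mode 0600 (the listing shows -rw-------).
# ls -ld output is used because stat(1) flags differ between BSD and GNU.
check_key_mode() {
    mode=$(ls -ld "$1/host.key" | awk '{print $1}')
    case $mode in
        -rw-------*) return 0 ;;   # trailing '*' tolerates ACL/SELinux markers
        *) echo "host.key mode is $mode, expected -rw-------" >&2; return 1 ;;
    esac
}

# The private key owner:group must match EXPECTED (root:wheel on FreeBSD).
check_key_owner() {
    owner=$(ls -ld "$1/host.key" | awk '{print $3 ":" $4}')
    [ "$owner" = "$2" ] && return 0
    echo "host.key owned by $owner, expected $2" >&2; return 1
}

# Reads an EHLO transcript on stdin; succeeds only if STARTTLS is offered.
# Both '250-STARTTLS' (middle of the list) and '250 STARTTLS' (last) count.
ehlo_offers_starttls() {
    grep -Eq '^250[- ]STARTTLS'
}

# Reads 'sendmail -d0.1' output on stdin; the "Compiled with:" list wraps
# over several lines, so a whole-word search of the full output is used.
starttls_compiled_in() {
    grep -qw STARTTLS
}

# Run every check against a live host; exit status is non-zero if any fail.
run_all_checks() {
    dir=$1; rc=0
    check_hash_link "$dir" "$(cert_hash "$dir/cacert.pem")" || rc=1
    check_key_mode "$dir" || rc=1
    check_key_owner "$dir" root:wheel || rc=1
    sendmail -d0.1 -bv root < /dev/null 2>&1 | starttls_compiled_in \
        || { echo "sendmail was not built with STARTTLS" >&2; rc=1; }
    printf 'EHLO localhost\r\nQUIT\r\n' | nc -w 3 localhost 25 | ehlo_offers_starttls \
        || { echo "STARTTLS is not advertised on port 25" >&2; rc=1; }
    return $rc
}

if [ "$#" -gt 0 ]; then
    run_all_checks "$1"
fi
```

The individual checks read their input from stdin or a directory argument, so each one can be exercised on captured output (for instance the EHLO transcript quoted above, which correctly fails the STARTTLS check) without a running sendmail; only run_all_checks talks to the live daemon.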


