Date: Wed, 22 Mar 2017 16:32:11 +1030 From: Wayne Sierke <ws@au.dyndns.ws> To: William Dudley <wfdudley@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ? Message-ID: <1490162531.1981.62.camel@au.dyndns.ws> In-Reply-To: <CAFsnNZ%2BX4c=bVT5EXqeow-B9Dk-9LSr5g4xSy4yN19yQPDebpA@mail.gmail.com> References: <CAFsnNZLNVqA3PwUavhi62Orqg7i-OEsKo9m2Hsj0dwi%2B3iELmg@mail.gmail.com> <b424d91e-a7f4-57b8-174c-e2522c97107f@mahan.org> <CAFsnNZK5LpRyPTLGocMna1O-R0448ZJQ0qu2ZP%2BaE3w2UWwd8Q@mail.gmail.com> <CAFsnNZ%2B0c4EdQxcesohFcJjraoPYwi2v=wVK-QNFPnD7Wta5mQ@mail.gmail.com> <CAFsnNZL1bVCNuYCAe43uK3n6596HhQFpm8Y8S1ZCkNa_t1wGKw@mail.gmail.com> <a990c9a0-fe31-742b-a1bc-56fdd429d8cc@mahan.org> <CAFsnNZ%2B_Z-fCH2sHaXxH42KLmWGApqZJWamcy1AOS0oJnYqckA@mail.gmail.com> <CAFsnNZ%2BX4c=bVT5EXqeow-B9Dk-9LSr5g4xSy4yN19yQPDebpA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 2017-03-21 at 18:57 -0400, William Dudley wrote: > I've got all the bits that numerous sources say are the correct bits > (like > in hostname.mc). > > Sendmail in 10.x is able to generate it's OWN certificates. I've let it do > just that. > > However, sendmail still refuses to announce STARTTLS as a capability. > > Surely there must be some way to debug this, instead of just thrashing > about randomly. > > Is there a debug variable in sendmail that I can turn up to see exactly > what sendmail > doesn't like about the SSl/TLS stuff? Certainly. Increasing the loglevel was suggested on the page that Matthew linked for you earlier. Add this to your <hostname>.mc: define(`confLOG_Level', `14') These may help, too: https://forums.freebsd.org/threads/52471/ https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html > > Failing that, is anyone on this list using self-signed certificates? Do > you know the EXACT > sequence of things to do to get this to work? > > I have a funny feeling that the "auto-generated" certs created by sendmail > don't work if you > don't have an official cert from Verisign. > > Bill Dudley > > > This email is free of malware because I run Linux. > > On Mon, Mar 20, 2017 at 9:13 AM, William Dudley <wfdudley@gmail.com> wrote: > > > > > The point of this exercise is to allow my Android phone to access my email > > on my FreeBSD 10.3 server, using imap. I had it working last year, and > > then, > > with nary an error message, it stopped working. So the email client is > > the native > > Android email client (on a recent Cyanogen Android). My FreeBSD server > > runs > > sendmail, and I've been running my own mail domain for about a decade. > > > > My latest guess (and that's all I can do is guess) is that my self-signed > > certificates > > expired, and I just need to re-generate them. All the sources on sendmail > > and > > STARTTLS that I've seen so far show configs identical to my config, so from > > this I infer perhaps one or more of my cert files is "bad". > > > > stunnel may well be a wonderful program, but I really don't want to figure > > out how > > to specify each of the 500 lines in it's config file, especially when the > > software > > doesn't run successfully with it's own sample config file. > > > > Thanks for your time, > > Bill Dudley > > > > > > This email is free of malware because I run Linux. > > > > On Mon, Mar 20, 2017 at 12:59 AM, Patrick Mahan <mahan@mahan.org> wrote: > > > > > > > > On 3/19/17 1:07 PM, William Dudley wrote: > > > > > > > > I commented out the lines starting with checkHost, and started stunnel. > > > > It does start, and runs as a daemon. However, it doesn't seem to DO > > > anything. > > > > > > > > > > > > However, that hasn't changed sendmail's behaviour one iota. > > > > > > > > As far as I can tell, stunnel is a massive waste of time. > > > > > > > > I don't really want to spend months reading all the stunnel docs to > > > figure out > > > > > > > > how to get it to work with sendmail. Sendmail is hard enough on it's > > > own, and > > > > > > > > I can mostly control sendmail (well, except for the STARTTLS problem.) > > > > > > > > Thanks, > > > > Bill Dudley > > > > > > > > > > > > This email is free of malware because I run Linux. > > > > > > > > On Sun, Mar 19, 2017 at 9:53 AM, William Dudley <wfdudley@gmail.com > > > > wfdudley@gmail.com>> wrote: > > > > > > > > stunnel fails to start with this helpful message: > > > > > > > > /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com > > > > <http://pop.gmail.com>": Specified option name is not valid here > > > > > > > > The line it's complaining about is in the EXAMPLE config file. > > > > > > > > So this is not going well, at all. > > > > > > > > pop.gmail.com <http://pop.gmail.com>; is a valid hostname. I have > > > no idea > > > > > > > > what stunnel is complaining about. > > > > > > > Okay, Let me share what I do. I believe stunnel needs to run on the same > > > host > > > as the sendmail server. > > > > > > First, here is some relevant parts from my stunnel config file: > > > > > > ; Sample stunnel configuration file by Michal Trojnara 2002-2005 > > > ; Some options used here may not be adequate for your particular > > > configuration > > > ; Please make sure you understand them (especially the effect of chroot > > > jail) > > > > > > ; Certificate/key is needed in server mode and optional in client mode > > > cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem > > > ;key = /usr/local/etc/stunnel/mail.pem > > > > > > ; Some security enhancements for UNIX systems - comment them out on Win32 > > > chroot = /var/stunnel/ > > > setuid = stunnel > > > setgid = stunnel > > > ; PID is created inside chroot jail > > > pid = /stunnel.pid > > > > > > ; Some performance tunings > > > socket = l:TCP_NODELAY=1 > > > socket = r:TCP_NODELAY=1 > > > ;compression = rle > > > > > > ; Workaround for Eudora bug > > > ;options = DONT_INSERT_EMPTY_FRAGMENTS > > > > > > ; Authentication stuff > > > verify = 0 > > > > > > .... > > > > > > ; Some debugging stuff useful for troubleshooting > > > debug = 7 > > > output = stunnel.log > > > > > > ; Use it for client mode > > > ;client = yes > > > > > > ; Service-level configuration > > > > > > [pop3s] > > > accept = 995 > > > connect = 110 > > > > > > [imaps] > > > accept = 993 > > > connect = 143 > > > > > > [smtps] > > > accept = 465 > > > connect = 25 > > > > > > I run dovecot for my imap server which is listening on port 143: > > > > > > mahan@ns-/usr/local/etc/stunnel 11 # sockstat | grep 110 > > > root dovecot 915 22 tcp4 *:110 *:* > > > > > > But I connect from my mail clients (ios mail, thunderbird, ...) to port > > > 993. The > > > mail clients are all configured to use ssl/tls, *not* startttl. > > > > > > My smtp I connect via stunnel over port 465, not port 25 for sending mail. > > > > > > So what are you trying to accomplish? The idea is for your accessing > > > these > > > servers in an encrypted fashion. But from your above description, it > > > sounds > > > like you are trying to access your unsecured gmail account using POP3. > > > Not > > > sure why as the connection from stunnel to pop.gmail.com will be > > > unsecured. > > > > > > What email client are you trying to use? > > > > > > Patrick > > > > > > > > > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1490162531.1981.62.camel>