help needed getting sendmail+STARTTLS working on FreeBSD 12 or 13
Date: Fri, 10 Feb 2023 01:21:28 UTC
I cannot get STARTTLS to "work", and all the tutorials I find on the web seem to be using FreeBSD 4 or 5?

I've been running my own mail server for perhaps 15 or 20 years now, so I've been working with sendmail for a long time. PLEASE do not suggest I switch to postfix or one of the other MTAs. I know sendmail and have lots of configuration established, and I don't want to go through that learning curve all over again.

So, to the problem at hand. I've done lots of googling and reading, and this is what I've done:

I think I understand that one must build sendmail from ports because the sendmail from pkg does not have TLS compiled in. (Why the hell not, I don't know.)

I have both a 12.3-RELEASE-p6 machine and a 13.1-RELEASE-p3 machine, and both act identically badly.

I downloaded the latest ports tree (using git) and ran "make config", which presents these options:

    sendmail-8.17.1_6
    [x] SHMEM            System V shared memory support
    [x] SEM              POSIX semaphores support
    [x] LA               load averages support
    [x] NIS              Network Information Services/YP support
    [x] IPV6             IPv6 protocol support
    [x] TLS              SMTP-TLS and SMTPS support
    [x] DANE             Enable DANE support
    [x] SASL             SASL authentication support
    [x] SASLAUTHD        SASLAUTHD support
    [ ] LDAP             LDAP protocol support
    [ ] BDB              Berkeley DB version 4+ support
    [ ] GDBM             GNU dbm library support (option COMPAT needed)
    [ ] SOCKETMAP        Enable socketmap feature
    [ ] CYRUSLOOKUP      Enable cyruslookup feature
    [x] BLACKLISTD       Enable blacklistd support
    [ ] SMTPUTF8         Enable unicode address support
    [x] PICKY_HELO_CHECK Enable picky HELO check
    [x] MILTER           Enable milter support
    [ ] MTA_STS          Enable MTA-STS support (option SOCKETMAP and T
    [ ] TLS_CERT_CHAIN   Enable certificate chain file support (incompa
    [x] DOCS             Build and/or install documentation
                         < OK >   <Cancel>

I didn't change any options. Should I have?

Then, of course, "make" and "make install", and then follow the instructions that are printed out at the conclusion of the last step.

Next, in my freebsd.mc file, I added this:

    define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/my-site-name.com')dnl
    define(`confCACERT_PATH', `CERT_DIR')dnl
    define(`confCACERT', `CERT_DIR/chain.pem')dnl
    define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
    define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
    define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
    define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl

(except of course, I changed "my-site-name.com" to the actual directory where my certs are)

(I've been using letsencrypt since late 2017 to generate certificates for the few websites I host.)

I changed mailer.conf (both copies) to this:

    sendmail    /usr/local/sbin/sendmail
    send-mail   /usr/local/sbin/sendmail
    mailq       /usr/local/sbin/sendmail
    newaliases  /usr/local/sbin/sendmail
    hoststat    /usr/local/sbin/sendmail
    purgestat   /usr/local/sbin/sendmail

so that the sendmail from ports is chosen.

I run "make" in the /etc/mail directory, and "make stop" and "make start" to restart sendmail.

I found that I had to "chmod 600 privkey.pem" to get sendmail to not complain about that file being group readable:

    Feb  9 19:51:39 my-site sm-mta[38802]: STARTTLS=client: file /usr/local/etc/letsencrypt/live/my-site-name.com-0001/privkey.pem unsafe: Group readable file

When I run this test:

    openssl s_client -connect localhost:25 -starttls smtp -showcerts

I get this response, showing that STARTTLS isn't announced:

    CONNECTED(00000003)
    Didn't find STARTTLS in server response, trying anyway...
    547012608:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 323 bytes and written 326 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

If I telnet into my server, I see this:

    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.casano.com ESMTP Sendmail 8.17.1/8.17.1; Thu, 9 Feb 2023 18:36:46 -0500 (EST)
    ehlo m2.casano.com
    250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-DELIVERBY
    250 HELP
    quit

So no announcement of STARTTLS there, either. The sendmail version is the one from ports. The "stock" version is 8.16.1, as seen here from an earlier test before I enabled the ports version:

    220 mail.casano.com ESMTP Sendmail 8.16.1/8.16.1; Wed, 8 Feb 2023 16:34:35 -0500 (EST)

I do see this in /var/log/maillog:

    Feb  9 19:51:14 my-site sm-mta[38691]: STARTTLS=client, relay=aero4.stememail.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_128_GCM_SHA256, bits=128/128

which looks promising, but then why do the other tests not show STARTTLS present?

I think this recitation includes all the changes I made to try to get this working. What am I missing? Are there any tutorials written in this decade for doing this?

If you want to poke at my mail server, feel free: mail.casano.com

Thanks,
Bill Dudley
New Jersey, USA

This email is free of malware because I run Linux.
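The three checks the post performs by hand (is STARTTLS in the EHLO reply, is the private key owner-only, what does a STARTTLS= maillog line actually say) as an added POSIX shell script; this is not code from the original post, and the sample transcripts, log line and host names are constructed. probe_ehlo assumes nc(1) is installed on the host.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the symptoms
# described above. All sample data below is constructed; only probe_ehlo
# touches a live MTA and it assumes nc(1) is available.

# Return 0 if the EHLO transcript on stdin advertises STARTTLS.
ehlo_offers_starttls() {
    grep -qE '^250[- ]STARTTLS'
}

# Return 0 if the key file is readable by its owner only (0600 or 0400),
# which is what sendmail's "unsafe: Group readable file" complaint demands.
key_mode_ok() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perm" in
        -r[w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the role from a maillog STARTTLS= line: "client" is this host
# delivering outbound (what the post's log shows), "server" is an inbound
# peer that negotiated TLS with us. Only the latter proves EHLO offers it.
starttls_role() {
    sed -n 's/.*STARTTLS=\([a-z]*\)[,:].*/\1/p'
}

# Print the verify= result (OK, FAIL, NO, ...) from the same kind of line.
starttls_verify() {
    sed -n 's/.*STARTTLS=[a-z]*,.*verify=\([A-Za-z]*\),.*/\1/p'
}

# Live probe of a running MTA (assumes nc(1); not exercised offline).
probe_ehlo() {
    printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "${1:-localhost}" 25
}

# Constructed samples shaped like the post's transcript and log line.
SAMPLE_EHLO_NO_TLS='220 mail.example.com ESMTP Sendmail 8.17.1/8.17.1
250-mail.example.com Hello localhost [127.0.0.1], pleased to meet you
250-AUTH PLAIN LOGIN
250 HELP'
SAMPLE_EHLO_TLS='220 mail.example.com ESMTP Sendmail 8.17.1/8.17.1
250-mail.example.com Hello localhost [127.0.0.1], pleased to meet you
250-STARTTLS
250-AUTH PLAIN LOGIN
250 HELP'
SAMPLE_LOG='Feb  9 19:51:14 my-site sm-mta[38691]: STARTTLS=client, relay=mx.example.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_128_GCM_SHA256, bits=128/128'
```

Run `probe_ehlo mail.example.com | ehlo_offers_starttls` against a live host to get the same yes/no answer the openssl s_client test gives, without the misleading "wrong version number" noise.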