Sendmail and STARTTLS
George Mitchell
george+freebsd at m5p.com
Mon Nov 28 18:16:18 UTC 2016
I have a shiny new Let's Encrypt certificate. I believe it is properly
installed on my mail server, and https://ssl-tools.net/mailservers/
says my certificate is trustworthy and protocol is secure. (I'm not
[yet] using DNS-based authentication.) Despite all these encouraging
signs, my maillog is filled with STARTTLS VERIFY=NO and VERIFY=FAIL
messages. A typical email header entry says:
Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
by mailhost.m5p.com (8.15.2/8.15.2) with ESMTPS id uARD0t70051256
(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
for <george+freebsd at m5p.com>; Sun, 27 Nov 2016 08:01:01 -0500 (EST)
(envelope-from owner-freebsd-hackers at freebsd.org)
My sendmail.cf says:
O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
(When I used the default values, ssl-tools accused me of using a
weak protocol, so I started experimenting with values gleaned from
around the net, to no avail so far.)
What am I doing wrong? How can I enter VERIFY=YES nirvana? -- George
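The triage script below is an added example, not code from the post above and not part of sendmail. It parses sendmail's maillog STARTTLS=server / STARTTLS=client lines (field layout and the documented verify= values from the sendmail operations guide), tallies the outcomes by direction and attaches a one-line explanation to each session. The log lines are constructed samples; the only address taken from the post is the mx2.freebsd.org one. The point it makes is that in a STARTTLS=server line, and in the verify= field of a Received: header written by the receiving host, the result describes the sending MTA's client certificate checked against the receiver's CA bundle, not the receiver's own server certificate; sendmail's success value is verify=OK, and a verified Let's Encrypt server certificate on its own does not change what inbound sessions report. The weak-cipher markers (RC4, DES) are the example's own heuristic; the posted CipherList lists RC4 without a leading "!", so an RC4 session would be flagged here.

```python
import re
from collections import Counter

# Constructed sample lines in sendmail's maillog STARTTLS= format (not real log data;
# hostnames and most addresses are documentation/example values).
SAMPLE_LOG = """\
Nov 27 08:01:01 mailhost sm-mta[51256]: STARTTLS=server, relay=mx2.freebsd.org [8.8.178.116], version=TLSv1.2, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Nov 27 08:05:12 mailhost sm-mta[51301]: STARTTLS=server, relay=mail-out.example.net [192.0.2.10], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Nov 27 08:07:44 mailhost sm-mta[51322]: STARTTLS=client, relay=mx.example.org., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Nov 27 08:09:03 mailhost sm-mta[51340]: STARTTLS=client, relay=mail.example.com., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Nov 27 08:11:30 mailhost sm-mta[51355]: STARTTLS=server, relay=spam.example.invalid [203.0.113.5], version=TLSv1, verify=NO, cipher=AES256-SHA, bits=256/256
Nov 27 08:13:02 mailhost sm-mta[51360]: STARTTLS=server, relay=old.example.edu [198.51.100.7], version=TLSv1, verify=NO, cipher=RC4-SHA, bits=128/128
"""

# One sendmail STARTTLS log entry: role tells which side we were.
STARTTLS_RE = re.compile(
    r"STARTTLS=(?P<role>server|client), relay=(?P<relay>[^,]+), "
    r"version=(?P<version>[^,]+), verify=(?P<verify>[A-Z]+), "
    r"cipher=(?P<cipher>[^,]+), bits=(?P<bits>\d+)/(?P<maxbits>\d+)"
)

# verify= values as documented by sendmail (doc/op).
VERIFY_MEANING = {
    "OK": "peer certificate verified against the local CA bundle",
    "NO": "peer presented no certificate",
    "NOT": "no certificate was requested from the peer",
    "FAIL": "peer presented a certificate that could not be verified (e.g. its CA is not in the local bundle)",
    "NONE": "STARTTLS was not performed",
    "TEMP": "temporary error during verification",
    "PROTOCOL": "protocol error during STARTTLS",
    "SOFTWARE": "TLS handshake failed",
}

WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")  # heuristic, example's own


def parse_starttls(log_text):
    """Return one dict per STARTTLS= line; other maillog lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = STARTTLS_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["bits"] = int(rec["bits"])
            rec["maxbits"] = int(rec["maxbits"])
            records.append(rec)
    return records


def summarize(records):
    """Count (role, verify) pairs, e.g. how many inbound sessions ended in verify=FAIL."""
    return Counter((r["role"], r["verify"]) for r in records)


def has_forward_secrecy(cipher):
    """Ephemeral (EC)DH suites only; static RSA key exchange has no forward secrecy."""
    return cipher.startswith(("ECDHE-", "DHE-", "EDH-"))


def diagnose(rec):
    """Explain one session: whose certificate verify= refers to, and protocol/cipher hygiene."""
    notes = []
    role, verify = rec["role"], rec["verify"]
    if role == "server" and verify in ("NO", "FAIL"):
        notes.append(
            "inbound: verify= reports the REMOTE CLIENT's certificate, not this server's; "
            "most sending MTAs present no cert, or one this host's CA bundle cannot chain, so this is normal"
        )
    elif role == "client" and verify == "FAIL":
        notes.append(
            "outbound: the remote server's chain did not verify against this host's CA bundle "
            "(confCACERT_PATH / confCACERT); add the missing CA or expect FAIL"
        )
    else:
        notes.append(VERIFY_MEANING.get(verify, "unknown verify value"))
    if rec["version"] in WEAK_VERSIONS:
        notes.append(f"weak protocol {rec['version']}; disable it via ServerSSLOptions/ClientSSLOptions")
    if any(marker in rec["cipher"] for marker in WEAK_CIPHER_MARKERS):
        notes.append(f"weak cipher {rec['cipher']}; exclude it in CipherList")
    elif not has_forward_secrecy(rec["cipher"]):
        notes.append(f"cipher {rec['cipher']} has no forward secrecy")
    return "; ".join(notes)


def report(log_text):
    """Per-session lines suitable for a quick look at a day's maillog."""
    return [f"{r['role']:6} {r['relay']:45} verify={r['verify']:4} {diagnose(r)}"
            for r in parse_starttls(log_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    for (role, verify), n in sorted(summarize(parse_starttls(SAMPLE_LOG)).items()):
        print(f"{role}/{verify}: {n}")
```

Run it against the real file with `report(open("/var/log/maillog").read())`; the counts for the server role show how many sending MTAs presented a certificate at all, which is the number that bounds how many inbound verify=OK entries are even possible.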