Sendmail and STARTTLS
Gregory Shapiro
gshapiro at freebsd.org
Tue Nov 29 17:42:37 UTC 2016
On Tue, Nov 29, 2016 at 10:49:45AM -0500, George Mitchell wrote:
> On 11/28/16 14:19, George Mitchell wrote:
> > [...]
> >>> What am I doing wrong? How can I enter VERIFY=YES nirvana? -- George
> > [...]
>
> Okay, I have convinced myself that I am misinterpreting what my mail
> log is telling me. I did a packet capture of the last email message
> I received from mx2.freebsd.org, and even though the STARTTLS entry
> tells me "VERIFY=FAIL", the headers and content of the email were
> encrypted anyway. It's just that either mx2.freebsd.org couldn't
> verify that mailhost.m5p.com is really mailhost.m5p.com, or the other
> way around. That's annoying, but the main point of the exercise was to
> encrypt the data, and that's what is happening. So I'm happier now,
> though at some point I would like the identity verification to work
> correctly as well. Baby steps ... -- George
Yes, you were misinterpreting the logs. STARTTLS provides both encryption and authentication. The verify= tells you the result of the authentication portion. When you connect to mx2.freebsd.org, it is telling you whether your MTA can verify it is actually talking to mx2.freebsd.org by verifying the certificate returned by mx2.freebsd.org and comparing it to the list of trusted signers in confCACERT_PATH. Note that has nothing to do with whether mx2.freebsd.org was able to verify your cert unless you see it in a Received header.
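To make the distinction in this reply concrete, here is an added example (not part of the thread or of sendmail) that parses sendmail STARTTLS log lines and reports encryption and certificate verification separately. The log lines are constructed samples in sendmail's STARTTLS logging layout, and the hostnames and addresses are placeholders. A STARTTLS=client record is an outbound connection where the local MTA checked the peer's certificate against confCACERT_PATH; a STARTTLS=server record is an inbound connection where the peer may or may not have presented a certificate.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original thread); hostnames and
# addresses are placeholders. Every STARTTLS= line records an encrypted session;
# the verify= field only reports the result of certificate authentication.
SAMPLE_LOG = """\
Nov 29 10:40:01 mailhost sm-mta[1234]: uATFe1xx001234: STARTTLS=server, relay=mx2.example.org [192.0.2.10], version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Nov 29 10:41:12 mailhost sm-mta[1235]: uATFfCxx001235: STARTTLS=client, relay=mx2.example.org., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Nov 29 10:42:30 mailhost sm-mta[1236]: uATFgUxx001236: STARTTLS=server, relay=smtp.example.net [198.51.100.7], version=TLSv1.2, verify=NO, cipher=AES256-SHA, bits=256/256
Nov 29 10:43:05 mailhost sm-mta[1237]: uATFh5xx001237: STARTTLS=client, relay=mail.example.com., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Nov 29 10:44:00 mailhost sm-mta[1238]: uATFi0xx001238: from=<alice@example.com>, size=1024, class=0, nrcpts=1, proto=ESMTP, relay=plain.example.org [203.0.113.9]
"""

# Matches the fields sendmail logs for a STARTTLS session. verify= values seen
# in practice include OK (cert verified), NO (peer presented no cert) and
# FAIL (cert presented but did not verify against the configured CA path).
STARTTLS_RE = re.compile(
    r"STARTTLS=(?P<role>client|server), relay=(?P<relay>[^,]+), "
    r"version=(?P<version>[^,]+), verify=(?P<verify>[A-Z]+), "
    r"cipher=(?P<cipher>[^,]+), bits=(?P<bits>\d+)/(?P<algbits>\d+)"
)


def parse_starttls(log_text):
    """Return one dict per STARTTLS log line; lines without STARTTLS= are skipped."""
    records = []
    for line in log_text.splitlines():
        m = STARTTLS_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["bits"] = int(rec["bits"])
        # The presence of a STARTTLS= record means the session was encrypted with
        # the named cipher, whatever verify= says.
        rec["encrypted"] = True
        # Only verify=OK means the peer's identity was authenticated by certificate.
        rec["peer_authenticated"] = rec["verify"] == "OK"
        records.append(rec)
    return records


def summarize(records):
    """Count verify= outcomes separately for outbound (client) and inbound (server) sessions.

    For role=client the count reflects how well the local CA path verifies the
    peers we deliver to. For role=server, verify=NO is common and expected, since
    most sending MTAs present no client certificate at all.
    """
    summary = {"client": Counter(), "server": Counter()}
    for rec in records:
        summary[rec["role"]][rec["verify"]] += 1
    return summary


def outbound_unverified_relays(records):
    """Relays we connected to (role=client) whose certificate did not verify locally."""
    return sorted(
        {r["relay"] for r in records if r["role"] == "client" and r["verify"] != "OK"}
    )


if __name__ == "__main__":
    recs = parse_starttls(SAMPLE_LOG)
    for role, counts in summarize(recs).items():
        print(f"{role}: {dict(counts)}")
    print("outbound peers not verified:", outbound_unverified_relays(recs))
```

Run against a real maillog, the interesting list is the outbound one: those are the relays whose certificates the local confCACERT_PATH cannot chain to, and the fix (a missing CA bundle, or a peer with a self-signed cert) sits on one side or the other of each connection, exactly as the reply describes.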