freebsd using sendmail with tls

Matthew Seaman m.seaman at
Sat Nov 10 08:22:31 PST 2007


Jonathan Horne wrote:
> i know, slightly off topic, but is *on* a freebsd server... right?
> my smtp is the only remaining part of my email system, that has no encryption 
> options, and i think i would like to add tls (even tho i rarely send smtp 
> mail from outside my lan).  my setup is right now, fairly basic (only 
> includes spamassassin, sasl2, and procmail).  even tho i dont know much about it, 
> i say tls instead of ssl, as i have a few outlook clients, that would surely 
> annoy me 'do you really want to use this certificate', and it would surely be 
> each time i sent a mail.  im also assuming that hopefully tls might not do 
> this.

Adding TLS / SSL capability to the stock FreeBSD sendmail is easy.
You need something like the following in your /etc/mail/$(hostname).cf:

define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

This defines two keys and certs for sendmail to use -- one set for
where sendmail is the server and the other for where it is the client.
As shown, you can use the same key and cert for either role, and it
will work pretty well all the time.  Occasionally however you may run
into systems that get snotty about the distinction between client and
server certs -- in that case, the STARTTLS negotiation would fail
and you'd probably end up sending the message in plain text.  That's
not a huge disadvantage given that the majority of mail systems on the
net don't offer the possibility of TLS in any case.

Unlike, e.g., HTTPS, there's no big thing about buying a server cert signed
by one of the well known CAs -- TLS is more about anti-snooping than
assurance of the other party's identity.  While you can get e-mail certs
from, e.g., Thawte for free, they are generally aimed at use in e-mail
client applications.  E-mail servers almost exclusively use self-signed
certificates.  To generate a self-signed cert, you can follow the
instructions here:

That's a very basic set of instructions. There are some more expansive
general instructions on setting up TLS at:

You don't need to worry about the section of the instructions about
compiling sendmail with SSL support -- that's all already enabled in the 
system sendmail.

> before i spend hours and hours googling out my instructions on how to so do, 
> does the tls session operate over the standard port 25, or is this what is 
> referred to as the smtps port?  and if so, can the server accept either 
> version over the same port?

E-mails generally use the 'STARTTLS' approach -- that is, you make
an initial unencrypted connection on the usual port 25 and then turn
that into an encrypted connection over the same port numbers.

There is an alternative approach using port 465, where encryption
is assumed from the very beginning (much more like how HTTPS works).
This is not used by the majority of MTAs out there on the 'net -- I
believe it exists to support certain client software that can't do
STARTTLS when submitting new messages.

If you're using, e.g., Thunderbird, then it supports STARTTLS perfectly
well and you only need port 25 -- possibly port 587 if you want to be
compliant with RFC 2476.
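As an added check (my own example, not code from this thread or from the sendmail project): once the certs above are in place, this script confirms that an MTA advertises STARTTLS in its EHLO reply, upgrades the session, and reports whether the certificate it presents is self-signed. The host, port and cafile arguments are assumptions; the EHLO reply and certificate dicts are constructed so the parsing and self-signed checks run offline.

```python
import smtplib
import ssl

# Constructed EHLO reply in the shape the stock FreeBSD sendmail sends (not a real capture).
EHLO_REPLY = (b"250-mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you\r\n"
              b"250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250-SIZE\r\n"
              b"250-STARTTLS\r\n250 HELP\r\n")

# Constructed ssl.getpeercert()-style dicts: a self-signed cert has issuer == subject.
SELF_SIGNED_CERT = {"subject": ((("commonName", "mail.example.org"),),),
                    "issuer": ((("commonName", "mail.example.org"),),)}
CA_SIGNED_CERT = {"subject": ((("commonName", "mail.example.org"),),),
                  "issuer": ((("commonName", "Example CA"),),)}


def parse_ehlo(reply: bytes) -> set:
    """Lower-cased ESMTP keywords from a raw EHLO reply: line 1 is the greeting,
    each later '250-KEYWORD ...' / '250 KEYWORD' line names one extension."""
    keywords = set()
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        parts = line[4:].split()
        if line[:3] == "250" and parts:
            keywords.add(parts[0].lower())
    return keywords


def is_self_signed(cert: dict) -> bool:
    """True when a getpeercert() dict names the same entity as subject and issuer."""
    return bool(cert.get("subject")) and cert.get("subject") == cert.get("issuer")


def check_starttls(host, port=25, cafile=None) -> dict:
    """Connect, require STARTTLS in the EHLO reply, upgrade, and describe the session.
    cafile is the PEM the server cert chains to; for a self-signed sendmail cert that is
    the cert itself (confCACERT above), so verification passes and getpeercert() is filled."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        code, _ = smtp.ehlo()
        if code != 250 or not smtp.has_extn("starttls"):
            return {"starttls": False, "reason": f"EHLO returned {code}; STARTTLS not offered"}
        smtp.starttls(context=ctx)      # raises smtplib.SMTPException if the upgrade fails
        cert = smtp.sock.getpeercert()  # non-empty only because the cert verified
        return {"starttls": True, "protocol": smtp.sock.version(),
                "cipher": smtp.sock.cipher()[0], "subject": cert.get("subject"),
                "self_signed": is_self_signed(cert)}
```

Run `check_starttls("mail.example.org", 25, "/etc/mail/certs/cert.pem")` from your own server to exercise the live path; a `reason` entry instead of a `protocol` entry means the MTA never offered STARTTLS.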



-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:                                              Ramsgate
                                                  Kent, CT11 9PW


More information about the freebsd-questions mailing list