how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
Matthew Seaman
matthew at FreeBSD.org
Sun Mar 19 23:02:54 UTC 2017
On 19/03/2017 20:04, William Dudley wrote:
> I have all of the stuff you referenced in my ${hostname}.mc.
>
> I have a dh.param in /etc/mail/certs
>
> And yet,
>
> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 mail.casano.com ESMTP Sendmail 8.15.2/8.15.2; Sun, 19 Mar 2017 16:02:48 -0400 (EDT)
> ehlo localhost
> 250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-ETRN
> 250-DELIVERBY
> 250 HELP
> quit
> 221 2.0.0 mail.casano.com closing connection
> Connection closed by foreign host.
>
> in which STARTTLS is conspicuous by its absence.
>
> Surely I am missing some crucial, undocumented step.
>
> Is there anything else I should check?
>
The chapter and verse on setting this up is here:
http://www.sendmail.org/~ca/email/starttls.html
You really only need the stuff on that page up to the 'Operation' section.
Do you have the symbolic link of the cacert hash pointing at the cacert?
Like so:
lucid-nonsense:/etc/mail/certs:% ls -la
total 36
drwxr-xr-x 2 root wheel 7 Jul 19 2016 ./
drwxr-xr-x 3 root wheel 22 Feb 5 12:37 ../
lrwxr-xr-x 1 root wheel 10 Jul 19 2016 5d402486.0@ -> cacert.pem
-rw-r--r-- 1 root wheel 1367 Jul 19 2016 cacert.pem
-rw-r--r-- 1 root wheel 424 May 21 2015 dh.param
-rw-r--r-- 1 root wheel 1415 Jul 19 2016 host.cert
-rw------- 1 root wheel 1704 Jul 19 2016 host.key
If you need to, create that by:
ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0
Also check permissions -- the host.key file should be owned by
root:wheel and mode 0600 as shown here.
Check in /var/log/maillog for any relevant messages from when you
restarted sendmail or tried sending or receiving messages.
One final sanity check: does the output from 'sendmail -d0.1' show that
it was compiled with STARTTLS? If not, then you'll need to choose one
of the following:
* Install sendmail from ports, compiled with the necessary settings
* Tweak settings in your src.conf or make.conf and rebuild sendmail
from the system sources.[*]
* Upgrade to 11.0, where all this stuff definitely is enabled already.
Cheers,
Matthew
[*] ISTR that this sort of thing was not necessary for STARTTLS support,
but it is necessary for SASL support. However those neurons have mostly
been recycled, since I switched to postfix for all my e-mail needs some
time ago and have never looked back.
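The checks above (hash link, file set, host.key ownership and mode) scripted as a POSIX sh function; this is an added example, not code from Matthew's reply or from the sendmail documentation. It assumes the file names from the listing above (cacert.pem, host.cert, host.key, dh.param) and takes the CA-cert hash as an argument so the layout check itself does not depend on openssl.

```shell
#!/bin/sh
# Added example: sanity-check a sendmail STARTTLS certificate directory
# such as /etc/mail/certs. File names are assumed from the listing in the reply.

# Print the OpenSSL subject-name hash of a PEM certificate (needs openssl).
# Note: OpenSSL 1.0.0 changed this hash, so re-create the link after upgrades.
cacert_hash() {
    openssl x509 -noout -hash -in "$1"
}

# check_mail_certs DIR HASH [OWNER:GROUP]
# Returns 0 when every check passes; otherwise prints each problem and returns 1.
check_mail_certs() {
    dir=$1; cahash=$2; want_owner=${3:-root:wheel}; rc=0
    for f in cacert.pem host.cert host.key dh.param; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; rc=1; }
    done
    # sendmail's confCACERT_PATH lookup needs the <hash>.0 link to the CA cert.
    link="$dir/$cahash.0"
    if [ ! -L "$link" ]; then
        echo "missing hash link: $link -> cacert.pem"; rc=1
    elif [ "$(basename "$(readlink "$link")")" != cacert.pem ]; then
        echo "hash link $link points at $(readlink "$link"), not cacert.pem"; rc=1
    fi
    # host.key must be private: mode 0600 and owned by the expected user:group.
    if [ -f "$dir/host.key" ]; then
        set -- $(ls -ld "$dir/host.key")
        mode=${1%[+@]}; owner="$3:$4"
        [ "$mode" = "-rw-------" ] || { echo "host.key mode is $mode, want -rw------- (0600)"; rc=1; }
        [ "$owner" = "$want_owner" ] || { echo "host.key owned by $owner, want $want_owner"; rc=1; }
    fi
    return $rc
}

# Typical use on the mail host (needs openssl); a missing link is created with
#   ln -s cacert.pem "$(cacert_hash /etc/mail/certs/cacert.pem).0"
if [ "${1:-}" = "--run" ]; then
    check_mail_certs /etc/mail/certs "$(cacert_hash /etc/mail/certs/cacert.pem)"
fi
```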