how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?

Patrick Mahan mahan at mahan.org
Mon Mar 20 04:59:44 UTC 2017 

On 3/19/17 1:07 PM, William Dudley wrote:
> I commented out the lines starting with checkHost, and started stunnel.
> It does start, and runs as a daemon.  However, it doesn't seem to DO anything.
> 
> However, that hasn't changed sendmail's behaviour one iota.
> 
> As far as I can tell, stunnel is a massive waste of time.
> 
> I don't really want to spend months reading all the stunnel docs to figure out
> how to get it to work with sendmail.  Sendmail is hard enough on it's own, and
> I can mostly control sendmail (well, except for the STARTTLS problem.)
> 
> Thanks,
> Bill Dudley
> 
> 
> This email is free of malware because I run Linux.
> 
> On Sun, Mar 19, 2017 at 9:53 AM, William Dudley <wfdudley at gmail.com
> <mailto:wfdudley at gmail.com>> wrote:
> 
>     stunnel fails to start with this helpful message:
> 
>     /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com
>     <http://pop.gmail.com>": Specified option name is not valid here
> 
>     The line it's complaining about is in the EXAMPLE config file.
> 
>     So this is not going well, at all.
> 
>     pop.gmail.com <http://pop.gmail.com> is a valid hostname.  I have no idea
>     what stunnel is complaining about.
> 

Okay, Let me share what I do.  I believe stunnel needs to run on the same host
as the sendmail server.

First, here is some relevant parts from my stunnel config file:

; Sample stunnel configuration file by Michal Trojnara 2002-2005
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/stunnel/
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
verify = 0

....

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[pop3s]
accept  = 995
connect = 110

[imaps]
accept  = 993
connect = 143

[smtps]
accept  = 465
connect = 25

I run dovecot for my imap server which is listening on port 143:

mahan at ns-/usr/local/etc/stunnel 11 # sockstat | grep 110
root     dovecot    915   22 tcp4   *:110                 *:*

But I connect from my mail clients (ios mail, thunderbird, ...) to port 993.  The
mail clients are all configured to use ssl/tls, *not* startttl.

My smtp I connect via stunnel over port 465, not port 25 for sending mail.

So what are you trying to accomplish?  The idea is for your accessing these
servers in an encrypted fashion.  But from your above description, it sounds
like you are trying to access your unsecured gmail account using POP3.  Not
sure why as the connection from stunnel to pop.gmail.com will be unsecured.

What email client are you trying to use?

Patrick

More information about the freebsd-questions mailing list