how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
wfdudley at gmail.com
Tue Mar 21 22:57:57 UTC 2017
I've got all the bits that numerous sources say are the correct bits (like
Sendmail in 10.x is able to generate it's OWN certificates. I've let it do
However, sendmail still refuses to announce STARTTLS as a capability.
Surely there must be some way to debug this, instead of just thrashing
Is there a debug variable in sendmail that I can turn up to see exactly
doesn't like about the SSl/TLS stuff?
Failing that, is anyone on this list using self-signed certificates? Do
you know the EXACT
sequence of things to do to get this to work?
I have a funny feeling that the "auto-generated" certs created by sendmail
don't work if you
don't have an official cert from Verisign.
This email is free of malware because I run Linux.
On Mon, Mar 20, 2017 at 9:13 AM, William Dudley <wfdudley at gmail.com> wrote:
> The point of this exercise is to allow my Android phone to access my email
> on my FreeBSD 10.3 server, using imap. I had it working last year, and
> with nary an error message, it stopped working. So the email client is
> the native
> Android email client (on a recent Cyanogen Android). My FreeBSD server
> sendmail, and I've been running my own mail domain for about a decade.
> My latest guess (and that's all I can do is guess) is that my self-signed
> expired, and I just need to re-generate them. All the sources on sendmail
> STARTTLS that I've seen so far show configs identical to my config, so from
> this I infer perhaps one or more of my cert files is "bad".
> stunnel may well be a wonderful program, but I really don't want to figure
> out how
> to specify each of the 500 lines in it's config file, especially when the
> doesn't run successfully with it's own sample config file.
> Thanks for your time,
> Bill Dudley
> This email is free of malware because I run Linux.
> On Mon, Mar 20, 2017 at 12:59 AM, Patrick Mahan <mahan at mahan.org> wrote:
>> On 3/19/17 1:07 PM, William Dudley wrote:
>> > I commented out the lines starting with checkHost, and started stunnel.
>> > It does start, and runs as a daemon. However, it doesn't seem to DO
>> > However, that hasn't changed sendmail's behaviour one iota.
>> > As far as I can tell, stunnel is a massive waste of time.
>> > I don't really want to spend months reading all the stunnel docs to
>> figure out
>> > how to get it to work with sendmail. Sendmail is hard enough on it's
>> own, and
>> > I can mostly control sendmail (well, except for the STARTTLS problem.)
>> > Thanks,
>> > Bill Dudley
>> > This email is free of malware because I run Linux.
>> > On Sun, Mar 19, 2017 at 9:53 AM, William Dudley <wfdudley at gmail.com
>> > <mailto:wfdudley at gmail.com>> wrote:
>> > stunnel fails to start with this helpful message:
>> > /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com
>> > <http://pop.gmail.com>": Specified option name is not valid here
>> > The line it's complaining about is in the EXAMPLE config file.
>> > So this is not going well, at all.
>> > pop.gmail.com <http://pop.gmail.com> is a valid hostname. I have
>> no idea
>> > what stunnel is complaining about.
>> Okay, Let me share what I do. I believe stunnel needs to run on the same
>> as the sendmail server.
>> First, here is some relevant parts from my stunnel config file:
>> ; Sample stunnel configuration file by Michal Trojnara 2002-2005
>> ; Some options used here may not be adequate for your particular
>> ; Please make sure you understand them (especially the effect of chroot
>> ; Certificate/key is needed in server mode and optional in client mode
>> cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem
>> ;key = /usr/local/etc/stunnel/mail.pem
>> ; Some security enhancements for UNIX systems - comment them out on Win32
>> chroot = /var/stunnel/
>> setuid = stunnel
>> setgid = stunnel
>> ; PID is created inside chroot jail
>> pid = /stunnel.pid
>> ; Some performance tunings
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> ;compression = rle
>> ; Workaround for Eudora bug
>> ;options = DONT_INSERT_EMPTY_FRAGMENTS
>> ; Authentication stuff
>> verify = 0
>> ; Some debugging stuff useful for troubleshooting
>> debug = 7
>> output = stunnel.log
>> ; Use it for client mode
>> ;client = yes
>> ; Service-level configuration
>> accept = 995
>> connect = 110
>> accept = 993
>> connect = 143
>> accept = 465
>> connect = 25
>> I run dovecot for my imap server which is listening on port 143:
>> mahan at ns-/usr/local/etc/stunnel 11 # sockstat | grep 110
>> root dovecot 915 22 tcp4 *:110 *:*
>> But I connect from my mail clients (ios mail, thunderbird, ...) to port
>> 993. The
>> mail clients are all configured to use ssl/tls, *not* startttl.
>> My smtp I connect via stunnel over port 465, not port 25 for sending mail.
>> So what are you trying to accomplish? The idea is for your accessing
>> servers in an encrypted fashion. But from your above description, it
>> like you are trying to access your unsecured gmail account using POP3.
>> sure why as the connection from stunnel to pop.gmail.com will be
>> What email client are you trying to use?
More information about the freebsd-questions