how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?

Wayne Sierke ws at au.dyndns.ws
Wed Mar 22 06:07:39 UTC 2017 

On Tue, 2017-03-21 at 18:57 -0400, William Dudley wrote:
> I've got all the bits that numerous sources say are the correct bits
> (like
> in hostname.mc).
> 
> Sendmail in 10.x is able to generate it's OWN certificates.  I've let it do
> just that.
> 
> However, sendmail still refuses to announce STARTTLS as a capability.
> 
> Surely there must be some way to debug this, instead of just thrashing
> about randomly.
> 
> Is there a debug variable in sendmail that I can turn up to see exactly
> what sendmail
> doesn't like about the SSl/TLS stuff?

Certainly. Increasing the loglevel was suggested on the page that
Matthew linked for you earlier.

Add this to your <hostname>.mc:

define(`confLOG_Level', `14')

These may help, too:
https://forums.freebsd.org/threads/52471/
https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html


> 
> Failing that, is anyone on this list using self-signed certificates?  Do
> you know the EXACT
> sequence of things to do to get this to work?
> 
> I have a funny feeling that the "auto-generated" certs created by sendmail
> don't work if you
> don't have an official cert from Verisign.
> 
> Bill Dudley
> 
> 
> This email is free of malware because I run Linux.
> 
> On Mon, Mar 20, 2017 at 9:13 AM, William Dudley <wfdudley at gmail.com> wrote:
> 
> > 
> > The point of this exercise is to allow my Android phone to access my email
> > on my FreeBSD 10.3 server, using imap.  I had it working last year, and
> > then,
> > with nary an error message, it stopped working.  So the email client is
> > the native
> > Android email client (on a recent Cyanogen Android).  My FreeBSD server
> > runs
> > sendmail, and I've been running my own mail domain for about a decade.
> > 
> > My latest guess (and that's all I can do is guess) is that my self-signed
> > certificates
> > expired, and I just need to re-generate them.  All the sources on sendmail
> > and
> > STARTTLS that I've seen so far show configs identical to my config, so from
> > this I infer perhaps one or more of my cert files is "bad".
> > 
> > stunnel may well be a wonderful program, but I really don't want to figure
> > out how
> > to specify each of the 500 lines in it's config file, especially when the
> > software
> > doesn't run successfully with it's own sample config file.
> > 
> > Thanks for your time,
> > Bill Dudley
> > 
> > 
> > This email is free of malware because I run Linux.
> > 
> > On Mon, Mar 20, 2017 at 12:59 AM, Patrick Mahan <mahan at mahan.org> wrote:
> > 
> > > 
> > > On 3/19/17 1:07 PM, William Dudley wrote:
> > > > 
> > > > I commented out the lines starting with checkHost, and started stunnel.
> > > > It does start, and runs as a daemon.  However, it doesn't seem to DO
> > > anything.
> > > > 
> > > > 
> > > > However, that hasn't changed sendmail's behaviour one iota.
> > > > 
> > > > As far as I can tell, stunnel is a massive waste of time.
> > > > 
> > > > I don't really want to spend months reading all the stunnel docs to
> > > figure out
> > > > 
> > > > how to get it to work with sendmail.  Sendmail is hard enough on it's
> > > own, and
> > > > 
> > > > I can mostly control sendmail (well, except for the STARTTLS problem.)
> > > > 
> > > > Thanks,
> > > > Bill Dudley
> > > > 
> > > > 
> > > > This email is free of malware because I run Linux.
> > > > 
> > > > On Sun, Mar 19, 2017 at 9:53 AM, William Dudley <wfdudley at gmail.com
> > > > wfdudley at gmail.com>> wrote:
> > > > 
> > > >     stunnel fails to start with this helpful message:
> > > > 
> > > >     /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com
> > > >     <http://pop.gmail.com>": Specified option name is not valid here
> > > > 
> > > >     The line it's complaining about is in the EXAMPLE config file.
> > > > 
> > > >     So this is not going well, at all.
> > > > 
> > > >     pop.gmail.com <http://pop.gmail.com> is a valid hostname.  I have
> > > no idea
> > > > 
> > > >     what stunnel is complaining about.
> > > > 
> > > Okay, Let me share what I do.  I believe stunnel needs to run on the same
> > > host
> > > as the sendmail server.
> > > 
> > > First, here is some relevant parts from my stunnel config file:
> > > 
> > > ; Sample stunnel configuration file by Michal Trojnara 2002-2005
> > > ; Some options used here may not be adequate for your particular
> > > configuration
> > > ; Please make sure you understand them (especially the effect of chroot
> > > jail)
> > > 
> > > ; Certificate/key is needed in server mode and optional in client mode
> > > cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem
> > > ;key = /usr/local/etc/stunnel/mail.pem
> > > 
> > > ; Some security enhancements for UNIX systems - comment them out on Win32
> > > chroot = /var/stunnel/
> > > setuid = stunnel
> > > setgid = stunnel
> > > ; PID is created inside chroot jail
> > > pid = /stunnel.pid
> > > 
> > > ; Some performance tunings
> > > socket = l:TCP_NODELAY=1
> > > socket = r:TCP_NODELAY=1
> > > ;compression = rle
> > > 
> > > ; Workaround for Eudora bug
> > > ;options = DONT_INSERT_EMPTY_FRAGMENTS
> > > 
> > > ; Authentication stuff
> > > verify = 0
> > > 
> > > ....
> > > 
> > > ; Some debugging stuff useful for troubleshooting
> > > debug = 7
> > > output = stunnel.log
> > > 
> > > ; Use it for client mode
> > > ;client = yes
> > > 
> > > ; Service-level configuration
> > > 
> > > [pop3s]
> > > accept  = 995
> > > connect = 110
> > > 
> > > [imaps]
> > > accept  = 993
> > > connect = 143
> > > 
> > > [smtps]
> > > accept  = 465
> > > connect = 25
> > > 
> > > I run dovecot for my imap server which is listening on port 143:
> > > 
> > > mahan at ns-/usr/local/etc/stunnel 11 # sockstat | grep 110
> > > root     dovecot    915   22 tcp4   *:110                 *:*
> > > 
> > > But I connect from my mail clients (ios mail, thunderbird, ...) to port
> > > 993.  The
> > > mail clients are all configured to use ssl/tls, *not* startttl.
> > > 
> > > My smtp I connect via stunnel over port 465, not port 25 for sending mail.
> > > 
> > > So what are you trying to accomplish?  The idea is for your accessing
> > > these
> > > servers in an encrypted fashion.  But from your above description, it
> > > sounds
> > > like you are trying to access your unsecured gmail account using POP3.
> > > Not
> > > sure why as the connection from stunnel to pop.gmail.com will be
> > > unsecured.
> > > 
> > > What email client are you trying to use?
> > > 
> > > Patrick
> > > 
> > > 
> > > 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list