how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?

William Dudley wfdudley at gmail.com
Wed Mar 22 14:14:26 UTC 2017 

Turning up the debug level (thanks for pointing out the "code" for that)
revealed this message as sendmail starts:

STARTTLS: CRLFile missing

So I googled that, and found this post (about sendmail on Linux, but the
answer seemed generic enough)

http://www.linuxweblog.com/blogs/sandip/20071019/starttls-crlfile-missing-resolved

So I download all 8Meg of revoke.crl, , put the pointer to the file in
hostname.mc, rebuild hostname.cf, and restart sendmail.

Mar 22 10:09:31 dudley sm-msp-queue[78358]: starting daemon (8.15.2):
queueing at 00:30:00
Mar 22 10:09:31 dudley sm-mta[78360]: starting daemon (8.15.2):
SMTP+queueing at 00:30:00
Mar 22 10:09:31 dudley sm-mta[78360]: STARTTLS=server, Diffie-Hellman init,
key=1024 bit (/)
Mar 22 10:09:31 dudley sm-mta[78360]: STARTTLS=server, init=1
Mar 22 10:09:31 dudley sm-mta[78360]: started as: /usr/sbin/sendmail -L
sm-mta -bd -q30m

STILL BROKEN, but now there's no error message to give me a clue what is
wrong.

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.casano.com ESMTP Sendmail 8.15.2/8.15.2; Wed, 22 Mar 2017 10:10:14
-0400 (EDT)
ehlo localhost
250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.casano.com closing connection
Connection closed by foreign host.

Any ideas?

Thanks,
Bill Dudley


This email is free of malware because I run Linux.

On Wed, Mar 22, 2017 at 2:02 AM, Wayne Sierke <ws at au.dyndns.ws> wrote:

> On Tue, 2017-03-21 at 18:57 -0400, William Dudley wrote:
> > I've got all the bits that numerous sources say are the correct bits
> > (like
> > in hostname.mc).
> >
> > Sendmail in 10.x is able to generate it's OWN certificates.  I've let it
> do
> > just that.
> >
> > However, sendmail still refuses to announce STARTTLS as a capability.
> >
> > Surely there must be some way to debug this, instead of just thrashing
> > about randomly.
> >
> > Is there a debug variable in sendmail that I can turn up to see exactly
> > what sendmail
> > doesn't like about the SSl/TLS stuff?
>
> Certainly. Increasing the loglevel was suggested on the page that
> Matthew linked for you earlier.
>
> Add this to your <hostname>.mc:
>
> define(`confLOG_Level', `14')
>
> These may help, too:
> https://forums.freebsd.org/threads/52471/
> https://lists.freebsd.org/pipermail/freebsd-questions/
> 2012-August/244636.html
>
>
> >
> > Failing that, is anyone on this list using self-signed certificates?  Do
> > you know the EXACT
> > sequence of things to do to get this to work?
> >
> > I have a funny feeling that the "auto-generated" certs created by
> sendmail
> > don't work if you
> > don't have an official cert from Verisign.
> >
> > Bill Dudley
> >
> >
> > This email is free of malware because I run Linux.
> >
> > On Mon, Mar 20, 2017 at 9:13 AM, William Dudley <wfdudley at gmail.com>
> wrote:
> >
> > >
> > > The point of this exercise is to allow my Android phone to access my
> email
> > > on my FreeBSD 10.3 server, using imap.  I had it working last year, and
> > > then,
> > > with nary an error message, it stopped working.  So the email client is
> > > the native
> > > Android email client (on a recent Cyanogen Android).  My FreeBSD server
> > > runs
> > > sendmail, and I've been running my own mail domain for about a decade.
> > >
> > > My latest guess (and that's all I can do is guess) is that my
> self-signed
> > > certificates
> > > expired, and I just need to re-generate them.  All the sources on
> sendmail
> > > and
> > > STARTTLS that I've seen so far show configs identical to my config, so
> from
> > > this I infer perhaps one or more of my cert files is "bad".
> > >
> > > stunnel may well be a wonderful program, but I really don't want to
> figure
> > > out how
> > > to specify each of the 500 lines in it's config file, especially when
> the
> > > software
> > > doesn't run successfully with it's own sample config file.
> > >
> > > Thanks for your time,
> > > Bill Dudley
> > >
> > >
> > > This email is free of malware because I run Linux.
> > >
> > > On Mon, Mar 20, 2017 at 12:59 AM, Patrick Mahan <mahan at mahan.org>
> wrote:
> > >
> > > >
> > > > On 3/19/17 1:07 PM, William Dudley wrote:
> > > > >
> > > > > I commented out the lines starting with checkHost, and started
> stunnel.
> > > > > It does start, and runs as a daemon.  However, it doesn't seem to
> DO
> > > > anything.
> > > > >
> > > > >
> > > > > However, that hasn't changed sendmail's behaviour one iota.
> > > > >
> > > > > As far as I can tell, stunnel is a massive waste of time.
> > > > >
> > > > > I don't really want to spend months reading all the stunnel docs to
> > > > figure out
> > > > >
> > > > > how to get it to work with sendmail.  Sendmail is hard enough on
> it's
> > > > own, and
> > > > >
> > > > > I can mostly control sendmail (well, except for the STARTTLS
> problem.)
> > > > >
> > > > > Thanks,
> > > > > Bill Dudley
> > > > >
> > > > >
> > > > > This email is free of malware because I run Linux.
> > > > >
> > > > > On Sun, Mar 19, 2017 at 9:53 AM, William Dudley <
> wfdudley at gmail.com
> > > > > wfdudley at gmail.com>> wrote:
> > > > >
> > > > >     stunnel fails to start with this helpful message:
> > > > >
> > > > >     /usr/local/etc/stunnel/stunnel.conf:68: "checkHost =
> pop.gmail.com
> > > > >     <http://pop.gmail.com>": Specified option name is not valid
> here
> > > > >
> > > > >     The line it's complaining about is in the EXAMPLE config file.
> > > > >
> > > > >     So this is not going well, at all.
> > > > >
> > > > >     pop.gmail.com <http://pop.gmail.com> is a valid hostname.  I
> have
> > > > no idea
> > > > >
> > > > >     what stunnel is complaining about.
> > > > >
> > > > Okay, Let me share what I do.  I believe stunnel needs to run on the
> same
> > > > host
> > > > as the sendmail server.
> > > >
> > > > First, here is some relevant parts from my stunnel config file:
> > > >
> > > > ; Sample stunnel configuration file by Michal Trojnara 2002-2005
> > > > ; Some options used here may not be adequate for your particular
> > > > configuration
> > > > ; Please make sure you understand them (especially the effect of
> chroot
> > > > jail)
> > > >
> > > > ; Certificate/key is needed in server mode and optional in client
> mode
> > > > cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem
> > > > ;key = /usr/local/etc/stunnel/mail.pem
> > > >
> > > > ; Some security enhancements for UNIX systems - comment them out on
> Win32
> > > > chroot = /var/stunnel/
> > > > setuid = stunnel
> > > > setgid = stunnel
> > > > ; PID is created inside chroot jail
> > > > pid = /stunnel.pid
> > > >
> > > > ; Some performance tunings
> > > > socket = l:TCP_NODELAY=1
> > > > socket = r:TCP_NODELAY=1
> > > > ;compression = rle
> > > >
> > > > ; Workaround for Eudora bug
> > > > ;options = DONT_INSERT_EMPTY_FRAGMENTS
> > > >
> > > > ; Authentication stuff
> > > > verify = 0
> > > >
> > > > ....
> > > >
> > > > ; Some debugging stuff useful for troubleshooting
> > > > debug = 7
> > > > output = stunnel.log
> > > >
> > > > ; Use it for client mode
> > > > ;client = yes
> > > >
> > > > ; Service-level configuration
> > > >
> > > > [pop3s]
> > > > accept  = 995
> > > > connect = 110
> > > >
> > > > [imaps]
> > > > accept  = 993
> > > > connect = 143
> > > >
> > > > [smtps]
> > > > accept  = 465
> > > > connect = 25
> > > >
> > > > I run dovecot for my imap server which is listening on port 143:
> > > >
> > > > mahan at ns-/usr/local/etc/stunnel 11 # sockstat | grep 110
> > > > root     dovecot    915   22 tcp4   *:110                 *:*
> > > >
> > > > But I connect from my mail clients (ios mail, thunderbird, ...) to
> port
> > > > 993.  The
> > > > mail clients are all configured to use ssl/tls, *not* startttl.
> > > >
> > > > My smtp I connect via stunnel over port 465, not port 25 for sending
> mail.
> > > >
> > > > So what are you trying to accomplish?  The idea is for your accessing
> > > > these
> > > > servers in an encrypted fashion.  But from your above description, it
> > > > sounds
> > > > like you are trying to access your unsecured gmail account using
> POP3.
> > > > Not
> > > > sure why as the connection from stunnel to pop.gmail.com will be
> > > > unsecured.
> > > >
> > > > What email client are you trying to use?
> > > >
> > > > Patrick
> > > >
> > > >
> > > >
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-
> unsubscribe at freebsd.org"
>

More information about the freebsd-questions mailing list