how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?

Matthew Seaman matthew at
Thu Mar 23 15:27:27 UTC 2017

On 2017/03/23 15:00, William Dudley wrote:
> Let's assume that I have no idea what I'm talking about.
> However, I can successfully report what I SEE.
> 1. Android's mail app wants to use STARTTLS when it connects to my mail
> server, for
> whatever reason (send or receive) isn't important now.  It wants it, and I
> want it to be
> happy, or else it doesn't work.

Ah -- in this case, you've potentially got two different software
systems that could involve STARTTLS.  sendmail would only be involved
when you send an e-mail.  Otherwise your android device will be
connecting to an IMAP server -- and that could either be configured to
listen on port 143 (the port for unencrypted IMAP) and expect to use
STARTTLS to upgrade to an encrypted connection; or it could listen on
port 993 which expects TLS straight away.  There is a move by IANA (I
think) to prefer STARTTLS type mechanisms and so recover all of the
duplicated-except-for-requiring-TLS port numbers out of /etc/services.

But, as you say, the sendmail problems need sorting anyhow.  Time to
worry about IMAP later.

> 2. When I telnet to port 25 of my mail server, sendmail does NOT announce
> as one of it's capabilities.  This, despite my having all the incantations
> *apparently" correct
> in my, fresh self signed cert and key file in /etc/mail/certs,
> and various other
> things that have been suggested/intimated by various sources.

Hmmm... well, I don't understand why it isn't working for you.  The
sendmail in FreeBSD-10.3 is supplied with STARTTLS capabilities compiled
in and should have certs and keys created for it at install time.

> It would be nice to solve the problem stated in the Subject of this
> insanely long thread:
> Why is my sendmail refusing to announce STARTTLS ?

It is almost certainly some trivial little oversight, but it's
impossible to say what that might be.  I'm sure you've been through all
this already, but have you checked and rechecked the simple and obvious

   * Have you built and installed a fresh sendmail config:

      # cd /etc/mail
      # make
      # make install

   * Are you editing the correct .mc file?  The one you want is
     ${hostname}.mc -- where ${hostname} (if it isn't obvious) is the
     hostname of your machine.  If this doesn't exist, typing 'make'
     will create it for you.

   * Did you restart sendmail after the last config update?

      # service sendmail restart

   * Is sendmail listening on the IP numbers and ports you expect it to
     be listening on?  Or is it some other piece of software
     entirely answering on port 25?

      # sockstat | grep sendmail
      # sockstat | grep -E ':25\>'

     will provide clues.

   * Do you have anything in /etc/mail/access ?

   * What's in /etc/mail/mailwrapper ?



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 972 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the freebsd-questions mailing list