how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?

William Dudley wfdudley at
Thu Mar 23 16:00:11 UTC 2017

To answer your questions:

Yes, I'm using the right .mc file, and yes, I know how to make && make
install && make restart when I make changes to it.  (I assume service
sendmail restart has the same effect as "make restart"; it *looks* the
same when I "tail -f /var/log/maillog").

sockstat | grep sendmail
root     sendmail   78456 3  dgram  -> /var/run/logpriv
root     sendmail   78456 4  tcp4   *:25                  *:*
root     sendmail   78456 5  tcp4   *:465                 *:*
root     sendmail   78456 6  tcp4   *:587                 *:*
smmsp    sendmail   78454 3  dgram  -> /var/run/log

So that seems reasonable.

sockstat | grep -E ':25\>'

returns line two from above, so that's the same.

/etc/mail/access has a handful of address "OK" and address "ERROR" lines
I added to explicitly block or accept various emailers, and this:

   RELAY     OK
GreetPause:    0
GreetPause:localhost    0
GreetPause:localhost.localdomain        0        0
srv_features: S

The relay is for my workstation, on the same LAN (obviously).
The GreetPause lines turn off the greeting delay for certain hosts.

AND -- Ah-hah

Hmmm, I don't remember adding any lines that would turn off STARTTLS,
but that's what srv_features: S does.

I'm SURE I didn't add that.  I certainly didn't add it recently.  Perhaps
it was added by one of the blind alleys I've been sent down ("stunnel"
comes to mind).

So.  Fixed.  Removed that line, "make && make restart" and now STARTTLS
is a capability of sendmail, *again*.

The phone is still unhappy, but that's another problem.
I declare this thread ended.

Thanks everyone, even the snide Mr. Ohlstein, for their time.

Bill Dudley

This email is free of malware because I run Linux.

On Thu, Mar 23, 2017 at 11:27 AM, Matthew Seaman <matthew at>

> On 2017/03/23 15:00, William Dudley wrote:
> > Let's assume that I have no idea what I'm talking about.
> > However, I can successfully report what I SEE.
> >
> > 1. Android's mail app wants to use STARTTLS when it connects to my mail
> > server, for whatever reason (send or receive) isn't important now.  It
> > wants it, and I want it to be happy, or else it doesn't work.
> Ah -- in this case, you've potentially got two different software
> systems that could involve STARTTLS.  sendmail would only be involved
> when you send an e-mail.  Otherwise your android device will be
> connecting to an IMAP server -- and that could either be configured to
> listen on port 143 (the port for unencrypted IMAP) and expect to use
> STARTTLS to upgrade to an encrypted connection; or it could listen on
> port 993 which expects TLS straight away.  There is a move by IANA (I
> think) to prefer STARTTLS type mechanisms and so recover all of the
> duplicated-except-for-requiring-TLS port numbers out of /etc/services.
> But, as you say, the sendmail problems need sorting anyhow.  Time to
> worry about IMAP later.
> > 2. When I telnet to port 25 of my mail server, sendmail does NOT announce
> > as one of its capabilities.  This, despite my having all the
> > incantations *apparently* correct in my, fresh self signed cert and
> > key file in /etc/mail/certs, and various other
> > things that have been suggested/intimated by various sources.
> Hmmm... well, I don't understand why it isn't working for you.  The
> sendmail in FreeBSD-10.3 is supplied with STARTTLS capabilities compiled
> in and should have certs and keys created for it at install time.
> > It would be nice to solve the problem stated in the Subject of this
> > insanely long thread:
> >
> > Why is my sendmail refusing to announce STARTTLS ?
> It is almost certainly some trivial little oversight, but it's
> impossible to say what that might be.  I'm sure you've been through all
> this already, but have you checked and rechecked the simple and obvious
> stuff:
>    * Have you built and installed a fresh sendmail config:
>       # cd /etc/mail
>       # make
>       # make install
>    * Are you editing the correct .mc file?  The one you want is
>      ${hostname}.mc -- where ${hostname} (if it isn't obvious) is the
>      hostname of your machine.  If this doesn't exist, typing 'make'
>      will create it for you.
>    * Did you restart sendmail after the last config update?
>       # service sendmail restart
>    * Is sendmail listening on the IP numbers and ports you expect it to
>      be listening on?  Or is it some other piece of software
>      entirely answering on port 25?
>       # sockstat | grep sendmail
>       # sockstat | grep -E ':25\>'
>      will provide clues.
>    * Do you have anything in /etc/mail/access ?
>    * What's in /etc/mail/mailwrapper ?
>         Cheers,
>         Matthew
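
Added example, not part of the original messages: a shell check for the cause found in this thread, an srv_features entry in the access file whose flags include an uppercase S, plus a check of a saved EHLO reply for the STARTTLS keyword. The function names, the sample file contents and the host name mail.example.org are constructed for illustration.

```shell
#!/bin/sh
# starttls_disabled FILE
# Print "line N: KEY FLAGS" for each srv_features entry in a sendmail access
# file whose flags contain an uppercase S (do not offer STARTTLS).
# Exit status: 0 if at least one such entry exists, 1 if none.
starttls_disabled() {
    awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        tolower($1) ~ /^srv_features:/ {       # makemap folds key case by default
            flags = ""
            for (i = 2; i <= NF; i++) flags = flags $i
            if (index(flags, "S")) {           # index() is case-sensitive
                printf "line %d: %s %s\n", NR, $1, flags
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# ehlo_offers_starttls FILE
# FILE holds the server reply to EHLO, as captured from a telnet session.
# Exit status 0 if STARTTLS is advertised, 1 if not.
ehlo_offers_starttls() {
    tr -d '\r' < "$1" | grep -Eqi '^250[- ]STARTTLS$'
}

# Constructed sample input modelled on the entries quoted in the post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/access" <<'EOF'
GreetPause:localhost    0
# srv_features: S   (commented out, so it is ignored)
srv_features: S
EOF
printf '250-mail.example.org Hello\r\n250-PIPELINING\r\n250 HELP\r\n' \
    > "$demo_dir/ehlo"

starttls_disabled "$demo_dir/access" \
    || echo "no srv_features entry disables STARTTLS"
ehlo_offers_starttls "$demo_dir/ehlo" \
    || echo "EHLO reply does not advertise STARTTLS"
rm -rf "$demo_dir"
```

On a live system the first function would be pointed at /etc/mail/access; after removing an offending line the map still has to be rebuilt and sendmail restarted, as described in the message above.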
