Date: Mon, 20 Mar 2017 09:13:10 -0400 From: William Dudley <wfdudley@gmail.com> To: Patrick Mahan <mahan@mahan.org> Cc: freebsd-questions@freebsd.org Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ? Message-ID: <CAFsnNZ%2B_Z-fCH2sHaXxH42KLmWGApqZJWamcy1AOS0oJnYqckA@mail.gmail.com> In-Reply-To: <a990c9a0-fe31-742b-a1bc-56fdd429d8cc@mahan.org> References: <CAFsnNZLNVqA3PwUavhi62Orqg7i-OEsKo9m2Hsj0dwi%2B3iELmg@mail.gmail.com> <b424d91e-a7f4-57b8-174c-e2522c97107f@mahan.org> <CAFsnNZK5LpRyPTLGocMna1O-R0448ZJQ0qu2ZP%2BaE3w2UWwd8Q@mail.gmail.com> <CAFsnNZ%2B0c4EdQxcesohFcJjraoPYwi2v=wVK-QNFPnD7Wta5mQ@mail.gmail.com> <CAFsnNZL1bVCNuYCAe43uK3n6596HhQFpm8Y8S1ZCkNa_t1wGKw@mail.gmail.com> <a990c9a0-fe31-742b-a1bc-56fdd429d8cc@mahan.org>
next in thread | previous in thread | raw e-mail | index | archive | help
The point of this exercise is to allow my Android phone to access my email on my FreeBSD 10.3 server, using imap. I had it working last year, and then, with nary an error message, it stopped working. So the email client is the native Android email client (on a recent Cyanogen Android). My FreeBSD server runs sendmail, and I've been running my own mail domain for about a decade. My latest guess (and that's all I can do is guess) is that my self-signed certificates expired, and I just need to re-generate them. All the sources on sendmail and STARTTLS that I've seen so far show configs identical to my config, so from this I infer perhaps one or more of my cert files is "bad". stunnel may well be a wonderful program, but I really don't want to figure out how to specify each of the 500 lines in it's config file, especially when the software doesn't run successfully with it's own sample config file. Thanks for your time, Bill Dudley This email is free of malware because I run Linux. On Mon, Mar 20, 2017 at 12:59 AM, Patrick Mahan <mahan@mahan.org> wrote: > On 3/19/17 1:07 PM, William Dudley wrote: > > I commented out the lines starting with checkHost, and started stunnel. > > It does start, and runs as a daemon. However, it doesn't seem to DO > anything. > > > > However, that hasn't changed sendmail's behaviour one iota. > > > > As far as I can tell, stunnel is a massive waste of time. > > > > I don't really want to spend months reading all the stunnel docs to > figure out > > how to get it to work with sendmail. Sendmail is hard enough on it's > own, and > > I can mostly control sendmail (well, except for the STARTTLS problem.) > > > > Thanks, > > Bill Dudley > > > > > > This email is free of malware because I run Linux. > > > > On Sun, Mar 19, 2017 at 9:53 AM, William Dudley <wfdudley@gmail.com > > <mailto:wfdudley@gmail.com>> wrote: > > > > stunnel fails to start with this helpful message: > > > > /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com > > <http://pop.gmail.com>": Specified option name is not valid here > > > > The line it's complaining about is in the EXAMPLE config file. > > > > So this is not going well, at all. > > > > pop.gmail.com <http://pop.gmail.com>; is a valid hostname. I have > no idea > > what stunnel is complaining about. > > > > Okay, Let me share what I do. I believe stunnel needs to run on the same > host > as the sendmail server. > > First, here is some relevant parts from my stunnel config file: > > ; Sample stunnel configuration file by Michal Trojnara 2002-2005 > ; Some options used here may not be adequate for your particular > configuration > ; Please make sure you understand them (especially the effect of chroot > jail) > > ; Certificate/key is needed in server mode and optional in client mode > cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem > ;key = /usr/local/etc/stunnel/mail.pem > > ; Some security enhancements for UNIX systems - comment them out on Win32 > chroot = /var/stunnel/ > setuid = stunnel > setgid = stunnel > ; PID is created inside chroot jail > pid = /stunnel.pid > > ; Some performance tunings > socket = l:TCP_NODELAY=1 > socket = r:TCP_NODELAY=1 > ;compression = rle > > ; Workaround for Eudora bug > ;options = DONT_INSERT_EMPTY_FRAGMENTS > > ; Authentication stuff > verify = 0 > > .... > > ; Some debugging stuff useful for troubleshooting > debug = 7 > output = stunnel.log > > ; Use it for client mode > ;client = yes > > ; Service-level configuration > > [pop3s] > accept = 995 > connect = 110 > > [imaps] > accept = 993 > connect = 143 > > [smtps] > accept = 465 > connect = 25 > > I run dovecot for my imap server which is listening on port 143: > > mahan@ns-/usr/local/etc/stunnel 11 # sockstat | grep 110 > root dovecot 915 22 tcp4 *:110 *:* > > But I connect from my mail clients (ios mail, thunderbird, ...) to port > 993. The > mail clients are all configured to use ssl/tls, *not* startttl. > > My smtp I connect via stunnel over port 465, not port 25 for sending mail. > > So what are you trying to accomplish? The idea is for your accessing these > servers in an encrypted fashion. But from your above description, it > sounds > like you are trying to access your unsecured gmail account using POP3. Not > sure why as the connection from stunnel to pop.gmail.com will be > unsecured. > > What email client are you trying to use? > > Patrick > > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFsnNZ%2B_Z-fCH2sHaXxH42KLmWGApqZJWamcy1AOS0oJnYqckA>