From owner-freebsd-questions@freebsd.org Wed Mar 22 06:07:39 2017
Message-ID: <1490162531.1981.62.camel@au.dyndns.ws>
Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
From: Wayne Sierke
To: William Dudley
Cc: freebsd-questions@freebsd.org
Date: Wed, 22 Mar 2017 16:32:11 +1030

On Tue, 2017-03-21 at 18:57 -0400, William Dudley wrote:
> I've got all the bits that numerous sources say are the correct bits
> (like
> in hostname.mc).
>
> Sendmail in 10.x is able to generate its OWN certificates. I've let it do
> just that.
>
> However, sendmail still refuses to announce STARTTLS as a capability.
>
> Surely there must be some way to debug this, instead of just thrashing
> about randomly.
>
> Is there a debug variable in sendmail that I can turn up to see exactly
> what sendmail doesn't like about the SSL/TLS stuff?

Certainly. Increasing the loglevel was suggested on the page that Matthew
linked for you earlier.

Add this to your .mc:

define(`confLOG_LEVEL', `14')

These may help, too:

https://forums.freebsd.org/threads/52471/
https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html

> Failing that, is anyone on this list using self-signed certificates?
> Do you know the EXACT sequence of things to do to get this to work?
>
> I have a funny feeling that the "auto-generated" certs created by sendmail
> don't work if you don't have an official cert from Verisign.
>
> Bill Dudley
>
> This email is free of malware because I run Linux.
>
> On Mon, Mar 20, 2017 at 9:13 AM, William Dudley wrote:
> >
> > The point of this exercise is to allow my Android phone to access my email
> > on my FreeBSD 10.3 server, using imap. I had it working last year, and
> > then, with nary an error message, it stopped working. So the email client
> > is the native Android email client (on a recent Cyanogen Android). My
> > FreeBSD server runs sendmail, and I've been running my own mail domain for
> > about a decade.
> >
> > My latest guess (and that's all I can do is guess) is that my self-signed
> > certificates expired, and I just need to re-generate them. All the sources
> > on sendmail and STARTTLS that I've seen so far show configs identical to my
> > config, so from this I infer perhaps one or more of my cert files is "bad".
> >
> > stunnel may well be a wonderful program, but I really don't want to figure
> > out how to specify each of the 500 lines in its config file, especially
> > when the software doesn't run successfully with its own sample config file.
> >
> > Thanks for your time,
> > Bill Dudley
> >
> > This email is free of malware because I run Linux.
> >
> > On Mon, Mar 20, 2017 at 12:59 AM, Patrick Mahan wrote:
> > >
> > > On 3/19/17 1:07 PM, William Dudley wrote:
> > > >
> > > > I commented out the lines starting with checkHost, and started stunnel.
> > > > It does start, and runs as a daemon. However, it doesn't seem to DO
> > > > anything.
> > > >
> > > > However, that hasn't changed sendmail's behaviour one iota.
> > > >
> > > > As far as I can tell, stunnel is a massive waste of time.
> > > >
> > > > I don't really want to spend months reading all the stunnel docs to
> > > > figure out how to get it to work with sendmail. Sendmail is hard enough
> > > > on its own, and I can mostly control sendmail (well, except for the
> > > > STARTTLS problem.)
> > > >
> > > > Thanks,
> > > > Bill Dudley
> > > >
> > > > This email is free of malware because I run Linux.
> > > >
> > > > On Sun, Mar 19, 2017 at 9:53 AM, William Dudley <wfdudley@gmail.com> wrote:
> > > >
> > > >     stunnel fails to start with this helpful message:
> > > >
> > > >     /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com
> > > >     ": Specified option name is not valid here
> > > >
> > > >     The line it's complaining about is in the EXAMPLE config file.
> > > >
> > > >     So this is not going well, at all.
> > > >
> > > >     pop.gmail.com is a valid hostname. I have no idea what stunnel is
> > > >     complaining about.
> > > >
> > > Okay, let me share what I do. I believe stunnel needs to run on the same
> > > host as the sendmail server.
> > >
> > > First, here are some relevant parts from my stunnel config file:
> > >
> > > ; Sample stunnel configuration file by Michal Trojnara 2002-2005
> > > ; Some options used here may not be adequate for your particular configuration
> > > ; Please make sure you understand them (especially the effect of chroot jail)
> > >
> > > ; Certificate/key is needed in server mode and optional in client mode
> > > cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem
> > > ;key = /usr/local/etc/stunnel/mail.pem
> > >
> > > ; Some security enhancements for UNIX systems - comment them out on Win32
> > > chroot = /var/stunnel/
> > > setuid = stunnel
> > > setgid = stunnel
> > > ; PID is created inside chroot jail
> > > pid = /stunnel.pid
> > >
> > > ; Some performance tunings
> > > socket = l:TCP_NODELAY=1
> > > socket = r:TCP_NODELAY=1
> > > ;compression = rle
> > >
> > > ; Workaround for Eudora bug
> > > ;options = DONT_INSERT_EMPTY_FRAGMENTS
> > >
> > > ; Authentication stuff
> > > verify = 0
> > >
> > > ....
> > >
> > > ; Some debugging stuff useful for troubleshooting
> > > debug = 7
> > > output = stunnel.log
> > >
> > > ; Use it for client mode
> > > ;client = yes
> > >
> > > ; Service-level configuration
> > >
> > > [pop3s]
> > > accept  = 995
> > > connect = 110
> > >
> > > [imaps]
> > > accept  = 993
> > > connect = 143
> > >
> > > [smtps]
> > > accept  = 465
> > > connect = 25
> > >
> > > I run dovecot for my imap server which is listening on port 143:
> > >
> > > mahan@ns-/usr/local/etc/stunnel 11 # sockstat | grep 110
> > > root     dovecot    915   22 tcp4   *:110                 *:*
> > >
> > > But I connect from my mail clients (ios mail, thunderbird, ...) to port
> > > 993. The mail clients are all configured to use ssl/tls, *not* STARTTLS.
> > >
> > > My smtp I connect via stunnel over port 465, not port 25 for sending mail.
> > >
> > > So what are you trying to accomplish? The idea is for you to access these
> > > servers in an encrypted fashion. But from your above description, it
> > > sounds like you are trying to access your unsecured gmail account using
> > > POP3. Not sure why, as the connection from stunnel to pop.gmail.com will
> > > be unsecured.
> > >
> > > What email client are you trying to use?
> > >
> > > Patrick
> > >
_______________________________________________
freebsd-questions@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
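The thread's core question is how to tell, from the outside, whether sendmail is actually announcing STARTTLS. The script below is an added example written for this page; it is not code from the thread, from sendmail or from the FreeBSD project. It parses an EHLO reply the way a client does (RFC 5321 multi-line reply: `250-` continuation lines, `250 ` final line, first line is the greeting) and reports the advertised extensions, and it includes a live probe using Python's standard `smtplib` that you can point at a server you administer. The two EHLO replies embedded below are constructed samples modelled on sendmail's output; `mail.example.test` and the `192.0.2.10` address are placeholders, not hosts from the thread.

```python
"""Check whether an SMTP server advertises STARTTLS (added example, not from the thread)."""
import smtplib
import ssl
import sys
from typing import Dict, Set

# Constructed sample EHLO replies, modelled on what sendmail returns.
EHLO_WITH_STARTTLS = """\
250-mail.example.test Hello [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-STARTTLS
250-DELIVERBY
250 HELP
"""

EHLO_WITHOUT_STARTTLS = """\
250-mail.example.test Hello [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-DELIVERBY
250 HELP
"""


def parse_ehlo(response: str) -> Set[str]:
    """Return the set of extension keywords (upper-cased) in a 250 EHLO reply.

    The first line is the server greeting and is skipped; every other line
    contributes its first token as an extension keyword.
    """
    lines = [ln for ln in response.splitlines() if ln.strip()]
    if not lines or not all(ln[:3] == "250" for ln in lines):
        raise ValueError("not a successful (250) EHLO reply")
    keywords: Set[str] = set()
    for ln in lines[1:]:
        body = ln[4:].strip()  # drop the '250-' or '250 ' prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def advertises_starttls(response: str) -> bool:
    """True when the EHLO reply lists STARTTLS among its extensions."""
    return "STARTTLS" in parse_ehlo(response)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, str]:
    """Live check: connect, send EHLO, and if STARTTLS is offered, complete the handshake.

    Verification is disabled on purpose so that a self-signed certificate (the
    thread's setup) still lets us observe whether the server completes TLS;
    this is a diagnostic, not how a production client should be configured.
    """
    result = {"host": host, "starttls": "no"}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return result
        result["starttls"] = "yes"
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        smtp.starttls(context=ctx)
        result["tls_version"] = smtp.sock.version()
        result["cipher"] = smtp.sock.cipher()[0]
    return result


if __name__ == "__main__":
    # Usage: python check_starttls.py mail.example.test [port]  (hypothetical host)
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.test"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(probe_starttls(target, target_port))
```

If `probe_starttls` reports `starttls: no`, the server never offered the extension, which matches the symptom in the thread and means the cause is in sendmail's certificate/key setup rather than the client; the raised log level suggested above is where sendmail explains why it declined to enable the server side of STARTTLS.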