From: Matthew Seaman
To: freebsd-questions@freebsd.org
Date: Sun, 19 Mar 2017 14:34:34 +0000
Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?

On 18/03/2017 22:44, William Dudley wrote:
> A Google search does not reveal a useful answer.
>
> I just want to use a self-signed certificate so I can get my email from my
> FreeBSD mail server to my cell phone. My FreeBSD server runs sendmail.
> I don't really want to switch to postfix, qmail, etc. etc.

Hmm... STARTTLS capability is enabled by default in freebsd.mc in 11.0 -- I think it might be on 10.3 as well.
Anyhow, you need the following sort of thing in your ${hostname}.mc --

    define(`CERT_DIR', `/etc/mail/certs')dnl
    define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
    define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
    define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
    define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
    define(`confCACERT', `CERT_DIR/cacert.pem')dnl
    define(`confCACERT_PATH', `CERT_DIR')dnl
    define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl

and you need to create all of the host.key and host.cert and cacert.pem and dh.param files. That's mostly covered here:

    http://www.sendmail.org/~ca/email/other/cagreg.html

Note that for e-mail purposes you don't generally need a certificate signed by a well-known CA -- just self-signed is fine. With e-mail, it's more important to ensure privacy in transit rather than to identify the party you're corresponding with.

The dh.param file you can generate by:

    openssl dhparam -outform PEM -out dh.param 2048

IIRC adding all this will allow your sendmail install to support STARTTLS, but not make it require STARTTLS. I believe there's a DAEMON_OPTIONS setting to achieve that, but I'd need to look that up. Get hold of the O'Reilly sendmail book if you're interested -- it has details of all this stuff.
Cheers,

Matthew
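The procedure sketched in the reply above (self-signed key and certificate, a CA file for confCACERT, DH parameters for confDH_PARAMETERS, and a check that STARTTLS actually comes up) as an added shell example. It is not from the original post, nor from the FreeBSD or sendmail projects. It follows the self-signed shortcut in the reply rather than the private-CA walk-through on the cagreg page, so the server certificate doubles as cacert.pem. CERT_DIR defaults to the /etc/mail/certs value in the .mc fragment; MAIL_HOST (mail.example.org), the 365-day lifetime and the file-permission choices are assumptions of this example. Invoked as `run` it creates the files; as `test-starttls` it probes the running daemon; with no argument it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original post): create the files the .mc fragment
# refers to, with permissions sendmail accepts, and verify them before restarting.
# CERT_DIR matches define(`CERT_DIR', ...) above; MAIL_HOST is a hypothetical name
# used only for the certificate CN.
set -u

CERT_DIR="${CERT_DIR:-/etc/mail/certs}"
MAIL_HOST="${MAIL_HOST:-mail.example.org}"

# Key pair plus self-signed certificate. -nodes leaves the key unencrypted so
# sendmail can load it at startup; the umask keeps it from ever being readable
# by anyone but root, even before the chmod below.
gen_self_signed() {
    dir=$1 host=$2 days=${3:-365}
    mkdir -p "$dir" && chmod 0755 "$dir"
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$host" -keyout "$dir/host.key" -out "$dir/host.cert" ) || return 1
    chmod 0600 "$dir/host.key"
    chmod 0644 "$dir/host.cert"
    # A self-signed certificate is its own issuer, so it serves as confCACERT...
    cp "$dir/host.cert" "$dir/cacert.pem"
    # ...and confCACERT_PATH is a hashed directory: <subject-hash>.0 -> PEM file.
    ln -sf cacert.pem "$dir/$(openssl x509 -noout -hash -in "$dir/cacert.pem").0"
}

# Diffie-Hellman group for the DHE cipher suites (confDH_PARAMETERS). 2048 bits
# takes a while; that is expected.
gen_dhparams() {
    dir=$1 bits=${2:-2048}
    openssl dhparam -outform PEM -out "$dir/dh.param" "$bits"
}

# The private key must belong to the certificate: compare the RSA moduli.
key_matches_cert() {
    dir=$1
    k=$(openssl rsa -noout -modulus -in "$dir/host.key") || return 1
    c=$(openssl x509 -noout -modulus -in "$dir/host.cert") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The certificate must validate against the CA file the .mc points at. Old
# openssl(1) releases exit 0 even on failure, so read the verdict instead.
cert_verifies() {
    dir=$1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/host.cert" 2>&1 | grep -q ': OK$'
}

# Octal mode of a file, portable across GNU and BSD stat(1).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Everything the .mc fragment names (dh.param aside) must exist, the key must be
# private to root, and key, cert and CA file must agree with each other.
check_files() {
    dir=$1
    for f in host.key host.cert cacert.pem; do
        [ -s "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done
    [ "$(file_mode "$dir/host.key")" = "600" ] || { echo "host.key must be mode 0600" >&2; return 1; }
    key_matches_cert "$dir" || { echo "host.key does not match host.cert" >&2; return 1; }
    cert_verifies "$dir" || { echo "host.cert does not verify against cacert.pem" >&2; return 1; }
}

# After sendmail has been restarted with the fragment in place: confirm EHLO
# advertises STARTTLS and the handshake verifies against our own certificate.
check_starttls() {
    host=$1 cafile=$2
    out=$(openssl s_client -starttls smtp -connect "$host:25" -CAfile "$cafile" </dev/null 2>&1)
    printf '%s\n' "$out" | grep -q 'Verify return code: 0'
}

case "${1-}" in
    run)
        gen_self_signed "$CERT_DIR" "$MAIL_HOST" && gen_dhparams "$CERT_DIR" 2048 &&
        check_files "$CERT_DIR" && echo "certificate material in $CERT_DIR is ready"
        ;;
    test-starttls)
        check_starttls "$MAIL_HOST" "$CERT_DIR/cacert.pem" && echo "STARTTLS ok on $MAIL_HOST"
        ;;
esac
```

The <hash>.0 symlink is what c_rehash would create: sendmail hands confCACERT_PATH to OpenSSL, which looks CA certificates up by subject-name hash, so a bare PEM file in the directory is not found. The s_client check verifies the chain against cacert.pem but does not check the hostname against the CN, which matches the point made in the reply: for opportunistic SMTP encryption the certificate's identity is secondary to getting the session encrypted at all.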