Using sendmail as outbound MTA, but with SSL


Matthias Apitz

Dec 19, 2025, 8:47:45 AM
to freebsd-...@freebsd.org

Hello,

Since ages I do use mutt as MUA to read my mail (fetched with IMAPs)
and send outbound via a normal sendmail configuration in my laptop
(configured in /etc/mail/ the normal way with make). All this works
fine, as said since ages, when I'm in Europe. sendmail delivers the mail
by SMTP to port 25 of my ISP smtp.1blu.de.

When I'm in Cuba, connected via mobile data to the Cuban cellphone
network, they block outbound port 25 traffic, for whatever reason and I
have to bypass sendmail with a configuration in mutt to send mails to
smtp.1blu.de:465

I have had a look into the port mail/ssmtp which addresses this problem sending
mail to port 465, but has no queuing etc. of mails.

My question is, is there a way to configure sendmail to use SSL port 465
to the remote mail HUB?

Thanks

matthias


--
Matthias Apitz, ✉ gu...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

Andrea Venturoli

Dec 20, 2025, 5:09:05 AM
to ques...@freebsd.org
On 12/19/25 14:47, Matthias Apitz wrote:

> My question is, is there a way to configure sendmail to use SSL port 465
> to the remote mail HUB?

Personally, since ages, I let sendmail connect to a stunnel instance.
Perhaps nowadays something changed, but I'm not sure; if you find out,
please let us know.

bye & Thanks
av.

Matthias Apitz

Dec 20, 2025, 7:53:12 AM
to ques...@freebsd.org
I tried it with:

ssh -C -L 1025:smtp.1blu.de:25 myac...@www.unixarea.de
Sat Dec 20 13:47:43 CET 2025
myaccount:~$

a test with

telnet localhost 1025

gives in the SSH session:

channel 3: open failed: administratively prohibited: open failed

I've to talk to my ISP about this.

Marco Moock

Dec 21, 2025, 4:46:19 AM
to ques...@freebsd.org
On 19.12.2025 at 08:47:17, Matthias Apitz wrote:

> When I'm in Cuba, connected via mobile data to the Cuban cellphone
> network, they block outbound port 25 traffic, for whatever reason

To avoid that hacked end user's devices can act as a spambot.

> and I have to bypass sendmail with a configuration in mutt to send
> mails to smtp.1blu.de:465

The port can be changed, but I dunno if implicit TLS can be enabled for
the esmtp mailer, as sendmail is an MTA and MTAs are not designed to
talk to the submission service.
You might ask that in comp.mail.sendmail.

Running stunnel would be an easy option.

--
Regards
Marco

Send unsolicited bulk mail to 1766130...@cartoonies.org

Matthias Apitz

Dec 21, 2025, 8:35:43 AM
to ques...@freebsd.org
Hello Marco,

Thanks for the reply.

On Sunday, December 21, 2025 at 10:45:37 a.m. +0100, Marco Moock wrote:

> On 19.12.2025 at 08:47:17, Matthias Apitz wrote:
>
>
> > and I have to bypass sendmail with a configuration in mutt to send
> > mails to smtp.1blu.de:465
>
> The port can be changed, but I dunno if implicit TLS can be enabled for
> the esmtp mailer, as sendmail is an MTA and MTAs are not designed to
> talk to the submission service.
> You might ask that in comp.mail.sendmail.

I used to use USENET in the 90s. Does comp.mail.sendmail still
exist?

> Running stunnel would be an easy option.

I've never used stunnel, only SSH and port forwarding. The IP addrs in
question are

for my SSH account:

$ host www.unixarea.de
www.unixarea.de has address 178.254.11.41

for SMTP port 25:

$ host smtp.1blu.de
smtp.1blu.de has address 178.254.4.101

Can I do such stunnel to route SMTP to 178.254.4.101:25 without
involving my ISP before?

I'd even have to compile security/stunnel, but I checked, I can do this
from here in Cuba with my FreeBSD netbook.

Marco Moock

Dec 21, 2025, 9:52:09 AM
to ques...@freebsd.org
On 21.12.2025 08:35 Matthias Apitz <gu...@unixarea.de> wrote:

> On Sunday, December 21, 2025 at 10:45:37 a.m. +0100, Marco
> Moock wrote:
>
> > On 19.12.2025 at 08:47:17, Matthias Apitz wrote:
> >
> >
> > > and I have to bypass sendmail with a configuration in mutt to send
> > > mails to smtp.1blu.de:465
> >
> > The port can be changed, but I dunno if implicit TLS can be enabled
> > for the esmtp mailer, as sendmail is an MTA and MTAs are not
> > designed to talk to the submission service.
> > You might ask that in comp.mail.sendmail.
>
> I used to use USENET in the 90s. Does comp.mail.sendmail still
> exist?

Yes and one of the developers is also there. There are also free to use
usenet servers available.

> > Running stunnel would be an easy option.
>
> I've never used stunnel, only SSH and port forwarding. The IP addrs in
> question are

Should be simple to set up.

> Can I do such stunnel to route SMTP to 178.254.4.101:25 without
> involving my ISP before?

Yes, it opens a local unencrypted port and transports that to dst:465
with TLS.

> I'd even have to compile security/stunnel, but I checked, I can do
> this from here in Cuba with my FreeBSD netbook.

Most Linux distributions have that in their repo, a FreeBSD port
is available.

--
kind regards
Marco

Send spam to abfall17...@stinkedores.dorfdsl.de

Andrea Venturoli

Dec 21, 2025, 9:57:06 AM
to ques...@freebsd.org, gu...@unixarea.de
On 12/21/25 14:35, Matthias Apitz wrote:

>> Running stunnel would be an easy option.
>
> I've never used stunnel, only SSH and port forwarding. The IP addrs in
> question are

I don't think they are the same thing.
AFAIK an ssh tunnel would require ssh on both sides.



> Can I do such stunnel to route SMTP to 178.254.4.101:25 without
> involving my ISP before?

I don't think so, but this is not what you asked in the first place.

What both Marco and I suggested is:
_ local stunnel that listens on local x.y.z.w:25 and forwards the
connection (encrypted) to smtp.1blu.de:465;
_ sendmail configured to send to x.y.z.w:25.

Of course x.y.z.w cannot be 127.0.0.1 if sendmail is already listening
there.

HTH.

bye
av.
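
The stunnel relay suggested in the replies above, sketched as a client-mode configuration (an added example, not posted by anyone in this thread). The file path, the service name, the listener 127.0.0.1:2525 and the CA bundle path are assumptions; a high port is used so the listener does not collide with sendmail's own socket on port 25.

```ini
; /usr/local/etc/stunnel/stunnel.conf   (location assumed for the FreeBSD port)
; Constructed example: local plaintext listener -> implicit TLS to the ISP.

[smtps-out]                      ; service name is arbitrary (assumption)
client  = yes                    ; stunnel initiates TLS, sendmail speaks plain SMTP
accept  = 127.0.0.1:2525         ; loopback only, never a routable address
connect = smtp.1blu.de:465       ; implicit-TLS submission port from the thread

; By default a stunnel client encrypts but does not check who it is
; talking to. The three lines below make it validate the certificate
; chain and the host name, so an intercepting middlebox cannot pose as
; the ISP and collect the SMTP AUTH credentials.
verifyChain = yes
CAfile      = /usr/local/share/certs/ca-root-nss.crt   ; from security/ca_root_nss (assumption)
checkHost   = smtp.1blu.de

sslVersionMin = TLSv1.2          ; refuse legacy protocol versions

; sendmail side, in <hostname>.mc, using the RELAY_MAILER_ARGS form that
; also appears later in this thread (brackets suppress the MX lookup):
;
;   define(`SMART_HOST', `[127.0.0.1]')dnl
;   define(`RELAY_MAILER_ARGS', `TCP $h 2525')dnl
;
; sendmail now sees 127.0.0.1 as the server, so an AuthInfo: entry has
; to be keyed on that address rather than on smtp.1blu.de.
```

If verification fails, stunnel drops the connection before any SMTP bytes are exchanged, and sendmail keeps the message in its queue for a later retry.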

Polytropon

Dec 21, 2025, 3:33:51 PM
to Matthias Apitz, freebsd-...@freebsd.org
On Fri, 19 Dec 2025 08:47:17 -0500, Matthias Apitz wrote:
>
> Hello,
>
> Since ages I do use mutt as MUA to read my mail (fetched with IMAPs)
> and send outbound via a normal sendmail configuration in my laptop
> (configured in /etc/mail/ the normal way with make). All this works
> fine, as said since ages, when I'm in Europe. sendmail delivers the mail
> by SMTP to port 25 of my ISP smtp.1blu.de.
>
> When I'm in Cuba, connected via mobile data to the Cuban cellphone
> network, they block outbound port 25 traffic, for whatever reason and I
> have to bypass sendmail with a configuration in mutt to send mails to
> smtp.1blu.de:465
>
> I have had a look into the port mail/ssmtp which addresses this problem sending
> mail to port 465, but has no queuing etc. of mails.
>
> My question is, is there a way to configure sendmail to use SSL port 465
> to the remote mail HUB?


I have a few notes from 2023 / 2024 where I had to deal with a problem
like this (needed to connect to a TLS remote system where my own program
did not support it, so I had to go through sendmail as a "handover" relay).
Allow me to provide the parts of my... pile of... unsorted stupid notes,
incomplete and questionable... which I have also forgotten and do no longer
understand... ;-) I'll add a few comments.



Maybe it still helps?





1. install

cyrus-sasl
cyrus-sasl-saslauthd
(Version 2)

2. check file /usr/local/lib/sasl2/Sendmail.conf

pwcheck_method: saslauthd
mech_list: EXTERNAL DIGEST-MD5 CRAM-MD5 PLAIN LOGIN

3. recompile sendmail with SASL support

check:
# sendmail -d0.1 -bt < /dev/null
Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX
NEWDB NIS PIPELINING SCANF STARTTLS TCPWRAPPERS TLS_EC
TLS_VRFY_PER_CTX USERDB XDEBUG

missing: SASLv2

add to file /etc/make.conf:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=/usr/local/lib/libsasl2.so

NB: Handbook 30.9 # 4 is _wrong_ <- !!!
https://docs.freebsd.org/en/books/handbook/mail/#SMTP-Auth

SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL

The -DSASL is wrong, must be defined as "2"!

obtain /usr/src tree via git or freebsd-update (select
"src" distribution) <--- gitup !!!

recompile

# cd /usr/src/lib/libsm
# make
# cd /usr/src/lib/libsmutil
# make
# cd /usr/src/usr.sbin/sendmail
# make
# make install

re-check:

# sendmail -d0.1 -bt < /dev/null
Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX
NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
TLS_EC TLS_VRFY_PER_CTX USERDB XDEBUG

now: SASLv2 listed

4. enable services in file /etc/rc.conf

sendmail_enable="YES"
saslauthd_enable="YES"

5. add access credentials for SMTP server to send mail to

# cd /etc/mail
# mkdir auth
# chmod 700 auth
# cd auth

create file client-info

AuthInfo:<SMTP server> "U:root" "I:<user name>" "P:<password>"

user "root" (or "smmsp"?) <- ???

make database

# makemap hash client-info < client-info
# chmod 600 client-info*

authentication will be STARTTLS method

6. configure sendmail to use them and to accept external connections

# cd /etc/mail

create file access to define where user can connect from

<your domain> RELAY
<your IP> RELAY

and

# makemap hash access < access

add /etc/mail/local-host-names for local names that sendmail accepts
as local in addition to "localhost"

<machine name>
<machine name FQDN>

then

# make

modify file <hostname>.mc

comment out:

dnl DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
^^^
only IPv4!

add:

DAEMON_OPTIONS(`Family=inet,Name=MSP-v4,Port=submission,M=Ea')dnl

then add:

define(`SMART_HOST',`<smart host here>')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

and add:

define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

at top add:

FEATURE(access_db)

finally use

# make
# make install
# service sendmail start

to bring config changes into effect and restart sendmail service


<port> 587 = STARTTLS
<port> 465 = SSL/TLS <--- YOU NEED THIS!

define(`RELAY_MAILER_ARGS', `TCP $h <port>')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/smtp-auth.db')dnl
define(`confAUTH_OPTIONS', `A p y')dnl

?




https://docs.oracle.com/en/operating-systems/oracle-linux/6/admin/configure-sendmail.html


https://www.akadia.com/services/sendmail_relay.html








--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
