how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?


William Dudley

Mar 18, 2017, 6:44:33 PM
to freebsd-...@freebsd.org
A google search does not reveal a useful answer.

I just want to use a self-signed certificate so I can get my email from my
FreeBSD mail server to my cell phone. My FreeBSD server runs sendmail.
I don't really want to switch to postfix, qmail, etc. etc.

Thanks,
Bill Dudley

This email is free of malware because I run Linux.
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"

Patrick Mahan

Mar 18, 2017, 11:21:26 PM
to freebsd-...@freebsd.org
On 3/18/17 3:44 PM, William Dudley wrote:
> A google search does not reveal a useful answer.
>
> I just want to use a self-signed certificate so I can get my email from my
> FreeBSD mail server to my cell phone. My FreeBSD server runs sendmail.
> I don't really want to switch to postfix, qmail, etc. etc.
>
> Thanks,
> Bill Dudley
>

Have you considered using stunnel(8)? I use it to front my sendmail and
other servers that I want to make a secure connection.

Patrick

William Dudley

Mar 19, 2017, 9:44:42 AM
to Patrick Mahan, freebsd-...@freebsd.org
I'll look into this, but from a quick read of the stunnel docs I don't see
STARTTLS mentioned, and I thought that was a requirement.

Bill Dudley


William Dudley

Mar 19, 2017, 9:53:43 AM
to Patrick Mahan, freebsd-...@freebsd.org
stunnel fails to start with this helpful message:

/usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com":
Specified option name is not valid here

The line it's complaining about is in the EXAMPLE config file.

So this is not going well, at all.

pop.gmail.com is a valid hostname. I have no idea what stunnel is
complaining about.

Bill Dudley


On Sun, Mar 19, 2017 at 9:44 AM, William Dudley <wfdu...@gmail.com> wrote:

> I'll look into this, but a quick read of the stunnel docs, I don't see
> STARTTLS mentioned,
> and I thought that was a requirement.
>
> Bill Dudley
>
>
> This email is free of malware because I run Linux.
>
> On Sat, Mar 18, 2017 at 11:21 PM, Patrick Mahan <ma...@mahan.org> wrote:
>
>> On 3/18/17 3:44 PM, William Dudley wrote:
>> > A google search does not reveal a useful answer.
>> >
>> > I just want to use a self-signed certificate so I can get my email from
>> my
>> > FreeBSD mail server to my cell phone. My FreeBSD server runs sendmail.
>> > I don't really want to switch to postfix, qmail, etc. etc.
>> >
>> > Thanks,
>> > Bill Dudley
>> >
>>
>> Have you considered using stunnel(8)? I use it to front my sendmail and
>> other servers that I want to make a secure connection.
>>
>> Patrick
>>

Matthew Seaman

Mar 19, 2017, 10:34:57 AM
to freebsd-...@freebsd.org
On 18/03/2017 22:44, William Dudley wrote:
> A google search does not reveal a useful answer.
>
> I just want to use a self-signed certificate so I can get my email from my
> FreeBSD mail server to my cell phone. My FreeBSD server runs sendmail.
> I don't really want to switch to postfix, qmail, etc. etc.

Hmm... STARTTLS capability is enabled by default in freebsd.mc in 11.0
-- I think it might be on 10.3 as well.

Anyhow, you need the following sort of thing in your ${hostname}.mc --

define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl

and you need to create all of the host.key and host.cert and cacert.pem
and dh.param files. That's mostly covered here:

http://www.sendmail.org/~ca/email/other/cagreg.html

Note that for e-mail purposes you don't generally need a certificate
signed by a well known CA -- just self signed is fine. With e-mail,
it's more important to ensure privacy in transit rather than to identify
the party you're corresponding with.

The dh.param file you can generate by:

openssl dHParam -outform PEM -out dh.param 2048

IIRC adding all this will allow your sendmail install to support
STARTTLS, but not make it require STARTTLS. I believe there's a
DAEMON_OPTIONS setting to achieve that, but I'd need to look that up.
Get hold of the O'Reilly sendmail book if you're interested -- it has
details of all this stuff.

Cheers,

Matthew


Gerard Seibert

Mar 19, 2017, 11:16:52 AM
to User questions
On Sun, 19 Mar 2017 14:34:34 +0000, Matthew Seaman stated:

> The dh.param file you can generate by:
>
> openssl dHParam -outform PEM -out dh.param 2048

Are you sure about that command? I receive the following error message:

openssl dHParam -outform PEM -out dh.param 2048
openssl:Error: 'dHParam' is an invalid command.

However, using lower case, i.e. 'dhparam', works fine.

--
Carmel

William Dudley

Mar 19, 2017, 4:04:56 PM
to Matthew Seaman, freebsd-...@freebsd.org
I have all of the stuff you referenced in my ${hostname}.mc.

I have a dh.param in /etc/mail/certs

And yet,

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.casano.com ESMTP Sendmail 8.15.2/8.15.2; Sun, 19 Mar 2017 16:02:48 -0400 (EDT)
ehlo localhost
250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.casano.com closing connection
Connection closed by foreign host.

in which STARTTLS is conspicuous by its absence.

Surely I am missing some crucial, undocumented step.

Is there anything else I should check?

Thanks,
Bill Dudley



William Dudley

Mar 19, 2017, 4:07:57 PM
to Patrick Mahan, freebsd-...@freebsd.org
I commented out the lines starting with checkHost, and started stunnel.
It does start, and runs as a daemon. However, it doesn't seem to DO
anything.

However, that hasn't changed sendmail's behaviour one iota.

As far as I can tell, stunnel is a massive waste of time.

I don't really want to spend months reading all the stunnel docs to figure out
how to get it to work with sendmail. Sendmail is hard enough on its own, and
I can mostly control sendmail (well, except for the STARTTLS problem.)

Thanks,
Bill Dudley


Matthew Seaman

Mar 19, 2017, 6:40:39 PM
to freebsd-...@freebsd.org
On 19/03/2017 15:16, Gerard Seibert wrote:
> On Sun, 19 Mar 2017 14:34:34 +0000, Matthew Seaman stated:
>
>> The dh.param file you can generate by:
>>
>> openssl dHParam -outform PEM -out dh.param 2048
>
> Are you sure about that command? I receive the following error message:
>
> openssl dHParam -outform PEM -out dh.param 2048
> openssl:Error: 'dHParam' is an invalid command.
>
> However, using lower case, ie. 'dhparam' works fine.
>

Oops. Perils of copying from the web without checking everything
yourself. I knew the command was /something/ like that, but clearly the
details escaped me.

Oh, and while you're thinking about DH parameters, consulting this site
should prove illuminating: https://www.weakdh.org/

Cheers,

Matthew


Matthew Seaman

Mar 19, 2017, 7:03:03 PM
to William Dudley, freebsd-...@freebsd.org
The chapter and verse on setting this up is here:
http://www.sendmail.org/~ca/email/starttls.html

You really only need the stuff on that page up to the 'Operation' section.

Do you have the symbolic link of the cacert hash pointing at the cacert?
Like so:

lucid-nonsense:/etc/mail/certs:% ls -la
total 36
drwxr-xr-x 2 root wheel 7 Jul 19 2016 ./
drwxr-xr-x 3 root wheel 22 Feb 5 12:37 ../
lrwxr-xr-x 1 root wheel 10 Jul 19 2016 5d402486.0@ -> cacert.pem
-rw-r--r-- 1 root wheel 1367 Jul 19 2016 cacert.pem
-rw-r--r-- 1 root wheel 424 May 21 2015 dh.param
-rw-r--r-- 1 root wheel 1415 Jul 19 2016 host.cert
-rw------- 1 root wheel 1704 Jul 19 2016 host.key

If you need to, create that by:

ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0

Also check permissions -- the host.key file should be owned by
root:wheel and mode 0600 as shown here.

Check in /var/log/maillog for any relevant messages from when you
restarted sendmail or tried sending or receiving messages.

One final sanity check: does the output from 'sendmail -d0.1' show that
it was compiled with STARTTLS? If not, then you'll need to choose one
of the following:

* Install sendmail from ports, compiled with the necessary settings

* Tweak settings in your src.conf or make.conf and rebuild sendmail
from the system sources.[*]

* Upgrade to 11.0, where all this stuff definitely is enabled already.

Cheers,

Matthew

[*] ISTR that this sort of thing was not necessary for STARTTLS support,
but it is necessary for SASL support. However those neurons have mostly
been recycled, since I switched to postfix for all my e-mail needs some
time ago and have never looked back.



Patrick Mahan

Mar 20, 2017, 12:59:58 AM
to William Dudley, freebsd-...@freebsd.org
On 3/19/17 1:07 PM, William Dudley wrote:
> I commented out the lines starting with checkHost, and started stunnel.
> It does start, and runs as a daemon. However, it doesn't seem to DO anything.
>
> However, that hasn't changed sendmail's behaviour one iota.
>
> As far as I can tell, stunnel is a massive waste of time.
>
> I don't really want to spend months reading all the stunnel docs to figure out
> how to get it to work with sendmail. Sendmail is hard enough on it's own, and
> I can mostly control sendmail (well, except for the STARTTLS problem.)
>
> Thanks,
> Bill Dudley
>
>
> This email is free of malware because I run Linux.
>
> On Sun, Mar 19, 2017 at 9:53 AM, William Dudley <wfdu...@gmail.com
> <mailto:wfdu...@gmail.com>> wrote:
>
> stunnel fails to start with this helpful message:
>
> /usr/local/etc/stunnel/stunnel.conf:68: "checkHost = pop.gmail.com
> <http://pop.gmail.com>": Specified option name is not valid here
>
> The line it's complaining about is in the EXAMPLE config file.
>
> So this is not going well, at all.
>
> pop.gmail.com <http://pop.gmail.com> is a valid hostname. I have no idea
> what stunnel is complaining about.
>

Okay, let me share what I do. I believe stunnel needs to run on the same host
as the sendmail server.

First, here are some relevant parts from my stunnel config file:

; Sample stunnel configuration file by Michal Trojnara 2002-2005
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/sslcerts/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/stunnel/
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
verify = 0

....

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[pop3s]
accept = 995
connect = 110

[imaps]
accept = 993
connect = 143

[smtps]
accept = 465
connect = 25

I run dovecot for my imap server which is listening on port 143:

mahan@ns-/usr/local/etc/stunnel 11 # sockstat | grep 110
root dovecot 915 22 tcp4 *:110 *:*

But I connect from my mail clients (ios mail, thunderbird, ...) to port 993. The
mail clients are all configured to use ssl/tls, *not* STARTTLS.

My smtp I connect via stunnel over port 465, not port 25 for sending mail.

So what are you trying to accomplish? The idea is for your accessing these
servers in an encrypted fashion. But from your above description, it sounds
like you are trying to access your unsecured gmail account using POP3. Not
sure why as the connection from stunnel to pop.gmail.com will be unsecured.

What email client are you trying to use?

Patrick



William Dudley

Mar 20, 2017, 9:13:22 AM
to Patrick Mahan, freebsd-...@freebsd.org
The point of this exercise is to allow my Android phone to access my email
on my FreeBSD 10.3 server, using imap. I had it working last year, and then,
with nary an error message, it stopped working. So the email client is the
native Android email client (on a recent Cyanogen Android). My FreeBSD server runs
sendmail, and I've been running my own mail domain for about a decade.

My latest guess (and that's all I can do is guess) is that my self-signed
certificates expired, and I just need to re-generate them. All the sources on
sendmail and STARTTLS that I've seen so far show configs identical to my config,
so from this I infer perhaps one or more of my cert files is "bad".

stunnel may well be a wonderful program, but I really don't want to figure
out how to specify each of the 500 lines in its config file, especially when
the software doesn't run successfully with its own sample config file.

Thanks for your time,
Bill Dudley


William Dudley

Mar 21, 2017, 6:58:08 PM
to freebsd-...@freebsd.org
I've got all the bits that numerous sources say are the correct bits (like
in hostname.mc).

Sendmail in 10.x is able to generate its OWN certificates. I've let it do
just that.

However, sendmail still refuses to announce STARTTLS as a capability.

Surely there must be some way to debug this, instead of just thrashing
about randomly.

Is there a debug variable in sendmail that I can turn up to see exactly
what sendmail doesn't like about the SSL/TLS stuff?

Failing that, is anyone on this list using self-signed certificates? Do
you know the EXACT sequence of things to do to get this to work?

I have a funny feeling that the "auto-generated" certs created by sendmail
don't work if you don't have an official cert from Verisign.

Bill Dudley


Wayne Sierke

Mar 22, 2017, 2:07:52 AM
to William Dudley, freebsd-...@freebsd.org
On Tue, 2017-03-21 at 18:57 -0400, William Dudley wrote:
> I've got all the bits that numerous sources say are the correct bits
> (like
> in hostname.mc).
>
> Sendmail in 10.x is able to generate it's OWN certificates.  I've let it do
> just that.
>
> However, sendmail still refuses to announce STARTTLS as a capability.
>
> Surely there must be some way to debug this, instead of just thrashing
> about randomly.
>
> Is there a debug variable in sendmail that I can turn up to see exactly
> what sendmail
> doesn't like about the SSl/TLS stuff?

Certainly. Increasing the loglevel was suggested on the page that
Matthew linked for you earlier.

Add this to your <hostname>.mc:

define(`confLOG_LEVEL', `14')dnl

These may help, too:
https://forums.freebsd.org/threads/52471/
https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html

William Dudley

Mar 22, 2017, 10:14:41 AM
to Wayne Sierke, freebsd-...@freebsd.org
Turning up the debug level (thanks for pointing out the "code" for that)
revealed this message as sendmail starts:

STARTTLS: CRLFile missing

So I googled that, and found this post (about sendmail on Linux, but the
answer seemed generic enough)

http://www.linuxweblog.com/blogs/sandip/20071019/starttls-crlfile-missing-resolved

So I download all 8Meg of revoke.crl, put the pointer to the file in
hostname.mc, rebuild hostname.cf, and restart sendmail.

Mar 22 10:09:31 dudley sm-msp-queue[78358]: starting daemon (8.15.2): queueing@00:30:00
Mar 22 10:09:31 dudley sm-mta[78360]: starting daemon (8.15.2): SMTP+queueing@00:30:00
Mar 22 10:09:31 dudley sm-mta[78360]: STARTTLS=server, Diffie-Hellman init, key=1024 bit (/)
Mar 22 10:09:31 dudley sm-mta[78360]: STARTTLS=server, init=1
Mar 22 10:09:31 dudley sm-mta[78360]: started as: /usr/sbin/sendmail -L sm-mta -bd -q30m

STILL BROKEN, but now there's no error message to give me a clue what is
wrong.

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.casano.com ESMTP Sendmail 8.15.2/8.15.2; Wed, 22 Mar 2017 10:10:14 -0400 (EDT)
ehlo localhost
250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.casano.com closing connection
Connection closed by foreign host.

Any ideas?

Thanks,
Bill Dudley


Jim Ohlstein

Mar 22, 2017, 8:18:27 PM
to William Dudley, freebsd-...@freebsd.org
Hello,

On 3/18/17 6:44 PM, William Dudley wrote:
> A google search does not reveal a useful answer.
>
> I just want to use a self-signed certificate so I can get my email from my
> FreeBSD mail server to my cell phone. My FreeBSD server runs sendmail.
> I don't really want to switch to postfix, qmail, etc. etc.
>

I'm sorry to be the one to break it to you after all this time and
effort, but AFAIK Sendmail speaks neither POP3 nor IMAP so you cannot
use it as an MDA. You can use it to *send* email from your phone, but
not to retrieve it. You also can use it to forward mails to another
email address from which you can retrieve it, if that's what you want.

If you want to retrieve emails using your phone's email client, you will
need an MDA. I use mail/dovecot2.

I know that you do not want to install a different MTA, but after all
this effort I'd suggest trying Exim. TLS is supported out of the box (in
the default ports/packages configuration) and is extremely easy to
configure [1]. You can use Dovecot authorization [2] with Exim, killing
two birds with one stone.

[1] http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html - see Section 6

[2] http://wiki2.dovecot.org/HowTo/EximAndDovecotSASL

--
Jim Ohlstein


"Never argue with a fool, onlookers may not be able to tell the
difference." - Mark Twain

William Dudley

Mar 22, 2017, 8:32:24 PM
to Jim Ohlstein, freebsd-...@freebsd.org
I have news for you. Unless this feature was just removed from
sendmail/FreeBSD, it should
work. It WAS WORKING until November 2016.

Bill Dudley


Jim Ohlstein

Mar 22, 2017, 9:37:04 PM
to William Dudley, freebsd-...@freebsd.org
Hello,

On 3/22/17 8:32 PM, William Dudley wrote:
> I have news for you. Unless this feature was just removed from
> sendmail/FreeBSD, it should
> work. It WAS WORKING until November 2016.

That would be news. I guess you have a super Sendmail that listens for
and accepts POP3(s)/IMAP(s) connections. That would be interesting since
Sendmail is an SMTP(s) server. I won't bother you again since you are
clearly more knowledgeable than I.

William Dudley

Mar 22, 2017, 10:42:06 PM
to Jim Ohlstein, freebsd-...@freebsd.org
There's another layer in there, popd or imapd or whatever, but the point
is, I've been using sendmail on FreeBSD for at least a decade. I had STARTTLS
working with sendmail just last year. So your assertion that I have to run
some other MTA could not be true.

But thanks for your time. I welcome all suggestions, even ones that don't
pan out.

Bill Dudley


Jim Ohlstein

Mar 22, 2017, 11:25:27 PM
to William Dudley, freebsd-...@freebsd.org
Your entire question is ridiculous since Sendmail will never be useful for retrieving email from a remote server. Ever. To do that you need a POP/IMAP server. That was my point. Still is.

I only suggested you consider another agent since this one is proving difficult for you to configure. I never said you "had to" do anything, but you will need more than Sendmail to use your phone's email client.

But keep going, you're doing great.

Jim Ohlstein

Arthur Chance

Mar 23, 2017, 8:21:36 AM
to Jim Ohlstein, William Dudley, freebsd-...@freebsd.org
On 23/03/2017 03:25, Jim Ohlstein wrote:
> Your entire question is ridiculous since Sendmail will never be
> useful for retrieving email from a remote server. Ever. To do that
> you need a POP/IMAP server. That was my point. Still is.

If you'd been paying attention you'd have noticed lines in his mail like

> telnet localhost 25

which is rather a clue that he's talking about the sending side rather
than the receiving side.

> I only suggested you consider another agent since this one is
> proving difficult for you to configure. I never said you "had to" do
> anything, but you will need more than Sendmail to use your phone's
> email client.

I'm sure he's aware of this, but is having problems *sending* mail
securely via SMTP and sendmail.

> But keep going, you're doing great.

Quite possibly a little better than some other people.

[Much snippage]

>>> "Never argue with a fool, onlookers may not be able to tell the difference." - Mark Twain

[Except for that. :-)]


--
By June 1949, people had begun to realize that it was not so easy to
get a program right as had at one time appeared. It was on one of my
journeys between the EDSAC room and the punching equipment that the
realization came over me with full force that a good part of the
remainder of my life was going to be spent in finding errors in my own
programs.

-- Maurice Wilkes

Ian Smith

Mar 23, 2017, 9:16:56 AM
to William Dudley, freebsd-...@freebsd.org
In freebsd-questions Digest, Vol 668, Issue 5, Message: 12
On Wed, 22 Mar 2017 22:41:54 -0400 William Dudley <wfdu...@gmail.com> wrote:

OK, I'll join in this messy top-posting orgy, rearranged somewhat and
including some bits pasted in from earlier posts. I've been reading
these - not carefully enough - without being able to put my finger on
what weird thing is going on here until Jim pointed out the obvious:

> >> On Wed, Mar 22, 2017 at 8:18 PM, Jim Ohlstein <j...@ohlste.in
> >> <mailto:j...@ohlste.in>> wrote:
> >>
> >> Hello,
> >>
> >> On 3/18/17 6:44 PM, William Dudley wrote:
> >>
> >> A google search does not reveal a useful answer.
> >>
> >> I just want to use a self-signed certificate so I can get my
> >> email from my
> >> FreeBSD mail server to my cell phone. My FreeBSD server runs
> >> sendmail.
> >> I don't really want to switch to postfix, qmail, etc. etc.
> >>
> >>
> >> I'm sorry to be the one to break it to you after all this time and
> >> effort, but AFAIK Sendmail speaks neither POP3 nor IMAP so you
> >> cannot use it as an MDA. You can use it to *send* email from your
> >> phone, but not to retrieve it. You also can use it to forward mails
> >> to another email address from which you can retrieve it, of that's
> >> what you want.
> >>
> >> If you want to retrieve emails using your phone's email client, you
> >> will need an MDA. I use mail/dovecot2.

And earlier, William, you'd stated:

: I just want to use a self-signed certificate so I can get my email
: from my FreeBSD mail server to my cell phone. My FreeBSD server runs
: sendmail.

and more specifically:

: The point of this exercise is to allow my Android phone to access my
: email on my FreeBSD 10.3 server, using imap. I had it working last
: year, and then, with nary an error message, it stopped working. So
: the email client is the native Android email client (on a recent
: Cyanogen Android). My FreeBSD server runs sendmail, and I've been
: running my own mail domain for about a decade.

"Using imap", right? Not SMTP, which your Android client will use to
SEND mail to your/any SMTP server, but IMAP (or POP3 if you prefer),
which means picking up from an IMAP (and/or POP3) server, right?

Jim is absolutely right here: sendmail does not talk IMAP, nor POP3.

It receives messages from other SMTP servers, or clients, and sends to
other SMTP servers. That's it, ignoring the intermediate submission
agent dance. It transmits from its mailqueue, and receives into user's
INBOX, from where IMAP/POP3 accesses it.

> There's another layer in there, popd or imapd or whatever, but the point
> is, I've been
> using sendmail on FreeBSD for at least a decade. I had STARTTLS working
> with sendmail
> just last year. So your assertion that I have to run some other MTA could
> not be true.

I've been using sendmail since '98, but still don't use STARTTLS, which
is why I've steered clear of this topic to date :)

Well, is it imapd/popd/popper or whatever? Whatever, that's what your
phone will be talking to. Does IT require STARTTLS to deliver mail to
your phone? Does your phone require STARTTLS to pickup from a POP/IMAP
server - mine sure doesn't. Has anything changed in $whatever's setup,
or requirements? I think that's where you should be looking.

> But thanks for your time. I welcome all suggestions, even ones that don't
> pan out.

I suggest acknowledging Jim is correct, and figure out what's wrong with
your $whatever. Other contributors including Matthew - whose knowledge
is far beyond mine or most people on this subject - perhaps, like me,
hadn't twigged that your problem is pick up, NOT sending from sendmail.

cheers, Ian

Jim Ohlstein

Mar 23, 2017, 9:39:25 AM
to Arthur Chance, William Dudley, freebsd-...@freebsd.org
Hello,

On 3/23/17 8:21 AM, Arthur Chance wrote:
> On 23/03/2017 03:25, Jim Ohlstein wrote:
>> Your entire question is ridiculous since Sendmail will never be
>> useful for retrieving email from a remote server. Ever. To do that
>> you need a POP/IMAP server. That was my point. Still is.
>
> If you'd been paying attention you'd have noticed lines in his mail like
>
>> telnet localhost 25
>
> which is rather a clue that he's talking about the sending side rather
> than the receiving side.

If you'd been paying attention, you'd have noticed lines in his initial
post to the list (emphasis mine):


I just want to use a self-signed certificate so I can *get my email from
my FreeBSD mail server to my cell phone*.


This is rather a clue that he's talking about the receiving side rather
than the sending side.

I don't see anything about sending, and from the content of his
responses that insisted that it was working for this purpose, and I'm
not convinced the issue was not lost on him. I think until last night he
was of the belief that he was using Sendmail to retrieve his email. In
my first email I informed him that he cannot use Sendmail to retrieve
email because Sendmail does not act as a POP3 server or as an IMAP
server. His exact response:


I have news for you. Unless this feature was just removed from
sendmail/FreeBSD, it should work. It WAS WORKING until November 2016.


That doesn't sound to me like someone who actually knew the difference.
Hopefully he does now.

>
>> I only suggested you consider another agent since this one is
>> proving difficult for you to configure. I never said you "had to" do
>> anything, but you will need more than Sendmail to use your phone's
>> email client.
>
> I'm sure he's aware of this, but is having problems *sending* mail
> securely via SMTP and sendmail.

From where did you glean this? See above.

>
>> But keep going, you're doing great.
>
> Quite possibly a little better than some other people.
>
> [Much snippage]
>
>>>> "Never argue with a fool, onlookers may not be able to tell the difference." - Mark Twain
>
> [Except for that. :-)]

Cute. Rather sophomoric, but still cute.


--
Jim Ohlstein


"Never argue with a fool, onlookers may not be able to tell the
difference." - Mark Twain

Bernt Hansson

Mar 23, 2017, 9:40:40 AM
to William Dudley, freebsd-...@freebsd.org
On 2017-03-18 23:44, William Dudley wrote:
> A google search does not reveal a useful answer.
>
> I just want to use a self-signed certificate so I can get my email from my
> FreeBSD mail server to my cell phone. My FreeBSD server runs sendmail.
> I don't really want to switch to postfix, qmail, etc. etc.
>
> Thanks,
> Bill Dudley
>
>
Sendmail can not do that. You need some other means to provide
that function i.e qpopper spop pop imap or others, there's plenty.

Matthew Seaman

Mar 23, 2017, 10:20:51 AM
to freebsd-...@freebsd.org
On 2017/03/23 13:16, Ian Smith wrote:
> I suggest acknowledging Jim is correct, and figure out what's wrong with
> your $whatever. Other contributors including Matthew - whose knowledge
> is far beyond mine or most people on this subject - perhaps, like me,
> hadn't twigged that your problem is pick up, NOT sending from sendmail.

I very nearly asked about the relevance of sendmail to the problem at
hand, but I came to the conclusion that the OP meant sendmail when he
said sendmail, even if he did say 'read' rather than 'send' on one occasion.

Cheers,

Matthew


William Dudley

Mar 23, 2017, 11:00:19 AM
to Matthew Seaman, freebsd-...@freebsd.org
Let's assume that I have no idea what I'm talking about.
However, I can successfully report what I SEE.

1. Android's mail app wants to use STARTTLS when it connects to my mail
server, for whatever reason (send or receive) isn't important now. It wants
it, and I want it to be happy, or else it doesn't work.

2. When I telnet to port 25 of my mail server, sendmail does NOT announce
STARTTLS as one of its capabilities. This, despite my having all the
incantations *apparently* correct in my hostname.mc, fresh self signed cert
and key file in /etc/mail/certs, and various other things that have been
suggested/intimated by various sources.

It would be nice to solve the problem stated in the Subject of this
insanely long thread:

Why is my sendmail refusing to announce STARTTLS ?

Thanks,
Bill Dudley



Matthew Seaman

Mar 23, 2017, 11:27:38 AM
to William Dudley, freebsd-...@freebsd.org
On 2017/03/23 15:00, William Dudley wrote:
> Let's assume that I have no idea what I'm talking about.
> However, I can successfully report what I SEE.
>
> 1. Android's mail app wants to use STARTTLS when it connects to my mail
> server, for
> whatever reason (send or receive) isn't important now. It wants it, and I
> want it to be
> happy, or else it doesn't work.

Ah -- in this case, you've potentially got two different software
systems that could involve STARTTLS. sendmail would only be involved
when you send an e-mail. Otherwise your android device will be
connecting to an IMAP server -- and that could either be configured to
listen on port 143 (the port for unencrypted IMAP) and expect to use
STARTTLS to upgrade to an encrypted connection; or it could listen on
port 993 which expects TLS straight away. There is a move by IANA (I
think) to prefer STARTTLS type mechanisms and so recover all of the
duplicated-except-for-requiring-TLS port numbers out of /etc/services.

But, as you say, the sendmail problems need sorting anyhow. Time to
worry about IMAP later.

> 2. When I telnet to port 25 of my mail server, sendmail does NOT announce
> STARTTLS
> as one of its capabilities. This, despite my having all the incantations
> *apparently* correct
> in my hostname.mc, fresh self signed cert and key file in /etc/mail/certs,
> and various other
> things that have been suggested/intimated by various sources.

Hmmm... well, I don't understand why it isn't working for you. The
sendmail in FreeBSD-10.3 is supplied with STARTTLS capabilities compiled
in and should have certs and keys created for it at install time.

> It would be nice to solve the problem stated in the Subject of this
> insanely long thread:
>
> Why is my sendmail refusing to announce STARTTLS ?

It is almost certainly some trivial little oversight, but it's
impossible to say what that might be. I'm sure you've been through all
this already, but have you checked and rechecked the simple and obvious
stuff:

* Have you built and installed a fresh sendmail config:

# cd /etc/mail
# make
# make install

* Are you editing the correct .mc file? The one you want is
${hostname}.mc -- where ${hostname} (if it isn't obvious) is the
hostname of your machine. If this doesn't exist, typing 'make'
will create it for you.

* Did you restart sendmail after the last config update?

# service sendmail restart

* Is sendmail listening on the IP numbers and ports you expect it to
be listening on? Or is it some other piece of software
entirely answering on port 25?

# sockstat | grep sendmail
# sockstat | grep -E ':25\>'

will provide clues.

* Do you have anything in /etc/mail/access ?

* What's in /etc/mail/mailwrapper ?

Cheers,

Matthew



Arthur Chance

Mar 23, 2017, 11:32:01 AM3/23/17
to Matthew Seaman, freebsd-...@freebsd.org
Ditto. Telnetting into port 25 to see what capabilities are shown in
response to EHLO isn't usually the act of a novice.

--
By June 1949, people had begun to realize that it was not so easy to
get a program right as had at one time appeared. It was on one of my
journeys between the EDSAC room and the punching equipment that the
realization came over me with full force that a good part of the
remainder of my life was going to be spent in finding errors in my own
programs.

-- Maurice Wilkes

Jim Ohlstein

Mar 23, 2017, 11:32:50 AM3/23/17
to Arthur Chance, freebsd-...@freebsd.org, William Dudley
Hello,

On 3/23/17 11:05 AM, Arthur Chance wrote:
> On 23/03/2017 13:39, Jim Ohlstein wrote:
>> Hello,
>>
>> On 3/23/17 8:21 AM, Arthur Chance wrote:
>>> On 23/03/2017 03:25, Jim Ohlstein wrote:
>>>> Your entire question is ridiculous since Sendmail will never be
>>>> useful for retrieving email from a remote server. Ever. To do that
>>>> you need a POP/IMAP server. That was my point. Still is.
>>>
>>> If you'd been paying attention you'd have noticed lines in his mail like
>>>
>>>> telnet localhost 25
>>>
>>> which is rather a clue that he's talking about the sending side rather
>>> than the receiving side.
>>
>> If you'd been paying attention, you'd have noticed lines his initial
>> post to the list (emphasis mine):
>>
>>
>> I just want to use a self-signed certificate so I can *get my email from
>> my FreeBSD mail server to my cell phone*.
>>
>>
>> This is rather a clue that he's talking about the receiving side rather
>> than the sending side.
>
> I was basing it on
>
> --- Extract ---
> STILL BROKEN, but now there's no error message to give me a clue what is
> wrong.
>
> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 mail.casano.com ESMTP Sendmail 8.15.2/8.15.2; Wed, 22 Mar 2017 10:10:14
> -0400 (EDT)
> ehlo localhost
> 250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-ETRN
> 250-DELIVERBY
> 250 HELP
> quit
> 221 2.0.0 mail.casano.com closing connection
> Connection closed by foreign host.
> ----
>
> Generally speaking, you don't telnet into port 25, issue an EHLO to see
> what capabilities the server has and complain that STARTTLS is still
> missing unless you're trying to sort out the SMTP side of life. Also,
> that's not the sort of thing a newbie usually tries.
>
> He also wrote (apologies for the lousy formatting, various mailers have
> hacked it about)
>
>>> My FreeBSD server
>>> runs
>>> sendmail, and I've been running my own mail domain for about a decade.
>>>
>>> My latest guess (and that's all I can do is guess) is that my
> self-signed
>>> certificates
>>> expired, and I just need to re-generate them. All the sources on
> sendmail
>>> and
>>> STARTTLS that I've seen so far show configs identical to my config, so
> from
>>> this I infer perhaps one or more of my cert files is "bad".
>
> Which really doesn't sound like a novice. Yes, the remarks about wanting
> to use IMAP are confusing, but I thought that was because he'd got into
> a "can't see the wood for the trees" state of confusion. Fighting
> recalcitrant software for a few days tends to do that. But it could be
> he truly is clueless and thrashing.

Perhaps it's hard to tell, but your quote above was conveniently taken
out of context. A more full rendition might be a clue as to his
cluelessness:


The point of this exercise is to allow my Android phone to access my
email on my FreeBSD 10.3 server, using imap. I had it working last
year, and then, with nary an error message, it stopped working. So the
email client is the native Android email client (on a recent Cyanogen
Android). My FreeBSD server runs sendmail, and I've been running my own
mail domain for about a decade.

Here he speaks directly about accessing his email using IMAP. Looks
pretty clear to me. In fact, I don't think it could be clearer.

I would wager he is posting the results of commands found in Google
searches without completely understanding what they mean, or
understanding that he will NEVER retrieve email with Sendmail, at least
until now. Running [his] "own mail domain for about a decade" may be as
simple as using shared hosting on a cPanel server as his signature
suggests he's using Linux. It doesn't mean he knows what he's doing. In
fact, the evidence strongly suggests the opposite.

Oh, and the idiom is "can't see the forest for the trees".

>
>>> [Much snippage]
>>>
>>>>>> "Never argue with a fool, onlookers may not be able to tell the
>>>>>> difference." - Mark Twain
>>>
>>> [Except for that. :-)]
>>
>> Cute. Rather sophomoric, but still cute.
>
> I've never been sure about the exact details of the US university
> system, having gone through a much older one on the other side of the
> Atlantic, but I'm probably about 50 years too old to be a sophomore.
> However, while I've definitely aged, I will be the first to admit I've
> not necessarily matured. :-)
>

You should look at the definition of sophomoric. This link may help you:

https://www.merriam-webster.com/dictionary/sophomoric

Gerard Seibert

Mar 23, 2017, 11:34:39 AM3/23/17
to User questions
On Thu, 23 Mar 2017 11:00:07 -0400, William Dudley stated:

> It would be nice to solve the problem stated in the Subject of this
> insanely long thread:
>
> Why is my sendmail refusing to announce STARTTLS ?

Have you given any consideration to trying this URL:

https://www.proofpoint.com/us/sendmail-open-source

You might be able to find what you want under "SUPPORT".

--
Carmel

Gerard Seibert

Mar 23, 2017, 11:38:18 AM3/23/17
to User questions
On Thu, 23 Mar 2017 11:00:07 -0400, William Dudley stated:

> It would be nice to solve the problem stated in the Subject of this
> insanely long thread:
>
> Why is my sendmail refusing to announce STARTTLS ?

You could also try this:

http://www.sendmail.org/~ca/email/starttls.html

--
Carmel

Matthias Apitz

Mar 23, 2017, 11:48:05 AM3/23/17
to freebsd-...@freebsd.org

Hi,

With intention I have not included the lines of the thread in my
reply...

Can the OP (Original Poster) first clarify what he/she wants to do
exactly. If it is fetching mails *from* his/her FreeBSD server to some
other device, then sendmail is not involved here at all; it is a matter of
setting up some IMAP or POP3 server on the FreeBSD box.

If he/she wants to send mail from the device to the FreeBSD server as the
1st MX hop, then of course he/she must set up an MTA on this server.

So, let's first clarify, about what the issue is exactly.

matthias
--
Matthias Apitz, ✉ gu...@unixarea.de, ⌂ http://www.unixarea.de/+49-176-38902045
"No wars anymore!" has now changed to "No wars anymore without German troops!"

William Dudley

Mar 23, 2017, 12:00:25 PM3/23/17
to Matthew Seaman, freebsd-...@freebsd.org
To answer your questions:

Yes, I'm using the right .mc file, and yes, I know how to make && make
install && make restart when I make changes to it. (I assume service
sendmail restart has the same effect as "make restart"; it *looks* the
same when I "tail -f /var/log/maillog").

sockstat | grep sendmail
root sendmail 78456 3 dgram -> /var/run/logpriv
root sendmail 78456 4 tcp4 *:25 *:*
root sendmail 78456 5 tcp4 *:465 *:*
root sendmail 78456 6 tcp4 *:587 *:*
smmsp sendmail 78454 3 dgram -> /var/run/log

So that seems reasonable.

sockstat | grep -E ':25\>'

returns line two from above, so that's the same.

/etc/mail/access has a handful of address "OK" and address "ERROR" lines
I added to explicitly block or accept various emailers, and this:

192.168.27.26 RELAY
junkemailfilter.com OK
GreetPause:192.168.27.26 0
GreetPause:localhost 0
GreetPause:localhost.localdomain 0
GreetPause:pascal.junkemailfilter.com 0
srv_features: S

The relay is for my workstation, on the same LAN (obviously).
The GreetPause lines turn off the greeting delay for certain hosts.

AND -- Ah-hah

Hmmm, I don't remember adding any lines that would turn off STARTTLS,
but that's what srv_features: S does.

I'm SURE I didn't add that. I certainly didn't add it recently. Perhaps
it was added by one of the blind alleys I've been sent down ("stunnel"
comes to mind).

So. Fixed. Removed that line, "make && make restart" and now STARTTLS
is a capability of sendmail, *again*.

The phone is still unhappy, but that's another problem.
I declare this thread ended.

Thanks everyone, even the snide Mr. Ohlstein, for their time.

Bill Dudley

This email is free of malware because I run Linux.

On Thu, Mar 23, 2017 at 11:27 AM, Matthew Seaman <mat...@freebsd.org>
wrote:

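An added example, not from the thread or from sendmail itself, that covers Matthew's "telnet to 25 and read the EHLO reply" check together with the srv_features finding above: a POSIX sh script that tests an EHLO reply for an advertised STARTTLS capability and scans an /etc/mail/access-style file for a srv_features entry whose upper-case S tells sendmail not to offer STARTTLS. The nc(1) live probe is an assumption, and all sample data is constructed.

```shell
# Added example, not from the thread or from sendmail. Two checks for the
# situation above: (1) does an EHLO reply advertise STARTTLS, and (2) does an
# /etc/mail/access entry switch it off. In sendmail's access map a srv_features
# value containing upper-case S means "do not offer STARTTLS"; lower-case s
# offers it. All sample data below is constructed.

# Read an EHLO reply on stdin; succeed iff a "250-STARTTLS" or "250 STARTTLS"
# capability line is present (tolerates the CR of a CRLF line ending).
ehlo_has_starttls() {
    grep -Eiq '^250[- ]STARTTLS[[:space:]]*$'
}

# Read an access file on stdin; succeed (printing the offending lines) iff a
# srv_features entry, default or per-client, carries an upper-case S flag.
access_disables_starttls() {
    awk '
        { sub(/#.*/, "") }                 # drop trailing comments
        tolower($1) ~ /^srv_features:/ {   # key is "srv_features:" or "srv_features:host"
            for (i = 2; i <= NF; i++)      # flag letters follow the key
                if ($i ~ /S/) { found = 1; print "STARTTLS disabled by: " $0 }
        }
        END { exit found ? 0 : 1 }
    '
}

# Live probe of a running server (assumes nc(1) is installed; not run here):
#   check_live_ehlo mail.example.org 25
check_live_ehlo() {
    printf 'EHLO probe.invalid\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}" | ehlo_has_starttls
}

# Constructed samples: an EHLO reply without STARTTLS (as seen in the thread),
# one with it, an access file with the stray default entry, and a clean one.
SAMPLE_EHLO_NO_TLS='250-mail.example.org Hello localhost [127.0.0.1], pleased to meet you
250-PIPELINING
250 HELP'
SAMPLE_EHLO_TLS='250-mail.example.org Hello localhost [127.0.0.1], pleased to meet you
250-STARTTLS
250 HELP'
SAMPLE_ACCESS_BAD='192.168.27.26 RELAY
GreetPause:localhost 0
srv_features: S   # default entry: upper-case S = do not offer STARTTLS'
SAMPLE_ACCESS_OK='192.168.27.26 RELAY
Srv_Features:192.168.27.26 s'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_EHLO_NO_TLS" | ehlo_has_starttls || echo "EHLO: STARTTLS not advertised"
    printf '%s\n' "$SAMPLE_ACCESS_BAD" | access_disables_starttls
fi
```

Run it with the argument `demo` to see both checks on the constructed samples; pipe a real EHLO transcript or your own access file into the functions to check a live system.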
RW via freebsd-questions

Mar 23, 2017, 1:05:28 PM3/23/17
to freebsd-...@freebsd.org
On Thu, 23 Mar 2017 12:00:08 -0400
William Dudley wrote:


> Hmmm, I don't remember adding any lines that would turn off STARTTLS,
> but that's what srv_features: S does.
>
> I'm SURE I didn't add that. I certainly didn't add it recently.
> Perhaps it was added
> by one of the blind alleys I've been sent down ("stunnel" comes to
> mind).
>
> So. Fixed. Removed that line, "make && make restart" and now
> STARTTLS is a capability of sendmail, *again*.
>
> The phone is still unhappy, but that's another problem.
> I declare this thread ended.
>
> Thanks everyone, even the snide Mr. Ohlstein, for their time.


If you turned off STARTTLS in the course of the thread, in what you
refer to as "one of the blind alleys", then it seems to me that
Mr. Ohlstein was right all along.

Valeri Galtsev

Mar 23, 2017, 1:17:47 PM3/23/17
to freebsd-...@freebsd.org

Sorry about top posting.

Can we, please, close this thread for good?

It sounds like the OP has no idea what he is talking about. Being able to
observe things and report them to the community is definitely not
sufficient to make the community do system administration of your machine
for you. It is usually assumed that the one asking for help is capable of
doing what he is trying to do and has exhausted all resources in serious
attempts to solve the problem he hit himself before asking others for
help.

No offense intended, all I stated above is just my observation (and as
every human I am prone to making mistakes).

Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

William Dudley

Mar 23, 2017, 1:31:46 PM3/23/17
to Valeri Galtsev, RW, freebsd-...@freebsd.org
I'm terribly sorry that I'm not an absolute expert on every single aspect
of FreeBSD.

But then, if I was, I wouldn't have asked on this list, would I?

I didn't EXPLICITLY turn off STARTTLS. As far as I know, it was turned off
as a side effect of some OTHER installation.

I did what I thought was due diligence by doing extensive googling and
reading all I could find about getting STARTTLS working. NONE of the
references I found, or that others suggested I read, mentioned that
STARTTLS could be turned off in the access file.

I'm a retired software developer (perl on unix and Linux) and a hobby
sysadmin. I've been running FreeBSD for a stupid long time -- certainly
over 10 years, and running my own mail server, web server, etc. for all
that time. But becoming a FreeBSD guru isn't my first priority in life.

I tried my very best to ask an intelligent question, and even if my
explanation for WHY I wanted this to work was amiss, the QUESTION was
valid, and "we" did eventually arrive at THE answer.

Again, thanks to EVERYONE for helping, or attempting to.

Bill Dudley


This email is free of malware because I run Linux.

On Thu, Mar 23, 2017 at 1:17 PM, Valeri Galtsev <gal...@kicp.uchicago.edu>
wrote: