Re: Sendmail and TLS, was: Re: Using dma for external incoming mail
- In reply to: bob prohaska : "Sendmail and TLS, was: Re: Using dma for external incoming mail"
Date: Sat, 13 Jul 2024 17:40:07 UTC
On 2024-07-13 09:33, bob prohaska wrote:
> On Wed, Jul 10, 2024 at 12:40:31PM -0400, TIM KELLERS wrote:
>> On 7/10/24 11:49 AM, Miroslav Lachman wrote:
>>
> [snip]
> STARTTLS is present, but no SASLv2. Does it matter? I'm baffled where the
> reference to bob@www.zefox.net came from, unless it's the MX record.
>
> In the meantime I found a very old "cookbook" for TLS and sendmail at
> https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html
> Is it hopelessly out of date? Certificate and key generation seem
> particularly obscure.

I'm guessing you have:

/etc/mail/pelorus.zefox.org.mc

and

/etc/mail/pelorus.zefox.org.submit.mc

and as it appears from your message, you also have www.zefox.org as a web
server. I'm going to assume that you also use acme certs (letsencrypt). If
so, you can use those same certs for your MX. To do so, your
/etc/mail/pelorus.zefox.org.mc would also need to contain something like:

define(`CERT_DIR', `/etc/mail/certs')
define(`confSERVER_CERT', `CERT_DIR/cert.pem')
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')
define(`confCACERT', `CERT_DIR/chain.pem')
define(`confCACERT_PATH', `/usr/local/etc/ssl/ROOT')
define(`confDH_PARAMETERS', `1')

In order for the above to work, you'll need to copy the certs assigned to
your web server to /etc/mail/certs/

It's important that the creation of the certs dir and its contents have the
correct perms. The certs need to be 0400.

> The plan is to test on pelorus.zefox.org, when TLS works rename the
> host to www.zefox.net after migrating user files. I'm guessing this
> will require a repeat of sendmail/TLS configuration. Is that right?
>
> It's been suggested elsewhere that postfix is a better MTA these days.
> I've no deep preference for sendmail, might postfix be easier, or at
> least more accessibly documented?
>
> Thank you very much!
>
> bob prohaska

--
--Chris Hutchinson
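As an added example, not code from the thread or from the sendmail project, the following POSIX sh helper does the staging step Chris describes: it copies the three ACME files into sendmail's CERT_DIR, sets each to 0400, and verifies the result so a wrong mode is caught before sendmail is restarted. The source directory, the file names cert.pem/privkey.pem/chain.pem (chosen to match the m4 defines in the reply), and the function names are assumptions; the demo at the bottom runs on constructed placeholder files, not real keys.

```shell
#!/bin/sh
# Added example (not part of the original thread). Stage ACME certificate
# files into sendmail's CERT_DIR with 0400 permissions and verify them.
# Assumed layout: SRC_DIR holds cert.pem, privkey.pem and chain.pem, the
# same names used in the confSERVER_CERT/confSERVER_KEY/confCACERT defines.

CERT_FILES="cert.pem privkey.pem chain.pem"

# install_mail_certs SRC_DIR DEST_DIR
# Copies the cert files and locks each one down to 0400 (owner read only).
# Run as root on the real host so the files end up root-owned, which is
# what sendmail expects when it reads them at startup.
install_mail_certs() {
    src="$1"
    dst="$2"
    mkdir -p "$dst" || return 1
    chmod 0755 "$dst" || return 1   # directory must not be group/world writable
    for f in $CERT_FILES; do
        if [ ! -r "$src/$f" ]; then
            echo "install_mail_certs: missing $src/$f" >&2
            return 1
        fi
        cp "$src/$f" "$dst/$f" || return 1
        chmod 0400 "$dst/$f" || return 1
    done
    return 0
}

# check_mail_certs DEST_DIR
# Returns 0 only when every cert file exists and its mode is exactly 0400,
# i.e. "ls -l" shows "-r--------". Uses ls rather than stat because the
# stat flags differ between BSD and GNU userlands.
check_mail_certs() {
    dst="$1"
    for f in $CERT_FILES; do
        [ -f "$dst/$f" ] || return 1
        mode=$(ls -ld "$dst/$f" | cut -c1-10)
        if [ "$mode" != "-r--------" ]; then
            echo "check_mail_certs: $dst/$f has mode $mode, expected -r--------" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone demo on constructed placeholder files (not real certificates).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/acme"
for f in $CERT_FILES; do
    printf 'constructed placeholder for %s\n' "$f" > "$demo_dir/acme/$f"
done
if install_mail_certs "$demo_dir/acme" "$demo_dir/certs" \
   && check_mail_certs "$demo_dir/certs"; then
    echo "demo: staged $CERT_FILES with 0400 perms under $demo_dir/certs"
fi
rm -rf "$demo_dir"
```

On the real host the call would be `install_mail_certs /path/to/acme/output /etc/mail/certs` as root, followed by a sendmail restart; because ACME certificates are short-lived, the same two functions belong in the renewal hook so the MX copy does not silently expire while the web server's copy is renewed. `openssl s_client -starttls smtp -connect pelorus.zefox.org:25` then shows whether the server offers and completes STARTTLS with the new chain.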