From: Chris
X-Sender: portmaster@bsdforge.com
To: bob prohaska
Cc: TIM KELLERS, ports@freebsd.org
Date: Sat, 13 Jul 2024 10:40:07 -0700
Subject: Re: Sendmail and TLS, was: Re: Using dma for external incoming mail
Message-ID: <18eeb7650bbc3f4b43ba152e3fa775fb@bsdforge.com>
References: <202407070814.4678Ebdm011129@nuc.oldach.net> <86y16a6x77.fsf@ltc.des.dev> <8caa7e52-d84e-4e9b-8a24-6deee13764f9@quip.cz> <7cedb66b-5573-4a1a-a318-8aeb6d659786@beachpatt.com>
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

On 2024-07-13 09:33, bob prohaska wrote:
> On Wed, Jul 10, 2024 at 12:40:31PM -0400, TIM KELLERS wrote:
>> On 7/10/24 11:49 AM, Miroslav Lachman wrote:
>> >
> [snip]
> STARTTLS is present, but no SASLv2. Does it matter? I'm baffled where the
> reference to bob@www.zefox.net came from, unless it's the MX record.
>
> In the meantime I found a very old "cookbook" for TLS and sendmail at
> https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html
> Is it hopelessly out of date? Certificate and key generation seem
> particularly obscure.

I'm guessing you have:
/etc/mail/pelorus.zefox.org.mc
and
/etc/mail/pelorus.zefox.org.submit.mc
and, as it appears from your message, you also have www.zefox.org as a web server.
I'm going to assume that you also use acme certs (letsencrypt). If so, you can use those same certs for your MX.
To do so, your /etc/mail/pelorus.zefox.org.mc would also need to contain something like:

define(`CERT_DIR', `/etc/mail/certs')
define(`confSERVER_CERT', `CERT_DIR/cert.pem')
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')
define(`confCACERT', `CERT_DIR/chain.pem')
define(`confCACERT_PATH', `/usr/local/etc/ssl/ROOT')
define(`confDH_PARAMETERS', `1')

In order for the above to work, you'll need to copy the certs assigned to your web server to /etc/mail/certs/
It's important that the creation of the certs dir and its contents have the correct perms. The certs need to be 0400.

> The plan is to test on pelorus.zefox.org, when TLS works rename the
> host to www.zefox.net after migrating user files. I'm guessing this
> will require a repeat of sendmail/TLS configuration. Is that right?
>
> It's been suggested elsewhere that postfix is a better MTA these days.
> I've no deep preference for sendmail, might postfix be easier, or at
> least more accessibly documented?
>
> Thank you very much!
>
> bob prohaska

--
--Chris Hutchinson
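An added example (not part of Chris's message) of the copy step he describes: a POSIX sh script that installs the three acme files into the CERT_DIR from the .mc snippet, enforces the 0400 permissions, and checks that the private key belongs to the certificate. The letsencrypt "live" source path, uid 0 as the owner, and the availability of openssl(1) for the key check are assumptions.

```shell
# install_mail_certs SRC DST
# Copies cert.pem, privkey.pem and chain.pem from the acme "live" directory SRC
# (assumed path, e.g. /usr/local/etc/letsencrypt/live/pelorus.zefox.org) into
# DST, the CERT_DIR of the .mc snippet, then locks every file to mode 0400.
install_mail_certs() {
    src=$1; dst=$2
    ( umask 077                      # new files/dirs are born closed, no 0644 window
      mkdir -p "$dst" && chmod 0700 "$dst" || exit 1
      for f in cert.pem privkey.pem chain.pem; do
          [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; exit 1; }
          # plain cp dereferences the symlinks found in a letsencrypt live/ dir
          cp "$src/$f" "$dst/$f" && chmod 0400 "$dst/$f" || exit 1
      done ) || return 1
    # The sendmail daemon runs as root, so root (uid 0) should own the 0400
    # files; chown only when this script itself runs as root.
    if [ "$(id -u)" -eq 0 ]; then chown -R 0:0 "$dst" || return 1; fi
    verify_mail_certs "$dst"
}

# verify_mail_certs DST: succeed only if all three files exist with mode 0400
# (sendmail reports a key file as unsafe when it is group- or world-readable).
verify_mail_certs() {
    dst=$1
    for f in cert.pem privkey.pem chain.pem; do
        # -perm 0400 is an exact-mode match on both BSD and GNU find
        [ -n "$(find "$dst/$f" -type f -perm 0400 2>/dev/null)" ] || {
            echo "$dst/$f is missing or not mode 0400" >&2; return 1
        }
    done
    return 0
}

# key_matches_cert DST: the public key inside cert.pem must equal the public
# key derived from privkey.pem (works for RSA and EC keys). Needs openssl(1).
key_matches_cert() {
    dst=$1
    cert_pub=$(openssl x509 -noout -pubkey -in "$dst/cert.pem") || return 1
    key_pub=$(openssl pkey -pubout -in "$dst/privkey.pem") || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

Run it as root after each certificate renewal (for example from a deploy hook), then restart sendmail so it re-reads the new files.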