Re: help needed getting sendmail+STARTTLS working on FreeBSD 12 or 13

From: William Dudley <wfdudley_at_gmail.com>
Date: Fri, 10 Feb 2023 15:06:08 UTC
Peter,

Thanks for the tip about "sendmail -d0.1".  I did that with both "base"
sendmail and ports sendmail, and got this:

base sendmail:

Version 8.16.1
 Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
                MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PIPELINING SCANF STARTTLS TCPWRAPPERS TLS_EC TLS_VRFY_PER_CTX
                USERDB XDEBUG

ports sendmail:

Version 8.17.1
 Compiled with: DANE DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
                MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PICKY_HELO_CHECK PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
                TLS_EC TLS_VRFY_PER_CTX USERDB XDEBUG

So despite various claims on "the internet", base sendmail IS compiled with
STARTTLS.  What is missing in the base version is SASLv2.

So, one mystery solved.  I still can't get STARTTLS to "work", but I
understand a little more.

As to permissions: as stated in the original email, I was getting a
permissions complaint from sendmail until I made some of the cert files 600.

Bill Dudley


On Fri, Feb 10, 2023 at 5:19 AM <list-freebsd-questions@jyborn.se> wrote:

> Hello!
>
> I'm no expert, but I think your configuration below looks fine.
>
> You have the [x] on TLS, and your mc define lines are identical
> to mine (except different path in CERT_DIR), and I also use
> LetsEncrypt. I don't remember doing anything else than that
> to get STARTTLS working.
>
> What do you see with "/usr/local/sbin/sendmail -d0.1"?
> Do you see STARTTLS in the "Compiled with" lines?
> If you do, then double check that you are running the sendmail
> from ports and not from base.
> (But I don't think that ports sendmail is necessary, I think
> that base sendmail also has the TLS option compiled in.)
>
> Could possibly be a permissions thing.
> My CERT_DIR is 700 root:wheel and the cert files in it are 600 root:wheel.
>
> Peter Olsson
>
> On Thu, Feb 09, 2023 at 08:21:28PM -0500, William Dudley wrote:
> > I cannot get STARTTLS to "work", and all the tutorials I find on the web
> > seem to be using FreeBSD 4 or 5?  I've been running my own mail server for
> > perhaps 15 or 20 years now, so I've been working with sendmail for
> > a long time.
> >
> > PLEASE do not suggest I switch to postfix or one of the MTAs.  I know
> > sendmail and have lots of configuration established, and I don't
> > want to go through that learning curve all over again.
> >
> > So, to the problem at hand.  I've done lots of googling and reading, and
> > this is what I've done:
> >
> > I think I understand that one must build sendmail from ports because
> > the sendmail from pkg does not have TLS compiled in.  (Why the hell not,
> > I don't know).
> >
> > I have both a 12.3-RELEASE-p6 machine and a 13.1-RELEASE-p3 machine,
> > and both act identically badly.
> >
> > I downloaded the latest ports tree (using git) and ran "make config",
> > which presents these options:
> >
> >
> > sendmail-8.17.1_6
> >
> >   [x] SHMEM            System V shared memory support
> >   [x] SEM              POSIX semaphores support
> >   [x] LA               load averages support
> >   [x] NIS              Network Information Services/YP support
> >   [x] IPV6             IPv6 protocol support
> >   [x] TLS              SMTP-TLS and SMTPS support
> >   [x] DANE             Enable DANE support
> >   [x] SASL             SASL authentication support
> >   [x] SASLAUTHD        SASLAUTHD support
> >   [ ] LDAP             LDAP protocol support
> >   [ ] BDB              Berkeley DB version 4+ support
> >   [ ] GDBM             GNU dbm library support (option COMPAT needed)
> >   [ ] SOCKETMAP        Enable socketmap feature
> >   [ ] CYRUSLOOKUP      Enable cyruslookup feature
> >   [x] BLACKLISTD       Enable blacklistd support
> >   [ ] SMTPUTF8         Enable unicode address support
> >   [x] PICKY_HELO_CHECK Enable picky HELO check
> >   [x] MILTER           Enable milter support
> >   [ ] MTA_STS          Enable MTA-STS support (option SOCKETMAP and T
> >   [ ] TLS_CERT_CHAIN   Enable certificate chain file support (incompa
> >   [x] DOCS             Build and/or install documentation
> >
> >                        <  OK  >           <Cancel>
> >
> > I didn't change any options.  Should I have?
> > Then, of course, "make" and "make install", and then follow the
> > instructions that are printed out at the conclusion of the last step.
> >
> > Next, in my freebsd.mc file, I added this:
> >
> > define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/my-site-name.com')dnl
> > define(`confCACERT_PATH', `CERT_DIR')dnl
> > define(`confCACERT', `CERT_DIR/chain.pem')dnl
> > define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
> > define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
> > define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl
> >
> > (except of course, I changed "my-site-name.com" to the actual directory
> > where my certs are)
> > (I've been using letsencrypt since late 2017 to generate certificates for
> > the few websites I host.)
> >
> > I changed mailer.conf (both copies) to this:
> >
> > sendmail        /usr/local/sbin/sendmail
> > send-mail       /usr/local/sbin/sendmail
> > mailq           /usr/local/sbin/sendmail
> > newaliases      /usr/local/sbin/sendmail
> > hoststat        /usr/local/sbin/sendmail
> > purgestat       /usr/local/sbin/sendmail
> >
> > So that the sendmail from ports is chosen.
> >
> > I run "make" in the /etc/mail directory, and "make stop" and "make start"
> > to restart sendmail.
> > I found that I had to "chmod 600 privkey.pem" to get sendmail to not
> > complain about that file being group readable:
> >
> > Feb  9 19:51:39 my-site sm-mta[38802]: STARTTLS=client: file
> > /usr/local/etc/letsencrypt/live/my-site-name.com-0001/privkey.pem unsafe: Group readable file
> >
> > when I run this test:
> >
> > openssl s_client -connect localhost:25 -starttls smtp -showcerts
> >
> > I get this response, showing that STARTTLS isn't announced.
> >
> > CONNECTED(00000003)
> > Didn't find STARTTLS in server response, trying anyway...
> > 547012608:error:1408F10B:SSL routines:ssl3_get_record:wrong version
> > number:ssl/record/ssl3_record.c:332:
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 323 bytes and written 326 bytes
> > Verification: OK
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > Early data was not sent
> > Verify return code: 0 (ok)
> > ---
> >
> > If I telnet into my server, I see this:
> >
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 mail.casano.com ESMTP Sendmail 8.17.1/8.17.1; Thu, 9 Feb 2023 18:36:46 -0500 (EST)
> > ehlo m2.casano.com
> > 250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
> > 250-ENHANCEDSTATUSCODES
> > 250-PIPELINING
> > 250-8BITMIME
> > 250-SIZE
> > 250-DSN
> > 250-ETRN
> > 250-AUTH PLAIN LOGIN
> > 250-DELIVERBY
> > 250 HELP
> > quit
> >
> > So no announcement of STARTTLS there, either.  The sendmail version is
> > the one from ports.  The "stock" version is 8.16.1, as seen here from an
> > earlier test before I enabled the ports version:
> >
> > 220 mail.casano.com ESMTP Sendmail 8.16.1/8.16.1; Wed, 8 Feb 2023 16:34:35 -0500 (EST)
> >
> > I do see this in /var/log/maillog:
> >
> > Feb  9 19:51:14 my-site sm-mta[38691]: STARTTLS=client, relay=aero4.stememail.com,
> > version=TLSv1.3, verify=FAIL, cipher=TLS_AES_128_GCM_SHA256, bits=128/128
> >
> > which looks promising, but then why do the other tests not show STARTTLS
> > present?
> >
> > I think this recitation includes all the changes I made to try to get
> > this working.
> > What am I missing?  Are there any tutorials written in this decade for
> > doing this?
> >
> > If you want to poke at my mail server, feel free:  mail.casano.com
> >
> > Thanks,
> > Bill Dudley
> > New Jersey, USA
> >
> > This email is free of malware because I run Linux.
>
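As an added example (not code from the thread, from sendmail or from FreeBSD), the Python probe below does what the openssl s_client and telnet tests in the thread do by hand: it parses the EHLO extension list, reports whether STARTTLS is offered, and only then negotiates TLS, so an MTA that never advertises STARTTLS is reported as exactly that instead of as openssl's "wrong version number" error. It also contains the file-mode check behind the "unsafe: Group readable file" log line. The first sample EHLO reply is constructed from the telnet output Bill posted; the second sample with a STARTTLS line, the localhost:25 defaults, and the wording of the world-readable/writable reasons are assumptions.

```python
"""Check whether an SMTP server really offers STARTTLS, and why sendmail
refuses a key file.  Added example for this thread; not code from the
thread, from sendmail or from FreeBSD."""
import os
import smtplib
import ssl
import stat
from typing import Dict, List, Optional

# Constructed sample: the EHLO reply from Bill's telnet session, which
# announces AUTH but no STARTTLS.
SAMPLE_EHLO_NO_TLS = """\
250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN
250-DELIVERBY
250 HELP"""

# Assumed: the same reply once the MTA advertises STARTTLS (not on the page).
SAMPLE_EHLO_WITH_TLS = SAMPLE_EHLO_NO_TLS.replace("250-ETRN", "250-STARTTLS\n250-ETRN")


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Turn a raw multi-line EHLO reply into {KEYWORD: [params]}.

    The first 250- line is the greeting and carries no extension; each later
    line is "250-KEYWORD [params]" or, for the last one, "250 KEYWORD".
    Keywords are upper-cased because RFC 5321 makes them case-insensitive.
    """
    extensions: Dict[str, List[str]] = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError(f"not an EHLO success line: {line!r}")
        body = line[4:].strip()          # strip "250-" / "250 "
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params.split()
    return extensions


def advertises_starttls(reply: str) -> bool:
    """True if the EHLO reply lists STARTTLS (what openssl -starttls smtp needs)."""
    return "STARTTLS" in parse_ehlo(reply)


def probe_starttls(host: str = "localhost", port: int = 25, timeout: float = 10.0) -> dict:
    """Live probe: EHLO, and only if STARTTLS is offered, negotiate TLS.

    Unlike 'openssl s_client -starttls smtp', which forces the handshake and
    prints 'wrong version number' when the server never offered TLS, this
    reports the missing extension directly.  Verification is off because it
    is a diagnostic, not a mail client.  Host/port are assumed defaults.
    """
    result = {"starttls": False, "tls_version": None, "cipher": None, "extensions": []}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["extensions"] = sorted(k.upper() for k in smtp.esmtp_features)
        if not smtp.has_extn("starttls"):
            return result
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        smtp.starttls(context=ctx)
        smtp.ehlo()                      # RFC 3207: re-EHLO after STARTTLS
        result["starttls"] = True
        result["tls_version"] = smtp.sock.version()
        result["cipher"] = smtp.sock.cipher()[0]
    return result


def mode_problem(mode: int) -> Optional[str]:
    """Why sendmail's file-safety check would reject a key with this mode.

    'Group readable file' is the wording from the maillog line in the thread;
    the other three strings follow the same pattern and are assumptions.
    Returns None when group and others have no read or write bits (0600).
    """
    if mode & stat.S_IRGRP:
        return "Group readable file"
    if mode & stat.S_IROTH:
        return "World readable file"
    if mode & stat.S_IWGRP:
        return "Group writable file"
    if mode & stat.S_IWOTH:
        return "World writable file"
    return None


def key_file_problem(path: str) -> Optional[str]:
    """Same check against a real file, e.g. CERT_DIR/privkey.pem."""
    return mode_problem(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    print("sample advertises STARTTLS:", advertises_starttls(SAMPLE_EHLO_NO_TLS))
    print(probe_starttls())              # needs a listening MTA on localhost:25
```

Run it against the MTA with `python3 probe.py`; if `starttls` comes back False while `sendmail -d0.1` lists STARTTLS, the build is fine and the problem is in the running configuration (the wrong binary, the cert/key options not in the generated .cf, or sendmail refusing the cert files), which is exactly the split the thread is trying to make.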