Date: Sat, 21 Oct 2023 05:14:09 +0200
From: Polytropon
To: William Dudley
Cc: freebsd-questions
Subject: Re: sendmail with TLS
Message-Id: <20231021051409.6a06f084.freebsd@edvax.de>
Organization: EDVAX
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Fri, 20 Oct 2023 18:55:56 -0400, William Dudley wrote:
> I'm running FreeBSD 13.2 on i386 on my mail server.
>
> Some time ago, I built sendmail from ports because "stock" sendmail
> didn't support TLS (apologies if I have the wrong terminology).

Your termini technici are correct. :-)

> Is it still true that stock sendmail doesn't support TLS? In other words,
> must I continue to build sendmail from ports if I want START_TLS etc.
> to work?

Why "still"?

The default sendmail configuration (as brought by the OS installation)
does not include TLS capabilities, but the software itself does, and
it does so because the underlying SSL libraries offer it (so it's
not directly part of sendmail itself, rather a "library call").

Check your sendmail build options first:

	# sendmail -d0.1 -bt < /dev/null

It should contain STARTTLS, TLS_EC, TLS_VRFY_PER_CTX.

It might be possible that you need more stuff, such as SASL.
In this case, you need to recompile system sendmail (from
/usr/src, with the appropriate options).

Check https://docs.freebsd.org/en/books/handbook/mail/#SMTP-Auth

In the worst case, use Wireshark to determine TLS problems, such as
"version too low" or "requires additional auth". Also check
your OpenSSL configuration (libssl affected). Determine the
actual problem. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
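
The build-option check described in the message above, as an added example that is not part of the original post: it parses the "Compiled with:" block and lists required options that are absent, matching whole tokens only. The sample output is constructed, and SASLv2 is assumed to be the token a SASL2-enabled build reports.

```shell
#!/bin/sh
# Added example (not from the original message).

# Constructed sample of `sendmail -d0.1 -bt < /dev/null` output; real
# output indents the continuation lines with tabs, handled the same way.
sample_output() {
    cat <<'EOF'
Version 8.17.1
 Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8
    MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB PIPELINING SCANF
    STARTTLS TLS_EC TLS_VRFY_PER_CTX USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
EOF
}

# Read the debug output on stdin, print one compiled-in option per line.
compiled_options() {
    awk '
        function emit(   i) { for (i = 1; i <= NF; i++) print $i }
        /^[ \t]*Compiled with:/ { sub(/^[ \t]*Compiled with:/, ""); inblk = 1; emit(); next }
        inblk && /^[ \t]+[^ \t]/ { emit(); next }   # indented continuation line
        inblk { exit }                              # block ended
    '
}

# Usage: ... | missing_options OPT...
# Prints each required option that is absent; returns 1 if any is missing.
missing_options() {
    have=$(compiled_options)
    rc=0
    for opt in "$@"; do
        # -x -F: exact whole-token match, so "TLS" does not match "STARTTLS"
        if ! printf '%s\n' "$have" | grep -qxF -- "$opt"; then
            printf '%s\n' "$opt"
            rc=1
        fi
    done
    return "$rc"
}

# Options named in the message, plus SASLv2 (assumed token) for SMTP AUTH.
if missing=$(sample_output | missing_options STARTTLS TLS_EC TLS_VRFY_PER_CTX SASLv2); then
    echo "all required options compiled in"
else
    echo "missing: $missing"
fi
```

On a real host, pipe `sendmail -d0.1 -bt < /dev/null` into `missing_options` in place of `sample_output`.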