Sendmail and STARTTLS
George Mitchell
george+freebsd at m5p.com
Mon Nov 28 19:19:17 UTC 2016
On 11/28/16 13:35, Gregory Shapiro wrote:
>> Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
>> by mailhost.m5p.com (8.15.2/8.15.2) with ESMTPS id uARD0t70051256
>> (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
>> for <george+freebsd at m5p.com>; Sun, 27 Nov 2016 08:01:01 -0500 (EST)
>> (envelope-from owner-freebsd-hackers at freebsd.org)
>>
>> (When I used the default values, ssl-tools accused me of using a
>> weak protocol, so I started experimenting with values gleaned from
>> around the net, to no avail so far.)
>>
>> What am I doing wrong? How can I enter VERIFY=YES nirvana? -- George
>
> Verification is via these settings. You'll need a populated set of root certificates in the directory you pick.
>
> M4 Variable Name Configuration [Default] & Description
> ================ ============= =======================
> confCACERT_PATH CACertPath [undefined] Path to directory with
> certificates of CAs which must contain
> their hashes as filenames or links.
> confCACERT CACertFile [undefined] File containing at least
> one CA certificate.
Like this?
define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/m5p.com')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/chain.pem')
define(`confSERVER_CERT', `CERT_DIR/cert.pem')
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')
>
> Finally, review section 6.6.1 of op.me:
>
> % gunzip -c /usr/share/doc/smm/08.sendmailop/paper.ascii.gz | less
> [...]
Rechecking this now ... -- George
More information about the freebsd-hackers
mailing list