Sendmail and STARTTLS
Peter Jeremy
peter at rulingia.com
Tue Nov 29 18:49:32 UTC 2016
Quick overview:
On 2016-Nov-28 13:16:10 -0500, George Mitchell <george+freebsd at m5p.com> wrote:
>Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
> by mailhost.m5p.com (8.15.2/8.15.2) with ESMTPS id uARD0t70051256
> (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
> for <george+freebsd at m5p.com>; Sun, 27 Nov 2016 08:01:01 -0500 (EST)
> (envelope-from owner-freebsd-hackers at freebsd.org)
This means that you are receeiving mail from FreeBSD.org using TLS
(the "version=... cipher=..." means TLS is active) but your sendmail
cannot verify that the certificate presented by FreeBSD.org is valid
(verify=FAIL). You need to install a set of hashed root certificates
in the direectory specified by confCACERT_PATH.
Received: from mailhost.m5p.com (mailhost.m5p.com [IPv6:2001:418:3fd::f7])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(Client CN "m5p.com", Issuer "Let's Encrypt Authority X3" (verified
OK))
by mx1.freebsd.org (Postfix) with ESMTPS id E7C2F1897
for <freebsd-hackers at FreeBSD.org>; Mon, 28 Nov 2016 18:16:17 +0000
(UTC)
(envelope-from george+freebsd at m5p.com)
This says that mx1.freebsd.org received your mail via TLS and has validated
your certificate.
>What am I doing wrong? How can I enter VERIFY=YES nirvana? -- George
Note that you want "verify=OK", not YES. Have a read of the STARTTLS
section of /usr/share/sendmail/cf/README
--
Peter Jeremy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20161130/5b296612/attachment.sig>
More information about the freebsd-hackers
mailing list