Sendmail and STARTTLS

Peter Jeremy peter at rulingia.com
Tue Nov 29 18:49:32 UTC 2016


Quick overview:
On 2016-Nov-28 13:16:10 -0500, George Mitchell <george+freebsd at m5p.com> wrote:
>Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
>	by mailhost.m5p.com (8.15.2/8.15.2) with ESMTPS id uARD0t70051256
>	(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
>	for <george+freebsd at m5p.com>; Sun, 27 Nov 2016 08:01:01 -0500 (EST)
>	(envelope-from owner-freebsd-hackers at freebsd.org)

This means that you are receiving mail from FreeBSD.org using TLS
(the "version=... cipher=..." means TLS is active) but your sendmail
cannot verify that the certificate presented by FreeBSD.org is valid
(verify=FAIL).  You need to install a set of hashed root certificates
in the directory specified by confCACERT_PATH.

Received: from mailhost.m5p.com (mailhost.m5p.com [IPv6:2001:418:3fd::f7])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (Client CN "m5p.com", Issuer "Let's Encrypt Authority X3" (verified
        OK))
        by mx1.freebsd.org (Postfix) with ESMTPS id E7C2F1897
        for <freebsd-hackers at FreeBSD.org>; Mon, 28 Nov 2016 18:16:17 +0000
        (UTC)
        (envelope-from george+freebsd at m5p.com)
This says that mx1.freebsd.org received your mail via TLS and has validated
your certificate.

>What am I doing wrong?  How can I enter VERIFY=YES nirvana?  -- George

Note that you want "verify=OK", not YES.  Have a read of the STARTTLS
section of /usr/share/sendmail/cf/README

-- 
Peter Jeremy
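The two Received: headers discussed above carry the TLS facts in different MTA-specific clauses: sendmail writes "(version=... cipher=... bits=... verify=...)", Postfix writes "(using ... with cipher ... (n/n bits))" followed by a client-certificate clause. The script below is an added example, not code from the message or from the sendmail or Postfix projects. It unfolds a header, extracts the TLS version, cipher, key size and verification status for either format, and maps sendmail's verify= value to its meaning as listed in the STARTTLS section of cf/README. The sample headers are the two quoted in the message (with the archive's " at " obfuscation left in place) plus one constructed plaintext hop; the Postfix "not verified" alternative and the "(No client certificate ...)" handling are assumptions about Postfix's header format, not something shown on this page.

```python
import re

# Sendmail ${verify} macro values, as documented in the STARTTLS section of
# /usr/share/sendmail/cf/README.  Only "OK" means the peer certificate chained
# to a trusted root under confCACERT_PATH.
SENDMAIL_VERIFY = {
    "OK": "verification succeeded",
    "NO": "no certificate presented",
    "NOT": "no certificate requested",
    "FAIL": "certificate presented but could not be verified (e.g. signing CA missing)",
    "NONE": "STARTTLS not performed",
    "TEMP": "temporary error during verification",
    "PROTOCOL": "protocol error",
    "SOFTWARE": "STARTTLS handshake failed",
}

# sendmail: "(version=TLSv1.2 cipher=... bits=256 verify=FAIL)"
SENDMAIL_TLS = re.compile(
    r"\(version=(?P<version>\S+) cipher=(?P<cipher>\S+) bits=(?P<bits>\d+) verify=(?P<verify>[A-Z]+)\)"
)
# Postfix: "(using TLSv1.2 with cipher ... (128/128 bits))"
POSTFIX_TLS = re.compile(
    r"\(using (?P<version>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)\)"
)
# Postfix client-certificate clause.  The "not verified" alternative is an
# assumption about Postfix's header format; it does not appear on the page.
POSTFIX_CERT = re.compile(
    r'\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)" \((?P<status>verified OK|not verified)\)\)'
)


def unfold(header):
    """Join a folded (multi-line) Received: header into a single line."""
    return " ".join(part.strip() for part in header.splitlines() if part.strip())


def parse_received(header):
    """Return the TLS facts one Received: header records about one hop.

    'tls' says whether STARTTLS was active on the hop; 'verified' is True only
    when the receiving MTA actually validated the peer certificate.  Both are
    False for a plaintext hop.
    """
    line = unfold(header)
    info = {"mta": "unknown", "tls": False, "version": None, "cipher": None,
            "bits": None, "verify": None, "verified": False, "peer_cn": None}

    m = SENDMAIL_TLS.search(line)
    if m:
        info.update(mta="sendmail", tls=True, version=m["version"],
                    cipher=m["cipher"], bits=int(m["bits"]),
                    verify=m["verify"], verified=(m["verify"] == "OK"))
        return info

    m = POSTFIX_TLS.search(line)
    if m:
        info.update(mta="postfix", tls=True, version=m["version"],
                    cipher=m["cipher"], bits=int(m["bits"]))
        c = POSTFIX_CERT.search(line)
        if c:
            info.update(verify=c["status"], peer_cn=c["cn"],
                        verified=(c["status"] == "verified OK"))
        else:
            info["verify"] = "no client certificate"  # assumed Postfix wording
        return info

    # No TLS clause at all: "with ESMTP" rather than "with ESMTPS".
    if "(Postfix)" in line:
        info["mta"] = "postfix"
    elif re.search(r"\(8\.\d+\.\d+/8\.\d+\.\d+\)", line):  # sendmail version pair
        info["mta"] = "sendmail"
    return info


def explain(header):
    """One-line verdict for a hop, in the terms the reply above uses."""
    info = parse_received(header)
    if not info["tls"]:
        return "no TLS on this hop (plaintext)"
    verdict = "certificate verified" if info["verified"] else "certificate NOT verified"
    detail = info["verify"]
    if info["mta"] == "sendmail":
        detail = "verify=%s: %s" % (info["verify"],
                                    SENDMAIL_VERIFY.get(info["verify"], "unknown value"))
    return "TLS active (%s, %s, %d bits); %s (%s)" % (
        info["version"], info["cipher"], info["bits"], verdict, detail)


# Sample headers: the first two are the ones quoted in the message above; the
# third is constructed here to show a plaintext (no STARTTLS) hop.
SENDMAIL_FAIL = """Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
    by mailhost.m5p.com (8.15.2/8.15.2) with ESMTPS id uARD0t70051256
    (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
    for <george+freebsd at m5p.com>; Sun, 27 Nov 2016 08:01:01 -0500 (EST)
    (envelope-from owner-freebsd-hackers at freebsd.org)"""

POSTFIX_OK = """Received: from mailhost.m5p.com (mailhost.m5p.com [IPv6:2001:418:3fd::f7])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (Client CN "m5p.com", Issuer "Let's Encrypt Authority X3" (verified
        OK))
        by mx1.freebsd.org (Postfix) with ESMTPS id E7C2F1897
        for <freebsd-hackers at FreeBSD.org>; Mon, 28 Nov 2016 18:16:17 +0000
        (UTC)
        (envelope-from george+freebsd at m5p.com)"""

PLAINTEXT = """Received: from example.invalid (example.invalid [192.0.2.10])
    by mailhost.m5p.com (8.15.2/8.15.2) with ESMTP id AAAAAAAAAAAAAA
    for <george+freebsd at m5p.com>; Mon, 28 Nov 2016 12:00:00 -0500 (EST)"""

if __name__ == "__main__":
    for h in (SENDMAIL_FAIL, POSTFIX_OK, PLAINTEXT):
        print(explain(h))
```

Run it over your own mail and grep for anything other than verify=OK on hops you expect to be authenticated; note that "verify=NO" or "NOT" with TLS active still means the transport was encrypted but the peer was never identified, which is the same practical exposure as the verify=FAIL case in the thread.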