Sendmail and STARTTLS
George Mitchell
george+freebsd at m5p.com
Tue Nov 29 19:37:17 UTC 2016
On 11/29/16 13:49, Peter Jeremy wrote:
> Quick overview:
> On 2016-Nov-28 13:16:10 -0500, George Mitchell <george+freebsd at m5p.com> wrote:
>> Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
>> by mailhost.m5p.com (8.15.2/8.15.2) with ESMTPS id uARD0t70051256
>> (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
>> for <george+freebsd at m5p.com>; Sun, 27 Nov 2016 08:01:01 -0500 (EST)
>> (envelope-from owner-freebsd-hackers at freebsd.org)
>
> This means that you are receeiving mail from FreeBSD.org using TLS
> (the "version=... cipher=..." means TLS is active) but your sendmail
> cannot verify that the certificate presented by FreeBSD.org is valid
> (verify=FAIL). You need to install a set of hashed root certificates
> in the direectory specified by confCACERT_PATH.
>
> Received: from mailhost.m5p.com (mailhost.m5p.com [IPv6:2001:418:3fd::f7])
> (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
> (Client CN "m5p.com", Issuer "Let's Encrypt Authority X3" (verified
> OK))
> by mx1.freebsd.org (Postfix) with ESMTPS id E7C2F1897
> for <freebsd-hackers at FreeBSD.org>; Mon, 28 Nov 2016 18:16:17 +0000
> (UTC)
> (envelope-from george+freebsd at m5p.com)
>
> This says that mx1.freebsd.org received your mail via TLS and has validated
> your certificate.
>
>> What am I doing wrong? How can I enter VERIFY=YES nirvana? -- George
>
> Note that you want "verify=OK", not YES. Have a read of the STARTTLS
> section of /usr/share/sendmail/cf/README
>
Thanks for the help! -- George
More information about the freebsd-hackers
mailing list