# Sendmail and STARTTLS with AUTH



## qsecofr (Jul 21, 2015)

Hi, I've followed handbook instructions in chapter 28.9 to enable authentication - and it works as expected.  Using examples found with Google, I've tried enabling STARTTLS.  But I've obviously missed a configuration step somewhere.


```
1061 root@myhost:/etc/mail # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 myhost.my.net ESMTP Sendmail 8.14.7/8.14.5; Tue, 21 Jul 2015 14:58:09 -0700 (PDT)
EHLO localhost
250-myhost.my.net Hello root@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
```


```
# tail -13 myhost.mc
dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl TLS options
define('CERT_DIR', '/etc/mail/certs')dnl
define('confCACERT_PATH', 'CERT_DIR')dnl
define('confCACERT', 'CERT_DIR/cacert.pem')dnl
define('confSERVER_CERT', 'CERT_DIR/smtp_cert.pem')dnl
define('confSERVER_KEY', 'CERT_DIR/smtp_key.pem')dnl
define('confCLIENT_CERT', 'CERT_DIR/smtp_cert.pem')dnl
define('confCLIENT_KEY', 'CERT_DIR/smtp_key.pem')dnl
```

I expected 

```
# cd /etc/mail; make install restart
```
would enable the options in the resulting *.cf file.


```
# CA directory
#O CACertPath
# CA file
#O CACertFile
# Server Cert
#O ServerCertFile
# Server private key
#O ServerKeyFile
# Client Cert
#O ClientCertFile
# Client private key
#O ClientKeyFile
# File containing certificate revocation lists
#O CRLFile
# DHParameters (only required if DSA/DH is used)
#O DHParameters
# Random data source (required for systems without /dev/urandom under OpenSSL)
#O RandFile
```

But, apparently it didn't.  In /etc/mail/freebsd.cf the options are similarly commented out.  Does /etc/mail/freebsd.mc require editing, or am I barking up the wrong tree?


----------



## wblock@ (Jul 22, 2015)

The first time you run `make` it creates a file called _hostname_.mc.  That is, the name of the host followed by .mc.  Edit that, then build and run with `make all install restart`.


----------



## qsecofr (Jul 22, 2015)

Update: by increasing the log level I found the following logged to /var/log/maillog

```
sendmail[27562]: STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/mail/certs/smtp_key.pem) failed
```

Googling led me to a couple of different sites that suggested sendmail could not open the private key file due to it being passphrase protected.  And ultimately I turned up the following URL that concisely listed the certificate & key generation and sendmail config instructions.
https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html

A subsequent re-install and restart later:

```
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 myhost.my.net ESMTP Sendmail 8.14.7/8.14.5; Tue, 21 Jul 2015 23:54:16 -0700 (PDT)
EHLO localhost
250-myhost.my.net Hello root@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
```

Next step: test with an actual email client, and verify that the password sent at authentication is in fact encrypted.


----------
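
A way to check the last point of the post above, as an added example that is not part of the thread: parse EHLO replies shaped like the ones pasted in it and flag password-bearing AUTH mechanisms (PLAIN, LOGIN) that are offered before STARTTLS; `probe_live` does the same against a running server with smtplib and assumes localhost:25. The `p` flag of sendmail's `confAUTH_OPTIONS` that the findings point to restricts those mechanisms to a TLS-protected session.

```python
import smtplib
import ssl

PASSWORD_MECHS = {"PLAIN", "LOGIN"}   # these carry the password itself (base64 only)

# Constructed sample, shaped like the post-fix EHLO reply in the thread
SAMPLE_EHLO = """\
250-myhost.my.net Hello root@localhost [127.0.0.1], pleased to meet you
250-AUTH DIGEST-MD5 LOGIN PLAIN
250-STARTTLS
250 HELP
"""

def parse_ehlo(reply):
    """Turn a raw EHLO reply (250-/250 prefixed lines) into {KEYWORD: [params]}."""
    exts, first = {}, True
    for line in reply.splitlines():
        if not line.startswith("250"):
            continue                      # skip greeting / echoed commands
        if first:                         # "250-host Hello ..." is not an extension
            first = False
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        exts[keyword.upper()] = params.split()
    return exts

def audit(before_tls, after_tls=None):
    """Findings from extension maps captured before and (optionally) after STARTTLS."""
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not offered")
    leaked = PASSWORD_MECHS & set(before_tls.get("AUTH", []))
    if leaked:
        findings.append("cleartext AUTH offers " + " ".join(sorted(leaked))
                        + "; add 'p' to confAUTH_OPTIONS to restrict them to TLS")
    if after_tls is not None and not after_tls.get("AUTH"):
        findings.append("no AUTH offered after STARTTLS")
    return findings

def probe_live(host="localhost", port=25, cafile=None):
    """Run audit() against a real server; cafile is the CA of a self-signed cert."""
    features = lambda s: {k.upper(): v.split() for k, v in s.esmtp_features.items()}
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = features(s)              # what a passive observer could see
        s.starttls(context=ssl.create_default_context(cafile=cafile))
        s.ehlo()                          # extensions are re-read on the TLS channel
        after = features(s)
    return audit(before, after)
```

With the thread's own post-fix EHLO reply, the audit reports that LOGIN and PLAIN are still offered on the cleartext channel, which is exactly what a client must not use before STARTTLS.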



## qsecofr (Jul 22, 2015)

wblock@ said:


> The first time you run `make` it creates a file called _hostname_.mc.  That is, the name of the host followed by .mc.  Edit that, then build and run with `make all install restart`.


Yes, yes..  I did have an mc file for my specific host, in which I made all configuration edits.  I think I barked up the wrong tree.  I created the certificate & key differently than noted in my update to this post.  The significance of the passphrase being present didn't occur to me at first.


----------

