# How to enable TLS with Sendmail 8.14.7 on FreeBSD 10.0



## ghana (Apr 10, 2014)

Target: Enable STARTTLS with Sendmail 8.14.7 on FreeBSD 10.0.

Sendmail is compiled from the FreeBSD base with TLS but it doesn't work. The port security/cyrus-sasl2-saslauthd is also installed. Any idea what could be wrong? I got

```
sendmail -d0.1
Version 8.14.7
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2
                SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = host
  (canonical domain name) $j = host.domain.com81.82.83.84
         (subdomain name) $m = domain.com81.82.83.84
              (node name) $k = grendl
========================================================
```

When I connect to localhost I get:

```
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 host.domain.com81.82.83.84 ESMTP Sendmail 8.14.7/8.14.7; Thu, 10 Apr 2014 23:01:22 +0200 (CEST)
ehlo localhost
250-host.domain.com81.82.83.84 Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
```

freebsd.mc file:

```
divert(0)
VERSIONID(`$FreeBSD: release/10.0.0/etc/sendmail/freebsd.mc 256982 2013-10-23 16:55:20Z jmg $')
OSTYPE(freebsd6)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

dnl Enable STARTTLS for receiving email.
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl


define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)

dnl set SASL options
#TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
#define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`GSSAPI LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI LOGIN STARTTLS PLAIN')dnl

dnl SSL Options
define(`confCACERT_PATH',`/etc/mail/CA')dnl
define(`confCACERT',`/etc/mail/CA/cacert.pem')dnl
define(`confSERVER_CERT',`/etc/mail/CA/server.crt')dnl
define(`confSERVER_KEY',`/etc/mail/CA/server.key')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
define(`tls_version', `TLSv1')dnl
dnl define(`tls_version`,`TLSv1`)dnl

dnl greylisting option
dnl j,{if_addr},{cert_subject},i,{auth_authen} are already enabled by default
define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO``, {verify}'')
define(`confMILTER_MACROS_ENVRCPT', confMILTER_MACROS_ENVRCPT``, {greylist}'')
INPUT_MAIL_FILTER(`greylist', `S=local:/var/milter-greylist/milter-greylist.sock, F=T, T=R:30s')
```

Regards, Mike


----------



## SirDice (Apr 11, 2014)

TLS runs on port 587 not 25. Port 25 is the 'regular' SMTP port.


----------



## usdmatt (Apr 11, 2014)

Port 587 and 25 both function in the same way. Originally 587 was supposed to be the 'submission' port for submitting email into the SMTP system, and 25 was for server to server delivery. Unfortunately everyone, including all major email clients, uses port 25. If services and clients had enforced these two ports by default from the start, with 587 only allowing authenticated users or IP addresses to submit mail, and 25 only accepting email for domains the server is configured to handle, we'd have a lot less open relay problems on the Internet.

An SMTP connection is always started plain, then the STARTTLS command is used to begin a TLS session. You should see STARTTLS in the EHLO output, as below (done on port 25):

```
# telnet 1.2.3.4 25
Trying 1.2.3.4...
Connected to smtp-outbound.domain.net.
Escape character is '^]'.
ehlo localhost
220 smtp-outbound.domain.net ESMTP smtp-b
250-smtp-outbound.domain.net Hello xxx [4.3.2.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 smtp-outbound.domain.net closing connection
Connection closed by foreign host.
```

On this particular server I just did the following (using the auto-generated {hostname}.mc file instead of freebsd.mc makes it easier and is the 'right' way to configure Sendmail on FreeBSD):

```
cd /etc/mail
make
ee serverhostname.domain.com.mc
make install restart
```

The only things I've added to the config file for TLS are as follows:

```
dnl TLS
define(`CERT_DIR', `/usr/local/share/certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/ca.crt')
define(`confSERVER_CERT', `CERT_DIR/domain.net-wild.crt')
define(`confSERVER_KEY', `CERT_DIR/domain.net-wild.key')
define(`confCLIENT_CERT', `CERT_DIR/domain.net-wild.crt')
define(`confCLIENT_KEY', `CERT_DIR/domain.net-wild.key')
```

The following also works fine as a way to test if the server is accepting TLS connections:

```
openssl s_client -starttls smtp -connect localhost:25
```
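The diagnostic usdmatt describes (look for STARTTLS in the EHLO reply, and note that AUTH LOGIN/PLAIN being offered without it means passwords would travel in the clear) as a small added script; this is example code written for this thread, not anything from the original posts. It assumes the listener is localhost:25 and uses Python's standard smtplib, whose `esmtp_features` attribute is filled in by `ehlo()`; the two sample transcripts are constructed from the replies quoted above.

```python
"""Does an SMTP listener advertise STARTTLS? Parse an EHLO transcript or ask a live server."""
import smtplib

# Constructed samples modelled on the two EHLO replies quoted in this thread.
EHLO_NO_TLS = """\
250-host.domain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-AUTH LOGIN PLAIN
250 HELP
"""
EHLO_WITH_TLS = """\
250-smtp-outbound.domain.net Hello xxx [4.3.2.1], pleased to meet you
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250 HELP
"""

def parse_ehlo(transcript):
    """Return {EXTENSION: params} from the 250 lines of an EHLO reply."""
    reply = [ln.strip() for ln in transcript.splitlines()
             if ln.strip().startswith(("250-", "250 "))]
    features = {}
    for line in reply[1:]:          # reply[0] is the greeting, not an extension
        name, _, params = line[4:].partition(" ")
        features[name.upper()] = params
    return features

def assess(features):
    """Findings a mail admin cares about: no TLS at all, or AUTH on cleartext."""
    findings = []
    if "STARTTLS" not in features:
        findings.append("STARTTLS not advertised: TLS is not active on this listener")
        mechs = features.get("AUTH", "").split()
        if mechs:
            findings.append("AUTH %s offered without STARTTLS: passwords would "
                            "cross the wire unencrypted" % " ".join(mechs))
    return findings

def check_live(host="localhost", port=25, timeout=10):
    """EHLO a real server and return assess() findings (needs network; not run by tests)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            return ["EHLO rejected with code %d" % code]
        features = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    return assess(features)
```

Run `check_live()` against the box in question: an empty list means STARTTLS is advertised, which is what the openssl s_client test above also confirms.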


----------



## SirDice (Apr 11, 2014)

usdmatt said:

> Port 587 and 25 both function in the same way.


Ah, right. I didn't know that.



> Originally 587 was supposed to be the 'submission' port for submitting email into the SMTP system, and 25 was for server to server delivery.


Yes, exactly. That was what I had in mind. Port 25 for normal SMTP and 587 for SMTP over SSL/TLS.



> Unfortunately everyone, including all major email clients, use port 25.


The problem with standards is that there are so many of them.


----------

