Dear list,
running currently 4.3 generic with sendmail:
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
SCANF
STARTTLS TCPWRAPPERS USERDB XDEBUG
----------------------
did try to set up STARTTLS but I don't think that it works! Here are the
modifications in my .mc file:
----------------------
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
---------------------
Following 'man starttls' I should get:
--------------------
# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Sendmail 8.12.1/8.12.1 ready
EHLO localhost
After typing EHLO localhost you should receive something like the
following back.
250-localhost Hello localhost [IPv6:::1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
----------------------
but I'm missing the '250 STARTTLS' entry from the above output!
Any idea what might have gone wrong?
Thanks
George
On Thu, Jul 10, 2008 at 02:08:30PM +0200, GVG GVG wrote:
Did you look in your maillogs?
--
o--------------------------{ Will Maier }--------------------------o
| web:.......http://www.lfod.us/ | email.........willmaier@ml1.net |
*---------------------[ BSD: Live Free or Die ]--------------------*
Yes they do exist:
------------------------------
-bash-3.2$ pwd
/etc/mail/CA
-bash-3.2$ ls -l
total 56
-rw-r--r-- 1 root wheel 1229 Jun 23 17:02 cacert.pem
-rw-r--r-- 1 root wheel 875 Jun 18 13:46 cacert.pm
-rw------- 1 root wheel 3848 Jun 23 17:11 cert.pem
drwxr-xr-x 2 root wheel 512 Jun 17 16:25 certs
drwxr-xr-x 2 root wheel 512 Jun 23 17:17 crl
-rw------- 1 root wheel 3 Jun 23 17:17 crlnumber
-rw------- 1 root wheel 68 Jun 23 17:11 index.txt
-rw------- 1 root wheel 21 Jun 23 17:11 index.txt.attr
-rw-r--r-- 1 root wheel 0 Jun 23 16:46 index.txt.old
-rw-r--r-- 1 root wheel 1679 Jun 23 17:04 key.pem
drwxr-xr-x 2 root wheel 512 Jun 23 17:11 newcerts
drwx------ 2 root wheel 512 Jun 23 16:53 private
-rw------- 1 root wheel 3 Jun 23 17:11 serial
-rw-r--r-- 1 root wheel 3 Jun 23 16:46 serial.old
-------------------
and in the mail_log there is nothing recorded! No errors or warnings!
Thanks
George
Did you restart sendmail?
--
o--------------------------{ Will Maier }--------------------------o
| web:.......http://www.lfod.us/ | email.........willmaier@ml1.net |
*---------------------[ BSD: Live Free or Die ]--------------------*
Sorry, I made a mistake! The changes in the .mc file are:
----------------
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
--------------
using the same certs for 'server' and 'client'! So the files do exist!
And yes I did restart sendmail! I actually did restart the whole box!
In a sendmail book I found the following entry they suggested to put in the
.mc file. Could it be the reason for my problems?
--------------
dnl define(`confCRL', `CERT_DIR/crl/crl.pem')dnl
-------------
Thanks
George
No. So you updated your .mc file as above, installed it as
/etc/mail/localhost.cf and HUPed sendmail? By default on OpenBSD,
sendmail is started with the following flags:
-L sm-mta -C/etc/mail/localhost.cf -bd -q30m
If you installed your new .cf file as sendmail.cf, sendmail won't
read it (unless you change or drop the -C flag).
--
o--------------------------{ Will Maier }--------------------------o
| web:.......http://www.lfod.us/ | email.........willmaier@ml1.net |
*---------------------[ BSD: Live Free or Die ]--------------------*
Correct, but I didn't install as 'localhost' but as 'sendmail.cf'. My server
does accept mails from the outside world! After that I did restart the box!
Sendmail gets started as:
sendmail_flags="-L sm-mta -C/etc/mail/sendmail.cf -bd -qp -B8BITMIME -X /[$HOME]/mail_log"
Off topic to this thread, but:
On Thu, Jul 10, 2008 at 8:24 AM, GVG GVG <gvgter@googlemail.com> wrote:
Remove -B8BITMIME from that: the -B option is only applicable when
sending email. Indeed, you should be seeing this error at boot time:
WARNING: Ignoring submission mode -B option (not in submission mode)
What docs suggested that you add that?
(For the topic of this thread, you did eyeball /var/log/maillog after
restarting, right?)
Philip Guenther
I don't think -B8BITMIME works with sendmail on OpenBSD -- at least it does
not on my 4.3 i386 from CD and on 4.4 -current. Were you thinking of
EightBitMode=mode or do you have any errors on /var/log/maillog with this
flag?
--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6
Phone: +1 204 885 9535, E-Mail: vsankar@foretell.ca
1. man starttls (and see the referenced website).
2. increase the LogLevel (even though those errors should be logged at
the default level.)
On Thu, Jul 10, 2008 at 5:01 PM, Claus Assmann <ca+OpenBSD_misc@zardoc.endmail.org>
I first have to excuse myself cause I claimed that there were no errors in
the log file! Well, there was no debugging output enabled. Now I did that
with '-d0-17.4' flags! Still I don't see anything weird in there!
I don't know if you can provide me with an example of such an error or warning?
Thanks
George
STARTTLS=server: file /etc/mail/smkey.pem unsafe: Group readable file
Either you aren't running sendmail or you broke logging...
On Fri, Jul 11, 2008 at 12:12 AM, Claus Assmann <ca+OpenBSD_misc@zardoc.endmail.org>
unfortunately nothing like the above entry you mentioned appears in my log
files! :-(
Just to summarize, currently there is the 'maillog' and a 'sendmail_log' I
enabled via the -D and -d0-17.4 option in /var/log and a dump of all the
mail traffic enabled via the -X flag. None of them show anything suspicious.
I did grep for 'STARTTLS' and 'unsafe' but no output from all the above
mentioned files!
The only 'STARTTLS' appearance is:
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
SCANF
STARTTLS TCPWRAPPERS USERDB XDEBUG
-------------
and yes I do run sendmail and I do send and receive mails! This is a
standard 4.3 installation with no other MTA installed!
Thanks
George
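
Added example (not part of any message in this thread): a shell sketch of the two checks the thread turns on, whether an EHLO reply advertises STARTTLS and whether a key file has the kind of permissions behind the `unsafe: Group readable file` log line quoted above. The function names are hypothetical, the sample data is constructed from the listing and EHLO reply posted in the thread, and treating any group/other permission bit as unsafe is an assumption that is stricter than sendmail's own file-safety check.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Succeeds when an ls -l mode string (e.g. "-rw-r--r--") grants any
# group/other bit. Assumption: stricter than sendmail's own safety check.
key_mode_unsafe() {
    case "$1" in
        ????------*) return 1 ;;   # type + owner bits, nothing for group/other
        *) return 0 ;;
    esac
}

# Reads `ls -l` output on stdin; prints each file named in "$@" whose
# mode is unsafe for a private key.
unsafe_keys() {
    while read -r mode links owner group size mon day time name; do
        for want in "$@"; do
            if [ "$name" = "$want" ] && key_mode_unsafe "$mode"; then
                echo "$name"
            fi
        done
    done
    return 0
}

# Reads an EHLO reply on stdin; succeeds if a 250 line offers STARTTLS.
ehlo_offers_starttls() {
    tr -d '\r' | grep -Eq '^250[- ]STARTTLS$'
}

# Sample data built from the directory listing posted in the thread.
sample_listing() {
    cat <<'EOF'
total 56
-rw-r--r--  1 root  wheel  1229 Jun 23 17:02 cacert.pem
-rw-------  1 root  wheel  3848 Jun 23 17:11 cert.pem
-rw-r--r--  1 root  wheel  1679 Jun 23 17:04 key.pem
EOF
}

# Constructed EHLO reply without STARTTLS, as in the reported symptom.
sample_ehlo() {
    printf '250-localhost Hello localhost\r\n250-PIPELINING\r\n250 HELP\r\n'
}

echo "key files with group/other access: $(sample_listing | unsafe_keys cert.pem key.pem)"
if sample_ehlo | ehlo_offers_starttls; then echo "STARTTLS offered"
else echo "STARTTLS not offered"; fi
```

On a live host the same functions take `ls -l /etc/mail/CA` and a captured EHLO reply on stdin instead of the sample data.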
