Use openssl to crack open and verify your certificate and the certificate chain, as described at: Acquia: Verifying the validity of an SSL certificate
Check maillog (jump to the end of the log and search backwards for "stopping"): following "stopping daemon" there will be a line "starting daemon", followed by "STARTTLS: CRLFile missing", but STARTTLS does still work. I have since put the NetSol "OV" file here, and everything seems to be working. I've also put back my expensive NetSol wildcard certs, and that's working fine now...
Also note that this is working without the DAEMON_OPTIONS described below.
When building your self-signed cert, where it asks for your name or your FQDN, be sure to give it this server's actual FQDN, as this is used by the cert verification. It must exactly match the server name, which I'm assuming came from a DNS lookup.
sendmail -O LogLevel=14 -bs -Am
and check maillog for more info.
I had gotten it all working on a twin system with a self-signed cert. I FTPed the self-signed cert over to this one and set this up to use the self-signed instead of my expensive NetSol cert. Everything suddenly started working, though obviously checktls shows a self-signed cert. I've tested the real cert extensively, it has integrity, so I'm confused. Maybe I'll work on it some more tomorrow; at least I have a clue where to focus now.
DAEMON_OPTIONS(`Port=smtp, Family=inet, Addr=your-domainname, Name=MTA, M=bh')
DAEMON_OPTIONS(`Port=smtps, Family=inet, Addr=your-domainname, Name=TLSMTA, M=bh')
Anyway, something interesting that I learned was that the spammers would favor my secondary MX server. As my spam control mechanism was all built on the primary, this caused me a problem. The secondary would accept the spam from the outside world, then try to relay it through the primary, and it would be rejected - the secondary is now stuck holding this stinker. So I just stopped using a secondary MX.
The reason for explaining all this is that now that I'm trying once again to have a secondary MX, I must finally get it working completely. I actually did have it mostly working for about a year now, but I never bothered with the details like STARTTLS, etc.
The issue here is that to do this properly, you should have a commercially issued cert for this (the secondary) server. I'm not willing to spend hundreds of dollars each year just for this. The alternative is a self-signed cert. Bear in mind that the primary will use my commercial full-out cert, but the secondary will use a self-signed one. Lastly, this will not do an authenticated verify, but the email itself will at least be passed encrypted.
openssl req -new -x509 -keyout brix-cakey.pem -out brix-cacert.pem -days 365
openssl req -nodes -new -x509 -keyout brix-sendmailkey.pem -out brix-sendmailcert.pem -days 365
openssl x509 -noout -text -in brix-sendmailcert.pem
And of course test with checktls.com
You should expect "Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): self signed certificate So email is encrypted but the recipient domain is not verified" as the only error/warning.
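The chain-building and verify steps, as an added example that is not part of the original notes: it creates a throwaway private CA, signs a cert for an assumed secondary-MX name (mx2.example.net) with a matching subjectAltName, and runs openssl verify the six ways that correspond to the results described above (OK with the CA file, the "unable to get local issuer certificate" and "self signed certificate" failures, a self-signed cert pinned in a CA file, and a hostname match and mismatch). The CA-signing step goes beyond the two openssl commands in the notes; the FQDN, the CA name and all file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: build a throwaway private CA,
# sign a certificate for the secondary MX with it, and show what
# `openssl verify` reports in each situation the notes run into.
# FQDN, CA name and file names are assumed for the demo; nothing here
# touches the system's real certs.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; nothing to demonstrate" >&2; exit 0; }

FQDN="mx2.example.net"   # assumed: the name peers connect to (what sendmail reports as $j)
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# verdict ARGS... -> "ok" or "fail" from `openssl verify ARGS...`.
# The output text is checked rather than the exit status because old
# OpenSSL releases exited 0 from `verify` even when verification failed.
verdict() {
    if openssl verify "$@" 2>&1 | grep -q ': OK$'; then echo ok; else echo fail; fi
}

make_certs() {
    # 1. Private CA, the equivalent of the notes' brix-cakey.pem / brix-cacert.pem.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=Example Private Mail CA" -keyout ca.key -out ca.pem 2>/dev/null
    # 2. CSR for the MX, then sign it with that CA. The notes stop at two
    #    self-signed certs; this signing step is what produces a chain a peer
    #    can verify once ca.pem is in its confCACERT file.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$FQDN" \
        -keyout mx.key -out mx.csr 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$FQDN" > san.cnf
    openssl x509 -req -days 365 -in mx.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -extfile san.cnf -out mx.pem 2>/dev/null
    # 3. A plain self-signed cert, what the notes' second openssl command produces.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$FQDN" \
        -keyout selfsigned.key -out selfsigned.pem 2>/dev/null
}

# One check per situation; the comment gives the OpenSSL error text you
# would otherwise see in maillog's reason= or in checktls output.
check_signed_with_ca()    { verdict -CAfile ca.pem mx.pem; }                  # ok: issuer found in the CA file
check_signed_no_ca()      { verdict mx.pem; }                                 # fail: unable to get local issuer certificate
check_selfsigned_no_ca()  { verdict selfsigned.pem; }                         # fail: self signed certificate
check_selfsigned_pinned() { verdict -CAfile selfsigned.pem selfsigned.pem; }  # ok: the peer has it in its CA file
check_hostname_match()    { verdict -CAfile ca.pem -verify_hostname "$FQDN" mx.pem; }            # ok
check_hostname_mismatch() { verdict -CAfile ca.pem -verify_hostname other.example.net mx.pem; }  # fail: hostname mismatch

make_certs
for c in check_signed_with_ca check_signed_no_ca check_selfsigned_no_ca \
         check_selfsigned_pinned check_hostname_match check_hostname_mismatch; do
    printf '%-26s %s\n' "$c" "$($c)"
done
```

Run it as an ordinary user; it works in a temp directory and removes it on exit. The grep for ": OK" is deliberate: scripts that only test the exit status of openssl verify can be fooled on older releases. The -verify_hostname checks show why the name put in the cert has to match the name the peer connects to.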
OK, now just to make things more confusing, I'm going to try a "free" cert. I really hope I don't regret this. The biggest issue is that the damn things all expire every 90 days. And that's the long ones; Comodo is only 30 days - what's the fucking use?
10. What Appears in Logs and Headers? As STARTTLS-enabled mail servers communicate among themselves, it is almost certain (from my experience so far) that purchased certificates will fail to verify. ("verify=FAIL" will appear in the maillog.) If the server acting as a client doesn't offer a certificate, then "verify=NO" will appear in the mail log. (Clients acting as clients--which rarely have certificates at all--will also cause "verify=NO" to appear in the log.)

Something interesting to try here is to search/grep for "verify=". In the same log where I'm seeing "reason=unable to get local issuer certificate", I'm seeing OK. They're all the big guys: Google, Microsoft, Amazon, DigiCert, IsoMedia. Yet Earthlink and myregisteredsite are "OK". This makes me believe the error message is misleading - I assumed "local" meant ME. This would indicate the error is on their end.
20191215 - Getting back to TLS issues.
Still seeing log entries like the following:
sendmail: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
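A per-peer tally of those verify= results, as an added example that is not part of the original notes. The maillog lines inside it are constructed to match the line format shown above (queue IDs, relay names and addresses are made up); to run it on the real file, replace the printf in log_lines with grep 'STARTTLS=' /var/log/maillog. The last function also lists peers that only negotiated TLSv1 or TLSv1.1, which a plain grep for verify= does not surface.

```shell
#!/bin/sh
# Added example, not from the original notes: turn "grep verify=" on maillog
# into a per-peer tally. SAMPLE_LOG is constructed in the format the notes
# show; the queue IDs, relay names and addresses are made up.
# For a real log, replace the printf in log_lines with:
#   grep 'STARTTLS=' /var/log/maillog
set -eu

SAMPLE_LOG='Jan 30 18:07:00 pedicel sendmail[4011]: x0UN70aB004011: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Jan 30 18:07:02 pedicel sendmail[4012]: x0UN72cD004012: STARTTLS=client, relay=mx.big-provider.example., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Jan 30 18:09:10 pedicel sendmail[4020]: x0UN9Aef004020: STARTTLS=client, relay=mail.small-isp.example., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Jan 30 18:11:31 pedicel sendmail[4031]: x0UNBVgh004031: STARTTLS=server, relay=smtp.sender.example [192.0.2.10], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Jan 30 18:12:05 pedicel sendmail[4033]: x0UNC5ij004033: STARTTLS=server, relay=smtp.sender.example [192.0.2.10], version=TLSv1, verify=NO, cipher=AES128-SHA, bits=128/128
Jan 30 18:12:40 pedicel sendmail[4035]: x0UNCekl004035: from=<someone@sender.example>, size=1234, class=0, nrcpts=1, msgid=<x@sender.example>, proto=ESMTP, daemon=MTA, relay=smtp.sender.example [192.0.2.10]'

log_lines() { printf '%s\n' "$SAMPLE_LOG"; }

# tally_verify -> one line per "side relay verify count", sorted.
# relay= is cut at the next comma so "name [addr]" stays together.
tally_verify() {
    log_lines | awk '
        match($0, /STARTTLS=(client|server),/) && match($0, /verify=[A-Z]+/) {
            v = substr($0, RSTART + 7, RLENGTH - 7)
            match($0, /relay=[^,]+/);     r = substr($0, RSTART + 6, RLENGTH - 6)
            match($0, /STARTTLS=[a-z]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
            n[s " " r " " v]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# count_verify OK|FAIL|NO -> number of STARTTLS records with that result
count_verify() {
    log_lines | grep -c "STARTTLS=[a-z]*, .*verify=$1," || true
}

# weak_protocol_relays -> peers that negotiated SSLv3, TLSv1 or TLSv1.1
weak_protocol_relays() {
    log_lines | awk '
        /STARTTLS=/ && match($0, /version=(SSLv3|TLSv1|TLSv1\.1),/) {
            match($0, /relay=[^,]+/); print substr($0, RSTART + 6, RLENGTH - 6)
        }' | sort -u
}

echo "--- side relay verify count ---"
tally_verify
echo "--- peers below TLSv1.2 ---"
weak_protocol_relays
```

The tally separates STARTTLS=client records (this host verifying the peer's cert against confCACERT) from STARTTLS=server records (the peer's cert, if it sent one), so a FAIL on the client side for relay=[127.0.0.1] stands out from failures against remote MX hosts.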
I've found an extremely useful test website: http://www.checktls.com/. Try the full debug option for the gory details. Note that the last thing shown pretty much matches what you'll see from the following
FYI: The above checktls website makes it clear that the email message is being encrypted; what's happening is that the verification of my domain name is failing.
openssl verify -CAfile AddTrustExternalCARoot.crt -untrusted 20170411-vncert-ov_chain.txt SECURE.VINTNERS.NET.crt
openssl s_client -starttls smtp -connect localhost:25
Went back to the NetSol website and looked carefully at the installation instructions, while reading between the lines. They describe several filenames different from the ones they provided me, which is why this never happened right over a year ago. There was no Apache_Plesk_install.txt file. So I
followed their instructions, sort of, by
ca-bundle.com. I then went into my editor, and
OV_NetworkSolutionsOVServerCA2.crt, and then
concatenated onto that,
Then changed the .mc file confCACERT to CERT_DIR/ca-bundle.crt, remade the .cf file, and restarted sendmail.
20190130 - Still struggling with STARTTLS
Jan 30 18:07:00 pedicel sendmail: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
I'm worried about the "verify=FAIL". I've tried changing the following line in .mc as follows; we'll see if this works. Explanation: it's trying to verify against my existing web cert, which is for "secure.vintners.net", however sendmail thinks it's "pedicel.vintners.net" (which is the base system's name):
DAEMON_OPTIONS(`Port=smtps, Addr=pedicel.vintners.net, Name=TLSMTA')
DAEMON_OPTIONS(`Port=smtps, Addr=secure.vintners.net, Name=TLSMTA')
I followed instructions to generate a key from this.
openssl req -newkey rsa:2048 -nodes -keyout secure.vintners.net.key -out secure.vintners.net.csr
I have installed saslv2 from pkg. Check with
ps ax | grep sasl
-- you'll see several occurrences of
Check that sendmail was compiled with sasl.
sendmail -d0.4 -bv root
Look for SASLv2 in the "Compiled with:" list.
Compiled with: DNSMAP IPV6_FULL LOG MAP_REGEX MATCHGECOS MILTER
MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
PICKY_HELO_CHECK PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
Canonical name: pedicel.vintners.net
UUCP nodename: pedicel.vintners.net
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = pedicel
(canonical domain name) $j = secure.vintners.net
(subdomain name) $m = vintners.net
(node name) $k = pedicel.vintners.net
firstname.lastname@example.org... deliverable: mailer esmtp, host gmail.com., user email@example.com
Check that sendmail was compiled with STARTTLS, it should be in the same list as sasl above.
Check for proper cert installation, at a command line run:
sendmail -O LogLevel=14 -bs -Am
tail -n 50 /var/log/maillog and look for errors.
STARTTLS: CRLFile missing. An Internet search says this is a benign error that can be ignored, but I'm having problems so will try to fix this. Downloading from:
http://crl.cacert.org/revoke.crl (Note the file is much longer than it thinks it is, and the download takes about 5 times the estimated time.)
I have this installed in a subdirectory under my root user's home directory. The groups and permissions are set appropriately. See below discussion of 20200326.
gethostbyaddr(nnn.nnn.nnn.nnn) failed: 1
DAEMON_OPTIONS(`Port=smtp, Address=nnn.nnn.nnn.nnn, Name=MTA')
Please note that 'make install' in /etc/mail does not work. Use:
diff -cw hostname.cf sendmail.cf to check your changes.
.cf sendmail.cf to install it.
(sendmail-restart is my own script.)
Actually, looks like my sendmail-restart doesn't do it either -- do:
service sendmail stop
service sendmail start
STARTTLS=server, error: file /root/cert//secure.vintners.net.key unsafe, followed by either "Group readable file" or "Permission denied":
chmod 600 *.key
chown root *.key
In /etc/group, add each username, separated by a comma and no space, to the group you'll use for access.
chgrp [group used] all the files you'll be accessing in that dir
chgrp [group used] .
chmod 750 .
define(`confDONT_BLAME_SENDMAIL', ``GroupReadableKeyFile'') in your .mc file.
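The checks above as a script, added here and not part of the original notes: it approximates the rules sendmail applies before it will read a key file (owner, group bits, other bits, and the directory's write bits) so the "unsafe" / "Group readable file" complaint can be predicted before a restart. The rules are my reading of the error texts above, not sendmail's own code; the directory, key files and modes are created for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: predict sendmail's
# "file ... unsafe" complaint for a key file and its directory. The rules
# are an approximation of what the error texts above describe (owner,
# group bits, other bits, directory write bits), not sendmail's own code.
# The directory, key files and modes are created here for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
chmod 750 .
mkdir open.d;                          chmod 777 open.d
printf 'not a real key\n' > good.key;  chmod 600 good.key
printf 'not a real key\n' > group.key; chmod 640 group.key
printf 'not a real key\n' > world.key; chmod 644 world.key

# mode_of PATH -> ten-character mode string from ls, e.g. -rw-r-----
mode_of() { ls -ld "$1" | cut -c1-10; }

# key_verdict FILE [GroupReadableKeyFile]
# Prints "safe" or the reason the key would be refused. Pass
# GroupReadableKeyFile as the second argument when the .mc file has
# define(`confDONT_BLAME_SENDMAIL', ``GroupReadableKeyFile'').
key_verdict() {
    f="$1"; allow_group="${2:-}"
    mode="$(mode_of "$f")"
    owner="$(ls -ld "$f" | awk '{print $3}')"
    # The daemon runs as root, so a key owned by anyone else is refused.
    # (The current user is accepted too, because this demo created the files.)
    if [ "$owner" != root ] && [ "$owner" != "$(id -un)" ]; then
        echo "unsafe: owned by $owner, not root"; return 0
    fi
    case "$mode" in
        *[!-]??|*?[!-]?|*??[!-])        # any r/w/x bit set for "other"
            echo "unsafe: world-accessible ($mode)"; return 0 ;;
    esac
    case "$mode" in
        ?????w*)                        # group-writable is never accepted
            echo "unsafe: group writable ($mode)"; return 0 ;;
        ????r*)                         # group-readable only with the DontBlameSendmail flag
            if [ "$allow_group" = GroupReadableKeyFile ]; then
                echo "safe (group readable, allowed by GroupReadableKeyFile)"
            else
                echo "unsafe: group readable file ($mode)"
            fi
            return 0 ;;
    esac
    echo safe
}

# dir_verdict DIR -> "safe" unless group or others can write into it
# (anyone who can write the directory can swap the key file)
dir_verdict() {
    mode="$(mode_of "$1")"
    case "$mode" in
        ?????w*|*?w?) echo "unsafe: directory writable by group or others ($mode)" ;;
        *)            echo safe ;;
    esac
}

for p in good.key group.key world.key; do
    printf '%-10s %s\n' "$p" "$(key_verdict "$p")"
done
printf '%-10s %s\n' "." "$(dir_verdict .)"
printf '%-10s %s\n' "open.d" "$(dir_verdict open.d)"
```

Point key_verdict at the real key (for example key_verdict /root/cert/secure.vintners.net.key GroupReadableKeyFile) before restarting sendmail; a group-readable key is only accepted once the GroupReadableKeyFile flag is in the .cf, and world-readable or group-writable keys are refused regardless.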
ps ax | grep sasl
openssl s_client -starttls smtp -connect localhost:25
openssl verify chain.pem
openssl verify -CAfile chain.pem cert.pem