• sendmail starttls certificates

    From Ralph Spitzner@21:1/5 to All on Tue Aug 2 17:38:25 2022
    I had a certificate from a CA, which came as a cacert.pem and a hostname.pem. sendmail.m4 was:
    define(`confCACERT_PATH', `/etc/mail/certs/')
    define(`confCACERT', `/etc/mail/certs/cacert.pem')
    define(`localCERT', `/etc/mail/certs/spitzner.org.pem')dnl
    define(`confSERVER_CERT', `localCERT')
    define(`confSERVER_KEY', `localCERT')
    TLS was working.

    I switched to Let's Encrypt and the config now reads:
    define(`confCACERT_PATH', `/etc/dehydrated/certs/spitzner.org/')
    define(`confCACERT', `/etc/dehydrated/certs/spitzner.org/chain.pem')
    define(`localCERT', `/etc/dehydrated/certs/spitzner.org/cert.pem')dnl
    define(`confSERVER_CERT', `localCERT')
    define(`confSERVER_KEY', `localCERT')

    now I just get a:
    454 4.3.3 TLS not available after start sendmail

    the only difference I can see here is that dehydrated uses symlinks for the *.pem files

    any clue as to what's going on here? (does sendmail not like symlinked .pem files?)

    -ralph

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus Aßmann@21:1/5 to Ralph Spitzner on Tue Aug 2 12:26:12 2022
    Ralph Spitzner wrote:

    > 454 4.3.3 TLS not available after start sendmail

    What's in the log file? If there is no warning/error,
    try (as root)
    sendmail -Am -bs -O LogLevel=14
    [wait for greeting]
    QUIT

    and check the log again.


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

  • From Ralph Spitzner@21:1/5 to All on Thu Aug 4 12:31:37 2022
    Claus Aßmann wrote on 8/2/22 6:26 PM:
    > Ralph Spitzner wrote:
    >
    >> 454 4.3.3 TLS not available after start sendmail
    >
    > What's in the log file? If there is no warning/error,
    > try (as root)
    > sendmail -Am -bs -O LogLevel=14
    > [wait for greeting]
    > QUIT
    >
    > and check the log again.



    thanks, apparently it doesn't like the first line:
    Aug 4 12:22:49 hpgate sendmail[4797]: STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/dehydrated/certs/spitzner.org/cert.pem) failed
    Aug 4 12:22:49 hpgate sendmail[4797]: STARTTLS=server: error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY

    first line is:
    -----BEGIN EC PARAMETERS-----

    then in line 4:
    -----BEGIN EC PRIVATE KEY-----
    I'm just wondering why Apache et al. can use it like that....

  • From Ralph Spitzner@21:1/5 to All on Thu Aug 4 13:34:24 2022
    Claus Aßmann wrote on 8/2/22 6:26 PM:
    > Ralph Spitzner wrote:
    >
    >> 454 4.3.3 TLS not available after start sendmail
    >
    > What's in the log file? If there is no warning/error,

    copied the key to a testfile, removed the EC PARAM stuff, recompiled m4 to cf. Now it works, just wondering if Let's Encrypt will change the key on the next update....

    -rasp

  • From Claus Aßmann@21:1/5 to Ralph Spitzner on Fri Aug 5 00:52:34 2022
    Ralph Spitzner wrote:

    > SSL_CTX_use_PrivateKey_file(/etc/dehydrated/certs/spitzner.org/cert.pem) failed

    > routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY

    > -----BEGIN EC PARAMETERS-----

    Don't put "EC Parameters" into the cert/key file,
    obviously the SSL_CTX_use_PrivateKey_file()
    function does not allow that.



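Added example (not from the thread or from dehydrated): a small POSIX shell routine that does what Claus describes, dropping the EC PARAMETERS block so the key file begins with the private key block that SSL_CTX_use_PrivateKey_file() expects. The sample PEM is constructed with placeholder bodies instead of real key material, and the file paths under $TMPDIR are assumptions.

```shell
#!/bin/sh
# Added example: remove the "EC PARAMETERS" block that precedes an EC private
# key in a PEM file, so the file starts with "-----BEGIN EC PRIVATE KEY-----".
# Only the BEGIN/END EC PARAMETERS block is dropped; every other line is kept.

# Print the label of the first PEM block in a file, e.g. "EC PRIVATE KEY".
pem_first_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Write a copy of "$1" without the EC PARAMETERS block to "$2".
strip_ec_params() {
    awk '
        /^-----BEGIN EC PARAMETERS-----$/ { skip = 1; next }
        /^-----END EC PARAMETERS-----$/   { skip = 0; next }
        !skip
    ' "$1" > "$2"
}

# Constructed sample resembling the key file from the thread. The base64
# bodies are placeholders, not real parameters or key material.
SAMPLE_KEY="${TMPDIR:-/tmp}/example-privkey.pem"
cat > "$SAMPLE_KEY" <<'EOF'
-----BEGIN EC PARAMETERS-----
PLACEHOLDERPARAMS
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
PLACEHOLDERKEYLINE1
PLACEHOLDERKEYLINE2
-----END EC PRIVATE KEY-----
EOF

# Produce the cleaned copy and show which block now comes first.
FIXED_KEY="${TMPDIR:-/tmp}/example-privkey.stripped.pem"
strip_ec_params "$SAMPLE_KEY" "$FIXED_KEY"
echo "before: $(pem_first_label "$SAMPLE_KEY")"   # EC PARAMETERS
echo "after:  $(pem_first_label "$FIXED_KEY")"    # EC PRIVATE KEY
```

Running the same routine from a renewal hook keeps the cleaned copy current after each renewal, which addresses the worry later in the thread that the key file is rewritten on the next update.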
  • From J.O. Aho@21:1/5 to Ralph Spitzner on Fri Aug 5 10:03:48 2022
    On 04/08/2022 13.34, Ralph Spitzner wrote:
    > Claus Aßmann wrote on 8/2/22 6:26 PM:
    >> Ralph Spitzner wrote:
    >>
    >>> 454 4.3.3 TLS not available after start sendmail
    >>
    >> What's in the log file? If there is no warning/error,
    >
    > copied the key to a testfile, removed the EC PARAM stuff, recompiled m4 to cf.
    > now it works, just wondering if letsenc will change the key on the next update....

    There are a number of people using sendmail with Let's Encrypt who have devised a solution:
    https://www.autonarcosis.com/2019/12/05/sendmail-letsencrypt-and-verifyok/

    --
    //Aho

  • From Ralph Spitzner@21:1/5 to J.O. Aho on Fri Aug 5 13:43:09 2022
    J.O. Aho wrote on 8/5/22 10:03 AM:
    > On 04/08/2022 13.34, Ralph Spitzner wrote:
    > [...]
    > There are a number of people using sendmail with letsencrypt and devised a solution
    > https://www.autonarcosis.com/2019/12/05/sendmail-letsencrypt-and-verifyok/


    well it *is* working without the EC params in the key file.
    I found an issue on GitHub for dehydrated claiming the EC params output should be fixed,
    however my dehydrated (latest version 0.7.0) still does write them....

    -rasp
