On 2024-07-13 09:33, bob prohaska wrote:
On Wed, Jul 10, 2024 at 12:40:31PM -0400, TIM KELLERS wrote:
On 7/10/24 11:49 AM, Miroslav Lachman wrote:
[snip]
STARTTLS is present, but no SASLv2. Does it matter? I'm baffled where the
reference to b...@www.zefox.net came from, unless it's the MX record.

In the meantime I found a very old "cookbook" for TLS and sendmail at
https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html
Is it hopelessly out of date? Certificate and key generation seem
particularly obscure.
I'm guessing you have:
/etc/mail/pelorus.zefox.org.mc
and
/etc/mail/pelorus.zefox.org.submit.mc

and as it appears from your message, you also have www.zefox.org as
a web server. I'm going to assume that you also use acme certs
(letsencrypt). If so, you can use those same certs for your MX.
To do so, your /etc/mail/pelorus.zefox.org.mc would also need to contain
something like:
dnl Directory holding the certs copied from the web server's acme (letsencrypt) set
define(`CERT_DIR', `/etc/mail/certs')
dnl Certificate and key presented when sendmail is the server (inbound, port 25)
define(`confSERVER_CERT', `CERT_DIR/cert.pem')
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')
dnl Same pair presented when sendmail is the client (outbound delivery)
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')
dnl CA certificate file and hashed CA directory used to verify peer certificates
define(`confCACERT', `CERT_DIR/chain.pem')
define(`confCACERT_PATH', `/usr/local/etc/ssl/ROOT')
dnl 1 selects sendmail's built-in 1024-bit DH parameters; 2 selects 2048-bit
define(`confDH_PARAMETERS', `1')

In order for the above to work, you'll need to copy the certs
assigned to your web server to /etc/mail/certs/
It's important that the creation of the certs dir and its contents
have the correct perms. The certs need to be 0400.

The plan is to test on pelorus.zefox.org, when TLS works rename the
host to www.zefox.net after migrating user files. I'm guessing this
will require a repeat of sendmail/TLS configuration. Is that right?

It's been suggested elsewhere that postfix is a better MTA these days.
I've no deep preference for sendmail, might postfix be easier, or at
least more accessibly documented?

Thank you very much!

bob prohaska

--
--Chris Hutchinson
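An added example, not part of the thread above, that does the copy-and-permissions step from Chris's reply as a script, checks the result the way sendmail will, and gives a way to exercise STARTTLS from outside once the .cf is rebuilt. It assumes the file names and CERT_DIR from the .mc fragment (cert.pem, privkey.pem, chain.pem under /etc/mail/certs); the acme source directory and the -CAfile path (FreeBSD's ca_root_nss bundle) are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Installs the acme cert
# files into sendmail's CERT_DIR with safe permissions and checks them.
# Source directory and CA bundle path below are assumptions.

# Copy cert.pem, privkey.pem and chain.pem from SRC into DST. DST is created
# 0700 and each file is installed 0400; install(1) applies the mode as it
# writes the file, so the private key is never world-readable in between.
install_mail_certs() {
    src=$1; dst=$2
    install -d -m 0700 "$dst" || return 1
    for f in cert.pem privkey.pem chain.pem; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        install -m 0400 "$src/$f" "$dst/$f" || return 1
    done
}

# Return 0 only when every .pem in DIR is exactly 0400 and DIR itself is not
# group- or world-writable; each offender is reported on stderr. Run this
# again after every renewal hook re-copies the files.
check_cert_perms() {
    dir=$1; bad=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || { echo "no .pem files in $dir" >&2; return 1; }
        if [ -n "$(find "$f" -prune ! -perm 0400 -print)" ]; then
            echo "unsafe mode on $f (want 0400)" >&2; bad=1
        fi
    done
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$dir is group/world writable" >&2; bad=1
    fi
    return $bad
}

# Talk to the MX from outside: openssl issues STARTTLS on port 25 and prints
# the certificate chain and "Verify return code". Needs a live host, so the
# test below does not call it. CA bundle path is an assumption (FreeBSD
# ca_root_nss); adjust for your system.
verify_starttls() {
    host=$1
    openssl s_client -connect "$host:25" -starttls smtp -servername "$host" \
        -CAfile /usr/local/share/certs/ca-root-nss.crt </dev/null
}

# Typical use (as root, after the .mc changes and a make in /etc/mail):
#   install_mail_certs /usr/local/etc/acme/live/www.zefox.org /etc/mail/certs
#   check_cert_perms /etc/mail/certs && service sendmail restart
#   verify_starttls pelorus.zefox.org
```

Because the files are copied rather than referenced in place, they go stale when acme renews the certificate (Let's Encrypt certificates are valid for 90 days), so the install step has to be re-run from the renewal hook or a cron job, and the check is what tells you the hook left the key with safe permissions.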
