TLS certificate for sendmail
Getting the certificate:
apt install certbot certbot certonly --webroot #domain name: pomo.komputilo.org #webroot for pomo: directoy apache serves for http://pomo.komputilo.org
To install the certificate in sendmail, insert into /etc/mail/sendmail.mc (partially copied from sendmail.org, and letsencrypt.org):
define(`confCACERT_PATH', `/etc/letsencrypt/live/pomo.komputilo.org')dnl define(`confCACERT', `/etc/letsencrypt/live/pomo.komputilo.org/chain.pem')dnl define(`confSERVER_CERT', `/etc/letsencrypt/live/pomo.komputilo.org/cert.pem')dnl define(`confSERVER_KEY', `/etc/letsencrypt/live/pomo.komputilo.org/privkey.pem')dnl define(`confCLIENT_CERT', `/etc/letsencrypt/live/pomo.komputilo.org/cert.pem')dnl define(`confCLIENT_KEY', `/etc/letsencrypt/live/pomo.komputilo.org/privkey.pem')dnl define(`confAUTH_OPTIONS', `A p y')dnl
After changing the sendmail.mc file, run
cd /etc/mail make /etc/init.d/sendmail reload
Note that this fails: sendmail doesn't like the /etc/letsencrypt/archive/pomo.komputilo.org/privkey1.pem file being group&world readable.
chmod 0600 /etc/letsencrypt/live/pomo.komputilo.org/privkey.pem
To test:
telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 pomo.komputilo.org ESMTP Sendmail 8.15.2/8.15.2/Debian-8; Sat, 18 Apr 2020 10:31:08 +0200; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
Issue the ehlo localhost command, and check the response for '250-STARTTLS':
ehlo localhost 250-pomo.komputilo.org Hello localhost [127.0.0.1], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-EXPN 250-VERB 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-AUTH DIGEST-MD5 CRAM-MD5 250-STARTTLS 250-DELIVERBY 250 HELP
To obtain the certificate (see here):
openssl s_client -connect pomo.komputilo.org:465 -tls1_2
Related to Gmail-TLS-negotiation failed error
Sendmail file permissions
certbot stores all cert files with group/other read permission. This is OK, as they are in a directory that only has owner-access, but sendmail still doesn't trust it, and fails to load the cert files. Currently I'm trying to fix this with:
cat /etc/systemd/system/certbot.service [Unit] Description=Certbot Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html Documentation=https://letsencrypt.readthedocs.io/en/latest/ [Service] Type=oneshot ExecStartPre=/usr/bin/certbot -q renew ExecStart=/bin/chmod -R og-r /etc/letsencrypt/archive/ ExecStartPost=/usr/sbin/service sendmail restart PrivateTmp=true
Other stuff
The dhparam.pem can be generated with:
openssl dhparam -out /etc/mail/certs/dhparam4096.pem 4096
And in sendmail:
define(`confDH_PARAMETERS', `/etc/mail/certs/dhparam4096.pem')dnl # <= EDIT
Client email servers that cause:
Oct 13 23:18:21 localhost sm-mta[2690]: STARTTLS=client, error: connect failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1 Oct 13 23:18:21 localhost sm-mta[2690]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.example.com, reject=403 4.7.0 TLS handshake failed.
Only way I've found, is disabling TLS for these servers:
Try_TLS:example.com NO
