LE certs and sendmail - no TLS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: camerontech.com

I ran this command: certbot renew && chmod 640 /etc/letsencrypt/live/camerontech.com/*.pem

It produced this output: standard notice that the cert doesn't need to be renewed

My web server is (include version): Apache httpd 2.4.37

The operating system my web server runs on is (include version): RHEL 8

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

I have set this up successfully in the past, so I don't know what I'm doing wrong. I set up LE for my web domain just fine, but when I add these lines to my sendmail.mc, I don't get TLS support.

define(`CERT_DIR', `/etc/letsencrypt/live/camerontech.com')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/fullchain.pem')
define(`confSERVER_CERT', `CERT_DIR/cert.pem')
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')

My cron job that checks for updates looks like this:

#!/bin/bash
certbot renew 
chmod 640 /etc/letsencrypt/archive/camerontech.com/*

But when I telnet localhost 25 I get this:

[root@mail-east ~]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail-east.camerontech.net ESMTP Sendmail 8.15.2/8.15.2; Fri, 8 Jan 2021 21:04:09 GMT
ehlo thomas.cameron
250-mail-east.camerontech.net Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP

If I use the silly self-signed certs that the RPM generates, I get this:

[root@mail-east ~]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail-east.camerontech.net ESMTP Sendmail 8.15.2/8.15.2; Fri, 8 Jan 2021 21:05:02 GMT
ehlo thomas.cameron
250-mail-east.camerontech.net Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP

What am I doing wrong?

Hi @thomascameron

your port 25 is working - with the correct certificate.

You can't check that with telnet. Use OpenSsl.

openssl s_client -connect mail-east.camerontech.net:25 -servername mail-east.camerontech.net -starttls smtp

That sends the correct certificate:

So I don't see a problem.

I do think that the lack of STARTTLS in the ESMTP banner you saw with telnet is relevant, but I'm guessing you found a solution of your own in between when you posted your first question and when @JuergenAuer did his test.

In general, in this situation, I'd suggest looking in your mail server logs because if there's a problem with the mail server's ability to read or use the certificate, it will probably log it into /var/log rather than explaining the specific details of the problem to "random" clients connecting via SMTP!

I'm pretty sure these aren't necessary. I'm not familiair with sendmail, but these options are most likely for client certificate authentication. Chances are you don't want and need that at all.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.