LE certs and sendmail - no TLS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: camerontech.com

I ran this command: certbot renew && chmod 640 /etc/letsencrypt/live/camerontech.com/*.pem

It produced this output: standard notice that the cert doesn't need to be renewed

My web server is (include version): Apache httpd 2.4.37

The operating system my web server runs on is (include version): RHEL 8

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

I have set this up successfully in the past, so I don't know what I'm doing wrong. I set up LE for my web domain just fine, but when I add these lines to my sendmail.mc, I don't get TLS support.

define(`CERT_DIR', `/etc/letsencrypt/live/camerontech.com')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/fullchain.pem')
define(`confSERVER_CERT', `CERT_DIR/cert.pem')
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')

My cron job that checks for updates looks like this:

#!/bin/bash
certbot renew 
chmod 640 /etc/letsencrypt/archive/camerontech.com/*

But when I telnet localhost 25 I get this:

[root@mail-east ~]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail-east.camerontech.net ESMTP Sendmail 8.15.2/8.15.2; Fri, 8 Jan 2021 21:04:09 GMT
ehlo thomas.cameron
250-mail-east.camerontech.net Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP

If I use the silly self-signed certs that the RPM generates, I get this:

[root@mail-east ~]# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail-east.camerontech.net ESMTP Sendmail 8.15.2/8.15.2; Fri, 8 Jan 2021 21:05:02 GMT
ehlo thomas.cameron
250-mail-east.camerontech.net Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP

What am I doing wrong?


Hi @thomascameron

your port 25 is working - with the correct certificate.

You can't check that with telnet. Use OpenSSL.

openssl s_client -connect mail-east.camerontech.net:25 -servername mail-east.camerontech.net -starttls smtp

That sends the correct certificate:

YourCertificate


So I don't see a problem.
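An added example, not from this thread, that does the same STARTTLS check from Python: parse_ehlo_extensions() reads an EHLO reply for the STARTTLS keyword (the sample replies are constructed from the two telnet transcripts above), and check_starttls() does the live EHLO/STARTTLS exchange with chain and hostname verification, which is what the openssl s_client command shows. The host and port arguments are assumed.

```python
import smtplib
import ssl

# Constructed from the two EHLO transcripts in the question above, not live output.
EHLO_NO_TLS = """250-mail-east.camerontech.net Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP"""
EHLO_WITH_TLS = EHLO_NO_TLS.replace("250-DELIVERBY", "250-STARTTLS\n250-DELIVERBY")


def parse_ehlo_extensions(ehlo_response):
    """Return the set of extension keywords in a raw multi-line EHLO reply."""
    extensions = set()
    # Line 0 is the '250-host Hello ...' greeting; each later line is
    # '250-KEYWORD [params]' or, for the last line, '250 KEYWORD'.
    for line in ehlo_response.strip().splitlines()[1:]:
        if line.startswith("250-") or line.startswith("250 "):
            body = line[4:].strip()
            if body:
                extensions.add(body.split()[0].upper())  # keywords are case-insensitive
    return extensions


def advertises_starttls(ehlo_response):
    """True only if STARTTLS is listed; AUTH without it means credentials go in clear."""
    return "STARTTLS" in parse_ehlo_extensions(ehlo_response)


def check_starttls(host, port=25):
    """Live check: EHLO, then STARTTLS with chain and hostname verification.

    create_default_context() verifies the chain against the system CA store and
    the name in the certificate against `host`, so a mismatch raises
    ssl.SSLCertVerificationError rather than silently passing.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False, "verified": False, "subject": None}
        smtp.starttls(context=ctx)  # raises on any verification failure
        subject = dict(rdn[0] for rdn in smtp.sock.getpeercert()["subject"])
        return {"starttls": True, "verified": True, "subject": subject}
```

Run check_starttls("mail-east.camerontech.net") from a shell to reproduce the openssl test; the EHLO parser alone works offline on captured banners.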


I do think that the lack of STARTTLS in the ESMTP banner you saw with telnet is relevant, but I'm guessing you found a solution of your own in between when you posted your first question and when @JuergenAuer did his test.

In general, in this situation, I'd suggest looking in your mail server logs because if there's a problem with the mail server's ability to read or use the certificate, it will probably log it into /var/log rather than explaining the specific details of the problem to "random" clients connecting via SMTP!


I'm pretty sure these aren't necessary. I'm not familiar with sendmail, but these options are most likely for client certificate authentication. Chances are you don't want or need that at all.