comp.mail.sendmail / sendmail starttls certificates

Subject                                   Author
* sendmail starttls certificates          Ralph Spitzner
`* Re: sendmail starttls certificates     Claus Aßmann
 +* Re: sendmail starttls certificates    Ralph Spitzner
 |`- Re: sendmail starttls certificates   Claus Aßmann
 `* Re: sendmail starttls certificates    Ralph Spitzner
  `* Re: sendmail starttls certificates   J.O. Aho
   `- Re: sendmail starttls certificates  Ralph Spitzner

sendmail starttls certificates

https://www.novabbs.com/computers/article-flat.php?id=527&group=comp.mail.sendmail#527
Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: ras...@spitzner.org (Ralph Spitzner)
Newsgroups: comp.mail.sendmail
Subject: sendmail starttls certificates
Date: Tue, 2 Aug 2022 17:38:25 +0200
Organization: A noiseless patient Spider
Lines: 23
Message-ID: <tcbgdf$1iuc2$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 2 Aug 2022 15:38:23 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="e36910a27a7b9a4bd234b3c39bfbd4b1";
logging-data="1669506"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/hUf412+AAzHPE6ns2+zNWQyeJZ3CKJmg="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0 SeaMonkey/2.53.13
Cancel-Lock: sha1:yyhv4LOD67bGSrk/hM9tGGIqwQw=
X-Mozilla-News-Host: snews://new.eternal-september.org:563
 by: Ralph Spitzner - Tue, 2 Aug 2022 15:38 UTC

I had a certificate from a CA, which came as a cacert.pem and a hostname.pem. sendmail.m4 was:
define(`confCACERT_PATH', `/etc/mail/certs/')
define(`confCACERT', `/etc/mail/certs/cacert.pem')
define(`localCERT', `/etc/mail/certs/spitzner.org.pem')dnl
define(`confSERVER_CERT', `localCERT')
define(`confSERVER_KEY', `localCERT')
TLS was working.

I switched to Let's Encrypt and the config now reads:
define(`confCACERT_PATH', `/etc/dehydrated/certs/spitzner.org/')
define(`confCACERT', `/etc/dehydrated/certs/spitzner.org/chain.pem')
define(`localCERT', `/etc/dehydrated/certs/spitzner.org/cert.pem')dnl
define(`confSERVER_CERT', `localCERT')
define(`confSERVER_KEY', `localCERT')

Now I just get a:
454 4.3.3 TLS not available after start sendmail

the only difference I can see here is that dehydrated uses symlinks for the *.pem files

Any clue as to what's going on here? (Does sendmail not like symlinked PEMs?)

-ralph

Re: sendmail starttls certificates

https://www.novabbs.com/computers/article-flat.php?id=528&group=comp.mail.sendmail#528
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!.POSTED.veps.esmtp.org!not-for-mail
From: INVALID_...@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: sendmail starttls certificates
Date: Tue, 2 Aug 2022 12:26:12 -0400 (EDT)
Organization: MGT Consulting
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <tcbj74$7m7$1@news.misty.com>
References: <tcbgdf$1iuc2$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 2 Aug 2022 16:26:12 -0000 (UTC)
Injection-Info: news.misty.com; posting-host="veps.esmtp.org:155.138.203.148";
logging-data="7879"; mail-complaints-to="abuse@misty.com"
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Tue, 2 Aug 2022 16:26 UTC

Ralph Spitzner wrote:

> 454 4.3.3 TLS not available after start sendmail

What's in the log file? If there is no warning/error,
try (as root)
sendmail -Am -bs -O LogLevel=14
[wait for greeting]
QUIT

and check the log again.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
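The session Claus describes, scripted, plus a filter for the log lines it produces. This is an added example, not code from the thread or from sendmail: the command `sendmail -Am -bs -O LogLevel=14` is the one from the reply above, while the log path, hostname, pid and file path in the sample lines are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): run the diagnostic session without
# typing it, then pull the STARTTLS=server errors out of the mail log.
set -eu

# Log location is an assumption; adjust to your syslog layout.
MAIL_LOG="${MAIL_LOG:-/var/log/mail.log}"

# One throwaway SMTP session against the local sendmail at LogLevel 14.
# sendmail -bs speaks SMTP on stdin/stdout, so feeding it QUIT is enough to
# make it set up its server-side TLS context and log why that failed. Run as root.
sendmail_tls_probe() {
    command -v sendmail >/dev/null 2>&1 || { echo "sendmail not in PATH" >&2; return 1; }
    printf 'QUIT\r\n' | sendmail -Am -bs -O LogLevel=14 >/dev/null
}

# Read syslog lines on stdin; for every STARTTLS=server error line print
#   pid <TAB> failing OpenSSL call <TAB> file it was given <TAB> message
# Call and file are empty when the line carries no "fn(path) failed" text.
starttls_server_errors() {
    awk '
        /sendmail\[[0-9]+\]: STARTTLS=server[,:] .*error/ {
            pid = $0; sub(/.*sendmail\[/, "", pid); sub(/].*/, "", pid)
            msg = $0; sub(/.*STARTTLS=server[,:] */, "", msg)
            call = ""; file = ""
            if (match(msg, /[A-Za-z0-9_]+\([^)]*\) failed/)) {
                call = substr(msg, RSTART, RLENGTH)
                file = call
                sub(/\(.*/, "", call)
                sub(/^[^(]*\(/, "", file); sub(/\).*/, "", file)
            }
            printf "%s\t%s\t%s\t%s\n", pid, call, file, msg
        }
    '
}

# Errors from the most recent part of the real log (path assumed above).
recent_starttls_errors() {
    tail -n 200 "$MAIL_LOG" | starttls_server_errors
}

# Constructed sample log lines in the shape sendmail writes; hostname, pid and
# key path are invented, the OpenSSL text mirrors a PEM parse failure.
sample_log() {
    cat <<'EOF'
Aug  4 12:22:49 mx1 sendmail[4797]: STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/mail/certs/mx1.key) failed
Aug  4 12:22:49 mx1 sendmail[4797]: STARTTLS=server: error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
Aug  4 12:22:49 mx1 sendmail[4797]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
EOF
}

# Demo on the sample: two error rows, the first naming the call and the file.
sample_log | starttls_server_errors
```

On the real host run `sendmail_tls_probe` as root and then `recent_starttls_errors`; the third column tells you which configured file (confSERVER_KEY, confSERVER_CERT, confCACERT) OpenSSL choked on, which is the file to open next.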

Re: sendmail starttls certificates

https://www.novabbs.com/computers/article-flat.php?id=529&group=comp.mail.sendmail#529
Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: ras...@spitzner.org (Ralph Spitzner)
Newsgroups: comp.mail.sendmail
Subject: Re: sendmail starttls certificates
Date: Thu, 4 Aug 2022 12:31:37 +0200
Organization: A noiseless patient Spider
Lines: 25
Message-ID: <tcg766$2plse$1@dont-email.me>
References: <tcbgdf$1iuc2$1@dont-email.me> <tcbj74$7m7$1@news.misty.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 4 Aug 2022 10:31:34 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="20046014c96628500cbc295d01e12fc5";
logging-data="2938766"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX197t7E4RNI7mTxO95qrIdGcG04KDqk5ZSU="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0 SeaMonkey/2.53.13
Cancel-Lock: sha1:jWbt0F3DTqEfaDP9xm6gBoNjCjk=
In-Reply-To: <tcbj74$7m7$1@news.misty.com>
 by: Ralph Spitzner - Thu, 4 Aug 2022 10:31 UTC

Claus Aßmann wrote on 8/2/22 6:26 PM:
> Ralph Spitzner wrote:
>
>> 454 4.3.3 TLS not available after start sendmail
>
> What's in the log file? If there is no warning/error,
> try (as root)
> sendmail -Am -bs -O LogLevel=14
> [wait for greeting]
> QUIT
>
> and check the log again.
>
>

Thanks, apparently it doesn't like the first line:
Aug 4 12:22:49 hpgate sendmail[4797]: STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/dehydrated/certs/spitzner.org/cert.pem) failed
Aug 4 12:22:49 hpgate sendmail[4797]: STARTTLS=server: error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY

First line is:
-----BEGIN EC PARAMETERS-----

then in line 4:
-----BEGIN EC PRIVATE KEY-----
I'm just wondering why Apache et al. can use it like that....

Re: sendmail starttls certificates

https://www.novabbs.com/computers/article-flat.php?id=530&group=comp.mail.sendmail#530
Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: ras...@spitzner.org (Ralph Spitzner)
Newsgroups: comp.mail.sendmail
Subject: Re: sendmail starttls certificates
Date: Thu, 4 Aug 2022 13:34:24 +0200
Organization: A noiseless patient Spider
Lines: 11
Message-ID: <tcgart$2q1t9$1@dont-email.me>
References: <tcbgdf$1iuc2$1@dont-email.me> <tcbj74$7m7$1@news.misty.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 4 Aug 2022 11:34:21 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="20046014c96628500cbc295d01e12fc5";
logging-data="2951081"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19mGEW2GhFhokpSt4yAtdaRrGQhorcUkww="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0 SeaMonkey/2.53.13
Cancel-Lock: sha1:lV/Bi3m/lDkG4djajeg/UCKkCIY=
In-Reply-To: <tcbj74$7m7$1@news.misty.com>
 by: Ralph Spitzner - Thu, 4 Aug 2022 11:34 UTC

Claus Aßmann wrote on 8/2/22 6:26 PM:
> Ralph Spitzner wrote:
>
>> 454 4.3.3 TLS not available after start sendmail
>
> What's in the log file? If there is no warning/error,

Copied the key to a test file, removed the EC PARAM stuff, recompiled m4 to cf.
Now it works, just wondering if Let's Encrypt will change the key on the next update....

-rasp

Re: sendmail starttls certificates

https://www.novabbs.com/computers/article-flat.php?id=531&group=comp.mail.sendmail#531
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!.POSTED.veps.esmtp.org!not-for-mail
From: INVALID_...@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: sendmail starttls certificates
Date: Fri, 5 Aug 2022 00:52:34 -0400 (EDT)
Organization: MGT Consulting
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <tci7mi$ag6$1@news.misty.com>
References: <tcbgdf$1iuc2$1@dont-email.me> <tcbj74$7m7$1@news.misty.com> <tcg766$2plse$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 5 Aug 2022 04:52:34 -0000 (UTC)
Injection-Info: news.misty.com; posting-host="veps.esmtp.org:155.138.203.148";
logging-data="10758"; mail-complaints-to="abuse@misty.com"
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Fri, 5 Aug 2022 04:52 UTC

Ralph Spitzner wrote:

> SSL_CTX_use_PrivateKey_file(/etc/dehydrated/certs/spitzner.org/cert.pem)
> failed

> routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY
> PRIVATE KEY

> -----BEGIN EC PARAMETERS-----

Don't put "EC Parameters" into the cert/key file,
obviously the SSL_CTX_use_PrivateKey_file()
function does not allow that.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
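A way to apply that advice on every renewal rather than by hand, as an added example that is not from the thread, from dehydrated or from sendmail: a POSIX shell script that keeps only the private-key block when copying dehydrated's output into sendmail's certificate directory, checks that the key matches the certificate, and is shaped as a dehydrated deploy_cert hook so the files are rebuilt whenever the key changes. Assumed here: the destination directory /etc/mail/certs and the output file names, the deploy_cert argument order (DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP, as in dehydrated's example hook.sh), and a constructed sample PEM whose key and certificate bodies are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread, dehydrated or sendmail: rebuild sendmail's
# TLS files from dehydrated's output so the key file holds nothing but a
# PRIVATE KEY block (no EC PARAMETERS block ahead of it).
set -eu

# Destination directory and output names are assumptions. Matching
# sendmail.mc defines for this layout (also assumed):
#   define(`confCACERT_PATH', `/etc/mail/certs/')
#   define(`confCACERT',      `/etc/mail/certs/<domain>.chain.pem')
#   define(`confSERVER_CERT', `/etc/mail/certs/<domain>.crt')
#   define(`confSERVER_KEY',  `/etc/mail/certs/<domain>.key')
SENDMAIL_CERT_DIR="${SENDMAIL_CERT_DIR:-/etc/mail/certs}"

# Print only "-----BEGIN ... PRIVATE KEY-----" blocks from a PEM file; EC
# PARAMETERS, certificates and anything else are dropped, so the first line
# of the output is a private key header.
pem_private_key_only() {
    awk '
        /^-----BEGIN [A-Z ]*PRIVATE KEY-----$/ { keep = 1 }
        keep                                  { print }
        /^-----END [A-Z ]*PRIVATE KEY-----$/   { keep = 0 }
    ' "$1"
}

# Print only CERTIFICATE blocks from a PEM file.
pem_certificates_only() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
        keep                            { print }
        /^-----END CERTIFICATE-----$/   { keep = 0 }
    ' "$1"
}

# Number of PEM blocks with the given label in a file (prints 0 if none).
pem_block_count() {
    grep -c "^-----BEGIN $1-----\$" "$2" || true
}

# Constructed sample in the shape described in the thread: an EC PARAMETERS
# block (this one really is the encoding of prime256v1) ahead of the key, then
# a certificate. Key and certificate bodies are placeholders, not real data.
write_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
PLACEHOLDERKEYBODYPLACEHOLDERKEYBODYPLACEHOLDERKEYBODY
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTBODYPLACEHOLDERCERTBODYPLACEHOLDERCERTBODY
-----END CERTIFICATE-----
EOF
}

# dehydrated deploy hook: dehydrated runs deploy_cert from hook.sh after each
# issue or renewal with DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE
# TIMESTAMP (order as in its example hook.sh; check your version). Writes
# root-only files and fails loudly if the key is unusable or does not match.
deploy_cert() {
    DOMAIN="$1"; KEYFILE="$2"; CERTFILE="$3"; CHAINFILE="$5"
    KEY_OUT="$SENDMAIL_CERT_DIR/$DOMAIN.key"
    CRT_OUT="$SENDMAIL_CERT_DIR/$DOMAIN.crt"
    CHAIN_OUT="$SENDMAIL_CERT_DIR/$DOMAIN.chain.pem"

    umask 077   # sendmail rejects a key file that other users can read
    pem_private_key_only "$KEYFILE"    > "$KEY_OUT.tmp"
    pem_certificates_only "$CERTFILE"  > "$CRT_OUT.tmp"
    pem_certificates_only "$CHAINFILE" > "$CHAIN_OUT.tmp"

    head -n 1 "$KEY_OUT.tmp" | grep -q 'PRIVATE KEY' || {
        echo "deploy_cert: no private key block in $KEYFILE" >&2
        rm -f "$KEY_OUT.tmp" "$CRT_OUT.tmp" "$CHAIN_OUT.tmp"; return 1
    }
    # The key must parse and carry the same public key as the certificate.
    if command -v openssl >/dev/null 2>&1; then
        KEY_PUB="$(openssl pkey -in "$KEY_OUT.tmp" -pubout 2>/dev/null || true)"
        CRT_PUB="$(openssl x509 -in "$CRT_OUT.tmp" -noout -pubkey 2>/dev/null || true)"
        if [ -z "$KEY_PUB" ] || [ "$KEY_PUB" != "$CRT_PUB" ]; then
            echo "deploy_cert: key unreadable or does not match certificate for $DOMAIN" >&2
            rm -f "$KEY_OUT.tmp" "$CRT_OUT.tmp" "$CHAIN_OUT.tmp"; return 1
        fi
    fi
    mv "$KEY_OUT.tmp" "$KEY_OUT"; mv "$CRT_OUT.tmp" "$CRT_OUT"; mv "$CHAIN_OUT.tmp" "$CHAIN_OUT"
    chmod 0600 "$KEY_OUT"; chmod 0644 "$CRT_OUT" "$CHAIN_OUT"
    # Restart sendmail afterwards so the daemon reads the new files (not done here).
}

# Demo on the constructed sample: the EC PARAMETERS block is gone and the key
# file now starts with the private key header.
DEMO_DIR="$(mktemp -d)"
write_sample_pem "$DEMO_DIR/privkey.pem"
pem_private_key_only "$DEMO_DIR/privkey.pem" > "$DEMO_DIR/key.pem"
printf 'EC PARAMETERS blocks before: %s, after: %s\n' \
    "$(pem_block_count 'EC PARAMETERS' "$DEMO_DIR/privkey.pem")" \
    "$(pem_block_count 'EC PARAMETERS' "$DEMO_DIR/key.pem")"
head -n 1 "$DEMO_DIR/key.pem"
rm -rf "$DEMO_DIR"
```

Point dehydrated's HOOK setting at this file (or source the functions from an existing hook.sh), make the sendmail.mc defines match the output names, and restart sendmail after a renewal, which the hook deliberately leaves to you. The key goes out with mode 0600 because sendmail refuses to use a key file that is group- or world-readable; keeping the certificate and key in separate files, as here, also avoids pointing confSERVER_KEY at a file that begins with something other than a private key.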

Re: sendmail starttls certificates

https://www.novabbs.com/computers/article-flat.php?id=532&group=comp.mail.sendmail#532
Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: use...@example.net (J.O. Aho)
Newsgroups: comp.mail.sendmail
Subject: Re: sendmail starttls certificates
Date: Fri, 5 Aug 2022 10:03:48 +0200
Lines: 20
Message-ID: <jl4174Fn3ogU1@mid.individual.net>
References: <tcbgdf$1iuc2$1@dont-email.me> <tcbj74$7m7$1@news.misty.com>
<tcgart$2q1t9$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: individual.net tvvGRdWJv/SPs9KaW2jD8gU4FGKN3Thyicu/oUo4Yh0zPK+6u2
Cancel-Lock: sha1:H9pvSvkv8NC0vD57ZAvy5muBQ44=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.11.0
Content-Language: en-US-large
In-Reply-To: <tcgart$2q1t9$1@dont-email.me>
 by: J.O. Aho - Fri, 5 Aug 2022 08:03 UTC

On 04/08/2022 13.34, Ralph Spitzner wrote:
> Claus Aßmann wrote on 8/2/22 6:26 PM:
>> Ralph Spitzner  wrote:
>>
>>> 454 4.3.3 TLS not available after start sendmail
>>
>> What's in the log file? If there is no warning/error,
>
> copied the key to a tesfile, removed the EC PARAM stuff, recompiled m4
> to cf.
> now it works, just wondering if letsenc will change the key on the next
> update....

There are a number of people using sendmail with Let's Encrypt who have devised
a solution:
https://www.autonarcosis.com/2019/12/05/sendmail-letsencrypt-and-verifyok/

--
//Aho

Re: sendmail starttls certificates

https://www.novabbs.com/computers/article-flat.php?id=533&group=comp.mail.sendmail#533
Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: ras...@spitzner.org (Ralph Spitzner)
Newsgroups: comp.mail.sendmail
Subject: Re: sendmail starttls certificates
Date: Fri, 5 Aug 2022 13:43:09 +0200
Organization: A noiseless patient Spider
Lines: 12
Message-ID: <tcivo9$34q20$1@dont-email.me>
References: <tcbgdf$1iuc2$1@dont-email.me> <tcbj74$7m7$1@news.misty.com>
<tcgart$2q1t9$1@dont-email.me> <jl4174Fn3ogU1@mid.individual.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 5 Aug 2022 11:43:05 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="6606d9fd4c04040f5d0ef02ace94985f";
logging-data="3303488"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/m+XoxBvEPyd4qXrJPqGGmL0yZIwhFI2k="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0 SeaMonkey/2.53.13
Cancel-Lock: sha1:nW3fKG9UU9lew4HLIo8ZxCHTIqM=
In-Reply-To: <jl4174Fn3ogU1@mid.individual.net>
 by: Ralph Spitzner - Fri, 5 Aug 2022 11:43 UTC

J.O. Aho wrote on 8/5/22 10:03 AM:
> On 04/08/2022 13.34, Ralph Spitzner wrote:
[...]
> There are a number of people using sendmail with letsencrypt and devised a solution
> https://www.autonarcosis.com/2019/12/05/sendmail-letsencrypt-and-verifyok/
>

Well, it *is* working without the EC params in the key file.
I found an issue on GitHub for dehydrated claiming the EC params output should be fixed;
however, my dehydrated (latest version 0.7.0) still writes them....

-rasp
