Code:
FreeBSD kif 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
I decided to change my domain name (domain1.com to domain2.com). I revoked the certbot certs and deleted them. I changed my /usr/local/etc/apache24/extra/httpd-vhosts.conf to reflect the name change, turned off the "redirect" line that shuffles people from port 80 to port 443, and used certbot to grab a new certificate for domain2.com, www.domain2.com, and mail.domain2.com. Worked like a charm. I then turned the redirect line back on to ensure that the certificate was working, and all was fine.
The problem came about when I tried to change over my sendmail. I made all the certificate changes in the ServerName.MC file, changed over the local-host-names file, the access file, etc. I issued a "make all install restart", and it all came up just fine. However, when I telnet to the machine on port 25, there is no STARTTLS listed in the EHLO response. I went back and checked my configurations but cannot find anything wrong in them. Perhaps a fresh set of eyes will help!
I know the certs are good, but I cannot find anything else wrong. Admittedly, I am a novice with this stuff.
Code:
root@kif:/etc/mail # service saslauthd status
saslauthd is running as pid 47455.
root@kif:/etc/mail #
Code:
root@kif:/etc/mail # cat kif.mc
dnl Sendmail m4 configuration (kif.mc) exactly as pasted into the post.
dnl NOTE(review): the opening m4 quote (`) is missing from nearly every
dnl quoted argument below, while the `authwarnings,noexpn,novrfy' line
dnl keeps it.  That looks like the forum stripping backticks rather than
dnl the real file, but confirm every argument is written as `...' in the
dnl actual kif.mc -- an unbalanced quote makes m4 swallow text up to the
dnl next quote and can silently drop a define.
divert(-1)
divert(0)
VERSIONID($FreeBSD: releng/11.1/etc/sendmail/freebsd.mc 285230 2015-07-07 03:00:57Z gshapiro $')
OSTYPE(freebsd6)
DOMAIN(generic)
dnl Hash-map lookups under /etc/mail; access_db also feeds blacklist_recipients.
FEATURE(access_db, hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, hash -o /etc/mail/mailertable')
FEATURE(virtusertable, hash -o /etc/mail/virtusertable')
dnl Present outgoing mail as coming from the new domain (domain2.com).
MASQUERADE_AS(domain2.com)dnl
MASQUERADE_DOMAIN(domain2.com)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
dnl Enable STARTTLS for receiving email.
dnl All TLS material is taken from the certbot "live" directory, whose
dnl entries are symlinks into ../../archive/domain2.com (see the ls output
dnl further down in the post).
define(CERT_DIR', /usr/local/etc/letsencrypt/live/domain2.com')dnl
define(confSERVER_CERT', CERT_DIR/cert.pem')dnl
dnl NOTE(review): the archive listing shows privkey1.pem as
dnl -rw-r----- root:wheel, i.e. group-readable.  sendmail's default
dnl file-safety checks are stricter for key files than for certificates
dnl and may refuse such a key, in which case STARTTLS is simply not
dnl advertised -- which matches the EHLO output.  Check /var/log/maillog
dnl for "STARTTLS=server" diagnostics before changing anything; the
dnl usual remedies are tightening the key to mode 0600 or explicitly
dnl allowing a group-readable key via DontBlameSendmail.
define(confSERVER_KEY', CERT_DIR/privkey.pem')dnl
define(confCLIENT_CERT', CERT_DIR/cert.pem')dnl
define(confCLIENT_KEY', CERT_DIR/privkey.pem')dnl
dnl fullchain.pem (leaf + intermediates) is used as the CA bundle.
define(confCACERT', CERT_DIR/fullchain.pem')dnl
dnl NOTE(review): CACERT_PATH points at the live directory itself.
dnl sendmail's CACertPath normally names a directory of hash-linked CA
dnl certificates; presumably not what suppresses STARTTLS here, but worth
dnl confirming once the key-permission question is settled.
define(confCACERT_PATH', CERT_DIR')dnl
dnl Custom DH parameters are left disabled.
dnl define(confDH_PARAMETERS', CERT_DIR/dh.param')dnl
dnl set SASL options
TRUST_AUTH_MECH(GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(confAUTH_MECHANISMS', GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
dnl The "p" option withholds mechanisms that send credentials in the
dnl clear (e.g. LOGIN) until a security layer such as TLS is active.
dnl This is consistent with the EHLO transcript below advertising only
dnl DIGEST-MD5 and CRAM-MD5: with no TLS negotiated, LOGIN is hidden.
define(confAUTH_OPTIONS',p,y')
define(confCW_FILE', -o /etc/mail/local-host-names')
dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(Name=IPv4, Family=inet', Name=MTA-v4, Port=25, Modifiers=a)
dnl DAEMON_OPTIONS(Name=IPv6, Family=inet6, Modifiers=O')
define(confBIND_OPTS', WorkAroundBrokenAAAA')
define(confNO_RCPT_ACTION', add-to-undisclosed')
dnl Privacy flags: disable EXPN/VRFY and warn on suspicious headers.
define(confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)
root@kif:/etc/mail #
Code:
root@kif:/etc/mail # ls -la /usr/local/etc/letsencrypt/live/domain2.com/
total 12
drwxr-xr-x 2 root wheel 512 Feb 28 22:17 .
drwx------ 4 root wheel 512 Feb 28 23:42 ..
-rw-r--r-- 1 root wheel 543 Feb 28 22:17 README
lrwxr-xr-x 1 root wheel 38 Feb 28 22:17 cert.pem -> ../../archive/domain2.com/cert1.pem
lrwxr-xr-x 1 root wheel 39 Feb 28 22:17 chain.pem -> ../../archive/domain2.com/chain1.pem
lrwxr-xr-x 1 root wheel 43 Feb 28 22:17 fullchain.pem -> ../../archive/domain2.com/fullchain1.pem
lrwxr-xr-x 1 root wheel 41 Feb 28 22:17 privkey.pem -> ../../archive/domain2.com/privkey1.pem
root@kif:/etc/mail #
Code:
root@kif:/usr/local/etc/letsencrypt/archive/domain2.com # ls -la
total 24
drwxr-xr-x 2 root wheel 512 Feb 28 22:17 .
drwx------ 7 root wheel 512 Feb 28 23:42 ..
-rw-r--r-- 1 root wheel 1964 Feb 28 22:17 cert1.pem
-rw-r--r-- 1 root wheel 1647 Feb 28 22:17 chain1.pem
-rw-r--r-- 1 root wheel 3611 Feb 28 22:17 fullchain1.pem
-rw-r----- 1 root wheel 1704 Feb 28 22:17 privkey1.pem
root@kif:/usr/local/etc/letsencrypt/archive/domain2.com #
Code:
root@kif:/etc/mail # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 kif ESMTP Sendmail 8.15.2/8.15.2; Fri, 1 Mar 2019 01:12:51 -0500 (EST)
ehlo localhost
250-kif Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
quit
221 2.0.0 kif closing connection
Connection closed by foreign host.
root@kif:/etc/mail #
I used the following to help set this up:
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/SMTP-Auth.html
https://evermeet.cx/wiki/Let's_Encrypt_with_Apache,_dovecot,_and_sendmail#sendmail_.28sendmail.mc.29