Running Amazon Linux on EC2 instance with sendmail
. I have an email account with Network Solutions, and use that account as a SMART_HOST
relay in my sendmail
configuration. It works well except for one little detail.
In my maillog
file I see entries like this:
sendmail[28450]: STARTTLS=client, relay=mail.example.com.netsolmail.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
After a little research, I've come to the conclusion that the verify=FAIL
is essentially harmless: the connection actually was encrypted, it's just that the host's certificate could not be verified.
Since nobody but me reads the log file, I wouldn't care. But when the message arrives, the Received
header shows
Received: from unknown (HELO example.com) (info@example.com@12.34.56.78)
by 0 with ESMTPA; 15 Aug 2016 07:10:15 -0000
I was hoping to see with ESMPTSA
but I would guess that the certificate verification failure caused the 'S' to be surpressed.
How can I get more detail on what was wrong with the certificate, and how can avoid the verification failure? My guess is that the multiple subdomains of mail.example.com.netsolmail.net
don't match closely enough with the name on the certificate. But how can I verify that, and how can I avoid the complaint - or more exactly how can I get the Received
header to acknowledge the secure connection with ESMTPSA
.
EDIT: I edited sendmail.mc
to add
define(`confLOG_LEVEL', `15')dnl
Now maillog gives more details. Right after the verify=FAIL
line I now see:
sendmail[30706]: STARTTLS=client, cert-subject=/OU=GT39680792/OU=See+20www.rapidssl.com/resources/cps+20+28c+2915/OU=Domain+20Control+20Validated+20-+20RapidSSL+28R+29/CN=*.hostingplatform.com, cert-issuer=/C=US/O=GeoTrust+20Inc./CN=RapidSSL+20SHA256+20CA+20-+20G3, verifymsg=unable to get local issuer certificate
I take this to mean that at least one cause of the verification failure is that sendmail can't find a certificate for the local machine it's running on? Since I'm only relaying outgoing mail to a netsol server, never accepting incoming mail from the internet, I didn't think I'd need to have a certificate for this server. If I need one, where/how do I install it? And can it be the same certificate I use for my webserver, or do I need a different one? Would use of a self-signed certificate be good enough to get the Received
header to say with ESMTPSA
, or would it need to be a commercial certificate from a CA?
EDIT #2:
I'm accepting the answer by @MadHatter. The key was getting confCACERT
defined. I'm embarrassed, my only excuse is old senile brain not grocking m4 source. The default sendmail.mc file on Amazon Linux already had
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
in it, and I had verified that the file existed. But I failed to notice the sneaky little dnl
that was actually at the beginning of those lines! I know what it means, but since I very rarely look at m4 source, and it was right after some other dnl
-ed lines that were marked as comments with #
, my brain registered them as not being commented out!
I actually went through a bunch of gyrations downloading certs from Firefox and pointing sendmail at the Digicert certificate that I use for our website, but since this host only ever sends, never receives, email, nothing else was necessary. I put back the dnl
on the defines for confSERVER_CERT
and confSERVER_KEY
, and all was well, with maillog
showing verify=OK
and verifymsg=ok
on the appropriate STARTTLS=client
lines.
But even though there were no diagnostics about TLS, the Received
header for the connection to netsol still shows with ESMTPA
and not with ESMTPSA
. Oh well, @MadHatter had the dope on that one, too. Sorry this was so long and sort of a wild goose chase. But I learned a lot, and I did improve my configuration (in a non-vital way). I hope someone desperate enough to wade through this might learn something, too.