Hello,

my reading is that you want to force sendmail to issue STARTTLS when connecting to the remote LMTP mailer. In the documentation for M(ailer) I could not find how to do this. The third parameter to your A= is the port to connect to.

You can try to use the access database and put there Try_TLS:<hostname><TAB>OK. Don’t ask for details, I touch sendmail very rarely and each time I do so I have to rediscover how things work.

The problem might be that sendmail (acting as client) does not recognize the certificate of the LMTP server. Your sendmail might be compiled without STARTTLS support. You can try to start sendmail under strace and see what exactly it sends to the LMTP client.

You could also run stunnel on both sides - one accepts plain text connection, encrypts it using TLS, the other stunnel receives that TLS traffic and forwards it as plain text to the local system. Not efficient, but effective.

Greetings
Дилян

-----Original Message-----
From: rvandam@xxxxxxxxxxxxxxx
Reply-To: Info <info@xxxxxxxxxxxxxxxxxx>
To: Info <info@xxxxxxxxxxxxxxxxxx>
Subject: cyrusv2 (lmtp) broken with tls enabled?
Date: 19/07/24 19:36:17

Hi,

I cannot get sendmail with the cyrusv2 mailer to send messages over lmtp with tls enabled on the cyrus imap server. I have a public smtp server running sendmail that is configured to forward received items to a second server running cyrus imapd version 3.4.3. If I disable tls on the second server the items are received with no issues, even if I am using mech: DIGEST-MD5 for authentication.

I think the issue is that the public server with cyrusv2 mailer is not using starttls:

:inittls: Loading hard-coded DH parameters
: Set client CA list: Client cert requested, not required
: SSL_accept() incomplete -> wait
: SSL_accept() incomplete -> wait
: Doing a peer verify
: verify error:num=30:authority and subject key identifier mismatch
: certificate verify failed in SSL_accept() -> fail

I believe the "verify error:num=30:authority and subject key identifier mismatch" is caused when a non ssl connection is trying to connect to a port that has ssl enabled.

If I run lmtptest from the public server it connects without issue:

lmtptest -t "" -p 24 -m DIGEST-MD5 -a cyrus@xxxxxxxxxxx -w mypassword imap.example.com

: inittls: Loading hard-coded DH parameters
: Set client CA list: Client cert requested, not required
: SSL_accept() incomplete -> wait
: SSL_accept() incomplete -> wait
: SSL_accept() succeeded -> done
: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
: login: imap.example.com [x.x.x.x] cyrus@xxxxxxxxxxx DIGEST-MD5+TLS User logged in

Here is my Mailer config in the sendmail.cf file:

Mcyrusv2, P=[IPC], F=lsDFMnqXzA@/:|m, S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL, E=\r\n, T=DNS/RFC822/SMTP, A=TCP imap.example.com lmtps

I also tried:

A=TCP imap.example.com lmtp

lmtp\lmtps is configured to use port 24 in /etc/services

Is there an option needed to tell the cyrusv2 mailer to use starttls for lmtp connections?

The public server with cyrusv2 is cyrus-imapd 3.6.0-1. Both servers are using openssl 3.0.

Disabling tls from imapd.conf on the imap (second) server does allow the items to be received, but I would prefer to have tls running.

Thank You
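
The stunnel pairing suggested in the reply above, written out as an added example that is not part of the original thread or of either poster's configuration. The file paths, the loopback port 2400, the TLS port 2424 and the certificate locations are assumptions chosen for illustration; only imap.example.com and LMTP port 24 come from the messages.

```ini
; ---- sendmail host: /etc/stunnel/lmtp-client.conf (path is an assumption) ----
; Accepts plain-text LMTP from sendmail on loopback and wraps it in TLS.
[lmtp-out]
client = yes
; Loopback only, so nothing off-host can reach the unencrypted side.
accept = 127.0.0.1:2400
; 2424 is a constructed port for the TLS leg between the two hosts.
connect = imap.example.com:2424
; Verify the peer rather than encrypting blindly; CA bundle path is an assumption.
CAfile = /etc/ssl/certs/ca-certificates.crt
verifyChain = yes
checkHost = imap.example.com

; ---- Cyrus host: /etc/stunnel/lmtp-server.conf (path is an assumption) ----
; Terminates TLS and forwards plain-text LMTP to the local Cyrus lmtpd.
[lmtp-in]
accept = 2424
; Port 24 is the lmtp port named in the original message.
connect = 127.0.0.1:24
; Placeholder certificate and key for imap.example.com.
cert = /etc/stunnel/imap.example.com.pem
key = /etc/stunnel/imap.example.com.key
```

With this layout the cyrusv2 mailer's A= line would point at the loopback listener (host 127.0.0.1, port 2400) instead of imap.example.com, and the Cyrus side sees a plain-text connection arriving from 127.0.0.1.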