Secure Sendmail using Letsencrypt

Assuming you have already obtained your certificates with certbot:

Edit /etc/mail/tls/starttls.m4

Add or edit the following lines (afterwards regenerate sendmail.cf and restart sendmail, since the .m4 file is only input to the build):

define(`CERT_DIR', `/etc/letsencrypt/live/examplesubdomain.example.com')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/fullchain.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl

That was all I needed to do for TLS. Beware of using a CNAME as your mail server hostname: Sendmail canonicalises its own hostname through DNS, so mail sent from a CNAME host announces the CNAME target's name in HELO and Received: headers, and that name then no longer matches the certificate. I replaced the CNAMEs with proper A/AAAA records.
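As an added example (not from the original post), here is a set of shell helpers for the steps above: it renders the starttls.m4 fragment for a given hostname, checks that cert.pem and privkey.pem belong together and that the key is not group- or world-readable before sendmail is restarted, flags a hostname that is a CNAME, renders a certbot deploy hook so renewals restart sendmail, and runs a live STARTTLS check. The Debian-style paths, the deploy-hook location and the hostname mail.example.com are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: helpers for the Let's Encrypt
# + Sendmail setup described above.  Assumed: a Debian-style layout with
# /etc/mail/tls/starttls.m4, GNU coreutils (stat -c), openssl and dig on PATH.
# Nothing here writes under /etc; redirect the rendered text yourself.
set -euo pipefail

# Render the starttls.m4 fragment for one hostname.  Every line ends in dnl
# so the m4 run leaves no stray blank lines in sendmail.cf.
render_starttls_m4() {
    local host="$1"
    sed "s|@HOST@|${host}|" <<'EOF'
define(`CERT_DIR', `/etc/letsencrypt/live/@HOST@')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/fullchain.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl
EOF
}

# The certificate and key must belong together; a mismatch only shows up as
# a TLS handshake failure on the first STARTTLS, which is easy to miss.
# Compares the SubjectPublicKeyInfo extracted from each file.
cert_matches_key() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Sendmail refuses a private key that group or world can read and logs the
# file as "unsafe"; certbot writes privkey.pem 0600, but re-check after any
# copying or re-linking.
key_is_private() {
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Sendmail canonicalises its own hostname through DNS, so a CNAME becomes
# the target name in HELO and Received: headers and no longer matches the
# certificate.  The server name must be an A/AAAA record.  (Needs network.)
hostname_is_cname() {
    [ -n "$(dig +short CNAME "$1")" ]
}

# certbot only swaps the files under /etc/letsencrypt; sendmail keeps the old
# key and certificate in memory until restarted.  Render a deploy hook for
# /etc/letsencrypt/renewal-hooks/deploy/ (assumed location; make it executable).
render_deploy_hook() {
    cat <<'EOF'
#!/bin/sh
# Runs after each successful certbot renewal so sendmail loads the new files.
systemctl restart sendmail
EOF
}

# Live check from another host (needs network): STARTTLS must negotiate, the
# chain must verify, and the certificate name must match the MTA's hostname.
check_starttls() {
    local host="$1"
    openssl s_client -starttls smtp -connect "${host}:25" \
        -servername "$host" -verify_hostname "$host" -verify_return_error </dev/null
}

# Usage (hostname and paths are assumptions):
#   render_starttls_m4 mail.example.com > /etc/mail/tls/starttls.m4
#   cert_matches_key /etc/letsencrypt/live/mail.example.com/cert.pem \
#                    /etc/letsencrypt/live/mail.example.com/privkey.pem
#   render_deploy_hook > /etc/letsencrypt/renewal-hooks/deploy/sendmail.sh
#   sendmailconfig && systemctl restart sendmail && check_starttls mail.example.com
```

Run cert_matches_key and key_is_private before restarting sendmail rather than after: a bad key is reported only in the mail log at the first STARTTLS attempt, while the daemon itself starts fine.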

I also use OpenDKIM for signing, so I added this to sendmail.mc:

INPUT_MAIL_FILTER(`opendkim', `S=local:/run/opendkim/opendkim.sock')dnl

I make OpenDKIM listen on a UNIX socket, so in opendkim.conf:

Socket                  local:/run/opendkim/opendkim.sock

There we go: Gmail is happy to receive mail now. (Best to get your SPF and DMARC records sorted too, though.)