Richard Harms on Tue, 03 Jun 2003 19:04:18 -0500
Re: [Cialug] sendmail/SSL
Basic quick and dirty setup on Red Hat 8.0 or 9 using a self-signed
certificate:
Make sure you have the "sendmail-cf" RPM installed, then go to
/etc/mail. Bring up sendmail.mc in an editor and remove the comments
from the following lines:
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # make -C /usr/share/ssl/certs usage
dnl #
define(`confCACERT_PATH',`/usr/share/ssl/certs')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
Optionally, uncomment this line:
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
define(`confAUTH_OPTIONS', `A p')dnl
And optionally uncomment this line:
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
Save the file, and type "make" - this recreates sendmail.cf taking into
account the changes you just made.
To create your self-signed certificate, change to the directory
/usr/share/ssl/certs, and type "make sendmail.pem." When prompted for
the common name, just use the name of your server - for example,
"dr0.darkrealms.com."
Restart sendmail by doing a "service sendmail restart" and that should
be it.
You can verify it's working by checking the headers of an e-mail message
that would've been received using SSL; it'll look something like:
Received: from sc8-sf-list2.sourceforge.net (lists.sourceforge.net
[66.35.250.206]) by dr0.darkrealms.com (8.12.8/8.12.8) with ESMTP id
h53M8QZ7020455 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA
bits=168 verify=NO) for <rh-xdoclet@xxxxxxxxxxxxxx>; Tue, 3 Jun 2003
17:08:29 -0500
(Surprisingly, sourceforge sends out all their mailing list traffic
using SSL.) It will also show up in your server's maillog:
Jun 1 06:41:55 dr0 sendmail[17526]: STARTTLS=server,
relay=lists.sourceforge.net [66.35.250.206], version=TLSv1/SSLv3,
verify=NO, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168
You can also verify it by doing a "telnet localhost 25" followed by a
"help" and see if the STARTTLS command is shown.
Hopefully I didn't miss anything - make sure you test sending and
receiving mail thoroughly.
-rh
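As an added example (not part of the original post): a small Python audit that reads the two kinds of record quoted above, the Received: header and the maillog STARTTLS line, extracts the version/cipher/bits/verify fields sendmail writes into both, and reports what a self-signed setup like this one produces (verify=NO means the peer certificate was never validated, so the link is encrypted but the peer is not authenticated). The sample lines are constructed from the post's quoted text, with the recipient address replaced by a placeholder.

```python
import re

# Constructed sample records, modelled on the header and maillog line quoted
# in the post; the recipient address is a placeholder.
SAMPLE_RECEIVED = (
    "Received: from sc8-sf-list2.sourceforge.net (lists.sourceforge.net "
    "[66.35.250.206]) by dr0.darkrealms.com (8.12.8/8.12.8) with ESMTP id "
    "h53M8QZ7020455 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA "
    "bits=168 verify=NO) for <user@example.invalid>; Tue, 3 Jun 2003 17:08:29 -0500"
)
SAMPLE_MAILLOG = (
    "Jun  1 06:41:55 dr0 sendmail[17526]: STARTTLS=server, "
    "relay=lists.sourceforge.net [66.35.250.206], version=TLSv1/SSLv3, "
    "verify=NO, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168"
)

# key=value pairs; the value stops at whitespace, a comma or a closing paren
_KV = re.compile(r"\b(version|cipher|bits|verify)=([^\s,)]+)")

def parse_tls_params(text):
    """Extract the TLS fields from a Received: header or maillog STARTTLS line.
    Returns an empty dict when the record carries no TLS parameters."""
    params = dict(_KV.findall(text))
    if "bits" in params:
        # maillog writes "bits=168/168" (cipher bits / algorithm bits);
        # keep the first number
        params["bits"] = int(params["bits"].split("/")[0])
    return params

# substrings identifying cipher suites built on deprecated algorithms
WEAK_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXP", "MD5")
LEGACY_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1/SSLv3")

def assess(params):
    """Return a list of audit findings for one connection's TLS parameters."""
    if not params:
        return ["no TLS parameters: message was received in cleartext"]
    findings = []
    if params.get("verify") != "OK":
        findings.append("verify=%s: peer certificate not validated (encryption "
                        "without peer authentication)" % params.get("verify"))
    cipher = params.get("cipher", "")
    if any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS):
        findings.append("cipher %s uses a deprecated algorithm" % cipher)
    if params.get("bits", 0) < 128:
        findings.append("only %s key bits negotiated" % params.get("bits"))
    if params.get("version", "") in LEGACY_VERSIONS:
        findings.append("version %s: legacy protocol generation" % params["version"])
    return findings

if __name__ == "__main__":
    for record in (SAMPLE_RECEIVED, SAMPLE_MAILLOG):
        print(record[:40] + "...", assess(parse_tls_params(record)))
```

Run it against `grep STARTTLS /var/log/maillog` output to get a per-connection summary of which peers still negotiate legacy parameters.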
On Tuesday, June 3, 2003, at 12:58 PM, Tony Bibbs wrote:
If I want to configure sendmail to use SSL is stunnel the best way to
do this?
--Tony
_______________________________________________
Cialug mailing list
Cialug@xxxxxxxxxx
http://cialug.org/mailman/listinfo/cialug