Re: [Cialug] sendmail/SSL

[david l goodrich <dlg@xxxxxxxxxxxxx>]

how would you create the certificates if you didn't have "make 
sendmail.pem" to do the dirty work for you?  i gave up and ran stunnel. 
 my conf for stunnel looks like this, if anyone's curious...
$ cat /etc/stunnel/stunnel.conf
client = no
[25]
accept = 465
connect = 25
$
preeetty basic.  465 is the ssmtp port, if you were wondering.
  --waldo


On Tuesday, June 3, 2003, at 07:03  pm, Richard Harms wrote:

> Basic quick and dirty setup on Red Hat 8.0 or 9 using a self-signed 
> certificate:
>
> Make sure you have the "sendmail-cf" RPM installed, then go to 
> /etc/mail. Bring up sendmail.mc in an editor and remove the comments 
> from the following lines:
>
> dnl #
> dnl # Rudimentary information on creating certificates for sendmail 
> TLS:
> dnl #     make -C /usr/share/ssl/certs usage
> dnl #
> define(`confCACERT_PATH',`/usr/share/ssl/certs')
> define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
> define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
> define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
>
> Optionally, uncomment this line:
>
> dnl #
> dnl # The following allows relaying if the user authenticates, and 
> disallows
> dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
> dnl #
> define(`confAUTH_OPTIONS', `A p')dnl
>
> And optionally uncomment this line:
>
> dnl #
> dnl # The following causes sendmail to additionally listen to port 
> 465, but
> dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 
> followed
> dnl # by STARTTLS is preferred, but roaming clients using Outlook 
> Express can't
> dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use 
> STARTTLS
> dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses 
> smtps
> dnl # when SSL is enabled-- STARTTLS support is available in version 
> 1.1.1.
> dnl #
> dnl # For this to work your OpenSSL certificates must be configured.
> dnl #
> DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>
> Save the file, and type "make" - this recreates sendmail.cf taking 
> into account the changes you just made.
>
> To create your self-signed certificate, change to the directory 
> /usr/share/ssl/certs, and type "make sendmail.pem." When prompted for 
> the common name, just use the name of your server - for example, 
> "dr0.darkrealms.com."
>
> Restart sendmail by doing a "service sendmail restart" and that should 
> be it.
>
> You can verify its working by checking the headers of an e-mail 
> message that would've been received using SSL, it'll look something 
> like:
>
> Received: from sc8-sf-list2.sourceforge.net (lists.sourceforge.net 
> [66.35.250.206]) by dr0.darkrealms.com (8.12.8/8.12.8) with ESMTP id 
> h53M8QZ7020455 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA 
> bits=168 verify=NO) for <rh-xdoclet@xxxxxxxxxxxxxx>; Tue, 3 Jun 2003 
> 17:08:29 -0500
>
> (Surprisingly, sourceforge sends out all their mailing list traffic 
> using SSL.) It will also show up in your server's maillog:
>
> Jun  1 06:41:55 dr0 sendmail[17526]: STARTTLS=server, 
> relay=lists.sourceforge.net [66.35.250.206], version=TLSv1/SSLv3, 
> verify=NO, c
> ipher=EDH-RSA-DES-CBC3-SHA, bits=168/168
>
> You can also verify it by doing a "telnet localhost 25" followed by a 
> "help" and see if the STARTTLS command is shown.
>
> Hopefully I didn't miss anything - make sure you test sending and 
> receiving mail thoroughly.
>
> -rh
>
> On Tuesday, June 3, 2003, at 12:58  PM, Tony Bibbs wrote:
>
> > If I want to configure sendmail to use SSL is stunnel the best way to 
> > do this?
> >
> > --Tony
> >
> > _______________________________________________
> > Cialug mailing list
> > Cialug@xxxxxxxxxx
> > http://cialug.org/mailman/listinfo/cialug
>
> _______________________________________________
> Cialug mailing list
> Cialug@xxxxxxxxxx
> http://cialug.org/mailman/listinfo/cialug

Attachment: PGP.sig
Description: PGP signature