The FreeBSD Diary
Scripts / handy tips
 Sendmail TLS
Author: el_kab0ng 
Date:   07-11-05 20:03

Not exactly FreeBSD, but since Sendmail comes standard with FreeBSD and TLS is the "way of the future", I've written a quick and dirty guide to setting up sendmail with TLS:

Quick and Dirty Guide to Sendmail TLS

Developed Using: FreeBSD 5.4 and Red Hat Linux ES 4.0

Certificate: We used CACert.org as a free SSL Certificate
provider, as well as a commercial one from Entrust.

=========================================================

1. Set up your Certificate Signing Request

a. cd /etc/ssl (FreeBSD)
b. mkdir CA
c. cd CA
d. mkdir certs crl newcerts private
e. cd private
f. openssl genrsa 1024 > servername.key
g. openssl req -new -key servername.key > servername.csr
h. Submit the contents of your csr to CACert.org for signing.
i. Save the results of the signed certificate as servername-cert.pem
j. If you used a non-standard CA to sign your certificate such as CACert.org,
you will need to download their Root Certificate and save it as cacert.pem.

2. Configure Sendmail (By default 8.13 now includes STARTTLS support, if your
version is older, upgrade!)

a. Add the following lines to your sendmail.mc file and rebuild:

define(`CERT_DIR', `/etc/mail/certs')
define(`confCACERT_PATH', `/etc/mail/certs/CA')
define(`confCACERT', `CERT_DIR/cacert.pem')
define(`confSERVER_CERT', `CERT_DIR/servername-cert.pem')
define(`confSERVER_KEY', `CERT_DIR/servername-key.pem')
define(`confCLIENT_CERT', `CERT_DIR/servername-cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/servername-key.pem')

3. Copy the certificates in /etc/ssl/CA to /etc/mail/certs

a. cp /etc/ssl/CA/private/servername.key /etc/mail/certs/servername-key.pem
b. cp /etc/ssl/CA/servername-cert.pem /etc/mail/certs/servername-cert.pem
c. cp /etc/ssl/CA/cacert.pem /etc/mail/certs/cacert.pem

4. Set up appropriate permissions:

a. cd /etc/mail/certs
b. chown root *
c. chmod 0400 *

5. Create the needed hash for the cacert.pem file.

a. cd /etc/mail/certs
b. ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0

6. Create a certificate list and subsequent hashes for all known root CAs.

a. cp /etc/mail/certs/cacert.pem /etc/mail/certs/CA/CACert.cert
b. Confirm the contents of the CACert.cert (openssl x509 -noout -text -in cacert.pem)
c. cd /etc/mail/certs/CA
d. cp /usr/ports/security/ca-roots/files/ca-root.crt (FreeBSD) ca-root.crt
e. Use the included Makefile, extract script and ca-root.crt files to extract the certs
from the crt file to .cert files. Then create the hashes and links.
1. make ca-root file=ca-root.crt
2. make links

7. Test your configuration
echo "test monkies!" | mail user@some.other.host

Sep 15 14:19:21 some sm-mta[2380]: NOQUEUE: connect from some.mail.host [10.10.10.22]
Sep 15 14:19:21 some sm-mta[2380]: j8FJJLVk002380: Milter (clmilter): init success to negotiate
Sep 15 14:19:21 some sm-mta[2380]: j8FJJLVk002380: Milter (greylist): init success to negotiate
Sep 15 14:19:21 some sm-mta[2380]: j8FJJLVk002380: Milter: connect to filters
Sep 15 14:19:28 some sm-mta[2380]: STARTTLS=server, relay=some.mail.host [10.10.10.22], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 15 14:19:34 some milter-greylist: STARTTLS succeeded for DN="/CN=some.mail.host", bypassing greylisting
Sep 15 14:19:34 some sm-mta[2380]: j8FJJLVl002380: from=<user@host.com>, size=725, class=0, nrcpts=1, msgid=<200509151917.j8FJHZGK019051@some.mail.host>, proto=ESMTP, daemon=IPv4, relay=some.mail.host [10.10.10.22]
Sep 15 14:19:34 some sm-mta[2380]: j8FJJLVl002380: Milter add: header: X-Virus-Scanned: ClamAV version 0.86.2, clamav-milter version 0.86 on some.other.host
Sep 15 14:19:34 some sm-mta[2380]: j8FJJLVl002380: Milter add: header: X-Virus-Status: Clean
Sep 15 14:19:34 some sm-mta[2380]: j8FJJLVl002380: Milter add: header: X-Greylist: Sender succeeded STARTTLS authentication, not delayed by milter-greylist-2.0 (some.other.host [192.168.1.15]); Thu, 15 Sep 2005 14:19:34 -0500 (CDT)
Sep 15 14:19:34 some sm-mta[2380]: j8FJJLVl002380: Milter accept: message
Sep 15 14:19:34 some sm-mta[2381]: j8FJJLVl002380: to=<user@some.other.host>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31417, relay=local, dsn=2.0.0, stat=Sent
Sep 15 14:19:34 some sm-mta[2381]: j8FJJLVl002380: done; delay=00:00:00, ntries=1
8. Resources:
http://sial.org/howto/sendmail/tls-relay/
http://www.thawte.com Solution ID: vs27664
http://www.technoids.org/starttlstut.html
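The post's steps 1 through 6 as one script that runs end to end, added here as an example; it is not part of el_kab0ng's post. It assumes a server name of mail.example.org, a throwaway locally generated root CA in place of CACert.org, and temporary directories in place of /etc/ssl/CA and /etc/mail/certs, so it needs neither root nor network. It departs from the post in three ways a practitioner would want: a 2048-bit key instead of the 1024-bit key in step 1, the hash link written into the confCACERT_PATH directory (where OpenSSL actually looks it up) rather than beside cacert.pem, and two closing checks the post does not show, that the server certificate verifies against the hashed CA directory and that the installed key matches the installed certificate.

```shell
#!/bin/sh
# Added example (not from the post): the post's steps 1-6 as a checkable script.
# Assumptions: server name mail.example.org, a throwaway local root CA standing
# in for CACert.org, and temp directories standing in for /etc/ssl/CA/private
# and /etc/mail/certs, so it runs without root or network.
set -eu
umask 077                                 # never leave a key world-readable

HOST="${HOST:-mail.example.org}"          # assumed; use your MX hostname
WORKDIR="${WORKDIR:-$(mktemp -d)}"
SSL_DIR="$WORKDIR/ssl"                    # stands in for /etc/ssl/CA/private
CERT_DIR="$WORKDIR/mail-certs"            # stands in for /etc/mail/certs
mkdir -p "$SSL_DIR" "$CERT_DIR/CA"

# Minimal req config so the run does not depend on the system openssl.cnf.
cat > "$SSL_DIR/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Test Root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Step 1: key and CSR. 2048 bits rather than the post's 1024, which current
# OpenSSL security levels reject outright.
make_key_and_csr() {
    openssl genrsa -out "$SSL_DIR/servername.key" 2048 2>/dev/null
    openssl req -new -config "$SSL_DIR/req.cnf" -key "$SSL_DIR/servername.key" \
        -subj "/CN=$HOST" -out "$SSL_DIR/servername.csr"
}

# Stand-in for CACert.org: a local root signs the CSR. In a real deployment
# you submit the CSR and save the CA's own root certificate as cacert.pem.
# The same cert serves as confCLIENT_CERT for outbound mail, so it gets
# clientAuth as well as serverAuth.
sign_with_local_ca() {
    openssl req -x509 -config "$SSL_DIR/req.cnf" -newkey rsa:2048 -nodes \
        -days 30 -keyout "$SSL_DIR/ca.key" -out "$SSL_DIR/cacert.pem" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$HOST" > "$SSL_DIR/server.ext"
    openssl x509 -req -in "$SSL_DIR/servername.csr" -CA "$SSL_DIR/cacert.pem" \
        -CAkey "$SSL_DIR/ca.key" -CAcreateserial -days 30 \
        -extfile "$SSL_DIR/server.ext" -out "$SSL_DIR/servername-cert.pem" 2>/dev/null
}

# Steps 3-5: install under the names sendmail.mc refers to, lock down, and
# create the subject-hash link inside confCACERT_PATH, which is the directory
# OpenSSL searches for <hash>.0 when it verifies a peer certificate.
install_certs() {
    cp "$SSL_DIR/servername.key" "$CERT_DIR/servername-key.pem"
    cp "$SSL_DIR/servername-cert.pem" "$CERT_DIR/servername-cert.pem"
    cp "$SSL_DIR/cacert.pem" "$CERT_DIR/cacert.pem"
    chmod 0400 "$CERT_DIR"/*.pem
    # chown root "$CERT_DIR"/*.pem   # as in the post; needs root, skipped here
    ln -sf ../cacert.pem \
        "$CERT_DIR/CA/$(openssl x509 -noout -hash -in "$CERT_DIR/cacert.pem").0"
}

# Step 2: the sendmail.mc lines, pointed at CERT_DIR. m4 expands CERT_DIR
# when the conf* values are used, so the nested quoting is intentional.
mc_fragment() {
    sed "s|@CERT_DIR@|$CERT_DIR|" <<'EOF'
define(`CERT_DIR', `@CERT_DIR@')dnl
define(`confCACERT_PATH', `CERT_DIR/CA')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/servername-cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/servername-key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/servername-cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/servername-key.pem')dnl
EOF
}

# Checks worth running before rebuilding sendmail.cf: the server cert chains
# to the hashed CA directory, and the installed key matches the installed cert.
verify_install() {
    openssl verify -CApath "$CERT_DIR/CA" "$CERT_DIR/servername-cert.pem" >/dev/null &&
    [ "$(openssl x509 -noout -pubkey -in "$CERT_DIR/servername-cert.pem")" = \
      "$(openssl pkey -pubout -in "$CERT_DIR/servername-key.pem")" ]
}

make_key_and_csr
sign_with_local_ca
install_certs
mc_fragment
verify_install
echo "key, certificate and CA hash link in $CERT_DIR verified"
```

Against a live server the equivalent check is `openssl s_client -starttls smtp -connect mail.example.org:25`, which reports the negotiated protocol and cipher the way the STARTTLS=server log line above does. One caveat on step 5: OpenSSL 1.0.0 changed the subject-hash algorithm, so a sendmail linked against OpenSSL 0.9.x expects links named by `openssl x509 -subject_hash_old` rather than by the current `-hash` output.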
