goldfisch.at-knowledgebase   (by peter pilsl)


  using STARTTLS with sendmail

keywords : sendmail ssl openssl starttls cert auth verify

To allow SSL/TLS encryption with sendmail (for relaying), add the following lines to site.config.m4 *before* building sendmail:

APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')

Details of building sendmail with SASL/SMTP-Auth are covered in KB-208.

Next you need to create a certificate (described in detail in KB-142; it is exactly the same process as for Apache) and specify this certificate in your sendmail.mc:

define(`confCACERT_PATH', `/data/ssl/peter')
define(`confCACERT', `/data/ssl/peter/ca.crt')
define(`confSERVER_CERT', `/data/ssl/peter/smtp.goldfisch.at.crt')
define(`confSERVER_KEY', `/data/ssl/peter/smtp.goldfisch.at.key')

As always, the key files must not be readable by anyone other than root!

Note that if you want your clients to be able to use not only STARTTLS (port 25) but also SSL over smtps (port 465), you need to make sendmail listen for SSL on port 465 (see KB-386 for this).


Note that sendmail is also capable of client authentication (clients then authenticate with client certificates instead of SMTP-AUTH), but this is not covered here.

If everything is working, you should see the following:

# sendmail -d0.1 -bv
Version 8.12.7
Compiled with: DNSMAP LOG MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND
NETINET NETUNIX NEWDB PIPELINING SASL SCANF STARTTLS USERDB
XDEBUG

Note the STARTTLS part.


# telnet localhost 25
ehlo localhost
<skip>
250-STARTTLS
<skip>

And finally, in the header of a mail that is relayed via TLS:
Received: from goldfisch.at (localhost.localdomain [127.0.0.1])
by goldfisch.at (8.12.7/8.12.1) with ESMTP id h1IEoOOB003016
(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
for <pilsl@ihf-hr.org>; Tue, 18 Feb 2003 15:50:24 +0100


Don't worry about the 'verify=NO' part. It just means that the client did not present a client certificate and therefore could not be authenticated. verify can also take other values, as described in op/op.me (run "make op.txt" inside op/ to get a text version):

${verify}
    The result of the verification of the presented cert; only defined
    after STARTTLS has been used. Possible values are:

    OK        verification succeeded.
    NO        no cert presented.
    NOT       no cert requested.
    FAIL      cert presented but could not be verified,
              e.g., the signing CA is missing.
    NONE      STARTTLS has not been performed.
    TEMP      temporary error occurred.
    PROTOCOL  some protocol error occurred.
    SOFTWARE  STARTTLS handshake failed, which is a fatal error
              for this session; the e-mail will be queued.
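A small check script for the setup above and for auditing the TLS parameters sendmail writes into Received: headers. This is an added example, not part of the original entry or of sendmail itself; the key and CA paths are assumptions copied from the sendmail.mc lines above, and the sample header is a constructed copy of the one quoted in this entry.

```shell
#!/bin/sh
# Post-setup checks for the STARTTLS configuration described in this entry.
# Example script added here, not part of the original entry. The paths are
# assumptions taken from the sendmail.mc lines above; adjust them to your site.

KEY=/data/ssl/peter/smtp.goldfisch.at.key   # confSERVER_KEY
CA=/data/ssl/peter/ca.crt                   # confCACERT

# Check 1: the private key must not be readable by group or others.
# Returns 1 (and prints the offending mode) when any group/other bit is set.
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?rw-------|?r--------) return 0 ;;
        *) echo "insecure mode on $1: $mode" >&2; return 1 ;;
    esac
}

# Check 2: confirm the installed binary was built with STARTTLS (the
# "Compiled with:" line shown above). Not run automatically here.
compiled_with_starttls() {
    sendmail -d0.1 -bv </dev/null 2>&1 | grep -q STARTTLS
}

# Check 3: pull the TLS parameters sendmail records in a Received: header
# (version, cipher, bits, verify) so headers or logs can be audited quickly.
# Prints nothing when the header carries no TLS parameters.
tls_params() {
    printf '%s\n' "$1" | sed -n \
        's/.*(\(version=[^ ]*\) \(cipher=[^ ]*\) \(bits=[^ ]*\) \(verify=[^ )]*\)).*/\1 \2 \3 \4/p'
}

# Check 4: live probe of the running sendmail: openssl negotiates STARTTLS
# on port 25 and verifies the server cert against confCACERT. Returns 0 only
# when the chain verifies. Needs network access; not run automatically here.
starttls_probe() {
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "${1:-localhost}:25" \
        -CAfile "$CA" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Key check only if the file is present on this machine.
if [ -f "$KEY" ]; then key_perms_ok "$KEY"; fi

# Demo on a constructed copy of the Received: header quoted in this entry.
SAMPLE='Received: from goldfisch.at (localhost.localdomain [127.0.0.1]) by goldfisch.at (8.12.7/8.12.1) with ESMTP id h1IEoOOB003016 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for <pilsl@ihf-hr.org>; Tue, 18 Feb 2003 15:50:24 +0100'
tls_params "$SAMPLE"
# -> version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO
```

A header with no "(version=... verify=...)" block means the hop was not relayed over TLS at all; starttls_probe and compiled_with_starttls are meant to be run by hand against the live host.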


peter at (updated 2008-11-12)

serial : 211


If you found any nonsense in this entry or want to see important improvements, I would appreciate receiving your comments at knowledge@goldfisch.at

disclaimer : all these entries are part of my very private knowledgebase that I created while solving problems. Many solutions are taken from other webpages or from usenet. There is no warranty for these entries of course. Some of the articles are even stupid and one day you might even find the name of my preferred pizza-service in here, cause I always forget about it. Remember : This is my knowledgebase. If you need professional support and are willing to pay for it just email me at pilsl@goldfisch.at
For enlightenment take a look at http://leblogsportif.sportnation.at