Sendmail [was OpenSSL]

James Kosin jkosin at beta.intcomgrp.com
Thu Jul 15 19:10:42 UTC 2004





Alexander Dalloz wrote:

<<--snip-->>

| Hi James!
|
| It does not matter, as long as you don't use certificates for
| authentication. From what I understand by your efforts you just want to
| activate TLS, both for Sendmail as for POP3 (where it is called POP3s
| then). In this case the certificate is only used for handshaking and
| building an encrypted connection. The only important thing you must take
| care for is to use as CN the real resolvable FQDN when creating the
| certificate. Else some clients complain at every connection or they even
| reject to connect due to a claimed insecure connection / mismatching
| certificate detected. I myself simply name my mail server
| mail.mydomain.tld and use that name for my users / customers for SMTP
| (Sendmail) and IMAPs and POP3s.
|
| Alexander
|
|
|

Thanks for your help in this...  I know you have been very patient with
me.  This is only the first time I've tried a secure email server.
Pop3s was easy enough to set up.  When I set up (or tried to) TLS things
didn't work so easily.

Changes:
---------
a)  /usr/lib/sasl2/Sendmail.conf
    had pwcheck_method set to pam....  I'm not sure if this is the
default or not...  I changed this to shadow like you have suggested is
the default.
    I also renamed another file there called smtpd.conf to
smtpd.conf.old just in case there was a conflict there.

b)  To help later to simplify configuring the secure clients, I took a
page from one of the links you sent me (or maybe I found).  Anyway, I
created a directory called /etc/mail/ssl to store the ssl information.
    I ran '/usr/share/ssl/misc/CA.pl -newca' which creates a ./demoCA
directory with all the important information.  I then moved the files in
./demoCA to the /etc/mail/ssl...  I did this to help later with using
and creating certificates later if need be.

c)  I had to copy /usr/share/ssl/certs/ipop3d.pem to
/etc/mail/ssl/cacert.pem and /etc/mail/ssl/private/cakey.pem to fix an
issue of both certificates having the same serial number.  My email
client kept complaining about both certificates having the same serial
number and asking the administrator to fix the issue.  It just may be my
email client and not all.  Of course, I still had to edit both of them,
deleting the cert information from the cakey.pem file and the rsa
information from the cacert.pem file.  I'm guessing this was because
both certs contained the exact same information; but, different keys
were used to sign the key.

d)  I had to use the trick of using 'cp /etc/mail/ssl/cacert.pem
/etc/mail/ssl/certs/`openssl x509 -noout -hash <
/etc/mail/ssl/cacert.pem`.0'.  This creates the hash (link) file needed
by STARTTLS to not complain about the key not existing.

e)  I had to modify sendmail.mc to point to the new directories for the
certs and keys...

Everything seems to be working well now.

Oh, I did change the password for the user!!!!

Thanks,
James Kosin
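The hashed-link trick from step d) and the duplicate-serial problem from step c), written up as a small POSIX shell script. This is an added example, not code from the post or from Sendmail; the function names, the demo CA and the certificate names are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): install a CA cert into a
# hashed CApath directory, as step d) above does by hand, then check
# that a server cert really chains to it. All names are constructed.
set -eu

# Copy CERT into CAPATH as HASH.N: HASH is the subject-name hash OpenSSL
# looks up at run time, N the first free suffix so two CAs sharing a
# hash do not clobber each other. Re-running on the same cert is a no-op.
install_ca_link() {
    cert=$1; capath=$2
    mkdir -p "$capath"
    # "-hash" is the old alias; OpenSSL 1.0.0 changed the algorithm, so a
    # directory built for a 0.9.x library needs -subject_hash_old instead.
    subj_hash=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    while [ -e "$capath/$subj_hash.$n" ]; do
        if cmp -s "$cert" "$capath/$subj_hash.$n"; then
            echo "$capath/$subj_hash.$n"; return 0   # already installed
        fi
        n=$((n + 1))
    done
    cp "$cert" "$capath/$subj_hash.$n"
    echo "$capath/$subj_hash.$n"
}

# Print "ok" if SERVERCERT ($1) verifies against CAPATH ($2), else "fail".
verify_against_capath() {
    if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Step c) hit two certs with the same serial; check for it before deploying.
serials_differ() {
    [ "$(openssl x509 -noout -serial -in "$1")" != "$(openssl x509 -noout -serial -in "$2")" ]
}

# Constructed demo PKI under directory $1: a self-signed CA plus a
# CA-signed server certificate, with distinct serials set explicitly.
make_demo_pki() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -set_serial 1 \
        -subj "/CN=Demo CA" -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/key.pem" -out "$d/req.pem" 2>/dev/null
    openssl x509 -req -in "$d/req.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -set_serial 2 -days 2 -out "$d/cert.pem" 2>/dev/null
}
```

Source the file, then `make_demo_pki /tmp/pki && install_ca_link /tmp/pki/cacert.pem /tmp/pki/certs` builds the directory and `verify_against_capath /tmp/pki/cert.pem /tmp/pki/certs` should print `ok`.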