RPM's for creating/enabling TLS/SSL certificates and enabling sendmail milters

Alexander Dalloz ad+lists at uni-x.org
Tue Jan 3 19:28:07 UTC 2006

On Tue, 03.01.2006, Philip Prindeville wrote at 9:02:

> I was wondering if there would be any point to doing some .noarch
> that could be installed individually to enable additional
> functionality that isn't turned on out-of-the-box.

Typically such setup tasks are custom and from my point of view it does
not make much sense to cover them in an RPM.

> For instance, I wanted to use IMAP and SMTP with SSL (so that I can
> connect to my mail server on the road, but not have to worry about
> it open to spam relaying)... And turn on milters as well (there are

You want to authenticate using a certificate or instead just protect the
communication between the client and the server so as not to transmit the
authentication data in plain text over a non-secure line? I guess you
have the latter in mind.
Yes, I recommend doing either. Of course, if you just offer and use
CRAM-MD5 or DIGEST-MD5 auth mechs, you then would not really need the
TLS encryption for protecting the auth data.

If you are after a GUI tool to manage SSL certificates (CA creation,
server/client certificate creation, certificate revocation and
requests), you may have a look at tinyCA2: http://tinyca.sm-zone.net/.
may provide it as an RPM if you like.

> checks that sendmail doesn't do on its own, but I'd like to add...
> through hacking the sources, or via milters).

Be careful with HELO/EHLO checks. Of course a clever milter can do
things very selectively and in a way that does not break RFCs and does
not cause false positives.

The automatic enabling of a milter configuration within the Sendmail
configuration is limited. While you can ship with milter as an RPM with
some default values (like the clamav-milter from Fedora Extras), mail
environments and thus mail systems differ.

Generally speaking: there is no way around reading the documentation of
the software you use, especially if it is software for server tasks;
whether you 'click&run' or edit configuration files with a text editor.

> I, like a lot of people, haven't ever enabled or configured either of
> but I figure it shouldn't be too hard to capture the steps and then
> them in RPM's.

Rather than building an RPM or several of them which would have to do
some black magic the users never ever would take deeper notice of, I
recommend studying the available documentation. If you then managed to
understand and realize what you did, to help others you should write a
good howto / tutorial explaining the steps in detail and in words you
think others will understand much better than the documentation
available so far.
If you google you will quickly find out that there are masses of
documents about creating and handling SSL certificates. Even
www.openssl.org itself has some papers. And the milter interface is
explained within the Sendmail docs. Typically the milters themselves
have documentation/readmes too. A nice collection of information about
Sendmail + a milter (clamav-milter) is for instance
http://fedoranews.org/contributors/ron_goulard/clamav/ (of course it
does not cover all aspects).

> Alexander: can you work with me on this?  I.e. provide some guidance
> reality checks?

Not only me; I am sure others will help you as well if you have
specific questions you couldn't answer yourself after consulting the

> -Philip


Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 20:25:59 up 30 days, 1:03, load average: 0.25, 0.26, 0.18 
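
The remark above that CRAM-MD5 keeps the authentication data off the wire, shown as an added example that is not part of the original message: a Python sketch of the CRAM-MD5 challenge-response (RFC 2195) with both sides of the exchange. The user name, password and host name are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import time

def make_challenge(hostname: str) -> bytes:
    """Server: a fresh, never-reused challenge, base64-encoded for the wire."""
    nonce = f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>"
    return base64.b64encode(nonce.encode())

def client_response(user: str, password: str, challenge_b64: bytes) -> bytes:
    """Client: send 'user hex(HMAC-MD5(password, challenge))', never the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def server_verify(secrets: dict, challenge_b64: bytes, response_b64: bytes) -> bool:
    """Server: recompute the HMAC from its stored secret and compare."""
    try:
        user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except ValueError:  # covers bad base64, bad UTF-8 and a missing separator
        return False
    password = secrets.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())

def demo() -> dict:
    secrets = {"philip": "correct horse"}          # constructed sample account
    host = "mail.example.org"                      # constructed host name
    challenge = make_challenge(host)
    response = client_response("philip", "correct horse", challenge)
    wire = base64.b64decode(challenge) + base64.b64decode(response)
    return {
        "accepted": server_verify(secrets, challenge, response),
        "password_on_wire": b"correct horse" in wire,
        # A captured response is useless against a new challenge.
        "replay_accepted": server_verify(secrets, make_challenge(host), response),
    }

if __name__ == "__main__":
    print(demo())
```

The exchange covers only the login step; without TLS the message content itself still crosses the network unencrypted.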