SMTP over TLS
Sendmail version 8.11 introduces support for secure SMTP over TLS (STARTTLS) per RFC 2487 (since superseded by RFC 3207). The term STARTTLS simply refers to the new SMTP command that a client issues, after EHLO, to upgrade an existing plaintext SMTP session into a TLS-protected one. This extension allows you to set up a secure channel between two SMTP (Sendmail) servers using TLS, the successor to Secure Sockets Layer (SSL). TLS ensures the privacy and integrity of the exchange, and it can strongly authenticate the two communicating peers, but only when each side verifies the other's X.509 certificate against a CA it trusts. Without that verification, STARTTLS provides opportunistic encryption that an active attacker on the path can still defeat, for example by stripping the STARTTLS keyword from the EHLO reply. To add STARTTLS support to a stock installation of Sendmail, start by ensuring that you have installed both Sendmail 8.11 or above and OpenSSL using the following command:
[ramon]$ rpm -q sendmail openssl
sendmail-8.11.0-8
openssl-0.9.5a-14
NOTE Chapter 7, "HTTP Services," explains in more detail the nature and purpose of the SSL protocol.
Next, you need to create your own certificate authority (CA) using OpenSSL so that you can sign (and later verify) the X.509 digital certificates of your Sendmail servers and their remote peers. Listing 6.2 shows the commands needed to create the CA.
Listing 6.2 Creating a certificate authority for Sendmail STARTTLS
[ramon]$ sudo mkdir /etc/mail/CA
[ramon]$ cd /etc/mail/CA
[ramon]$ sudo mkdir certs crl newcerts private
[ramon]$ sudo chmod 700 private
[ramon]$ sudo sh -c 'echo 01 > serial'
[ramon]$ sudo cp /dev/null index.txt
[ramon]$ sudo cp /usr/share/ssl/openssl.cnf openssl.cnf
[ramon]$ sudo openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
The commands in Listing 6.2 perform the following tasks:
1. Create a directory (/etc/mail/CA) where you will be storing your Sendmail Certificate Authority information.
2. Create four subdirectories where you will store the CA certificates (certs), the certificate revocation lists (crl), new certificates signed by the CA (newcerts), and the CA's private key (private). The private directory is made readable by root only.
3. Initialize two housekeeping files (serial, holding the next serial number to issue, and an empty index.txt, the database of issued certificates) and copy the standard configuration file (/usr/share/ssl/openssl.cnf) into the current CA directory.
4. Use the openssl command to create a new CA private key (private/cakey.pem) and a new self-signed CA certificate (cacert.pem) that is valid for the next 365 days. You will be prompted for a pass phrase that protects the CA key; choose a strong one, since anyone holding this key can issue certificates your servers will trust.
Next, you need to create a key pair and a self-signed certificate for the Sendmail server using the following command. The -nodes flag leaves the private key unencrypted, which is required because Sendmail cannot supply a pass phrase at startup; both the key and the certificate are written to newreq.pem:
[ramon]$ sudo openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.cnf
And finally, you need to sign the server's certificate with the CA's private key. Because the previous command produced a self-signed certificate rather than a certificate signing request, first convert it back into a request (tmp.pem), then have the CA sign that request:
[ramon]$ sudo openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
Getting request Private Key
Generating certificate request
[ramon]$ sudo openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
Using configuration from openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:
stateOrProvinceName   :PRINTABLE:'Virginia'
localityName          :PRINTABLE:'Ashburn'
organizationName      :PRINTABLE:'Ramon J. Hontanon'
organizationalUnitName:PRINTABLE:'Ramons Pile O Bits'
commonName            :PRINTABLE:'redhat.example.com'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Nov 27 01:03:45 2001 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
As you can see, the signing operation takes two separate commands (the conversion to a request, then the signing itself); once it completes, delete the temporary request file (tmp.pem). The pass phrase requested is the one you chose for the CA key in Listing 6.2. The result is an X.509 certificate, written to the file newcert.pem, in Privacy Enhanced Mail (PEM) format; the matching private key remains in newreq.pem. Use the fully qualified host name of the mail server as the commonName, since that is the name remote peers and their logs will identify the server by.
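The CA build from Listing 6.2 and the server-certificate issuance above, collected into one script as an added example that is not from the book. It differs from the book in two respects a practitioner would want: the server gets its own key and a proper certificate signing request (rather than a self-signed certificate converted with -x509toreq), and a final check confirms both that the signed certificate chains to the CA and that the private key actually matches it, which is the pairing Sendmail's confSERVER_CERT and confSERVER_KEY must name. It assumes openssl is on the PATH, a scratch directory of your choice, and placeholder subject names; keys are generated with -nodes so the script runs unattended.

```shell
#!/bin/sh
# Added example (not from the book): build a private CA as in Listing 6.2 and
# issue a Sendmail server certificate with its own key, then verify the pair.
# Assumptions: openssl on PATH; the directory argument is scratch space; subject
# names are placeholders. -nodes keeps keys unencrypted so this runs unattended;
# in production protect the CA key with a pass phrase as the book does.
set -eu

# write_cnf DIR: a minimal openssl.cnf for "openssl req" and "openssl ca"
write_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = sendmail_ca
[ sendmail_ca ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_anything
x509_extensions = server_cert
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# make_ca DIR: layout and housekeeping files from Listing 6.2, then the CA key
# and a self-signed CA certificate (cacert.pem)
make_ca() {
    ca=$1
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"
    : > "$ca/index.txt"
    echo 01 > "$ca/serial"
    write_cnf "$ca"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -config "$ca/openssl.cnf" \
        -subj "/C=US/ST=Virginia/L=Ashburn/O=Example/CN=Example Mail CA" \
        -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" >/dev/null 2>&1
    chmod 600 "$ca/private/cakey.pem"
}

# issue_server_cert DIR FQDN: fresh key + CSR for the mail host, signed by the CA
issue_server_cert() {
    ca=$1; fqdn=$2
    openssl req -new -nodes -newkey rsa:2048 -config "$ca/openssl.cnf" \
        -subj "/C=US/ST=Virginia/L=Ashburn/O=Example/CN=$fqdn" \
        -keyout "$ca/private/server.key" -out "$ca/server.csr" >/dev/null 2>&1
    chmod 600 "$ca/private/server.key"
    openssl ca -batch -config "$ca/openssl.cnf" -policy policy_anything \
        -in "$ca/server.csr" -out "$ca/newcert.pem" >/dev/null 2>&1
}

# check_server_cert DIR KEYFILE: succeed only if newcert.pem chains to cacert.pem
# AND KEYFILE holds the private key matching it. Naming the wrong key (for
# instance the CA key) in confSERVER_KEY is exactly what this catches.
check_server_cert() {
    ca=$1; key=$2
    openssl verify -CAfile "$ca/cacert.pem" "$ca/newcert.pem" >/dev/null 2>&1 || return 1
    certpub=$(openssl x509 -in "$ca/newcert.pem" -noout -pubkey)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$certpub" = "$keypub" ]
}

# cert_cn DIR: the commonName remote peers will see in the server certificate
cert_cn() {
    openssl x509 -in "$1/newcert.pem" -noout -subject | sed 's/.*CN *= *//'
}

# Usage: sh this.sh /etc/mail/CA mail.example.com
if [ $# -eq 2 ]; then
    make_ca "$1"
    issue_server_cert "$1" "$2"
    if check_server_cert "$1" "$1/private/server.key"; then
        echo "newcert.pem and private/server.key match; CN=$(cert_cn "$1")"
    else
        echo "certificate/key mismatch or chain failure" >&2; exit 1
    fi
fi
```

With this layout, confSERVER_CERT points at newcert.pem and confSERVER_KEY at private/server.key, and the CA key never has to be readable by the mail daemon. The script issues no subjectAltName; add a subjectAltName line to the server_cert section before using it with peers that require one.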
NOTE The X.509 standard defines the format of digital certificates and certificate revocation lists. Aside from the digital signature, an X.509 certificate includes fields for its version, the serial number, the issuer's (CA) name, the validity period, the subject (owner) name, and the subject's public key. PEM, another IETF specification, defines the base64 text encoding (between BEGIN and END marker lines) that is commonly used to exchange X.509 certificates and keys inside files.
Next, you need to modify sendmail.mc to tell Sendmail where to find the CA certificate and the server's own certificate and key. Listing 6.3 contains the exact m4 definitions that you need to add to the sendmail.mc file.
Listing 6.3 Adding certificate support to sendmail.mc
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/newcert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/newreq.pem')dnl
The definitions in Listing 6.3 point Sendmail to the appropriate files in the CA that you built back in Listing 6.2:
■ CERT_DIR (and confCACERT_PATH): The directory where the CA is located (/etc/mail/CA); confCACERT_PATH is where OpenSSL looks for trusted CA certificates when verifying a peer's certificate
■ confCACERT: The root CA certificate (cacert.pem)
■ confSERVER_CERT: The signed certificate for the Sendmail server (newcert.pem)
■ confSERVER_KEY: The private key for the Sendmail server. This is the unencrypted key that was generated together with the self-signed certificate in newreq.pem, not the CA's private/cakey.pem: the CA key does not match newcert.pem, it is protected by a pass phrase that Sendmail cannot supply, and it should never leave the CA's private directory. Keep the server key file owned by root with mode 0600.
If this host will also send mail over TLS, confCLIENT_CERT and confCLIENT_KEY name the certificate and key used for outbound connections; they may point to the same files. After editing sendmail.mc, regenerate sendmail.cf (for example, m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf) and restart Sendmail so the new settings take effect.
If your version of Sendmail has STARTTLS support compiled in and configured, the EHLO reply should list 250-STARTTLS, as in the following session (note the third line from the bottom):
[ramon]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 redhat.example.com ESMTP Sendmail 8.11.0/8.11.0; Sun, 26 Nov 2000 21:04:55 -0500
ehlo localhost
250-local.sendmail.COM Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-DSN
250-STARTTLS
250 HELP
quit
If STARTTLS is missing, first confirm that the binary was built with it: sendmail -d0.1 -bt < /dev/null prints the compile-time options, which must include STARTTLS. Then check the mail log, because Sendmail silently drops the STARTTLS offer and logs an error when a certificate or key file named in Listing 6.3 is missing, unreadable, or has unsafe permissions.
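Two checks on the STARTTLS advertisement, as an added example that is not from the book: a function that tests an EHLO reply for the STARTTLS keyword in the form RFC 2487 specifies (a 250 line, with either the continuation hyphen or the final space), run here over constructed transcripts modelled on the session above, and a probe that uses the -starttls smtp mode of openssl s_client to perform the real TLS handshake against a live server and verify its certificate against your cacert.pem. The host name and CA path given to the probe are assumptions.

```shell
#!/bin/sh
# Added example (not from the book). Assumptions: openssl on PATH; the host and
# CA file passed to starttls_probe are yours. The EHLO replies below are
# constructed to mirror the telnet session in the text.
set -eu

# advertises_starttls < EHLO-reply: succeed if some 250 line carries STARTTLS.
# Accepts "250-STARTTLS" (continuation line) and "250 STARTTLS" (final line),
# ignores case as the RFC allows, and tolerates the CRLF endings of a real
# SMTP session. A keyword such as STARTTLSX must not match.
advertises_starttls() {
    grep -qiE '^250[- ]STARTTLS[[:space:]]*$'
}

# starttls_probe HOST CAFILE: perform the actual STARTTLS handshake on port 25
# and report the peer certificate plus the verification result against CAFILE.
# "Verify return code: 0 (ok)" means the server certificate chains to your CA;
# anything else is what an authenticating peer would reject.
starttls_probe() {
    openssl s_client -connect "$1:25" -starttls smtp -CAfile "$2" </dev/null 2>&1 |
        grep -E 'subject=|issuer=|Verify return code'
}

# Constructed EHLO replies: one from a server offering STARTTLS, one without.
EHLO_WITH_TLS='250-redhat.example.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-DSN
250-STARTTLS
250 HELP'
EHLO_NO_TLS='250-redhat.example.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250 HELP'

# Usage: sh this.sh mail.example.com /etc/mail/CA/cacert.pem
if [ $# -eq 2 ]; then
    starttls_probe "$1" "$2"
fi
```

The grep check is what a monitoring job can run over a scripted EHLO; the s_client probe is the one to run after every certificate change, since a server that advertises STARTTLS but presents a certificate that no longer chains to the CA will still accept plaintext mail from peers that merely log the failure.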