
Re: [suse-security] How do I activate TLS on sendmail?

On Thursday 06 May 2004 21:41, Gordon Cichon wrote:
> Hi all,
> I'm configuring a Suse 9.1 as a mail server using sendmail. I would like
> to use the Suse configuration as much as possible because I would like
> to be able to update sendmail through Suse online update.
> I would like everybody to be able to post mail who is either
>     * coming from localhost, or who
>     * knows a username/passwd of a user of the machine
> The latter authentication should be encrypted to avoid password
> sniffing. The users should be able to send mail from anywhere in the
> internet using Mozilla or Outlook.
> Is TLS the right thing for what I want?
> I modified the file /etc/sysconfig/sendmail and ran SuSEconfig
> afterwards. I set SMTP_AUTH_* to "all" and installed almost all
> cyrus-sasl-* packages except the one for one-time passwords. I set
> STARTTLS to "both". Is this correct so far?

You don't need both.  Both means you are not only using starttls for users
connecting to post mail through your smtp server, but also you are going to
use it when your smtp server connects to some other host to transfer
the mail.  This would typically be used with what sendmail calls a smarthost,
one to which you always transfer outgoing mail regardless of destination.

> Do I need any certificates? I did not find any instructions to generate
> them. If so, what is the command line to generate these certificates?
> (Self-certified, with correct host name, and with 10 years expiration).

You probably do want to generate certificates.
"man openssl"  for some clues.

openssl is a little better documented than saslauthd,  but still tricky.

It requires two directories in /etc/mail

First do this:

# generate a passphrase-protected (3DES) RSA private key for the server
openssl genrsa -des3 -rand /etc/hosts -out MYServer.key.pem.encrypted 1024
  passphrase (some phrase you can remember typed here)
chmod 600 MYServer.key.pem.encrypted
# create a certificate signing request for that key
openssl req -new -key MYServer.key.pem.encrypted -out MYServer.cert.req
  It will ask for (each separately)

# self-signed CA certificate, valid 10 years
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out CA.cert.pem -days 3650
  (it will ask for your pass phrase here.....)

# strip the passphrase so sendmail can load the key without prompting
openssl rsa -in MYServer.key.pem.encrypted -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted MYServer.key.pem
chmod 600 *
# self-sign the server certificate, valid 10 years
openssl x509 -req -days 3650 -in MYServer.cert.req -signkey MYServer.key.pem.encrypted -out MYServer.cert.pem

John Andersen
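The original question's real requirement is that the username/password exchange never crosses the wire in the clear. Once the certificates above are in place, the following checker (an added example, not part of the thread) verifies that property from the client side: it parses the EHLO reply before and after STARTTLS and flags a server that advertises the plaintext mechanisms PLAIN or LOGIN before the session is encrypted. The host name and the EHLO replies in the block are constructed sample values.

```python
"""Audit whether an SMTP server only offers password AUTH after STARTTLS."""
import smtplib
import ssl
from typing import Dict, List, Optional

# SASL mechanisms that carry the password (or an equivalent) in the clear.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(ehlo_msg: bytes) -> Dict[str, List[str]]:
    """Turn the EHLO reply body (as smtplib returns it) into {KEYWORD: params}.
    Sendmail may also emit the legacy 'AUTH=LOGIN PLAIN' form; fold it into AUTH."""
    caps: Dict[str, List[str]] = {}
    for line in ehlo_msg.decode("ascii", "replace").splitlines():
        key, _, rest = line.strip().partition(" ")
        if key.upper().startswith("AUTH="):
            rest = key[5:] + " " + rest
            key = "AUTH"
        caps.setdefault(key.upper(), []).extend(p.upper() for p in rest.split())
    return caps

def audit(pre_tls: bytes, post_tls: Optional[bytes]) -> List[str]:
    """Return policy findings for the EHLO replies before and after STARTTLS."""
    findings = []
    before = parse_ehlo(pre_tls)
    if "STARTTLS" not in before:
        findings.append("server does not advertise STARTTLS")
    if PLAINTEXT_MECHS & set(before.get("AUTH", [])):
        findings.append("plaintext AUTH mechanisms offered before STARTTLS")
    if post_tls is not None and "AUTH" not in parse_ehlo(post_tls):
        findings.append("no AUTH offered even after STARTTLS")
    return findings

def probe(host: str, port: int = 25) -> List[str]:
    """Live check against a real server (not exercised by the offline sample)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _, pre = smtp.ehlo()
        post = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            _, post = smtp.ehlo()
    return audit(pre, post)

# Constructed EHLO replies: the first leaks password mechanisms before TLS.
WEAK_PRE_TLS = b"mail.example.test Hello client\nSTARTTLS\nAUTH LOGIN PLAIN\nSIZE 10485760"
GOOD_PRE_TLS = b"mail.example.test Hello client\nSTARTTLS\nSIZE 10485760"
GOOD_POST_TLS = b"mail.example.test Hello client\nAUTH LOGIN PLAIN\nSIZE 10485760"

if __name__ == "__main__":
    print("weak:", audit(WEAK_PRE_TLS, GOOD_POST_TLS))
    print("good:", audit(GOOD_PRE_TLS, GOOD_POST_TLS))
```

On the sendmail side the behaviour the checker expects comes from the `p` flag in `confAUTH_OPTIONS` (for example `define(`confAUTH_OPTIONS', `A p')` in sendmail.mc), which withholds PLAIN and LOGIN until a security layer such as STARTTLS is active.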
