How do I activate TLS on sendmail?
Hi all,

I'm configuring a Suse 9.1 as a mail server using sendmail. I would like to use the Suse configuration as much as possible because I would like to be able to update sendmail through Suse online update.

I would like to have everybody to be able to post mail who is either
* coming from localhost, or who
* knows a username/passwd of a user of the machine

The latter authentication should be encrypted to avoid password sniffing. The users should be able to send mail from anywhere in the internet using mozilla or outlook.

Is TLS the right thing for what I want?

I modified the file /etc/sysconfig/sendmail and ran SuSEconfig afterwards. I set SMTP_AUTH_* to "all" and installed almost all cyrus-sasl-* packages except the one for one-time passwords. I set STARTTLS to "both". Is this correct so far?

Do I need any certificates? I did not find any instructions to generate them. If so, what is the command line to generate these certificates? (Self-certified, with correct host name, and with 10 years expiration).

Am I missing anything else?

Thanks a lot for your help in advance.

Best Regards,
Gordon.
On Thursday 06 May 2004 21:41, Gordon Cichon wrote:
Hi all,
I'm configuring a Suse 9.1 as a mail server using sendmail. I would like to use the Suse configuration as much as possible because I would like to be able to update sendmail through Suse online update.
I would like to have everybody to be able to post mail who is either
* coming from localhost, or who
* knows a username/passwd of a user of the machine
The latter authentication should be encrypted to avoid password sniffing. The users should be able to send mail from anywhere in the internet using mozilla or outlook.
Is TLS the right thing for what I want?
I modified the file /etc/sysconfig/sendmail and ran SuSEconfig afterwards. I set SMTP_AUTH_* to "all" and installed almost all cyrus-sasl-* packages except the one for one-time passwords. I set STARTTLS to "both". Is this correct so far?
You don't need both. Both means you are not only using starttls for users connecting to post mail thru your smtp server, but also you are going to use it when your smtp server connects to some other host to transfer the mail. This would typically be used with what sendmail calls a smarthost, one to which you always transfer outgoing mail regardless of destination.
Do I need any certificates? I did not find any instructions to generate them. If so, what is the command line to generate these certificates? (Self-certified, with correct host name, and with 10 years expiration).
You probably do want to generate certificates. "man openssl" for some clues. openssl is a little better documented than saslauthd, but still tricky.

It requires two directories in /etc/mail: certs and auth.

First do this:

openssl genrsa -des3 -rand /etc/hosts -out MYServer.key.pem.encrypted 1024
passphrase (some phrase you can remember typed here)
chmod 600 MYServer.key.pem.encrypted

openssl req -new -key MYServer.key.pem.encrypted -out MYServer.cert.req
It will ask for (each separately) Country, State, City, Company, Username, useremail@machinename.dom

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out CA.cert.pem -days 3650
(it will ask for your pass phrase here.....)

openssl rsa -in MYServer.key.pem.encrypted -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted MYServer.key.pem
chmod 600 *

openssl x509 -req -days 3650 -in MYServer.cert.req -signkey MYServer.key.pem.encrypted -out MYServer.cert.pem

--
_____________________________________
John Andersen
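Gordon's actual requirement was a self-signed certificate with the correct host name and ten years of validity. The script below is an added example (mine, not John's procedure and not anything shipped by SuSE) that produces exactly that non-interactively, keeps the private key unencrypted and mode 0600 so the daemon can start unattended, and then runs the three checks worth doing before pointing sendmail at the files: the subject really carries the host name, the certificate is self-signed, and the certificate matches the key. The host name mail.example.test, the output directory and all function names are assumptions; the two resulting files are what sendmail's standard confSERVER_CERT and confSERVER_KEY options refer to, however SuSE's sysconfig wires those.

```shell
#!/bin/sh
# Added example (not from this thread or the SuSE sendmail package): create a
# self-signed server certificate whose CN and subjectAltName carry the mail
# host's name, valid for the requested number of days, plus checks a
# practitioner would run before handing the files to sendmail.
# Assumptions: the OpenSSL command-line tool is installed; host name and
# output directory are supplied by the caller (constructed values below).

# make_selfsigned_cert HOST OUTDIR [DAYS]
# Writes OUTDIR/HOST.key.pem (mode 0600, unencrypted so the daemon can start
# without a pass phrase) and OUTDIR/HOST.cert.pem (mode 0644).
make_selfsigned_cert() {
    host=$1
    outdir=$2
    days=${3:-3650}
    mkdir -p "$outdir"
    cfg="$outdir/$host.req.cnf"
    # Non-interactive request config: no prompts, CN = host, SAN = host
    # (modern mail clients match the SAN, not only the CN).
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[san]
subjectAltName = DNS:$host
EOF
    # umask 077 inside a subshell so the private key is never world-readable,
    # not even between creation and the chmod below.
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$outdir/$host.key.pem" -out "$outdir/$host.cert.pem" \
        -days "$days" -config "$cfg" -extensions san >/dev/null 2>&1) || return 1
    chmod 600 "$outdir/$host.key.pem"
    chmod 644 "$outdir/$host.cert.pem"
    rm -f "$cfg"
}

# cert_subject CERT: prints the subject in RFC 2253 form, e.g. "subject=CN=host".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# cert_is_selfsigned CERT: true when issuer and subject are identical.
cert_is_selfsigned() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# cert_matches_key CERT KEY: true when the certificate's public key is the
# one derived from KEY (catches the classic mismatched-file mistake).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for_days CERT DAYS: true when the certificate does not expire
# within DAYS days (openssl x509 -checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage with a constructed host name and a scratch directory:
#   make_selfsigned_cert mail.example.test /tmp/mailcerts 3650
#   cert_subject /tmp/mailcerts/mail.example.test.cert.pem
#   cert_matches_key /tmp/mailcerts/mail.example.test.cert.pem \
#                    /tmp/mailcerts/mail.example.test.key.pem && echo "key matches cert"
```

Because the certificate is self-signed, every client (Mozilla, Outlook) will have to accept or import it once; that is the trade-off against a CA-issued certificate, not a configuration error. The key file is the one secret here: it stays 0600 and owned by the user sendmail reads it as.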
Hi John, thanks for your help. I created the certificates the way you explained it. Now, I tried to send email with it. I started saslauthd, and when I try to send mail, I get the following error:
May 7 16:10:32 parsley sendmail[25145]: no secret in database
May 7 16:10:32 parsley sendmail[25145]: unable to open Berkeley db /etc/sasldb2: No such file or directory
What does that mean? I also tried to switch the authentication method in /etc/sysconfig/saslauthd from "pam" to "shadow". After SuSEconfig and restarting all daemons, I still get the same error. What can I do? Thanks a lot once more. Best Regards, Gordon.
On Friday 07 May 2004 06:22, Gordon Cichon wrote:
Hi John,
thanks for your help. I created the certificates the way you explained it. Now, I tried to send email with it. I started saslauthd, and when I
try to send mail, I get the following error:
May 7 16:10:32 parsley sendmail[25145]: no secret in database
May 7 16:10:32 parsley sendmail[25145]: unable to open Berkeley db /etc/sasldb2: No such file or directory
What does that mean?
You did add the users into the database right? saslpasswd2 is the command you use for that.
I also tried to switch the authentication method in /etc/sysconfig/saslauthd from "pam" to "shadow". After SuSEconfig and restarting all daemons, I still get the same error.
What can I do?
I've never gotten anything but sasl to work, I'm going to send you some notes off-list that I compiled while getting this to work. There was a lot of dinking around to finally get it up and running because the sasl bits are not well documented and some authentication methods don't work (at least not for me). I was able to get this to work with Suse 8.1 and 8.2 even though one uses sasl and the other sasl2. I'll send my notes by separate mail.

--
_____________________________________
John Andersen
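The two log lines Gordon quoted say that sendmail is looking passwords up in the sasldb file, and that file does not exist yet; John's pointer to saslpasswd2 is the fix. As an added example (mine, not John's off-list notes), the script below adds a user to /etc/sasldb2 in the realm sendmail will query, locks the file down so only the daemon can read it, and checks the listing for the exact user@realm pair, because a realm mismatch produces the same "no secret in database" error even after the user has been added. The user name gordon and the host parsley.example.test are constructed; that sendmail's realm is its fully qualified host name ($j, the default when no realm is configured) and that the daemon reads the database as group mail are assumptions to check against your own setup.

```shell
#!/bin/sh
# Added example (not from John's notes): populate the sasldb2 that sendmail's
# "no secret in database" / "unable to open Berkeley db /etc/sasldb2" errors
# point at, and confirm the entry exists in the realm sendmail will look up.
# Assumptions: cyrus-sasl's saslpasswd2 and sasldblistusers2 are installed;
# sendmail's realm is its fully qualified host name ($j); the daemon reads the
# database as group "mail" (assumed; check your distribution's sendmail group).

SASLDB=${SASLDB:-/etc/sasldb2}

# sasl_add_user USER REALM: create (-c) USER in REALM, reading the password
# from stdin (-p) so it never shows up in the process list or shell history.
sasl_add_user() {
    saslpasswd2 -p -c -f "$SASLDB" -u "$2" "$1"
}

# sasl_delete_user USER REALM: remove the entry again (-d).
sasl_delete_user() {
    saslpasswd2 -d -f "$SASLDB" -u "$2" "$1"
}

# sasldb_listing_has_user LISTING USER REALM: parse sasldblistusers2 output
# (one "user@realm: userPassword" line per entry) and report whether USER
# exists in exactly REALM. Exact matching matters: "gordon@parsley" and
# "gordon@parsley.example.test" are different secrets to SASL.
sasldb_listing_has_user() {
    printf '%s\n' "$1" | awk -v want="$2@$3" '$1 == want ":" { found = 1 } END { exit !found }'
}

# sasldb_has_user USER REALM: live check against the real database.
sasldb_has_user() {
    sasldb_listing_has_user "$(sasldblistusers2 -f "$SASLDB")" "$1" "$2"
}

# sasldb_lock_down: readable by the daemon's group, by nobody else. The file
# holds every mail password in recoverable form, so world-readable is the
# one mode it must never have.
sasldb_lock_down() {
    chown root:mail "$SASLDB" && chmod 640 "$SASLDB"
}

# Usage (constructed user and host; run as root):
#   realm=$(hostname -f)                      # e.g. parsley.example.test
#   printf '%s\n' 'correct horse battery staple' | sasl_add_user gordon "$realm"
#   sasldb_lock_down
#   sasldb_has_user gordon "$realm" && echo "gordon present in realm $realm"
```

If the listing shows the user but sendmail still logs "no secret in database", compare the realm in the listing with the name sendmail logs for itself (the "parsley" in the quoted log lines is only the short host name); the two must agree character for character.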