Enabling STARTTLS and certificate verification in Sendmail
For best results, use Sendmail 8.12, as support for STARTTLS is shoddy in earlier versions.
- Obtain a certificate, using the server name for the Common Name (CN). Upon completion you will have a private-key file (host.key) and a public-key (certificate) file (host.cert). Rename the files as needed, or adjust the values in the next step.
- Edit your sendmail.mc file, adding these lines:
define(`CERT_DIR', `/etc/mail/certs')
define(`confSERVER_CERT', `CERT_DIR/host.cert')
define(`confSERVER_KEY', `CERT_DIR/host.key')
define(`confCLIENT_CERT', `CERT_DIR/host.cert')
define(`confCLIENT_KEY', `CERT_DIR/host.key')
define(`confCACERT', `CERT_DIR/cacert.pem')
define(`confCACERT_PATH', `CERT_DIR/CA')
- Rebuild your .cf file, usually like so:
m4 sendmail.mc > sendmail.cf
- Create your /etc/mail/certs folder and put the files in there.
mkdir /etc/mail/certs
cp host.key host.cert /etc/mail/certs/
- You'll also want a CA certificate for verifying your MTA peers. You may download the Credentia CA certificate from here. Other CA certificates (VeriSign, Thawte, GeoTrust, etc.) can simply be exported from Internet Explorer (Windows) or Netscape/Mozilla (Unix/Linux).
cp credentia1.cacert /etc/mail/certs/cacert.pem
- Fix up the permissions. Sendmail is strict about this!
chown root /etc/mail/certs/*
chmod 600 /etc/mail/certs/*
- Now restart sendmail and you're done. Watch the maillog to see STARTTLS in action.
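An added example, not part of this page or of Sendmail itself, for checking the result of the steps above: check_starttls connects to an MTA, insists on STARTTLS and verifies the peer certificate against the CA file from the sendmail.mc configuration, and unverified_peers picks out the maillog STARTTLS records whose verify= field is not OK. It assumes the key=value layout of sendmail's STARTTLS log records; the sample log lines, hostnames and addresses are constructed.

```python
import re
import smtplib
import ssl

# Constructed sample maillog lines in the key=value layout sendmail uses for
# its STARTTLS records (hosts and addresses are placeholders).
SAMPLE_MAILLOG = [
    "Jan 10 12:00:01 mail sm-mta[1234]: STARTTLS=server, relay=mx.example.net [192.0.2.10], "
    "version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256",
    "Jan 10 12:00:05 mail sendmail[1240]: STARTTLS=client, relay=smtp.example.com., "
    "version=TLSv1.2, verify=FAIL, cipher=AES128-SHA, bits=128/128",
    "Jan 10 12:00:09 mail sm-mta[1234]: r0AB0091234: from=<a@example.org>, size=1200, nrcpts=1",
]
_TLS_LOG = re.compile(r"STARTTLS=(?P<role>server|client), relay=(?P<relay>.+?), "
                      r"version=(?P<version>[^,]+), verify=(?P<verify>[^,]+), cipher=(?P<cipher>[^,]+)")

def parse_starttls_log(lines):
    """One dict per STARTTLS record; 'verified' is True only when sendmail logged verify=OK."""
    records = []
    for line in lines:
        m = _TLS_LOG.search(line)
        if m:
            rec = m.groupdict()
            rec["verified"] = rec["verify"] == "OK"
            records.append(rec)
    return records

def unverified_peers(lines):
    """Relays whose certificate did not verify against the CA configured via confCACERT."""
    return [r["relay"] for r in parse_starttls_log(lines) if not r["verified"]]

def verifying_context(cafile=None, capath=None):
    """Client TLS context requiring a peer cert and checking chain and hostname (cafile/capath: cacert.pem and CA/ above)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile, capath=capath)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def check_starttls(host, port=25, cafile=None, capath=None):
    """Connect, insist on STARTTLS, verify the MTA's certificate and return its subject CN; raises on failure."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("%s does not advertise STARTTLS" % host)
        smtp.starttls(context=verifying_context(cafile, capath))
        smtp.ehlo()  # re-issue EHLO over the encrypted channel, as RFC 3207 requires
        cert = smtp.sock.getpeercert()
    cns = [value for rdn in cert["subject"] for key, value in rdn if key == "commonName"]
    return cns[0] if cns else None
```

Run check_starttls against your own host name with cafile pointing at /etc/mail/certs/cacert.pem; the CN it returns should be the server name used when the certificate was requested.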
See Also
- SMTP STARTTLS in sendmail/Secure Switch
- Weldon Whipple's experiences with STARTTLS and Sendmail
- Relaying with TLS in Sendmail
- STARTTLS Compilation and Configuration
- RFC 3207 - SMTP Service Extension - Secure SMTP over TLS