[linux-elitists] Casual Encryption

Aaron Sherman ajs@ajs.com
Fri Mar 21 08:50:42 PST 2003


On Sat, 2002-07-27 at 14:49, Kevin D. McAllister wrote:
> * Aaron Sherman <ajs@ajs.com> [Fri, Jul 12, 2002 at 10:25:11AM -0400]:
> > 
> > Ok, I'm running Red Hat 7.1 with the stock (after updates) sendmail.
> > Looks like they don't turn on TLSSTART in that version, so I'm going to
> > recompile from SRPM. I'll try to summarize exactly what I go through so
> > that there's a document that others can follow without having to
> > understand the vagaries of sendmail/RedHat/TLS/certification/etc. I will
> > also be loading Limbo on a desktop box of mine, and I'll see if the
> > sendmail comes pre-configured to do this. 'Twould be nice.

> have you been successful in this endeavor?  If so, have you generated the
> above-mentioned documentation?  If not, maybe I will go through the
> steps and send the document out to linux-elitists.

I know you sent this to me a LONG time ago, but I just got everything
working after putting it off for over 6 months. Here's what I did:

        note, I'm running Red Hat 7.3 now, if you're running 8.0 you can
        skip forward to step 9; if you're running 7.<3, you should be
        ok; if you're running <7, upgrade; if you're not running Red
        Hat, then most of the latter parts will still be useful as long
        as you upgrade to 8.12.8

0. Use apt for rpm from freshrpms to make sure I was up to date
1. Grabbed Red Hat 8.0 updates SRPM for sendmail 8.12.8
2. $ rpm -ivh sendmail*8.12.8*.src.rpm
3. $ vi /usr/src/redhat/SPECS/sendmail.spec
4. Change "errata 80" to "errata 73" (thanks, RH from us 7.xers!!!)
5. $ vi /usr/src/redhat/SOURCES/sendmail*redhat*patch
6. Change "-ldb-4.0" to "-ldb" (make sure you have db3-devel installed)
7. $ rpm -bb /usr/src/redhat/SPECS/sendmail.spec
7.5. resolve any dependencies via "apt-get install" or "up2date"
8. $ rpm -Uvh /usr/src/redhat/RPMS/i386/sendmail*.rpm
[NOTE: if you have 8.0 to start, then begin here by applying the updates]
9. $ vi /etc/mail/sendmail.mc
10. Set options you need as appropriate
11. Add/uncomment the following:

        TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
        define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
        define(`confAUTH_OPTIONS', `p,y')dnl
        define(`confCACERT_PATH',`/usr/share/ssl/certs')dnl
        define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')dnl
        define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')dnl
        define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')dnl
        DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
        DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

11.5 Make sure you have openssl-0.9.6b-30.7 or higher installed
12. $ make -C /usr/share/ssl/certs sendmail.pem
13. $ make -C /etc/mail
14. any local changes you need, especially to:
        /etc/mail/local-host-names
        /etc/mail/access
        /etc/aliases
        /etc/sysconfig/sendmail
15. $ /sbin/service sendmail restart

That should do it. You now have a private SSL cert (so no CA
verification possible; buy a cert or get one from a free CA if you want
validation) which will be used for all outgoing and incoming mail
encryption, where possible and/or requested via STARTTLS.

I included "Port=smtps, Name=TLSMTA" above. If you don't want to listen
on port smtps, you don't have to, STARTTLS still works on the smtp port.
I like having it, so that I can be sure I'm forcing my remote client to
encrypt by only telling it about that port.
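A pre-flight check for the procedure above, as an added example (it is not
part of the original post or of sendmail). The first half scans a
sendmail.mc fragment for the TLS/AUTH defines from step 11 and flags the
weak variants: PLAIN/LOGIN enabled without `p' in confAUTH_OPTIONS (so a
reusable password can go over cleartext SMTP), `y' missing (anonymous
mechanisms allowed), or certificate paths not set. The second half parses
an EHLO reply and reports whether STARTTLS is advertised and which AUTH
mechanisms are offered, which is what you compare before and after the TLS
handshake to confirm the `p' option is doing its job. The host names,
addresses and EHLO replies embedded here are constructed; probe_live()
runs the same comparison against a real server with smtplib.

```python
"""Pre-flight checks for the sendmail STARTTLS/AUTH setup in the steps above.

Added example, not the post's or sendmail's own code. It assumes only the
m4 lines shown in step 11; the EHLO replies and host names are constructed.
"""
import re
import smtplib
import ssl

# define()s the procedure relies on; absent ones mean no TLS or no AUTH.
REQUIRED_DEFINES = ("confAUTH_MECHANISMS", "confCACERT_PATH", "confCACERT",
                    "confSERVER_CERT", "confSERVER_KEY")
# These send a reusable password; 'p' in confAUTH_OPTIONS restricts them to
# sessions with an active security layer, i.e. after STARTTLS.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Matches m4 lines such as  define(`confAUTH_OPTIONS', `p,y')dnl
_DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`([^']*)'\)")


def parse_mc(text):
    """Return {name: value} for every define(`name', `value') in the text."""
    return dict(_DEFINE_RE.findall(text))


def check_mc(text):
    """Return a list of findings; an empty list means the fragment looks right."""
    defs = parse_mc(text)
    findings = [f"missing {n}" for n in REQUIRED_DEFINES if n not in defs]
    opts = {o.strip() for o in defs.get("confAUTH_OPTIONS", "").split(",")}
    mechs = set(defs.get("confAUTH_MECHANISMS", "").split())
    if mechs & CLEARTEXT_MECHS and "p" not in opts:
        findings.append("PLAIN/LOGIN enabled without 'p' in confAUTH_OPTIONS: "
                        "passwords can be sent over cleartext SMTP")
    if "y" not in opts:
        findings.append("'y' missing from confAUTH_OPTIONS: "
                        "anonymous-login mechanisms are permitted")
    return findings


def mechanisms_from_ehlo(reply):
    """Parse a raw EHLO reply; return (starttls_advertised, set of AUTH mechs)."""
    starttls, mechs = False, set()
    for line in reply.splitlines():
        m = re.match(r"250[ -](.*)", line)
        if not m:
            continue
        words = m.group(1).split()
        if not words:
            continue
        if words[0].upper() == "STARTTLS":
            starttls = True
        elif words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return starttls, mechs


def cleartext_exposure(reply):
    """True if a reusable-password mechanism is offered in this EHLO reply."""
    return bool(mechanisms_from_ehlo(reply)[1] & CLEARTEXT_MECHS)


def probe_live(host, port=25, cafile=None, timeout=10):
    """AUTH mechanisms advertised before and after STARTTLS on a live server.

    cafile: the self-signed sendmail.pem (or a CA bundle) to trust; without
    it the handshake against a private cert fails verification, by design.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = set(s.esmtp_features.get("auth", "").upper().split())
        if not s.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not advertise STARTTLS")
        s.starttls(context=ctx)
        s.ehlo()  # features must be re-read after the TLS handshake
        after = set(s.esmtp_features.get("auth", "").upper().split())
    return before, after


# --- constructed inputs -----------------------------------------------------
MC_FROM_POST = """\
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `p,y')dnl
define(`confCACERT_PATH',`/usr/share/ssl/certs')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
"""
# Weak variant: no 'p' or 'y', and no certificate paths at all.
MC_WEAK = """\
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A')dnl
"""
EHLO_BEFORE_TLS = """\
250-mail.example.com Hello client.example.net [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP
"""
EHLO_AFTER_TLS = """\
250-mail.example.com Hello client.example.net [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250 HELP
"""
```

Run check_mc() on your real /etc/mail/sendmail.mc before step 13, and
probe_live("your.host", cafile="/usr/share/ssl/certs/sendmail.pem") after
step 15: with `p' in effect the "before" set should not contain PLAIN or
LOGIN and the "after" set should.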
