LinuxQuestions.org
Old 05-05-2010, 05:18 AM   #1
snorket27
LQ Newbie
 
Registered: May 2010
Posts: 12

Rep: Reputation: 0
Need a little help configuring sendmail.cf for TLS


Hi. I'm running sendmail 8.13 on CentOS 4.3. I've found these instructions on a website to configure TLS:

6. Edit /etc/mail/sendmail.cf and add these lines. You should find commented-out versions of these settings in the file, maybe about a third of the way through it.

O CACertPath=/etc/mail/cert
O CACertFile=/etc/mail/cert/server.crt
O ServerCertFile=/etc/mail/cert/server.crt
O ServerKeyFile=/etc/mail/cert/server.key.open
O ClientKeyFile=/etc/mail/cert/server.crt


I followed a different guide to generate a cert request and what I've got are: mykey.pem (the private key), server.crt and ca.cer (both from GeoTrust).

So, should my config be:
CACertPath=/etc/mail/cert
CACertFile=/etc/mail/cert/ca.cer
ServerCertFile=/etc/mail/cert/server.crt
ServerKeyFile=/etc/mail/cert/mykey.pem
ClientKeyFile=/etc/mail/cert/server.crt


Is this right? Sorry, I'm from a Windows background, so can't shake the idea that file extensions are important.

The CA cert is Base-64. Should I use the DER encoded instead?
 
Old 05-05-2010, 04:18 PM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163
File extensions are meaningless (they are in Windows too, they just set a default action typically).

Optimally you're going to define cacert_path, cacert_file, server_cert, server_key, client_cert, client_key... extension doesn't matter (so long as things are cased right)
 
Old 05-05-2010, 09:37 PM   #3
snorket27
LQ Newbie
 
Registered: May 2010
Posts: 12

Original Poster
Rep: Reputation: 0
So, does that mean my (proposed) config is right? I just want to make sure, cos I've screwed up sendmail before and caused 2 hours of downtime! Hope you don't mind me being slightly paranoid.
 
Old 05-06-2010, 02:01 AM   #4
snorket27
LQ Newbie
 
Registered: May 2010
Posts: 12

Original Poster
Rep: Reputation: 0
OK, I think I got it working, but I'm getting these lines in maillog:

May 6 13:57:05 faplsgeg02 sendmail[20694]: STARTTLS=server, relay=e23smtp06.au.ibm.com [202.81.31.148], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
May 6 13:57:08 faplsgeg02 sendmail[20700]: STARTTLS=client, relay=smtp.hp.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
May 6 13:57:11 faplsgeg02 sendmail[20717]: STARTTLS=server, relay=fdtp1.mail.host [10.164.28.10], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
May 6 13:57:52 faplsgeg02 sendmail[20795]: STARTTLS=server, relay=sj-iport-4.cisco.com [171.68.10.86], version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128

What do these mean?
 
Old 05-06-2010, 05:36 PM   #5
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163
Those are SSL/TLS connections; you can see if they succeeded or failed and what cipher and such is part of the connections.
 
Old 05-07-2010, 12:14 AM   #6
snorket27
LQ Newbie
 
Registered: May 2010
Posts: 12

Original Poster
Rep: Reputation: 0
Alright, I guess it's working then. Thanks!
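Added example, not part of the original thread: a small parser for the `STARTTLS=` maillog lines quoted in post #4, which maps the `verify=` field to the meanings sendmail documents for its `${verify}` macro. It shows that all four sessions were encrypted but only the first one authenticated the peer's certificate; the function names (`parse_starttls`, `summarize`) are this example's own.

```python
import re
from collections import Counter

# Values of sendmail's ${verify} macro, as described in sendmail's documentation.
VERIFY = {
    "OK": "peer certificate verified against the configured CAs",
    "NO": "peer presented no certificate",
    "NOT": "no certificate was requested from the peer",
    "FAIL": "peer certificate presented but could not be verified",
    "NONE": "STARTTLS was not performed",
    "TEMP": "temporary error occurred",
    "PROTOCOL": "SMTP protocol error occurred",
    "SOFTWARE": "STARTTLS handshake failed",
}

LINE_RE = re.compile(
    r"sendmail\[\d+\]: STARTTLS=(?P<role>client|server), relay=(?P<relay>.+?), "
    r"version=(?P<version>[^,]+), verify=(?P<verify>[A-Z]+), "
    r"cipher=(?P<cipher>[^,]+), bits=(?P<cipher_bits>\d+)/(?P<alg_bits>\d+)"
)

# The four maillog lines from post #4.
SAMPLE = [
    "May 6 13:57:05 faplsgeg02 sendmail[20694]: STARTTLS=server, relay=e23smtp06.au.ibm.com [202.81.31.148], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "May 6 13:57:08 faplsgeg02 sendmail[20700]: STARTTLS=client, relay=smtp.hp.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "May 6 13:57:11 faplsgeg02 sendmail[20717]: STARTTLS=server, relay=fdtp1.mail.host [10.164.28.10], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "May 6 13:57:52 faplsgeg02 sendmail[20795]: STARTTLS=server, relay=sj-iport-4.cisco.com [171.68.10.86], version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128",
]

def parse_starttls(line):
    """Return a dict for a STARTTLS= log line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["encrypted"] = int(rec["cipher_bits"]) > 0    # a cipher was negotiated
    rec["authenticated"] = rec["verify"] == "OK"      # peer certificate chain checked out
    rec["meaning"] = VERIFY.get(rec["verify"], "unrecognised verify value")
    return rec

def summarize(lines):
    """Count sessions per (role, verify) pair, skipping non-STARTTLS lines."""
    recs = filter(None, map(parse_starttls, lines))
    return Counter((r["role"], r["verify"]) for r in recs)

if __name__ == "__main__":
    for rec in filter(None, map(parse_starttls, SAMPLE)):
        print(f'{rec["role"]:6} {rec["relay"]:40} {rec["verify"]:5} {rec["meaning"]}')
```

`STARTTLS=server` means the local sendmail accepted the connection and `STARTTLS=client` means it initiated one, so `verify=NO` on a server line only says the connecting host offered no client certificate, while `verify=FAIL` on a client line says the remote server's certificate did not validate against the local `CACertFile`/`CACertPath`.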
 
  


Tags
certificate, sendmail, tls

