What error are you getting now????

Did you try re-compiling Sendmail with SSL support????

Fine but have you tried getting a source code version of Sendmail (not SSL) and tried compiling it yourself with SSL support?????

nope...

Still trying to get the certificate 100% right and am stuck there now...

additionally... I have never compiled anything myself... I have always used the Redhat RPM utilities...

I dont think theres anything wrong with the certificate. The problem lies with the fact that Sendmail hasnt been compiled with SSL support. So to fix it you need to : -

a) get a copy of Sendmail in RPM format that has compiled in support for SSL

b)Get a source code copy of Sendmail and configure and make it to support SSL. its very simple: -

1. Tar zxvf Sendmail.TGZ
2. cd ./Sendmailsorcedirectory
3. ./configure --help (the help switch will assist you in identifying the Switch needed to conpile SSL support)
4. ./configure --WithSSL (or however its shown in help in step 3)
5. make
6. make install

Now all you got to do is start the Sendmail server (may have to expilicitly do this with SSL support via a switch)

I have seen several articles on making changes to your site.config.m4 files and then using the make program to recompile. I am having trouble finding that... the big problem is that I have a downtime window of about 1 minute so I have to be able to get the old set up back instantly... which leaves me leary about walking down an unknown path. I am going to keep at it in my sort of slow sadistic way and will keep you updated on new changes.

As of now I do not get SSL not supported. I now get Error Reading From Network. Connection closed at host.

Have you got a spare mahine or something that you could test on???

If so try it out on that then if you know it works youve found your problem and can add ssl support to the system when down time wont be so problematic.

good luck any way, let me know how it goes

Dai

ok... all the directions say to telnet to port 25 and say ehlo... well we do not allow telnet... actually I don't think it was installed. we use ssh... and I have not been able to ssh to port 25.

I ran a netstat -l and got

tcp 0 0 *op3s :*: LISTEN

I didn't find anthing about smtps if that matters?

so I should be good on the TLS right? Anything else I can try to see what options sendmail has available other than telnet to port 25?

No back up server right now and the word from the boss is... no joy on the rebuild..

well this is great... I have it almost working.

Now it is telling me that the hostname does not match. But when I look at the details about it it tells me some host and some domain

It doesn't have any of the details of that actual certificate.

This is all so very confusing.

Ok some more details

This is what I get when trying to send...

Negotiation Rejected

You have configured this personality/protocol to reject any exchange key lengths below 0.
, But the negotiated exchange key length is -1
Hence this established secure channel is unacceptable. Connection will be dropped.

In the Security parameters in Cipher Suite Information it has null for the key exchange algorithm, encryption algorithm and Integrity check algorithm.


When I try to check mail I get...
Negotiation Failed
The security Parameters all look ok

The message is...
Certificate bad: Destination Host name does not match host name in certificate

Server Certificate : Verified OK

I currently have the host in the certificate set to
host.domain.com and my certificate information manager in Eudora says the server name is mail.domain.com so I am going to generate a new set of certificates with the host as mail.domain.com

Anything else????

when you setup the certificate you needed to specify the domain-name as the CN.

OK... so you are saying that for the CN I should have mydomain.com?

I guess I can give that a try but that still doesn't explain why when I look at the certificate details it says:

E = root@localhost.localdomain
CN = localhost.localdomain
OU = SomeOrganizationalUnit
O = SomeOrganization
L = SomeCity
S = SomeState
C = --

Instead of the information I can view in the certificate...

I am finding this extremely frustrating. I have been at this for nearly a week. No wonder why so many people give up and go to Microsux products... never the less I will keep going until I figure out how to make this work...

Everything in the certificate appears as set-up.

Or defaults to a pre-defined value unless you put a . in the field which forces it to be blank.

the CN must read www.yourdomain.com

well let's see.

I have tried the following for the CN

www.mydomain.com
mydomain.com
computername.mydomain.com
computername
mail.mydomain.com

where mydomain = the real domain name and computername = the actual host name of the computer.

I am still getting SSL Negotiation Failed: Certificate bad: Destination Host name does not match host name in Certificat Cause: (-6984)

My big question here is .... which Certificate is it talking about? The server certificate or the CA?

How can I find out what it wants the host name to be? as in what does it think the destination host name is? I have my Eudora set to check mail from mail.mydomain.com

Well I think I am just about to scrap this whole Idea and just set up outlook with exchange.

Everyone is always talking about making the internet more secure... yet you have to have a PHD in computer wizardry in order to get something as simple as STARTTLS to work... Unreal... no wonder why the world is so insecure...

(Sorry had to vent my frustrations somewhere.)

Silly question, but you actually have a space between the variable and location, correct? Example - above, shouldn't

define(`confSERVER_KEY',`/usr/share/ssl/mycert/mycert.key')

Also: shouldn't

define(`confSERVER_KEY',`/usr/share/ssl/mycert/mycert.key')


be

define(`confSERVER_KEY', `/usr/share/ssl/mycert/mycert.key')

(that's an extra space after the comma)


Also found this -
"On systems which do not have the compile flag HASURANDOM set (see sendmail/README) you also must set confRAND_FILE"

Yes I have the extra spaces. Actually those lines were already in my sendmail.mc file. All I had to do was mod them and uncomment them.

I do not see the confRAND_FILE in my sendmail.mc file nor do I see HASURANDOM so how can I tell if sendmail was compiled with HASURANDOM support?

By the way... yeah I have been scanning through the sendmail/readme file all day... actually printed it...