Re: freebsd using sendmail with tls

Jonathan Horne wrote:
> I know, slightly off topic, but it is *on* a FreeBSD server... right?
>
> My SMTP is the only remaining part of my email system that has no encryption
> options, and I think I would like to add TLS (even though I rarely send SMTP
> mail from outside my LAN). My setup is right now fairly basic (only
> includes spamassassin, sasl2, and procmail). Even though I don't know much about it,
> I say TLS instead of SSL, as I have a few Outlook clients that would surely
> annoy me with 'do you really want to use this certificate', and it would surely be
> each time I sent a mail. I'm also assuming that hopefully TLS might not do
> this.

Adding TLS / SSL capability to the stock FreeBSD sendmail is easy.
You need something like the following in your /etc/mail/$(hostname).cf:

define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

This defines two keys and certs for sendmail to use -- one set for
where sendmail is the server and the other for where it is the client.
As shown, you can use the same key and cert for either role, and it
will work pretty well all the time. Occasionally however you may run
into systems that get snotty about the distinction between client and
server certs -- in that case, the STARTTLS negotiation would fail
and you'd probably end up sending the message in plain text. That's
not a huge disadvantage given that the majority of mail systems on the
net don't offer the possibility of TLS in any case.

Unlike e.g. HTTPS, there's no big thing about buying a server cert signed
by one of the well known CAs -- TLS is more about anti-snooping than
assurance of the other party's identity. While you can get e-mail certs
from, e.g., Thawte for free, they are generally aimed at use in e-mail
client applications. E-mail servers almost exclusively use self-signed
certificates. To generate a self-signed cert, you can follow the
instructions here:

http://www.sendmail.org/~ca/email/other/cagreg.html

That's a very basic set of instructions. There are some more expansive
general instructions on setting up TLS at:

http://aput.net/~jheiss/sendmail/tlsandrelay.shtml

You don't need to worry about the section of the instructions about
compiling sendmail with SSL support -- that's all already enabled in the
system sendmail.

> Before I spend hours and hours googling out my instructions on how to do so,
> does the TLS session operate over the standard port 25, or is this what is
> referred to as the SMTPS port? And if so, can the server accept either
> version over the same port?

E-mails generally use the 'STARTTLS' approach -- that is, you make
an initial unencrypted connection on the usual port 25 and then turn
that into an encrypted connection over the same port numbers.

There is an alternative approach using port 465, where encryption
is assumed from the very beginning (much more like how HTTPS works).
This is not used by the majority of MTAs out there on the 'net -- I
believe it exists to support certain client software that can't do
STARTTLS when submitting new messages.

If you're using e.g. Thunderbird, then it supports STARTTLS perfectly
well and you only need port 25 -- possibly port 587 if you want to be
compliant with RFC 2476.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
Flat 3, 7 Priory Courtyard
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
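As an added example (not from the post, and not sendmail's own code), a Python probe that checks the two modes the reply distinguishes: on port 25/587 a plain connection is upgraded in-band via STARTTLS, while on port 465 the TLS handshake happens before any SMTP traffic. The EHLO name `probe.invalid`, the function names and the result dictionary keys are my choices; certificate verification is deliberately switched off because, as the post notes, MTAs mostly use self-signed certs and the point here is to see whether encryption is negotiated at all.

```python
import socket
import ssl

STARTTLS_PORTS = (25, 587)  # plain connection first, upgraded in-band (587: RFC 2476 submission)
SMTPS_PORT = 465            # implicit TLS from the first byte, like HTTPS

def parse_reply(reply: str):
    """Split an SMTP reply into (code, [line texts]); '250-X' continues, '250 X' ends it."""
    code, texts = None, []
    for line in reply.splitlines():
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        code, texts = int(line[:3]), texts + [line[4:].strip()]
    return code, texts

def offers_starttls(ehlo_reply: str) -> bool:
    """True if the EHLO reply advertises STARTTLS (RFC 3207); line 1 is only the greeting."""
    code, texts = parse_reply(ehlo_reply)
    keywords = {t.split()[0].upper() for t in texts[1:] if t}
    return code == 250 and "STARTTLS" in keywords

def read_reply(fileobj) -> str:
    """Read one complete, possibly multi-line, reply from a socket file object."""
    lines = []
    while True:
        line = fileobj.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":   # final line (or EOF) reached
            return "\n".join(lines)

def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Report how (or whether) TLS can be negotiated with the MTA at host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # self-signed certs are the norm for MTAs
    raw = socket.create_connection((host, port), timeout=timeout)
    if port == SMTPS_PORT:                    # smtps: handshake before any SMTP traffic
        tls = ctx.wrap_socket(raw, server_hostname=host)
        return {"mode": "implicit", "tls": tls.version(), "cipher": tls.cipher()[0]}
    f = raw.makefile("rb")
    read_reply(f)                             # 220 banner
    raw.sendall(b"EHLO probe.invalid\r\n")
    if not offers_starttls(read_reply(f)):
        return {"mode": "none", "tls": None, "cipher": None}   # mail would go in plain text
    raw.sendall(b"STARTTLS\r\n")
    code, _ = parse_reply(read_reply(f))
    if code != 220:
        return {"mode": "refused", "tls": None, "cipher": None}
    tls = ctx.wrap_socket(raw, server_hostname=host)   # same TCP connection, now encrypted
    return {"mode": "starttls", "tls": tls.version(), "cipher": tls.cipher()[0]}
```

Call `probe("mail.example.org", 25)` against your own server after adding the defines above; the equivalent one-liner is `openssl s_client -starttls smtp -connect mail.example.org:25`, which also prints the certificate the server presents.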
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions