Date: Sat, 10 Nov 2007 16:22:10 +0000 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Jonathan Horne <freebsd@dfwlp.com> Cc: freebsd-questions@freebsd.org Subject: Re: freebsd using sendmail with tls Message-ID: <4735DAB2.1050407@infracaninophile.co.uk> In-Reply-To: <200711100917.02807.freebsd@dfwlp.com> References: <200711100917.02807.freebsd@dfwlp.com>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Jonathan Horne wrote:
> i know, slightly off topic, but is *on* a freebsd server... right?
>
> my smtp is the only remaining part of my email system, that has no encryption
> options, and i think i would like to add tls (even tho i rarely send smtp
> mail from outside my lan). my setup is right now, fairly basic (only
> includes spamassassin, sasl2, and procmail). even tho i dont much about it,
> i say tls instead of ssl, as i have a few outlook clients, that would surely
> annoy me 'do you really want to use this certificate', and it would surely be
> each time i sent a mail. im also assuming that hopefully tls might not do
> this.
Adding TLS / SSL capability to the stock FreeBSD sendmail is easy.
You need something like the following in your /etc/mail/$(hostname).cf:
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl
This defines two keys and certs for sendmail to use -- one set for
where sendmail is the server and the other for where it is the client.
As shown, you can use the same key and cert for either role, and it
will work pretty well all the time. Occasionally however you may run
into systems that get snotty about the distinction between client and
server certs -- in that case, the STARTTLS negociation would fail
and you'ld probably end up sending the message in plain text. That's
not a huge disadvantage given that the majority of mail systems on the
net don't offer the possibility of TLS in any case.
Unlike eg. HTTPS, there's no big thing about buying a server cert signed
by one of the well known CAs -- TLS is more about anti-snooping than
assurance of the other parties identity. While you can get e-mail certs
from, eg. Thawte for free, they are generally aimed at use in e-mail
client applications. E-mail servers almost exclusively use self-signed certificates. To generate a self-signed cert, you can follow the
instructions here:
http://www.sendmail.org/~ca/email/other/cagreg.html
That's a very basic set of instructions. There are some more expansive
general instructions on setting up TLS at:
http://aput.net/~jheiss/sendmail/tlsandrelay.shtml
You don't need to worry about the section of the instructions about
compiling sendmail with SSL support -- that's all already enabled in the
system sendmail.
> before i spend hours and hours googling out my instructions on how to so do,
> does the tls session operate over the standard port 25, or is this what is
> referred to as the smtps port? and if so, can the server accept either
> version over the same port?
E-mails generally use the 'STARTTLS' approach -- that is, you make
an initial unencrypted connection on the usual port 25 and then turn
that into an encrypted connection over the same port numbers.
There is an alternative approach using port 465, where encryption
is assumed from the very beginning (much more like how HTTPS works)
This is not used by the majority of MTAs out there on the 'net -- I
believe it exists to support certain client software that can't do
STARTTLS when submitting new messages.
If you're using eg. Thunderbird, then it supports STARTTLS perfectly
well and you only need port 25 -- possibly port 587 if you want to be
compliant with RFC 2476.
Cheers,
Matthew
- --
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHNdqx8Mjk52CukIwRCLyZAJ9pDb0/8y7txGPniAdRdvQrRS7rogCdHXth
ri700SbDqcCw0lOL9KDggd8=
=sozL
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4735DAB2.1050407>