Sendmail and STARTTLS with AUTH

Hi, I've followed the Handbook instructions in chapter 28.9 to enable authentication, and it works as expected. Using examples found with Google, I've tried enabling STARTTLS, but I've obviously missed a configuration step somewhere.

Code:
1061 root@myhost:/etc/mail # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 myhost.my.net ESMTP Sendmail 8.14.7/8.14.5; Tue, 21 Jul 2015 14:58:09 -0700 (PDT)
EHLO localhost
250-myhost.my.net Hello root@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP

Code:
# tail -13 myhost.mc
dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl TLS options
define('CERT_DIR', '/etc/mail/certs')dnl
define('confCACERT_PATH', 'CERT_DIR')dnl
define('confCACERT', 'CERT_DIR/cacert.pem')dnl
define('confSERVER_CERT', 'CERT_DIR/smtp_cert.pem')dnl
define('confSERVER_KEY', 'CERT_DIR/smtp_key.pem')dnl
define('confCLIENT_CERT', 'CERT_DIR/smtp_cert.pem')dnl
define('confCLIENT_KEY', 'CERT_DIR/smtp_key.pem')dnl

I expected
Code:
 # cd /etc/mail; make install restart
would enable the options in the resulting *.cf file.

Code:
# CA directory
#O CACertPath
# CA file
#O CACertFile
# Server Cert
#O ServerCertFile
# Server private key
#O ServerKeyFile
# Client Cert
#O ClientCertFile
# Client private key
#O ClientKeyFile
# File containing certificate revocation lists
#O CRLFile
# DHParameters (only required if DSA/DH is used)
#O DHParameters
# Random data source (required for systems without /dev/urandom under OpenSSL)
#O RandFile

But, apparently it didn't. In /etc/mail/freebsd.cf the options are similarly commented out. Does /etc/mail/freebsd.mc require editing, or am I barking up the wrong tree?
 
The first time you run make it creates a file called hostname.mc. That is, the name of the host followed by .mc. Edit that, then build and run with make all install restart.
 
Update:
By increasing the log level, I found the following logged to /var/log/maillog:
Code:
sendmail[27562]: STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/mail/certs/smtp_key.pem) failed

Googling led me to a couple of different sites that suggested sendmail could not open the private key file due to it being passphrase-protected. Ultimately I turned up the following URL, which concisely listed the certificate and key generation and sendmail config instructions:
https://lists.freebsd.org/pipermail/freebsd-questions/2012-August/244636.html

After a subsequent re-install and restart:
Code:
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 myhost.my.net ESMTP Sendmail 8.14.7/8.14.5; Tue, 21 Jul 2015 23:54:16 -0700 (PDT)
EHLO localhost
250-muhost.my.net Hello root@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP

Next step: to test with an actual email client, and verify that the password at authentication is in fact encrypted.
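The two failure points in this thread (TLS options never appearing in the generated .cf, then sendmail refusing the private key) can both be caught before restarting sendmail. The script below is an added example, not the poster's files or anything from the FreeBSD Handbook; it runs only on constructed sample files in a temp directory. Note that m4 quotes are the backquote/quote pair, so a define('confSERVER_CERT', ...) written with straight quotes, as in the posted .mc fragment, is not a macro definition sendmail's cf files can use and on its own leaves the corresponding O option commented out.

```shell
#!/bin/sh
# Pre-flight checks for a sendmail STARTTLS setup. Added example with constructed
# inputs; it is not the poster's configuration and does not touch /etc/mail.

# 1. .mc side: sendmail's m4 macros must be quoted `like this', never 'like this'.
#    define('confSERVER_CERT', ...) is not a valid m4 macro name, so the option
#    silently never reaches the generated .cf. Returns 1 and lists offenders.
check_mc_quotes() {
    if grep -n "define('" "$1"; then return 1; fi
    return 0
}

# 2. .cf side: after make install the TLS options must be live "O ..." lines.
#    Prints how many are still "#O ..." comments (0 means all six are set).
count_commented_tls_options() {
    grep -cE '^#O (CACertPath|CACertFile|ServerCertFile|ServerKeyFile|ClientCertFile|ClientKeyFile)' "$1" || true
}

# 3. Key side: sendmail starts unattended and cannot answer a passphrase prompt,
#    which surfaces as "SSL_CTX_use_PrivateKey_file(...) failed" in maillog.
#    Returns 0 if the PEM key is passphrase-protected (legacy or PKCS#8 style).
key_is_passphrase_protected() {
    grep -qE '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Constructed sample files (hypothetical layout under a temp dir, not /etc/mail).
TMP=$(mktemp -d)
cat > "$TMP/bad.mc" <<'EOF'
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define('confSERVER_CERT', '/etc/mail/certs/smtp_cert.pem')dnl
EOF
cat > "$TMP/stale.cf" <<'EOF'
#O CACertPath
#O ServerCertFile
#O ServerKeyFile
O ClientCertFile=/etc/mail/certs/smtp_cert.pem
EOF
cat > "$TMP/locked.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF
(constructed placeholder, no real key material)
-----END RSA PRIVATE KEY-----
EOF

check_mc_quotes "$TMP/bad.mc" || echo "FAIL: fix m4 quoting in bad.mc"
echo "TLS options still commented out in stale.cf: $(count_commented_tls_options "$TMP/stale.cf")"
key_is_passphrase_protected "$TMP/locked.key" && echo "FAIL: locked.key needs a passphrase; sendmail cannot load it at startup"
```

Point the three functions at your own hostname.mc, sendmail.cf and key file to repeat the checks on a real host.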
 
The first time you run make it creates a file called hostname.mc. That is, the name of the host followed by .mc. Edit that, then build and run with make all install restart.
Yes, yes... I did have an .mc file for my specific host, in which I made all configuration edits. I think I barked up the wrong tree. I created the certificate and key differently from what is noted in my update to the post. The significance of the passphrase being present didn't occur to me at first.
 