Sendmail 8.13.3: Secure Mailing Solution

Configuring Sendmail 8.13.3 with TLS and SSL


This section describes how to configure SMTP over TLS, as defined in RFC 2487. It also describes how to verify the TLS/SSL configuration.

This section addresses the following topics:

Prerequisites

Following are the prerequisites for configuring the TLS/SSL security feature:

  • The KRNG11i strong random number generator

    NOTE: The KRNG11i strong random number generator is required only for the HP-UX 11i v1 operating system. For the HP-UX 11i v2 and HP-UX 11i v3 operating systems, the random number generator is available as part of the core HP-UX operating system.
  • The OpenSSL software

    NOTE: You must install the latest version of the OpenSSL software from http://www.software.hp.com to avoid errors while running the CA.pl script. Table 1 lists the version of OpenSSL that you must install for each HP-UX operating system.

    Table 1 OpenSSL Versions

    Operating System Name    OpenSSL Version
    HP-UX 11i v1             A.00.09.07l
    HP-UX 11i v2             A.00.09.07l.001
    HP-UX 11i v3             A.00.09.08d.001

  • The latest version of the Sendmail 8.13.3 web upgrade.

    NOTE: For the HP-UX 11i v3 operating system, Sendmail 8.13.3 is available as part of the core HP-UX operating system. For the HP-UX 11i v1 and HP-UX 11i v2 operating systems, Sendmail 8.13.3 is available as a web upgrade at:

    http://www.software.hp.com

Generating Certificates and Keys

The OpenSSL script, /opt/openssl/misc/CA.pl, can be used to generate the certificates and keys. By default, the script encrypts the private keys it generates with DES. You must log in as the superuser and modify the CA.pl script so that the keys are not DES-encrypted.

Follow this procedure to generate certificates and keys:

  1. To change the directory to /opt/openssl/misc, enter the following command:

    cd /opt/openssl/misc

  2. To copy the CA.pl script to the CA.pl.ORIGINAL script, enter the following command:

    cp CA.pl CA.pl.ORIGINAL

  3. Replace the lines marked (1) and (2) in the following excerpt from the CA.pl script:

        exit 0;
    } elsif (/^-newcert$/) {
        # create a certificate
        system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");   # (1)
        $RET=$?;
        print "Certificate is in newcert.pem, private key is in newkey.pem\n";
    } elsif (/^-newreq$/) {
        system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");   # (2)
        $RET=$?;
        print "Request is in newreq.pem, private key is in newkey.pem\n";
    } elsif (/^-newreq-nodes$/)

    (1) Replace this line with the following:

        system ("$REQ -new -nodes -x509 -keyout newkey.pem -out newcert.pem $DAYS");

    (2) Replace this line with the following:

        system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");

    The only change is the addition of the -nodes option while generating certificates. If you do not include this option, Sendmail 8.13.3 cannot load the encrypted key during startup. As a result, it logs the following error message in the /var/adm/syslog/mail.log file:

    “May 4 11:55:20 XXXXX sm-mta[23544]: STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/mail/certs/servername-key.pem) failed”

    NOTE: You must modify the first line in the CA.pl script to the location of the Perl interpreter on your system. Otherwise, the following error message is logged in the /var/adm/syslog/syslog.log file:

    interpreter “/opt/perl/bin/perl” not found

  4. Follow this procedure to create your own CA, and to create certificates and keys for your Sendmail 8.13.3 server:

    1. To create a CA, enter the following command:

      $ ./CA.pl -newca

      The following message displays:

      CA certificate filename (or enter to create)

      Enter the file name or press Enter.

      The following message displays:

      Making CA certificate...
      Generating a 1024 bit RSA private key
      .................++++++....++++++
      writing new private key to './demoCA/private/cakey.pem'
      Enter PEM pass phrase:

      Enter the passphrase.

      NOTE: Choose a strong, unique passphrase so that no one else can use your CA to sign certificates.

      The following message displays:

      Verifying - Enter PEM pass phrase:

      Enter the passphrase again.

      The following message displays:

      You are about to be asked to enter information that will be incorporated into your certificate request.

      Enter the organization name, location, and your name.

      After you answer the questions prompted by the ./CA.pl -newca command, the following files are created:

      • The ./demoCA/cacert.pem file. This is the CA certificate file that you can exchange with communication partners for TLS authentication or verification.

      • The ./demoCA/private/cakey.pem file. This is the private key file of the CA and is passphrase-protected. You can use this private key to sign or revoke certificates.

        NOTE: Do not exchange the private key file with communication partners.

    2. To generate the certificate and the key pair for the Sendmail 8.13.3 server, enter the following command:

      $ ./CA.pl -newreq

      The following output displays:

      Generating a 1024 bit RSA private key...
      +++++..........................++++++
      writing new private key to 'newkey.pem'
      -----
      You are about to be asked to enter information that will be incorporated into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.

      Enter your organization name, location, and name.

      The ./CA.pl -newreq command creates the following files:

      • The private key of the Sendmail 8.13.3 server (./newkey.pem)

      • The original (unsigned) certificate request (./newreq.pem)

    3. To sign the certificate request using the CA created in step 1, enter the following command:

      $ ./CA.pl -sign

      A signed public certificate, ./newcert.pem (with its public key), is created for the Sendmail 8.13.3 server.

  5. To create a subdirectory certs under the /etc/mail directory, enter the following command:

    mkdir -p /etc/mail/certs

  6. To set the appropriate permissions on the certs subdirectory, enter the following command:

    chmod 755 /etc/mail/certs

  7. To change the directory location to certs, enter the following command:

    cd /etc/mail/certs

  8. To copy the previously created CA certificate, the Sendmail 8.13.3 server certificate, and the key from the /opt/openssl/misc/ directory to the /etc/mail/certs directory, enter the following commands:

    cp /opt/openssl/misc/demoCA/cacert.pem /etc/mail/certs/cacert.pem

    cp /opt/openssl/misc/newkey.pem /etc/mail/certs/servername-key.pem

    cp /opt/openssl/misc/newcert.pem /etc/mail/certs/servername-cert.pem

  9. To create a hashed symbolic link to the CA certificate, enter the following command:

    ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0

    This command reads the cacert.pem file and derives an 8-character hash from it, which is used (with '.0' appended) as the name of a symbolic link to the CA certificate. During the certificate exchange in an SSL handshake, Sendmail 8.13.3 computes the same hash for the CA certificate presented by the peer, appends '.0', and uses the result to find and compare its own copy of the CA certificate.

  10. To verify whether the symbolic link to the CA certificate is created properly, enter the following command:

    ll *.0

    Ensure that you obtain an output similar to the following:

    2197 lrwxrwxrwx 1 root sys 10 Jul 9 09:44 fea4e1bb.0 -> cacert.pem

    NOTE: The link name fea4e1bb.0 is only an example. The link name must be of the format <characters>.0.

The Sendmail 8.13.3 server is now ready with its signed public certificate and private key pair. If you have multiple Sendmail 8.13.3 servers (for example, relays and forwarders), you can either create an individual key pair and CA-signed certificate for each Sendmail 8.13.3 server, or distribute the same key pair and certificate across the Sendmail 8.13.3 servers in your environment.

The Sendmail 8.13.3 configuration described in this white paper assumes that you use the same certificate and key regardless of whether Sendmail 8.13.3 acts in client mode or in server mode. If you need different certificate and key pairs for these two operational modes, you must create them using the procedure described in “Generating Certificates and Keys” and rename them appropriately (such as clientname-cert.pem and clientname-key.pem). You must also set these file names in the ClientKeyFile and ClientCertFile options in the Sendmail 8.13.3 configuration file, as described in “Configuring Sendmail 8.13.3 with TLS and SSL”.

Do not store the private key of the CA (/opt/openssl/misc/demoCA/private/cakey.pem) in the Sendmail 8.13.3 servers.

Configuring the Sendmail 8.13.3 Server with TLS/SSL

To configure the Sendmail 8.13.3 server with TLS/SSL, you must create a new Sendmail 8.13.3 configuration file with the STARTTLS feature enabled, using the HP-UX gen_cf utility.

NOTE: If you do not have a /etc/mail/submit.cf file, you cannot enable the Mail Submission Program (MSP). Hence, you can skip the submit.cf additions or changes discussed in this white paper.

If you have any site-specific customized configuration in your /etc/mail/sendmail.cf file or /etc/mail/submit.cf file, ensure that you back up the customized changes. Backing up the existing Sendmail 8.13.3 configuration files (/etc/mail/sendmail.cf and /etc/mail/submit.cf) enables you to revert to the original state if you encounter any configuration issues.

Follow this procedure to configure the Sendmail 8.13.3 server with TLS/SSL:

  1. To back up the existing Sendmail 8.13.3 configuration file, enter the following command:

    cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.BACKUP

  2. To change the directory to the /usr/newconfig/etc/mail/cf/cf directory, enter the following command:

    cd /usr/newconfig/etc/mail/cf/cf

  3. To run the gen_cf utility, enter the following command:

    $ ./gen_cf

  4. Select the 2: STARTTLS option under the 4: Security Options option in the main menu.

  5. Select the 5: Generate sendmail.cf option and press Enter to generate the Sendmail 8.13.3 configuration file (sendmail.cf.gen) with the STARTTLS feature enabled.

  6. Repeat Steps 1–4.

  7. Select the 6: Generate submit.cf option and press Enter to generate the configuration file of the Sendmail 8.13.3 client queue runner (submit.cf.gen) with the STARTTLS feature enabled.

  8. Copy the previously created sendmail.cf.gen file and the submit.cf.gen file to the /etc/mail/sendmail.cf file and the /etc/mail/submit.cf file, respectively.

  9. Open the Sendmail 8.13.3 configuration files (/etc/mail/sendmail.cf and /etc/mail/submit.cf) and edit the UseTLS, CACertPath, CACertFile, ServerCertFile, ServerKeyFile, ClientCertFile, ClientKeyFile, and RandFile options, as follows:

    # If set, Sendmail enables the TLS feature
    UseTLS=True
    # CA directory
    CACertPath=/etc/mail/certs
    # CA file
    CACertFile=/etc/mail/certs/cacert.pem
    # Server Cert
    ServerCertFile=/etc/mail/certs/servername-cert.pem
    # Server private key
    ServerKeyFile=/etc/mail/certs/servername-key.pem
    # Client Cert
    ClientCertFile=/etc/mail/certs/servername-cert.pem
    # Client private key
    ClientKeyFile=/etc/mail/certs/servername-key.pem
    # Random data source (required for systems without /dev/urandom under OpenSSL)
    RandFile=egd:/dev/random

  10. Follow this procedure if Mail Submission Program (MSP) is enabled for Sendmail 8.13.3:

    1. To change the directory to /etc/mail/certs, enter the following command:

      cd /etc/mail/certs

    2. To change the mode to 640 for all the private keys, enter the following command:

      chmod 640 *.pem

    3. To change the group for all the private keys, enter the following command:

      chgrp smmsp *.pem

    4. To update the configuration file of the Sendmail 8.13.3 MTA (/etc/mail/sendmail.cf) and the configuration file of the MSP (/etc/mail/submit.cf), use the following option in the Sendmail 8.13.3 configuration file:

      DontBlameSendmail=GroupReadableKeyFile

  11. Follow this procedure if MSP is disabled in Sendmail 8.13.3:

    1. To change the directory to /etc/mail/certs, enter the following command:

      cd /etc/mail/certs

      NOTE: For more information about configuring Sendmail 8.13.3, see the HP-UX Mailing Services Administrator's Guide at:

      http://www.docs.hp.com/en/netcom.html#Internet%20Services

    2. To change the mode for all the private keys, enter the following command:

      chmod 600 *.pem

    3. To change the group for all the private keys, enter the following command:

      chgrp root *.pem

    4. To restart the Sendmail 8.13.3 daemons, enter the following commands:

      /sbin/init.d/sendmail stop

      /sbin/init.d/sendmail start
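As an added check (this script is not part of the HP documentation or of the Sendmail distribution), the following Python audit flags the two failure modes described above: a private key that CA.pl left passphrase-encrypted (the -nodes caveat in step 3 of the certificate procedure, which makes SSL_CTX_use_PrivateKey_file fail at startup) and key files whose mode or group does not match the MSP-enabled (640, smmsp) or MSP-disabled (600, root) layout of steps 10 and 11. It also checks that each <hash>.0 entry is a symbolic link to cacert.pem. The path /etc/mail/certs is the one used in this procedure; the script assumes it runs on the server as a user that can read the key files.

```python
import grp
import os
import re
import stat

# Headers OpenSSL writes into a passphrase-protected PEM key (the CA.pl default without -nodes).
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.0$")  # name produced by `openssl x509 -noout -hash`.0

def audit_key(pem_text, mode, group, msp_enabled):
    """Problems with one private key, given its PEM text, st_mode (or bare
    permission bits), owning group name, and whether the MSP is in use."""
    problems = []
    if any(marker in pem_text for marker in ENCRYPTED_MARKERS):
        problems.append("key is passphrase-encrypted; regenerate it with -nodes")
    perm = stat.S_IMODE(mode)
    if msp_enabled:
        # MSP layout: mode 640, group smmsp, plus DontBlameSendmail=GroupReadableKeyFile
        if perm != 0o640 or group != "smmsp":
            problems.append("expected mode 640 and group smmsp for an MSP setup")
    elif perm != 0o600 or group != "root":
        problems.append("expected mode 600 and group root")
    if perm & 0o007:
        problems.append("key is accessible to other users")
    return problems

def audit_ca_link(name, target):
    """Check one <hash>.0 entry: 8 hex digits plus .0, and a symlink to cacert.pem."""
    problems = []
    if not HASH_LINK.match(name):
        problems.append("link name is not an 8-hex-digit hash followed by .0")
    if target != "cacert.pem":
        problems.append("entry is not a symbolic link to cacert.pem")
    return problems

def audit_certs_dir(path="/etc/mail/certs", msp_enabled=False):
    """Walk a sendmail certs directory and return {filename: [problems]}."""
    report = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if name.endswith("-key.pem"):
            st = os.stat(full)
            with open(full) as fh:
                report[name] = audit_key(fh.read(), st.st_mode,
                                         grp.getgrgid(st.st_gid).gr_name, msp_enabled)
        elif name.endswith(".0"):
            target = os.readlink(full) if os.path.islink(full) else None
            report[name] = audit_ca_link(name, target)
    return report
```

Run audit_certs_dir("/etc/mail/certs", msp_enabled=True) on an MSP host; an empty list for every entry means the layout matches this procedure.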

Verifying the TLS/SSL Configuration

Follow this procedure to verify the TLS/SSL configuration:

  1. Examine the output of the mtail command to ensure that the Sendmail 8.13.3 log contains no errors or warnings after you configure TLS/SSL.

  2. Send a test mail using Sendmail 8.13.3 and verify if the mail is delivered to the destination address.

  3. Check that STARTTLS appears in the relevant Sendmail 8.13.3 log entries; this confirms that STARTTLS is configured properly.

  4. Establish a Telnet session to port 25 or port 587 of the newly configured server to ensure that it offers STARTTLS support in response to the EHLO command. Port 587 is used if MSP is enabled for Sendmail 8.13.3.

    Following is a sample Telnet session, which ascertains the STARTTLS support:

    $ telnet localhost 25
    Trying...
    Connected to localhost.<domain_name>
    Escape character is '^]'.
    220 <hostname>.<domain-name> ESMTP Sendmail @(#)Sendmail version 8.13.3 - Revision 2.005 - 12 January 2007/8.13.3; Fri, 4 May 2007 18:00:30 +0530 (IST)

    where:

    <hostname>

    Specifies the host name.

    <domain-name>

    Specifies the domain name.

    Enter the EHLO command, as follows:

    $ EHLO localhost

    The following output displays:

    250-<hostname>.<domain-name> Hello localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5
    250-STARTTLS
    250-DELIVERBY
    250 HELP

    Ensure that the Sendmail 8.13.3 server returns a 250-STARTTLS line in response to the SMTP EHLO command. This indicates that STARTTLS is configured correctly.

    Enter the following to indicate that you want to quit the Telnet session:

    $ QUIT

    The following output displays:

    221 2.0.0 <hostname>.<domain-name> closing connection
    Connection closed by foreign host.

  5. Send a mail using the STARTTLS configured Sendmail 8.13.3 server and ensure that you get the (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) line in the following message header:

    From root@<sender_name>.<domain_name> Thu Jul 5 19:19:30 IST 2007
    Received: from <sender_name>.<domain_name> by <hostname>.<domain_name>
        (@(#)Sendmail version 8.13.3 - Revision 2.005 - 12 January 2007/8.13.3) with ESMTP id l65DnTLe028546
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
        for <hostname>.<domain_name>; Thu, 5 Jul 2007 19:19:30 +0530 (IST)
    Received: (from root@localhost) by <sender_name>.<domain_name>
        ((@(#)Sendmail version 8.13.3 - Revision 1.000 - 1st August,2006/8.13.3) id l65Dbpdc008315
        for root@<hostname> Thu, 5 Jul 2007 19:07:51 +0530 (IST)
    Date: Thu, 5 Jul 2007 19:07:51 +0530 (IST)
    From: <server_name>.<domain_name>

    The verify macro in the message header and in the mtail command output contains the result of verifying the presented certificate.

    The verify macro can contain the following values:

    OK

    Verification succeeded.

    NO

    No certificate presented.

    FAIL

    Certificate presented, but it could not be verified. For example, the CA is missing.

    NONE

    STARTTLS was not performed.

    TEMP

    A temporary error occurred. For example, Sendmail 8.13.3 received a 454 response from its peer.

    PROTOCOL

    Protocol error occurred.

    SOFTWARE

    Problems incurred during the handshake at the TLS level. In this case, the connection is dropped.
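To automate steps 4 and 5, the following Python helper (added here; not part of the HP documentation or of Sendmail) parses an EHLO reply for the STARTTLS extension, extracts the version/cipher/bits/verify clause from a Received: header, and maps the verify value to the meanings listed above; check_starttls() additionally opens a live session and verifies the server certificate against the CA file. The host, port and cafile parameters are assumptions, and the sample EHLO reply is constructed in the shape shown above, not captured from a real server.

```python
import re
import smtplib
import ssl

VERIFY_MEANING = {
    "OK": "verification succeeded",
    "NO": "no certificate presented",
    "FAIL": "certificate presented but not verified (for example, CA missing)",
    "NONE": "STARTTLS was not performed",
    "TEMP": "temporary error (for example, 454 from the peer)",
    "PROTOCOL": "protocol error",
    "SOFTWARE": "TLS handshake failed; connection dropped",
}
TLS_CLAUSE = re.compile(r"\(version=(?P<version>\S+) cipher=(?P<cipher>\S+) bits=(?P<bits>\d+) verify=(?P<verify>\w+)\)")

# Constructed sample EHLO reply (not captured from a real server).
SAMPLE_EHLO = ("250-mx.example.test Hello localhost [127.0.0.1], pleased to meet you\n"
               "250-ENHANCEDSTATUSCODES\n250-AUTH DIGEST-MD5 CRAM-MD5\n250-STARTTLS\n250 HELP\n")

def ehlo_extensions(reply):
    """Parse a 250 EHLO reply into {EXTENSION: parameters}; the first 250 line is the greeting."""
    lines = [l.strip() for l in reply.splitlines() if l.strip().startswith("250")]
    exts = {}
    for line in lines[1:]:
        parts = line[4:].split(None, 1)  # drop the "250-" / "250 " prefix
        if parts:
            exts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return exts

def tls_from_received(header):
    """Return version/cipher/bits/verify from a Received: header, or None if it has no TLS clause."""
    m = TLS_CLAUSE.search(" ".join(header.split()))  # unfold the wrapped header first
    if not m:
        return None
    info = m.groupdict()
    info["bits"] = int(info["bits"])
    info["meaning"] = VERIFY_MEANING.get(info["verify"], "unknown verify value")
    return info

def check_starttls(host, port=25, cafile="/etc/mail/certs/cacert.pem"):
    """Live check: EHLO, then STARTTLS with the server certificate verified against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    # A TLSv1-only server (as in the sample header above) needs ctx.minimum_version lowered.
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        smtp.starttls(context=ctx)  # raises ssl.SSLError if the certificate does not verify
        cipher, version, bits = smtp.sock.cipher()
        return {"starttls": True, "cipher": cipher, "version": version, "bits": bits}
```

A result of {"starttls": False} or an ssl.SSLError from check_starttls() corresponds to the missing 250-STARTTLS line or a verify=FAIL header in the manual checks above.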

© Hewlett-Packard Development Company, L.P.