Sendmail [was OpenSSL]

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Thu Jul 15 19:45:30 UTC 2004


On Thu, 15.07.2004 at 21:10, James Kosin wrote:

> Thanks for your help in this...  I know you have been very patient with
> me.  This is only the first time I've tried a secure email server.
> Pop3s was easy enough to setup.  When I setup (or tried to) TLS things
> didn't work so easily.
> 
> Changes:
> ---------
> a)  /usr/lib/sasl2/Sendmail.conf
>     had pwcheck_method set to pam....  I'm not sure if this is the
> default or not...  I changed this to shadow like you have suggested is
> the default.

Maybe a little misunderstanding: the default entry in Sendmail.conf is
"pwcheck_method:saslauthd". Then the saslauthd must be running (service
saslauthd status). The saslauthd is by default configured to auth
against the shadow file. If you want to change that you will have to
create a file /etc/sysconfig/saslauthd with content e.g. "MECH=pam";
this will override the setting in the init script.

>     I also renamed another file there called smtpd.conf to
> smtpd.conf.old just in case there was a conflict there.

Hm, that file certainly comes from a Postfix install in parallel.

> b)  To help later to simplify configuring the secure clients, I took a
> page from one of the links you sent me (or maybe I found).  Anyway, I
> created a directory called /etc/mail/ssl to store the ssl information.
>     I ran '/usr/share/ssl/misc/CA.pl -newca' which creates a ./demoCA
> directory with all the important information.  I then moved the files in
> ./demoCA to the /etc/mail/ssl...  I did this to help later with using
> and creating certificates later if need be.

Ok.

> c)  I had to copy /usr/share/ssl/certs/ipop3d.pem to
> /etc/mail/ssl/cacert.pem and /etc/mail/ssl/private/cakey.pem to fix an
> issue of both certificates having the same serial number.  My email

I don't know what you did, but it does not sound proper. The cacert is
something very different than the client certificates such as ipop3d.pem.
Maybe I should post you a brief description of the necessary steps.

> client kept complaining about both certificates having the same serial
> number and asking the administrator to fix the issue.  It just may be my
> email client and not all.  Of course, I still had to edit both of them,
> deleting the cert information from the cakey.pem file and the rsa
> information from the cacert.pem file.  I'm guessing this was because
> both certs contained the exact same information; but, different keys
> were used to sign the key.

I think the trouble came from the fact that your cacert.pem file is /
was not the one which is expected (see above). The removal of the RSA
host key part is necessary so that at every server start (Sendmail and
IMAP/POP3 server) you don't have to enter the passphrase of the key.

> d)  I had to use the trick of using 'cp /etc/mail/ssl/cacert.pem
> /etc/mail/ssl/certs/`openssl x509 -noout -hash <
> /etc/mail/ssl/cacert.pem`.0'.  This creates the hash (link) file needed
> by STARTTLS to not complain about the key not existing.

Yes, the hash link is necessary.

> e)  I had to modify sendmail.mc to point to the new directories for the
> certs and keys...

FC2's cert dir within sendmail.mc is by default /etc/mail/certs. So the
adjustment is valid. One side note: take care of the permissions of the
cert files. The host key should be readable by nobody other than root.

> Everything seems to be working well now.

Glad to hear that.

> Oh, I did change the password for the user!!!!

Well done then :)

One last note: The default setting in sendmail.mc does not force
STARTTLS to be active for PLAIN and LOGIN AUTH. If you did not already
change that, then change it to allow LOGIN and PLAIN only after
STARTTLS has been done:

define(`confAUTH_OPTIONS', `A p')dnl

Otherwise it depends on how the user configured his client, whether he
activated SSL/TLS in his mail client. And you know, never trust the user.

> James Kosin

Kind regards

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) Athlon CPU kernel 2.6.6-1.435.2.3.uml
Serendipity 21:26:08 up 2 days, 19:08, load average: 0.37, 0.16, 0.16 
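As an added example that is not part of the thread (and not Fedora's or Sendmail's own tooling), here is a POSIX shell script that audits the points raised in the reply above on a Fedora Core 2 style layout: the pwcheck_method in /usr/lib/sasl2/Sendmail.conf, the `p` flag in confAUTH_OPTIONS so that PLAIN/LOGIN are only offered after STARTTLS, the permissions on the host key, and the `<hash>.0` file that the STARTTLS CA lookup needs. The default paths are the ones named in the thread; the function names and the `--audit` switch are this example's own invention. All paths are parameters, so the checks can be run against a scratch directory as well as against /etc/mail.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Sendmail STARTTLS/SASL
# setup for the points discussed above. Paths default to those in the thread.

# Print the pwcheck_method from a Cyrus SASL application config such as
# /usr/lib/sasl2/Sendmail.conf ("pwcheck_method:saslauthd", with or without
# whitespace after the colon). Prints nothing if the key is absent.
sasl_pwcheck_method() {
    sed -n 's/^pwcheck_method:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Succeed only if sendmail.mc sets confAUTH_OPTIONS with the 'p' flag, i.e.
# PLAIN/LOGIN are allowed only after STARTTLS. Lines beginning with dnl are
# m4 comments and are skipped; the flag letters sit between the last pair of
# m4 quotes on the define line, e.g. define(`confAUTH_OPTIONS', `A p')dnl.
auth_requires_tls() {
    opts=$(grep -v '^[[:space:]]*dnl' "$1" \
        | grep 'confAUTH_OPTIONS' \
        | sed 's/.*confAUTH_OPTIONS[^A-Za-z]*\([A-Za-z ]*\).*/\1/')
    case "$opts" in
        *p*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeed only if the host key is readable by its owner alone: neither the
# group nor the other read bit is set. Uses POSIX find, so no GNU stat needed.
key_is_private() {
    [ -f "$1" ] || return 1
    exposed=$(find "$1" \( -perm -040 -o -perm -004 \) -print)
    [ -z "$exposed" ]
}

# Succeed only if certdir holds the <hash>.0 file that OpenSSL's directory
# lookup (and therefore Sendmail's STARTTLS) uses to find the CA certificate.
# Needs the openssl binary; fails cleanly if it is missing or the cert is bad.
cacert_hash_present() {
    cacert="$1"; certdir="$2"
    h=$(openssl x509 -noout -hash -in "$cacert" 2>/dev/null) || return 1
    [ -n "$h" ] && [ -e "$certdir/$h.0" ]
}

# Run every check, print one line per result, and return the number of
# failures (0 means the configuration matches the advice in the thread).
audit() {
    mc="${1:-/etc/mail/sendmail.mc}"
    key="${2:-/etc/mail/ssl/private/cakey.pem}"
    cacert="${3:-/etc/mail/ssl/cacert.pem}"
    certdir="${4:-/etc/mail/ssl/certs}"
    saslconf="${5:-/usr/lib/sasl2/Sendmail.conf}"
    fails=0
    echo "INFO pwcheck_method in $saslconf: $(sasl_pwcheck_method "$saslconf" 2>/dev/null)"
    if auth_requires_tls "$mc"; then echo "OK   PLAIN/LOGIN only after STARTTLS"
    else echo "FAIL confAUTH_OPTIONS in $mc lacks the p flag"; fails=$((fails + 1)); fi
    if key_is_private "$key"; then echo "OK   $key readable by owner only"
    else echo "FAIL $key is missing or readable by group/other"; fails=$((fails + 1)); fi
    if cacert_hash_present "$cacert" "$certdir"; then echo "OK   CA hash link present in $certdir"
    else echo "FAIL no <hash>.0 for $cacert in $certdir"; fails=$((fails + 1)); fi
    return "$fails"
}

# Stand-alone use: sh audit.sh --audit [sendmail.mc key cacert certdir Sendmail.conf]
if [ "${1:-}" = "--audit" ]; then shift; audit "$@"; fi
```

The confAUTH_OPTIONS check deliberately accepts `A p` and rejects a bare `A`, which is the change recommended above; the key check only looks at mode bits, so ownership by root still has to be verified separately.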