[rhn-users] RH EL 3 and STARTTLS
Paul A. Kennedy
pakenned at beckman.uiuc.edu
Tue Aug 24 18:35:05 UTC 2004
On Tue, Aug 24, 2004 at 05:45:24PM +0100, Ken Smith wrote:
> Hi,
>
> This is my first post to this list and I have a question about STARTTLS. I
> have found many pages on the net about it but no definitive Mini How To. I
> just seem to be finding bits of the jigsaw but no whole picture yet and the
> RH docs seem silent on this subject...
>
> I have also found many people asking what I'm about to ask...
>
> My logfiles have complaints like this..
>
> STARTTLS=client: file /etc/mail/certs/key.pem unsafe: No such file or
> directory: 372 Time(s)
> STARTTLS=client: file /etc/mail/certs/cacert.pem unsafe: No such file or
> directory: 372 Time(s)
> STARTTLS=client: file /etc/mail/certs/cert.pem unsafe: No such file or
> directory: 372 Time(s)
> STARTTLS=client, error: load verify locs /etc/mail/certs,
> /etc/mail/certs/cacert.pem failed: 0: 372 Time(s)
>
>
> I found some docs about using the Makefile in /usr/share/ssl/certs but
> running
>
> make sendmail.pem
>
> certainly creates a file called sendmail.pem but what is that - a key file?
> A signed one or what?
A pem file should mean an ASCII encoding. Its _de facto_ meaning is typically
a concatenation of a private key file and a certificate.
I would recommend that you specify in your sendmail.mc file a certificate file
and a key file. This means taking the key from the "pem" file and putting it in a
key file, and the cert from the "pem" file and putting it in a cert file.
You'll then want to have your sendmail.mc file have things like this:
define(`confCACERT_PATH',`/usr/share/ssl/certs')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.crt')
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.key')
Do not give anyone your private key. Ever.
> The directory /etc/mail/certs does not exist on my system.
You might try looking in /usr/share/ssl/certs. I'm coming from mostly 7.3 and
9 machines, so that's my familiarity. I've not had to set up SMTP AUTH on RHEL
3 (yet).
> I don't really want to become Western Europe's Guru on TLS. I just would
> like to get it working. I do have a basic understanding of public/private
> key security. So does anyone have a pointer to a simple recipe style
> "how-to" to get this working that I can follow without becoming a
> cryptology expert?
I've set up SMTP AUTH on a RHL 9 box. I've not exactly documented it, but I do
have some notes for what I have in place. There's a link from here:
http://www.uiuc.edu/~pakenned
My document is incomplete.
I found myself in the same situation that you find yourself in. There are a
lot of little pieces but not a coherent picture. Perhaps this can show you
what I have working on RHL9. I don't think that I have MTA<-->MTA
authentication working properly, but it's not been a big deal. If other people
want to contribute their knowledge, then maybe we can make a larger howto.
Paul
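As an added example (not part of Paul's message, and not a Red Hat or sendmail tool), a POSIX shell script that does the split Paul describes: it pulls the private key and certificate blocks out of a combined sendmail.pem into sendmail.key and sendmail.crt, leaves the key readable only by its owner (sendmail's safefile checks report a group- or world-readable key file as "unsafe"), and prints the matching sendmail.mc defines. The target directory, file names and the placeholder PEM body are assumptions/constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original message. Splits a combined "pem"
# (private key + certificate) into the separate files the confSERVER_KEY and
# confSERVER_CERT defines expect. Paths are illustrative assumptions.

# Print the first PEM block whose type matches the awk regex in $2
# (e.g. "(RSA )?PRIVATE KEY" or "CERTIFICATE") from file $1.
pem_block() {
    awk -v kind="$2" '
        $0 ~ ("^-----BEGIN " kind "-----$") { inblock = 1 }
        inblock { print }
        $0 ~ ("^-----END " kind "-----$")   { exit }
    ' "$1"
}

# split_pem SRC DIR: writes DIR/sendmail.key (0600) and DIR/sendmail.crt (0644).
# Fails, leaving nothing behind, if either block is missing, so sendmail is
# never pointed at a half-populated directory.
split_pem() {
    src="$1"; dir="$2"
    key="$dir/sendmail.key"; crt="$dir/sendmail.crt"
    # umask in a subshell so the key is never world-readable, even briefly
    ( umask 077; pem_block "$src" "(RSA )?PRIVATE KEY" > "$key" ) || return 1
    pem_block "$src" "CERTIFICATE" > "$crt" || return 1
    if [ ! -s "$key" ] || [ ! -s "$crt" ]; then
        rm -f "$key" "$crt"; return 1
    fi
    chmod 0600 "$key" && chmod 0644 "$crt"
}

# Emit sendmail.mc lines in the same layout as the message above.
mc_defines() {
    dir="$1"
    printf "define(\`confCACERT_PATH',\`%s')\n" "$dir"
    printf "define(\`confCACERT',\`%s/ca-bundle.crt')\n" "$dir"
    printf "define(\`confSERVER_CERT',\`%s/sendmail.crt')\n" "$dir"
    printf "define(\`confSERVER_KEY',\`%s/sendmail.key')\n" "$dir"
}

# Constructed sample with the shape of a combined "pem" file; the body lines
# are placeholders, not a real key or certificate.
write_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIconstructedPlaceholderKeyBody=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIconstructedPlaceholderCertBody=
-----END CERTIFICATE-----
EOF
}
```

To try it on the constructed sample: `. ./split_pem.sh; d=$(mktemp -d); write_sample_pem "$d/sendmail.pem"; split_pem "$d/sendmail.pem" "$d" && mc_defines "$d"`. For a real deployment replace the sample with the sendmail.pem produced by the Makefile and point `mc_defines` at the directory named in confCACERT_PATH.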