
tls

Created by dave.
(2019-12-05)

Sendmail TLS configuration

This should be moderately best-practice as of the above date. Check the internet for updates.

Add this to your sendmail.mc:

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-intermediate.bundle')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-cert.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-key-decrypt.key')dnl

...naturally replacing the paths and names with the correct values. confCACERT should point at the intermediate bundle so the server sends a complete chain, and confSERVER_KEY is the decrypted (passphrase-free) private key, so it must be owned by root and readable by root only: sendmail runs safe-file checks on it and will log a group- or world-readable key as unsafe and carry on without STARTTLS.

Change the corresponding DAEMON_OPTIONS lines (they are usually present but commented out with dnl) to look like this. M=s makes the smtps listener TLS-on-connect on port 465 rather than STARTTLS; M=Ea disables ETRN on the submission port and requires authentication there:

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

Add this at the end of your sendmail.mc. These are raw sendmail.cf option lines, which is why they go under LOCAL_CONFIG instead of in define() form. The DHParameters file has to exist before sendmail starts (generate one with openssl dhparam, 2048 bits or more, if you do not already have one); the SSLOptions lines disable SSLv2/SSLv3 and make the server's cipher order win over the client's:

LOCAL_CONFIG
O CipherList=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
O DHParameters=/etc/pki/tls/certs/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Rebuild sendmail.cf from sendmail.mc (m4, or make in /etc/mail on Red Hat-style systems), restart sendmail, and check the maillog for STARTTLS errors: a key/certificate mismatch, a missing file or an unsafe key file does not stop sendmail from starting, it just runs without TLS and logs why.

Test (look at the Protocol, Cipher and "Verify return code" lines in the output; a non-zero verify code usually means the intermediate bundle is not being served. For the smtps listener connect to port 465 and drop -starttls smtp):

# openssl s_client -connect vsp1.example.local:25 -starttls smtp
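Reading the s_client output by eye gets old quickly, so here is an added example (not from the original page) of a small POSIX shell script that checks the s_client summary lines and the key file permissions. The two sample reports embedded in it are constructed, not captured from a real host, and the hostnames/paths in the comments are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original page: post-restart checks for the
# sendmail TLS setup above. check_tls_report inspects the output of
#   openssl s_client -connect HOST:25 -starttls smtp </dev/null 2>&1
# and key_mode_ok checks the decrypted key file's permissions.
# The two sample reports below are constructed, not captured from a host.

# Pull the "Protocol  :", "Cipher    :" and "Verify return code:" lines
# that s_client prints in its SSL-Session summary.
tls_protocol()    { printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1; }
tls_cipher()      { printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1; }
tls_verify_code() { printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1; }

# Return 0 when the session negotiated TLS 1.2 or 1.3, a forward-secret
# cipher, and a chain the client could verify; otherwise print why and
# return 1. The page's CipherList still allows kRSA as a last resort, so
# a client that lands on an RSA-key-exchange suite is worth noticing.
check_tls_report() {
    proto=$(tls_protocol "$1")
    cipher=$(tls_cipher "$1")
    vcode=$(tls_verify_code "$1")
    rc=0
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "FAIL: protocol '$proto' (expected TLSv1.2 or TLSv1.3)"; rc=1 ;;
    esac
    case "$cipher" in
        ECDHE-*|DHE-*|TLS_*) ;;   # TLS 1.3 suites (TLS_*) are always (EC)DHE
        *) echo "FAIL: cipher '$cipher' has no forward secrecy (kRSA fallback?)"; rc=1 ;;
    esac
    if [ "$vcode" != "0" ]; then
        echo "FAIL: verify return code '$vcode'; check the confCACERT intermediate bundle"
        rc=1
    fi
    return $rc
}

# Return 0 when the key file is readable by its owner only. sendmail runs
# safe-file checks on confSERVER_KEY and logs it as unsafe (running without
# STARTTLS) if it is group- or world-readable. Assumes ls -l prints the
# usual 10-character mode string first.
key_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) echo "FAIL: $1 has mode '$mode', expected 0600"; return 1 ;;
    esac
}

# Constructed sample: what a healthy STARTTLS session looks like.
SAMPLE_GOOD='CONNECTED(00000003)
---
SSL handshake has read 3456 bytes and written 433 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---'

# Constructed sample: RSA key exchange chosen and an incomplete chain
# (the intermediate bundle was not served).
SAMPLE_KRSA='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
---'

# Demo on the constructed samples. Against a real host use:
#   check_tls_report "$(openssl s_client -connect vsp1.example.local:25 -starttls smtp </dev/null 2>&1)"
#   key_mode_ok /etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-key-decrypt.key
echo "== good sample";  check_tls_report "$SAMPLE_GOOD" && echo PASS
echo "== kRSA sample";  check_tls_report "$SAMPLE_KRSA" || echo "(rejected, as expected)"
```

With the CipherList and SSL_OP_CIPHER_SERVER_PREFERENCE from this page a current client should land on an ECDHE suite, so a kRSA result from check_tls_report means either a very old client or a cipher list that did not take effect (re-check that sendmail.cf was actually rebuilt). Run the same check against port 465 without -starttls smtp to cover the smtps listener.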
