
STARTTLS Configuration Help

Status
Not open for further replies.

jtgrant65

IS-IT--Management
Nov 17, 2008
I have recently been given a requirement that all emails sent from our server be signed with a valid x509 certificate. My server is a DELL 9650 and the O/S is redhat 4.5. The sendmail version is 8.13.1-3.3. I have sendmail configured to function strictly as a client, i.e. it sends email out through the localhost ip and does not receive or relay email.

I have obtained the x509 certificate from our CA and have configured my submit.mc and sendmail.mc files. This is what they look like:

Sendmail.mc:

define(`confCACERT_PATH',`/etc/mail/ssl/')
define(`confCACERT',`/etc/mail/ssl/caroot.pem')
define(`confSERVER_CERT',`/etc/mail/ssl/c27cfms5nrfk05d.cert')
define(`confSERVER_KEY',`/etc/mail/ssl/c27cfms5nrfk05d.key')
define(`confCLIENT_CERT',`/etc/mail/ssl/c27cfms5nrfk05d.cert')
define(`confCLIENT_KEY',`/etc/mail/ssl/c27cfms5nrfk05d.key')

Submit.mc:

define(`confCACERT_PATH',`/etc/mail/ssl/')
define(`confCACERT',`/etc/mail/ssl/caroot.pem')
define(`confCLIENT_CERT',`/etc/mail/ssl/c27cfms5nrfk05d.cert')
define(`confCLIENT_KEY',`/etc/mail/ssl/c27cfms5nrfk05d.key')


After I bounce the sendmail server, I check to make sure that STARTTLS is available by using the following command:

telnet localhost 25
ehlo localhost

I get the following output as follows:

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP


As you can see, STARTTLS is available. I then try to send an email and get the following log entry:

Nov 21 11:43:43 c27cfms5nrfk05d sendmail[32256]: mALGhh42032256: from=root, size=48, class=0, nrcpts=1, msgid=<200811211643.mALGhh42032256@c27cfms5nrfk05d.thc.cnic.navy.mil>, relay=root@localhost
Nov 21 11:43:43 c27cfms5nrfk05d sendmail[32305]: NOQUEUE: connect from localhost.localdomain [127.0.0.1]
Nov 21 11:43:43 c27cfms5nrfk05d sendmail[32256]: STARTTLS=client: file /etc/mail/ssl/c27cfms5nrfk05d.key unsafe: Permission denied
Nov 21 11:43:43 c27cfms5nrfk05d sendmail[32305]: STARTTLS=server, relay=localhost.localdomain [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Nov 21 11:43:43 c27cfms5nrfk05d sendmail[32256]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Nov 21 11:43:43 c27cfms5nrfk05d sendmail[32305]: ruleset=trust_auth, arg1=root@c27cfms5nrfk05d.thc.cnic.navy.mil, relay=localhost.localdomain [127.0.0.1], reject=550 5.7.1 <root@c27cfms5nrfk05d.thc.cnic.navy.mil>... not authenticated
Nov 21 11:43:43 c27cfms5nrfk05d sendmail[32305]: mALGhhl0032305: from=<root@c27cfms5nrfk05d.thc.cnic.navy.mil>, size=387, class=0, nrcpts=1, msgid=<200811211643.mALGhh42032256@c27cfms5nrfk05d.thc.cnic.navy.mil>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 21 11:43:43 c27cfms5nrfk05d sendmail[32256]: mALGhh42032256: to=john.grant@dataline.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30048, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (mALGhhl0032305 Message accepted for delivery)
Nov 21 11:43:44 c27cfms5nrfk05d sendmail[32307]: mALGhhl0032305: to=<john.grant@dataline.com>, ctladdr=<root@c27cfms5nrfk05d.thc.cnic.navy.mil> (0/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120387, relay=mail1.dataline.com. [216.54.46.141], dsn=2.0.0, stat=Sent (ok: Message 20593897 accepted)
Nov 21 11:43:44 c27cfms5nrfk05d sendmail[32307]: mALGhhl0032305: done; delay=00:00:01, ntries=1


For some reason, sendmail cannot read my private key file. It gives me a permission denied error. I have set the permissions on my key file as follows and have gotten these results:

0400 Permission denied
0440 Group readable error
0600 Permission denied

I set the ownership on the file to root:smmsp using the same permissions as above and got the same results.

I set the ownership to smmsp:smmsp and got the same results.

I set the ownership to root:mail and got the same results.
I set the ownership to mail:mail and got the same results.
I set the ownership to root:root and got the same results.
I set the permissions to 700 where the owner was root and got the same results.

I set DONT_BLAME_SENDMAIL to groupreadablekeyfile and then set the permissions to 0440 again and got the same results.

Has anyone successfully configured sendmail to use STARTTLS such that it was not relaying but only functioning as a client? If so, please let me know how you did it.

Thanks

John
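The log in the post shows the failure mode worth recognising: the client side (pid 32256) could not load the key, so it presented no client certificate, the server side logged verify=NO and trust_auth refused the AUTH= parameter, and the message still left the box over TLS but without any certificate-backed identity. Note also that STARTTLS only authenticates and encrypts the hop; a requirement that each message be signed with an X.509 certificate is an S/MIME requirement, which a transport-level TLS setup does not satisfy. The script below is an added example, not code from the original post or from sendmail itself. It checks a key file against the rules sendmail's documentation gives for accepting a key: a regular file, owned by the user sendmail reads it as (root for the daemon; the MSP started from submit.cf runs as the calling user with group smmsp), not group- or world-readable unless DontBlameSendmail=GroupReadableKeyFile is set, and no group- or world-writable directory anywhere on its path. It assumes GNU coreutils `stat` (Linux); the STOP argument and the `key_matches_cert` helper are my additions, not sendmail options.

```shell
#!/bin/sh
# Added example: audit a sendmail STARTTLS private key the way sendmail's
# own safety check treats it. Assumptions: GNU stat; the rules listed in
# the lead-in. Exit codes tell the caller which rule failed:
#   0 ok, 2 not a regular file, 3 wrong owner, 4 too readable,
#   5 unsafe directory on the path.

check_key_file() {
    key="$1"                  # path to the private key
    want_owner="${2:-root}"   # user sendmail will read the key as
    allow_group="${3:-no}"    # "yes" if GroupReadableKeyFile is set
    stop="${4:-/}"            # last directory to inspect (sendmail walks to /)

    case "$key" in /*) ;; *) key="$PWD/$key" ;; esac

    if [ ! -f "$key" ]; then
        echo "$key: not a regular file"; return 2
    fi

    owner=$(stat -c '%U' "$key")
    if [ "$owner" != "$want_owner" ]; then
        echo "$key: owned by $owner, expected $want_owner"; return 3
    fi

    # Symbolic mode, e.g. -rw-------: positions 5-7 group, 8-10 other.
    perm=$(stat -c '%A' "$key")
    case "$perm" in
        ???????r*) echo "$key: world-readable ($perm)"; return 4 ;;
    esac
    case "$perm" in
        ????r*)
            if [ "$allow_group" != "yes" ]; then
                echo "$key: group-readable ($perm) without GroupReadableKeyFile"
                return 4
            fi ;;
    esac

    # Every directory from the key's directory up to $stop must not be
    # group- or world-writable (sticky bit does not help by default).
    dir=$(dirname "$key")
    while :; do
        dperm=$(stat -c '%A' "$dir")
        case "$dperm" in
            ?????w*|????????w*)
                echo "$dir: group/world-writable directory ($dperm)"; return 5 ;;
        esac
        [ "$dir" = "$stop" ] && break
        case "$dir" in /|.) break ;; esac
        dir=$(dirname "$dir")
    done

    echo "$key: acceptable to sendmail"
    return 0
}

# Separate sanity check: the key and certificate named in sendmail.mc must
# belong together, otherwise the failure shows up at handshake time rather
# than at the permission check.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: ./keycheck.sh /etc/mail/ssl/server.key root no
if [ $# -gt 0 ]; then
    check_key_file "$@"
fi
```

Run it once as the daemon's user for sendmail.cf and once as the user that invokes the MSP for submit.cf; the two processes read the same key under different identities, which is why an ownership that satisfies one can fail the other. After the key loads, `openssl s_client -starttls smtp -connect localhost:25` shows whether the server now asks for and accepts a client certificate, which is what the verify= field in the log reports.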
 