s AUTHENTICATING AND SECURING YOUR MAIL in Font

Print Data Matrix in Font s AUTHENTICATING AND SECURING YOUR MAIL

For some fields there will be a default value, If you enter '.', the field will be left blank. ----Country Name (2 letter code) [AU]: State or Province Name (full name) [New South Wales]: Locality Name (eg, city) [Sydney]: Organization Name (eg, company) [puppy.yourdomain.com]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:puppy.yourdomain.com Email Address []:admin@puppy.yourdomain.com

sCaution I used the -nodes option to create the certificate and private key. This tells OpenSSL to not

secure the certificate with a passphrase. Otherwise, every time the certificate was accessed, it would require the passphrase. The SMTP server has no scope to enter this passphrase, and a connection would simply hang while waiting for the passphrase to be entered.

This will create two files: puppy.yourdomain.com.key.pem and puppy.yourdomain.com.csr.pem. These files consist of a keyfile for your system and a certificate request. The final stage of your certificate creation is to sign the certificate request using your new CA. Listing 8-2 shows the resulting messages after you run the command. Listing 8-2. Signing Your Certificate Request puppy# openssl ca -config /etc/mail/certs/mailCA/openssl.cnf -policy policy_anything -out puppy.yourdomain.com.cert.pem -infiles puppy.yourdomain.com.csr.pem Using configuration from /etc/mail/certs/mailCA/mailssl.cnf Enter pass phrase for /etc/mail/certs/mailCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 2 (0x2) Validity Not Before: Apr 2 00:46:41 2004 GMT Not After : Apr 2 00:46:41 2007 GMT Subject: countryName = AU stateOrProvinceName = New South Wales localityName = Sydney organizationName = puppy.yourdomain.com commonName = puppy.yourdomain.com emailAddress = admin@puppy.yourdomain.com

X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: EB:62:9D:27:65:3E:AB:55:44:67:8D:A7:09:E5:08:B3:FC:FF:0B:38 X509v3 Authority Key Identifier: keyid:09:6A:E4:42:E8:DD:53:93:9C:49:01:49:D4:B3:BD:20:5F:82:2A:20 DirName:/C=AU/ST=New South Wales/L=Sydney/O=puppy.yourdomain.com/ CN=puppy/emailAddress=admin@puppy.yourdomain.com serial:00 Certificate is to be certified until Apr 2 00:46:41 2007 GMT (1095 days) Sign the certificate [y/n]:y 1 out of 1 certificate requests certified, commit [y/n]y Write out database with 1 new entries Data Base Updated This will output a final file called puppy.yourdomain.com.cert.pem, which is your certificate file. You can now delete the certificate request file, which is puppy.yourdomain.com.csr.pem.

s Note You can use whatever naming convention you like for your certificates, keys, and requests. I just use the previous convention because it represents a simple way to identify all your SSL components and to which system they belong.

Finally, as you can see in Listing 8-3, you should change the permissions of the files in your certs directory to ensure they are more secure. Listing 8-3. Certificate Permissions puppy# puppy# puppy# puppy# cd /etc/mail chmod 0755 certs cd certs chmod -R 0400 *

The first thing Sendmail needs to run TLS is OpenSSL. You need to ensure the latest version of OpenSSL is installed and that Sendmail has been compiled with SSL support. Listing 8-4 shows the fastest way to check the options with which Sendmail has been compiled.

Listing 8-4. Determining the Options with Which Sendmail Has Been Compiled puppy# sendmail -bt -d0.1 Sendmail will respond with a list of the options compiled into it similar to the one in Listing 8-5. If you see STARTTLS in that list, then TLS already has been compiled into Sendmail; you can skip to the section Configuring Sendmail with TLS. Otherwise, see the next section for instructions about how to compile TLS into Sendmail. Listing 8-5. Options Compiled into Sendmail Version 8.12.11 Compiled with: DNSMAP LOG MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETUNIX NEWDB PIPELINING SASL SCANF STARTTLS USERDB XDEBUG

Compiling Sendmail with support for TLS is a simple process. Add the lines in Listing 8-6 to site.config.m4. Listing 8-6. Sendmail with TLS APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS') APPENDDEF(`conf_sendmail_ENVDEF', `-lssl -lcrypto') On some systems, the SSL libraries and includes are not in the place Sendmail expects. Add the two lines in Listing 8-7 to tell Sendmail where to find the SSL libraries and includes. Listing 8-7. Specifing the SSL Libraries and Includes APPENDDEF(`conf_sendmail_INCDIRS', `-I/path/to/ssl/include') APPENDDEF(`conf_sendmail_LIBDIRS', `-L/path/to/ssl/lib')

s On some Red Hat systems, most notably Red Hat 9 and RHEL 3, you may also need to add an include Tip

to point Sendmail to the Kerberos includes. Usually they would be located in /usr/include/kerberos, but Red Hat has moved them in recent releases to /usr/kerberos/include.

Compile or recompile Sendmail mail with the Build command from /sendmail-yourversion/. Enter the following: puppy# ./Build -c The -c tells the Sendmail compile to include the contents of the site.config.m4 file. Then install the new Sendmail with TLS included by entering the following: puppy# ./Build install Finally, restart Sendmail to make sure you are running the new version.