Openssl archives - Open Source Software and Linux

Feb 19 2009   7:01PM GMT

Using SSL and a password to connect Sendmail to your ISP



Posted by: John Little
sendmail, ssl, isp, password, sasl, starttls, openssl, centos

Many ISPs now require SSL and a password before they will accept outgoing mail. This how-to shows how to set up your sendmail server to relay through your ISP over SSL with password authentication.

I set this up on a CentOS 5.2 virtual machine. You should have the following packages installed:
sendmail
sendmail-cf
cyrus-sasl
cyrus-sasl-lib
cyrus-sasl-plain
openssl

First let's generate our self-signed certificate. The Makefile in /etc/pki/tls/certs does the work and writes the private key and the certificate together into one file named after the make target, so `make sendmail.pem' produces sendmail.pem (the transcript below happens to show test.pem as the output name). Its defaults are a 1024-bit key valid for 365 days, which is what CentOS 5 shipped; expect to regenerate it after a year, and use a larger key on anything newer. Be sure to use the FQDN of your server as the Common Name.

cd /etc/pki/tls/certs
make sendmail.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > test.pem ; \
echo "" >> test.pem ; \
cat $PEM2 >> test.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
........++++++
............................++++++
writing new private key to '/tmp/openssl.wc3819'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:AZ
Locality Name (eg, city) [Newbury]:Tempe
Organization Name (eg, company) [My Company Ltd]:Self
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:mail.home.local
Email Address []:myself@yahoo.com

Next we need to make some edits to the sendmail.mc file. cd to /etc/mail and open the file with your favourite editor. The following lines should be edited or added to match your configuration and the connection details for your ISP. Note that dnl at the front of a line comments the whole line out (the dnl at the end of an active line only discards the trailing newline); delete the leading dnl from any line you enable.

define(`SMART_HOST', `smtp.att.yahoo.com')dnl <==put your ISP's smtp server here

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl <==uncomment the next two lines and add the third line
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl <==uncomment these 4 lines
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl <==remove Addr=127.0.0.1 from this line so clients on your LAN can reach the server; sendmail then listens on every interface, so either restrict it with hosts.allow (see below) or bind it to your LAN address instead with Addr=<your LAN IP>

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl <==uncomment this line to get the SSL listener on port 465

Now we need to set up the login information for your ISP’s smtp server. In the /etc/mail directory perform the following:

mkdir auth
chmod 700 auth
cd auth
vi client-info

Add the following line to the client-info file:

AuthInfo:your.isp.net "U:root" "I:user" "P:password"

The name after AuthInfo: must be exactly the host you set as SMART_HOST (smtp.att.yahoo.com in the example above): sendmail looks the relay up in this map by that name, and with any other key it finds no credentials and never sends AUTH. Replace user with your ISP username ("I:" is the authentication identity) and password with your SMTP password; "U:" is the authorization identity. The password is stored in clear text both here and in the .db map built in the next step, which is why the directory and both files are restricted to root. Save and close the file and perform the following:

makemap hash client-info < client-info
chmod 600 client-info*
cd ..

Now issue the following command so that everything is compiled the way sendmail likes it (sendmail.mc becomes sendmail.cf and the maps are rebuilt):

make -C /etc/mail

Last, edit the following file and make sure that it contains the following two lines. These settings control how sendmail checks the passwords of your own mail clients when they authenticate to it (saslauthd checks them against the system accounts); they have nothing to do with the ISP login, which comes from the client-info map. On x86_64 systems the file lives under /usr/lib64/sasl2 instead. PLAIN and LOGIN send the password in the clear unless the session is encrypted, so have your clients use the SSL port or STARTTLS; adding the `p' flag to confAUTH_OPTIONS in sendmail.mc makes sendmail refuse those mechanisms on unencrypted connections.

vi /usr/lib/sasl2/Sendmail.conf
pwcheck_method:saslauthd <==make sure that these two lines are in the file
mech_list: plain login

If you are using tcpwrappers as I have suggested in the past add the following line to hosts.allow. Change the ip configuration to match your setup:

vi /etc/hosts.allow
sendmail: 172.16.

Now it’s time to test. Make sure that the correct services are running:

/etc/init.d/sendmail start
/etc/init.d/saslauthd start

After starting, check the log at /var/log/maillog. Errors that mention `starttls' point at the sendmail.pem file you created (wrong path, a damaged file, or permissions looser than sendmail allows, which it logs as "unsafe"); errors about AUTH or SASL usually mean the saslauthd daemon is not running. I had a situation once where something happened to the sendmail.pem file and recreating it solved the problem. Beyond that check your firewall, the syntax in sendmail.mc, and the hosts.allow and hosts.deny files.
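Most of the failures described above trace back to one of the edits earlier in this post: a dnl left in place, the loopback address still on the MTA line, an AuthInfo key that does not match SMART_HOST, or a map file that is readable by everyone. The script below is an added example, not part of the original post: a pre-flight check in plain POSIX shell (grep, sed, awk and ls only) that you can run before make -C /etc/mail and the restart. The paths are passed as arguments; the host names in the comments are hypothetical, and nothing under /etc/mail is modified.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# sendmail.mc edits and the AuthInfo map described above. Paths are passed
# as arguments and nothing is written; sample host names are hypothetical.

# Print the value of an active define(`NAME', `value') line. Lines that start
# with dnl are commented out and are ignored; empty output means "not set".
mc_define_value() {              # usage: mc_define_value FILE NAME
    grep -E "^define\(\`$2'" "$1" 2>/dev/null |
        sed -E "s/^define\(\`$2', *\`([^']*)'.*/\1/" | head -n 1
}

# True if FILE has an active line (no leading dnl) that starts with REGEX.
mc_has_active() {                # usage: mc_has_active FILE REGEX
    grep -E "^$2" "$1" >/dev/null 2>&1
}

# Report every missing piece of the relay-through-ISP setup.
# Returns the number of problems found, so 0 means the file looks complete.
check_sendmail_mc() {            # usage: check_sendmail_mc /etc/mail/sendmail.mc
    mc=$1
    problems=0
    fail() { echo "$mc: $1"; problems=$((problems + 1)); }

    [ -n "$(mc_define_value "$mc" SMART_HOST)" ] || fail "SMART_HOST is not defined"
    mc_has_active "$mc" 'FEATURE\(`authinfo' || fail "FEATURE(authinfo) is still commented out"
    mc_has_active "$mc" 'TRUST_AUTH_MECH\(' || fail "TRUST_AUTH_MECH is still commented out"
    [ -n "$(mc_define_value "$mc" confAUTH_MECHANISMS)" ] || fail "confAUTH_MECHANISMS is not defined"
    for name in confCACERT_PATH confCACERT confSERVER_CERT confSERVER_KEY; do
        [ -n "$(mc_define_value "$mc" "$name")" ] || fail "$name is not defined"
    done
    # Port 25 bound to 127.0.0.1 means mail clients on the LAN cannot reach the server.
    if grep -E '^DAEMON_OPTIONS\(`Port=smtp,' "$mc" 2>/dev/null | grep -q 'Addr=127\.0\.0\.1'; then
        fail "MTA daemon is still bound to the loopback address"
    fi
    mc_has_active "$mc" 'DAEMON_OPTIONS\(`Port=smtps' || fail "smtps (port 465) listener is still commented out"
    return "$problems"
}

# sendmail looks up AuthInfo:<smart host name> in the map, so the key in
# client-info must be exactly the SMART_HOST value; any other key is ignored.
authinfo_matches_smart_host() {  # usage: authinfo_matches_smart_host sendmail.mc client-info
    host=$(mc_define_value "$1" SMART_HOST)
    [ -n "$host" ] &&
        awk -v key="AuthInfo:$host" '$1 == key { found = 1 } END { exit !found }' "$2"
}

# The map holds the ISP password in clear text, so it must be mode 0600
# (owner read/write only); the same applies to the client-info.db makemap builds.
is_private_mode() {              # usage: is_private_mode FILE
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# Command-line use: sh check-relay.sh /etc/mail/sendmail.mc /etc/mail/auth/client-info
if [ "$#" -eq 2 ]; then
    rc=0
    check_sendmail_mc "$1" || rc=$?
    authinfo_matches_smart_host "$1" "$2" || { echo "$2: no AuthInfo entry for the SMART_HOST"; rc=$((rc + 1)); }
    for f in "$2" "$2.db"; do
        [ ! -e "$f" ] || is_private_mode "$f" || { echo "$f: should be mode 0600"; rc=$((rc + 1)); }
    done
    [ "$rc" -eq 0 ] && echo "relay configuration looks complete"
    exit "$rc"
fi
```

Run it as root with the two real paths; it prints one line per problem and exits non-zero if anything is wrong, so it also fits into a cron job that warns you if someone later loosens the permissions on the map.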

Once everything is started cleanly open up your mail client. I used Evolution for testing. Edit the preferences and use the settings for your sendmail server. For mine I used the IP address of the sendmail server, checked "Server requires authentication", set "Use secure connection" to SSL encryption and entered the user name that I use to log in to the sendmail server. Note that this is not your ISP username; it is a system account on the sendmail machine, which is what saslauthd checks. "SSL encryption" here means the dedicated listener on port 465 (the TLSMTA daemon enabled above); STARTTLS on port 25 works as well now that the certificate is in place.

Now you should be able to send a test message out through the internet and receive it back through your ISP’s pop server.

Enjoy!

-j

Dec 11 2008   3:24PM GMT

Generate a self signed SSL certificate for your Apache Web Server



Posted by: John Little
apache, openssl, Apache Web Server, Apache SSL, generate ssl certificate, self signed ssl certificate

After getting tired of clicking ok to the certificate messages that popped up every time I or someone else accessed my personal Apache Web Server using SSL I decided to generate my own self signed SSL certificate.

Note that all of these steps are performed on a CentOS or Red Hat apache web server. Depending on the paths that you have setup in your httpd.conf or virtualhost container your paths may be somewhat different. Simply substitute your paths for the ones that I use when I copy my certificates into the designated path.

Let’s get started. First cd into the /etc/pki/tls directory. You have three commands to enter here to finally generate your self signed certificate. You may name the certificate anything that you want. I chose to use my server’s name.

First issue each of the following commands. All three are necessary to generate your ssl certificate. I will comment on them either in the code or just below the code.

##First command to generate the key
[root@web tls]# openssl genrsa -rand /etc/passwd:/etc/group:/etc/httpd/web-sites/hosts-ssl -out secserve.sytes.net.key 1024
7843 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
........++++++
......................++++++
e is 65537 (0x10001)

##second command
[root@web tls]# openssl req -new -key secserve.sytes.net.key -out secserve.sytes.net.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Indiana
Locality Name (eg, city) [Newbury]:Plainfield
Organization Name (eg, company) [My Company Ltd]:MyWeb
Organizational Unit Name (eg, section) []:Web
Common Name (eg, your name or your server's hostname) []:secserve.sytes.net
Email Address []:jlittle_97@yahoo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

##third command
[root@web tls]# openssl x509 -req -days 730 -in secserve.sytes.net.csr -signkey secserve.sytes.net.key -out secserve.sytes.net.crt
Signature ok
subject=/C=US/ST=Indiana/L=Plainfield/O=MyWeb/OU=Web/CN=secserve.sytes.net/emailAddress=jlittle_97@yahoo.com
Getting Private key
[root@web tls]# ls
cert.pem  certs  misc  openssl.cnf  private  secserve.sytes.net.crt  secserve.sytes.net.csr  secserve.sytes.net.key

The first command generates the RSA private key. The -rand option only feeds extra seed material into OpenSSL's random number generator, which is seeded from /dev/urandom anyway, so it can be left out; files like /etc/passwd and /etc/group add very little real entropy. The 1024 at the end is the key size in bits. 1024-bit RSA is no longer considered adequate and current browsers reject it, so use 2048 or larger on anything you set up today.

The second command generates the CSR file. This is where you put in your information about your location and server name. The server name (the Common Name) must be the DNS name that people type into the browser to reach the site, not the hostname of the machine the server runs on; the browser compares the name it connected to against the certificate, and a mismatch produces exactly the warning this post is trying to get rid of. Be sure to substitute your own values for the ones that I have. Leave the challenge password and optional company name entries blank.

The third command does not generate a key: it signs the CSR with your own private key (-signkey) and writes the resulting self-signed certificate, secserve.sytes.net.crt. -days 730 makes it valid for two years. The ls command is used to verify that the three files are there.

Now you need to check your Apache web server to find out where it looks for your signed SSL certificate files. My SSL server is on a virtual host. I keep my virtual host container file in a directory located at /etc/httpd/web-sites with a file name of hosts-ssl. Let's open that to the secserve container and see where Apache expects to see the SSL certificate.

[root@web tls]# vim /etc/httpd/web-sites/hosts-ssl

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/secserve.sytes.net.crt
SSLCertificateKeyFile /etc/httpd/ssl/secserve.sytes.net.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

ServerAdmin  jlittle_97 at yahoo.com
ServerName secserve.sytes.net

I can see in my container that secserve.sytes.net is my web server and that it expects to find the certificate files under /etc/httpd/ssl/ (filename.{crt,key}). Copy the .crt and .key files from the /etc/pki/tls directory where you generated them into this directory; the .csr is only needed if you later want a real CA to sign the same key, so keep it alongside or delete it. Note that you can designate any directory where you want to place your files, as long as the key stays readable by root only.

All that’s left is to restart or reload the web server.

You can check under /var/log/httpd/ to make sure that no errors are generated by the SSL certificate files. If there are none, you are good to go.

A couple of notes are in order here. In the first command you can add the -des3 switch (or -aes256, which is the better choice today), which encrypts the private key under a passphrase that must be supplied every time the key is loaded. While this is a very secure way to protect your web server's key it is not very practical, at least for me. Every time the web server is restarted you will have to put in the password. Aside from being a little inconvenient, what if someone who doesn't know, and should not know, the password has to reboot the machine or restart the Apache service?

My suggestion around the above scenarios is to leave the key unencrypted, chmod it to 600 and make sure that root is the owner. Apache reads the key at startup while it is still running as root, before it drops to the apache user, so nothing else on the machine needs to be able to read it.

So now you can generate your own self signed SSL certificate. This process will work for other SSL applications such as Dovecot.

One last note. If you have a ServerAlias that you use to access your web site from inside your firewall, the certificate has to cover that name too or you are back to the warnings. You can generate a second certificate for it as described above, using the ServerAlias name as the Common Name in its own virtual host. Bear in mind that browsers match the host name against the certificate's subjectAltName extension (only older clients fall back to the Common Name), so the cleaner option is a single certificate that lists both names in subjectAltName.
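As an added example (not the post's own commands, and not code from the Apache or OpenSSL projects), here is the three-step key/CSR/self-sign sequence above collapsed into one openssl req -x509 invocation and brought up to date: a 2048-bit key, SHA-256, a subjectAltName that covers the ServerName and every ServerAlias (so the alias note just above is handled by one certificate instead of a second one), a key file created mode 0600 from the start, and two checks that catch the usual mistakes, namely that the key really belongs to the certificate and that the certificate covers the name a browser will ask for. It needs OpenSSL 1.1.1 or later for -addext; the output directory and host names are arguments, and secserve.example.net and secserve.lan are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: one-shot self-signed certificate
# with subjectAltName, plus key/cert consistency and name-coverage checks.
# Requires OpenSSL 1.1.1+ (-addext). Names and directories are arguments;
# the host names used in comments are hypothetical.

# Generate NAME.key and NAME.crt in OUTDIR, valid for two years (-days 730),
# with NAME as the CN and NAME plus every ALIAS in the subjectAltName.
make_self_signed() {             # usage: make_self_signed OUTDIR NAME [ALIAS ...]
    outdir=$1; name=$2; shift 2
    san="DNS:$name"
    for alias in "$@"; do san="$san,DNS:$alias"; done
    # umask 077 in a subshell so the unencrypted key is never world-readable,
    # not even for an instant; -nodes skips the -des3 passphrase discussed above.
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
        -subj "/CN=$name" -addext "subjectAltName=$san" \
        -keyout "$outdir/$name.key" -out "$outdir/$name.crt") || return 1
    chmod 600 "$outdir/$name.key"
    # For a real deployment also chown root "$outdir/$name.key": httpd reads it
    # as root at startup, before dropping to the apache user.
}

# True if the public key in CERT belongs to the private key in KEY. Pairing a
# certificate with the wrong key is the classic cause of SSL errors in error_log.
key_matches_cert() {             # usage: key_matches_cert KEY CERT
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if CERT's subjectAltName lists NAME. Browsers match the host name
# against the SAN, not the CN, so this is the check that predicts warnings.
cert_covers_name() {             # usage: cert_covers_name CERT NAME
    pat="DNS:$2"
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        grep -Eq "$pat(,|\$)"
}

# Command-line use: sh mkcert.sh /etc/httpd/ssl secserve.example.net secserve.lan
if [ "$#" -ge 2 ]; then
    make_self_signed "$@" &&
    key_matches_cert "$1/$2.key" "$1/$2.crt" &&
    openssl x509 -in "$1/$2.crt" -noout -subject -dates -ext subjectAltName
fi
```

Point SSLCertificateFile and SSLCertificateKeyFile in the virtual host at the generated .crt and .key, reload httpd, and run cert_covers_name against each name in ServerName and ServerAlias before you declare victory. The same function serves Dovecot or any other service that takes a PEM key and certificate pair.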

You can probably have the complete setup done in less time than it takes to read this article.

Have fun!

-j