Posted by: Xjlittle
centos, isp, openssl, password, sasl, sendmail, ssl, starttls
Many ISPs are requiring SSL and a password to connect and send mail. This how to shows how to set up your sendmail server to use SSL with a password for connecting and sending mail through your ISP.
I set this up on a CentOS 5.2 virtual machine. You should have the following packages installed:
First let’s generate our self signed certificate. Be sure and use the FQDN of your server for the machine name.
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > test.pem ; \
echo "" >> test.pem ; \
cat $PEM2 >> test.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
writing new private key to '/tmp/openssl.wc3819'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:AZ
Locality Name (eg, city) [Newbury]:Tempe
Organization Name (eg, company) [My Company Ltd]:Self
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) :mail.home.local
Email Address :firstname.lastname@example.org
Next we need to make some edits to the sendmail.mc file. cd to /etc/mail and open the file with your favourite editor. The following lines should be edited or added to match your configuration and/or connection information to your ISP. Note that dnl at the front of a line indicates a comment. This should be removed from the beginning of any lines that are edited.
define(`SMART_HOST', `smtp.att.yahoo.com')dnl <==put your ISP's smtp server here
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl <==uncomment the next two lines and add the third line
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl <==uncomment these 4 lines
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl <==Remove the loopback address from this line
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl <==uncomment this line
Now we need to set up the login information for your ISP’s smtp server. In the /etc/mail directory perform the following:
chmod 700 auth
Add the following line to the client-info file:
AuthInfo:your.isp.net "U:root" "I:user" "P:password"
Repace user with your ISP username and password with your smtp password. Save and close the file and perform the following:
makemap hash client-info < client-info
chmod 600 client-info*
Now issue the following command so that everything is compile as sendmail likes it:
make -C /etc/mail
Last edit the following file and make sure that it contains the following two lines:
pwcheck_method:saslauthd <==make sure that these two lines are in the file
mech_list: plain login
If you are using tcpwrappers as I have suggested in the past add the following line to hosts.allow. Change the ip configuration to match your setup:
Now it’s time to test. Make sure that the correct services are running:
After starting check the log at /var/log/maillog. If you find any errors that contain `starttls’ then either something is wrong with the sendmail.pem file that you created or the saslauth daemon is not started. I had a situation once where something happened to the sendmail.pem file and recreating it solved the problem. Beyond that check your firewall, syntax in the sendmail.mc and hosts.allow and hosts.deny files.
Once everything is started cleanly open up your mail client. I used evolution for testing. Edit the preferences and use the settings for your sendmail server. For mine I used the IP address of the sendmail server, check “Server requires authentication”, set “Use secure connection” to SSL encryption and entered the user name that I use to login to the sendmail server. Note that this is not your ISP username.
Now you should be able to send a test message out through the internet and receive it back through your ISP’s pop server.