Open Source Software and Linux

Feb 19 2009   7:01PM GMT

Using SSL and a password to connect Sendmail to your ISP

John Little Profile: Xjlittle

Many ISPs are requiring SSL and a password to connect and send mail. This how to shows how to set up your sendmail server to use SSL with a password for connecting and sending mail through your ISP.

I set this up on a CentOS 5.2 virtual machine. You should have the following packages installed:

First let’s generate our self signed certificate. Be sure and use the FQDN of your server for the machine name.

cd /etc/pki/tls/certs
make sendmail.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > test.pem ; \
echo "" >> test.pem ; \
cat $PEM2 >> test.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
writing new private key to '/tmp/openssl.wc3819'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:AZ
Locality Name (eg, city) [Newbury]:Tempe
Organization Name (eg, company) [My Company Ltd]:Self
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mail.home.local
Email Address []

Next we need to make some edits to the file. cd to /etc/mail and open the file with your favourite editor. The following lines should be edited or added to match your configuration and/or connection information to your ISP. Note that dnl at the front of a line indicates a comment. This should be removed from the beginning of any lines that are edited.

define(`SMART_HOST', `')dnl <==put your ISP's smtp server here

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl <==uncomment the next two lines and add the third line
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl <==uncomment these 4 lines
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl <==Remove the loopback address from this line

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl <==uncomment this line

Now we need to set up the login information for your ISP’s smtp server. In the /etc/mail directory perform the following:

mkdir auth
chmod 700 auth
cd auth
vi client-info

Add the following line to the client-info file: "U:root" "I:user" "P:password"

Repace user with your ISP username and password with your smtp password. Save and close the file and perform the following:

makemap hash client-info < client-info
chmod 600 client-info*
cd ..

Now issue the following command so that everything is compile as sendmail likes it:

make -C /etc/mail

Last edit the following file and make sure that it contains the following two lines:

vi /usr/lib/sasl2/Sendmail.conf
pwcheck_method:saslauthd <==make sure that these two lines are in the file
mech_list: plain login

If you are using tcpwrappers as I have suggested in the past add the following line to hosts.allow. Change the ip configuration to match your setup:

vi /etc/hosts.allow
sendmail: 172.16.

Now it’s time to test. Make sure that the correct services are running:

/etc/init.d/sendmail start
/etc/init.d/saslauthd start

After starting check the log at /var/log/maillog. If you find any errors that contain `starttls’ then either something is wrong with the sendmail.pem file that you created or the saslauth daemon is not started. I had a situation once where something happened to the sendmail.pem file and recreating it solved the problem. Beyond that check your firewall, syntax in the and hosts.allow and hosts.deny files.

Once everything is started cleanly open up your mail client. I used evolution for testing. Edit the preferences and use the settings for your sendmail server. For mine I used the IP address of the sendmail server, check “Server requires authentication”, set “Use secure connection” to SSL encryption and entered the user name that I use to login to the sendmail server. Note that this is not your ISP username.

Now you should be able to send a test message out through the internet and receive it back through your ISP’s pop server.



 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: