Configuring RedHat Linux 6.x/7.x for Sendmail 8.11 + SSL/TLS

Changelog:

* Tue Sept 11 2001 (0.6)
  - Added more info on "-lsfio not found"
  - sendmail-tls RPM is not respected by RedHat's up2date. Adding note
* Fri Sept 7 2001 (0.5)
  - Ran Ispell
  - Reformatted logs/smtp chat transcripts for better readability
* Thu Aug 30 14:07:39 IST 2001 (0.4)
  - Added section on compiling "sendmail-tls" RPM
* 20th Aug 2001 14:07:39 IST 2001 (0.3)
  - Adding in information pertaining to RHL 6.2
* 18th Aug 2001 14:07:39 IST 2001 (0.2)
  - Added sample mail header
* 17th Aug 2001 14:07:39 IST 2001 (0.1)
  - Initial roll out

SYNOPSIS:

SMTP AUTH can be used in anti-relay rulesets to allow relaying for those users that have authenticated themselves to the MTA. Enabling TLS/SSL provides a number of services, including confidentiality, integrity protection and strong authentication.

DESCRIPTION:

This document describes an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet. This gives SMTP agents the ability to protect some or all of their communications from eavesdroppers and attackers. [See ftp://ftp.isi.edu/in-notes/rfc2487.txt]

The entire procedure for enabling SSL/TLS support in Sendmail can be summarized like this:

(1) Build RPMS for Sendmail 8.11.x with SMTP AUTH+SSL/TLS support
(2) Configure Sendmail to use STARTTLS
(3) Generate SSL certificates for Sendmail without DES encryption
(4) Configure mail clients to use authentication for SMTP over SSL/TLS encryption

REQUIREMENTS:

For RHL 7.1:

    Sendmail    ( RHL 7.1 )
    Openssl     ( RHL 7.1 )
    cyrus-sasl  ( RHL 7.1 )
    Sfio        ( rpmfind.net recompiled )

For 6.2:

Start with a fully updated RHL 6.2 installation.
    Sendmail SRPM   ( RHL 7.1 recompiled )
    Openssl095a     ( RHL 7.1 recompiled )
    Openssl-0.9.6   ( RHL 7.1 recompiled )
    cyrus-sasl      ( RHL 7.1 recompiled )
    Sfio            ( rpmfind.net recompiled )

Wherever possible, I have used SRPMS from 7.1 recompiled for 6.2. It is assumed that you already have a working instance of Sendmail + SMTP AUTH using SASL in place.

INSTALLATION:

RedHat (as of release 7.1) stock Sendmail RPMS do not have SSL/TLS support. We need to build custom RPMS from the stock RHL 7.1 sendmail SRPM.

Step1: Installing the required libraries and devel packages

Install the following packages:

(1) Openssl-*
(2) Sfio
(3) Cyrus-sasl-*
(4) Sendmail SRPM from RHL 7.1 Disc #2

Sendmail itself might require other basic devel packages to be installed for compilation. This should be taken care of by the reader as and when the compilation breaks. :)

Step2: Hacking the RedHat Sendmail SRPM to add SSL/TLS

Change to the redhat/SOURCES directory after installing the Sendmail SRPM:

[root@mail] ~# cd /usr/src/redhat/SOURCES/

The "sendmail-8.11.0-redhat.patch" contains the RedHat-specific compile options which will be added to the source tgz during a rebuild. We need to hack this file and add the TLS-specific options. All changes in the patch have to be made in the "redhat.config.m4.redhat" block:

    Add "-DSFIO -DSTARTTLS" to define(`confENVDEF',`xxxx')
    Add "-lssl -lsfio" to define(`confLIBS',`xxxx')
    Add "+define(`confSTDIO_TYPE', `portable')" as a new define at the end.

sendmail-8.11.0-redhat.patch should look like this:

--- sendmail-8.10.0/redhat.config.m4.redhat Thu Mar 9 15:08:16 2000
+++ sendmail-8.10.0/redhat.config.m4 Thu Mar 9 15:08:16 2000
@@ -0,0 +1,10 @@
+define(`confMAPDEF', `-DNEWDB -DNIS -DMAP_REGEX -DLDAPMAP')
+define(`confENVDEF', `$(RPM_OPT_FLAGS) -DXDEBUG=0 -DTCPWRAPPERS -DSASL -DSFIO -DSTARTTLS')
+define(`confLIBS', `-lnsl -lwrap -lldap -llber -lsasl -lcrypt -lgdbm -lssl -lsfio')
+define(`confLDOPTS', `-s')
+define(`confMANOWN', `root')
+define(`confMANGRP', `root')
+define(`confMANMODE', `644')
+define(`confMAN1SRC', `1')
+define(`confMAN5SRC', `5')
+define(`confMAN8SRC', `8')
+define(`confSTDIO_TYPE', `portable')

Step3: Build RPMS

[root@mail] ~# cd /usr/src/redhat/SPECS/
[root@mail] ~# rpm -ba sendmail.spec

The stock Sendmail will now include TLS support during the compile. Sample compile snip:

cc -O -I. -I../../sendmail -I../../include -DNEWDB -DNEWDB -DNIS -DMAP_REGEX -DLDAPMAP -O2 -march=i386 -mcpu=i686 -DUSE_VENDOR_CF_PATH=1 -DXDEBUG=0 -DTCPWRAPPERS -DSASL -DSFIO -DSTARTTLS -DNOT_SENDMAIL -c -o smdb.o smdb.c

NOTE: If you want to create the RPM as "sendmail-tls" and not "sendmail", see the end of this section.

Make sure that you see "-DSFIO -DSTARTTLS" during the compilation process.

sfio.h not found:

sendmail.h:33:25: sfio/stdio.h: No such file or directory
In file included from sendmail.h:53,
                 from main.c:29:
../../include/sendmail/sendmail.h:21:25: sfio/stdio.h: No such file or directory

Sendmail compiles would break for me with a missing "sfio.h not found" error even with the Sfio RPM installed. To fix the problem, create a symlink /usr/include/sfio.h pointing to /usr/include/sfio/sfio.h:

[root@mail] ~# ln -sfv /usr/include/sfio/sfio.h /usr/include/sfio.h

Step4: Install the new Sendmail-TLS RPMS

[root@mail] ~# cd /usr/src/redhat/RPMS/i386
[root@mail] ~# rpm -ivh --nodeps sendmail*.rpm    ( or -Uvh as the case may be )

Creating Sendmail-tls RPM:
==========================

UPDATE: The primary intention of creating "sendmail-tls" is to prevent accidental overwrites during automatic package upgrades.
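Review bot: in the sendmail-8.11.0-redhat.patch listing in Step2 above, the hunk header "@@ -0,0 +1,10 @@" still counts 10 added lines, but after appending "+define(`confSTDIO_TYPE', `portable')" the hunk carries 11 "+" lines. patch uses that count to decide where the hunk ends, so the appended line is not applied as part of the hunk (and the leftover line can be reported as malformed input); change the header to "@@ -0,0 +1,11 @@" when adding the define, and run "patch --dry-run" against the unpacked sendmail tree with the same -p level the spec file uses before starting rpm -ba, so that the build is not silently compiled without confSTDIO_TYPE.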
However, RedHat's "up2date" will force-replace sendmail-tls with the latest version of RedHat's sendmail and thus break packages. Basically, you are screwed if you use RedHat's update tools. Stick to manual upgrade methods and things should be fine.

You might want to name the TLS sendmail "sendmail-tls" for the following reasons:

- To prevent accidental overwrite of sendmail-tls with sendmail during a system package upgrade
- To clearly identify that the version of sendmail installed is TLS capable

Step1: Changing references to the "sendmail" package to "sendmail-tls" in the SPEC file

# cd /usr/src/redhat/SPECS

Edit sendmail.spec and make the following changes:

Change:
    Name: sendmail
To:
    Name: sendmail-tls

Change:
    Source0: ftp://ftp.cs.berkeley.edu/ucb/sendmail/sendmail.%{version}.tar.gz
To:
    Source0: ftp://ftp.cs.berkeley.edu/ucb/sendmail/sendmail-tls.%{version}.tar.gz

Step2: Renaming sendmail.8.x.xx.tar.gz to sendmail-tls.8.x.xx.tar.gz

The sendmail tar-ball will have to be renamed with the "-tls" extension under the redhat/SOURCES directory (the unpacked directory is renamed too, and then re-packed under the new name):

# cd /usr/src/redhat/SOURCES
# tar zxvf sendmail.8.x.x.tar.gz
# mv sendmail.8.x.x/ sendmail-tls.8.x.x/
# tar zcvf sendmail-tls.8.x.x.tar.gz sendmail-tls.8.x.x/

Now go ahead with the compile after making the other changes to the sendmail-redhat patch.
CONFIGURATION:

Step1: Adding the SSL certificates to the sendmail .mc file

Edit the Sendmail .mc file and add the following lines to it:

[root@mail] ~# cd /usr/share/sendmail-cf/cf
[root@mail] ~# vim redhat.mc

-- redhat.mc --
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/CAcert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/MYcert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/MYkey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/MYkey.pem')dnl
-- redhat.mc --

Uncomment these too (near line 25), or add them, if you have not already added SMTP AUTH support to the redhat.mc file:

-- redhat.mc --
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
-- redhat.mc --

Step2: Generate a new sendmail.cf file

[root@mail] ~# m4 redhat.mc > /etc/sendmail.cf

Step3: Create /etc/mail/certs to hold the SSL certificates

[root@mail] ~# cd /etc/mail
[root@mail] ~# mkdir certs
[root@mail] ~# chmod 700 certs

Step4: Create SSL certificates

[root@mail] ~# cd /usr/share/ssl/misc

Sendmail 8.11 cannot understand DES-encrypted (passphrase-protected) certificates and keys. We need to disable the DES encryption, which the "-nodes" option of openssl req does. Copy the CA script and add "-nodes" to both req invocations:

[root@mail] ~# cp CA CA-nodes
[root@mail] ~# vim CA-nodes

-- CA-nodes --
# create a certificate
$REQ -new -x509 -nodes -keyout newreq.pem -out newreq.pem $DAYS
[..]
# create a certificate request
$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
-- CA-nodes --

SSL CERTIFICATES:

We need to do the following now:

(1) Create a new (dummy) SSL certificate (without DES encryption)
(2) Generate a private key
(3) Sign the dummy certificate using the private key
(4) Copy the 3 .pem files to /etc/mail/certs/

Create a new SSL certificate and copy it to /etc/mail/certs as CAcert.pem:

[root@mail] ~# ./CA-nodes -newca
[root@mail] ~# cp demoCA/cacert.pem /etc/mail/certs/CAcert.pem

Generate the server's private key and copy it to /etc/mail/certs as MYkey.pem:

[root@mail] ~# ./CA-nodes -newreq
[root@mail] ~# cp newreq.pem /etc/mail/certs/MYkey.pem

Sign the certificate and copy it to /etc/mail/certs as MYcert.pem:

[root@mail] ~# ./CA-nodes -sign
[root@mail] ~# cp newcert.pem /etc/mail/certs/MYcert.pem

Make the mail/certs directory readable by its owner only:

[root@mail] ~# chmod -R go-rwx /etc/mail/certs

Restart sendmail:

[root@mail] ~# service sendmail stop
[root@mail] ~# killall -9 sendmail
[root@mail] ~# service sendmail start

Check the mail logs for sendmail errors.

* NOTE *

- Make sure that the "-nodes" option comes *before* "-keyout" :)
- Sendmail is picky about permissions. Make sure the certs have 0600 perms.
- If you don't pass the -nodes option while creating the certs, sendmail will fail to load the keys.
- There is no "cert.pem" (O ClientCertFile=/etc/mail/certs/cert.pem). AFAIK, this is like a public key/private key thingy which one can use for "password-less" authentication like in SSH.
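The two pitfalls in the NOTE above (a key generated without -nodes, and certs with permissions looser than 0600) can be caught before sendmail is restarted. The following pre-flight check is an added example, not part of the original HOWTO or of sendmail; it assumes the file names that redhat.mc above points at (CAcert.pem, MYcert.pem, MYkey.pem) and the author's 0700 directory / 0600 file layout, and it recognises a passphrase-protected key by the PEM headers OpenSSL writes for one ("Proc-Type: 4,ENCRYPTED" plus a "DEK-Info:" line, or the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" form).

```python
"""Pre-flight check for /etc/mail/certs (added example, not from the HOWTO)."""
import os
import stat
import sys

# File names sendmail is told about in redhat.mc (taken from the HOWTO).
CERT_FILES = ("CAcert.pem", "MYcert.pem", "MYkey.pem")
# Of those, the ones that must hold an *unencrypted* private key.
KEY_FILES = ("MYkey.pem",)

# Markers OpenSSL writes into a PEM file when the key is passphrase-protected.
# The Proc-Type/DEK-Info pair is what "openssl req" without -nodes produces;
# the third form is the PKCS#8 variant.
ENCRYPTED_MARKERS = (
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info:",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",
)


def key_is_encrypted(pem_text):
    """True if the PEM text carries any passphrase-encryption marker."""
    return any(marker in pem_text for marker in ENCRYPTED_MARKERS)


def check_cert_dir(cert_dir="/etc/mail/certs"):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    if not os.path.isdir(cert_dir):
        return ["%s does not exist" % cert_dir]

    # Directory: the HOWTO does chmod 700, so any group/other bit is a finding.
    dir_mode = stat.S_IMODE(os.stat(cert_dir).st_mode)
    if dir_mode & 0o077:
        problems.append("%s is mode %04o, expected 0700" % (cert_dir, dir_mode))

    for name in CERT_FILES:
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path):
            problems.append("%s is missing" % path)
            continue
        # Files: sendmail wants 0600, i.e. no group/other bits at all.
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            problems.append("%s is mode %04o, expected 0600" % (path, mode))
        if name in KEY_FILES:
            with open(path) as fh:
                text = fh.read()
            # newreq.pem holds "RSA PRIVATE KEY" plus the request; either
            # BEGIN line contains this substring.
            if "PRIVATE KEY-----" not in text:
                problems.append("%s does not contain a PEM private key" % path)
            elif key_is_encrypted(text):
                problems.append(
                    "%s is passphrase-encrypted (re-create it with -nodes)" % path)
    return problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/mail/certs"
    found = check_cert_dir(target)
    for line in found:
        print("PROBLEM: " + line)
    sys.exit(1 if found else 0)
```

Run it as root after the cp and chmod steps (python3 checkcerts.py /etc/mail/certs); an exit status of 1 with a "-nodes" message corresponds to the SSL_CTX_use_PrivateKey_file failure shown in the log excerpt further down, and a permissions message corresponds to the 0600 note.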
Sendmail error in /var/log/messages while loading keys encrypted *with* DES:

Aug 17 11:55:57 monster sendmail: TLS: error: srv: SSL_CTX_use_PrivateKey_file(/etc/mail/certs/MYkey.pem) failed
Aug 17 11:55:57 monster sendmail: TLS: error: PEM routines:DEF_CALLBACK:problems getting password:pem_lib.c:114:
Aug 17 11:55:57 monster sendmail: TLS: error: PEM routines:PEM_do_header:bad password read:pem_lib.c:430:
Aug 17 11:55:57 monster sendmail: TLS: error: SSL routines:SSL_CTX_use_PrivateKey_file:missing asn1 eos:ssl_rsa.c:707:

Sendmail error in /var/log/messages while starting sendmail with TLS *not* compiled in:

Aug 17 09:32:25 monster sendmail: Warning: Option: CACERTPath requires TLS support
Aug 17 09:32:25 monster sendmail: Warning: Option: CACERTFile requires TLS support
Aug 17 09:32:25 monster sendmail: Warning: Option: ServerCertFile requires TLS support
Aug 17 09:32:25 monster sendmail: Warning: Option: Serverkeyfile requires TLS support
Aug 17 09:32:25 monster sendmail: Warning: Option: ClientCertFile requires TLS support
Aug 17 09:32:25 monster sendmail: Warning: Option: Clientkeyfile requires TLS support
Aug 17 09:32:25 monster sendmail: Warning: Option: CACERTPath requires TLS support
Aug 17 09:32:25 monster sendmail: Warning: Option: CACERTFile requires TLS support
Aug 17 09:32:25 monster sendmail: Warning: Option: ServerCertFile requires TLS support
Aug 17 09:32:25 monster sendmail: Warning: Option: Serverkeyfile requires TLS support
Aug 17 09:32:25 monster sendmail: Warning: Option: ClientCertFile requires TLS support
Aug 17 09:32:25 monster sendmail: Warning: Option: Clientkeyfile requires TLS support
Aug 17 09:32:25 monster sendmail: sendmail startup succeeded

TESTING:

Step1: Basic testing

Telnet to port 25 and type in "ehlo there". Sendmail will list the features it supports, and "STARTTLS" should be among them. If it *is* listed, type "STARTTLS" and you will be greeted with a "Ready to start TLS" reply.

[root@mail] ~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 foobar.com ESMTP Sendmail 8.11.2/8.11.2; 17 Aug 2001 15:26:04 +0530
ehlo there
250-foobar.com Hello IDENT:root@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS

Step2: Mail client settings for Outlook

It is assumed that you have already set up your client for SMTP AUTH.

1. Click Tools -> Mail -> Select Account -> Servers Tab -> Outgoing mail server -> Advanced
2. Click the "Use SSL for SMTP" check box. The SMTP port should be set to port 25.

You will be prompted to accept the SSL certificate when you send the mail.

Step3: Mail client settings for Netscape Messenger

It is assumed that you have already set up your client for SMTP AUTH.

1. Edit -> Preferences -> Mail Servers. Enable "Use Secure Socket Layer (SSL) or TLS for outgoing messages".

Step4: Unix Mailers

Neither Mutt nor Pine can do SSL/TLS. SSL/TLS functionality for Pine is expected only in version 4.40.

LOGS:

Here is a log snippet from a successful SSL/TLS connection for SMTP relay:

Aug 17 12:26:18 monster sendmail: TLS: connection from shanu@godzilla.foobar.com [192.168.1.24], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5,bits=128

This shows that a TLS connection was established with 128-bit encryption using RC4-MD5 as the cipher.
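The telnet test in Step1, the error lines from /var/log/messages above and the "TLS: connection from" log line can all be handled by a small script instead of by eye. The following is an added example, not part of the original HOWTO or of sendmail: parse_ehlo() reads an EHLO reply like the transcript above (the sample reply is copied from it), probe_starttls() repeats the telnet session against a live server with Python's smtplib and reports the negotiated cipher (the host and port are whatever you pass in; it disables certificate verification because the HOWTO's certificates are self-signed), and classify_log_line() turns the three kinds of log line shown above into a verdict a log monitor can act on, with the 128-bit figure from the HOWTO as the minimum acceptable key length.

```python
"""STARTTLS checks for the sendmail setup above (added example, not from the HOWTO)."""
import re
import smtplib
import ssl

# EHLO reply from the HOWTO's telnet session (copied from the page).
SAMPLE_EHLO = """250-foobar.com Hello IDENT:root@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP"""


def parse_ehlo(reply):
    """Map each advertised ESMTP keyword to its parameter list."""
    ext = {}
    for line in reply.splitlines()[1:]:      # line 0 is the greeting
        body = line[4:].strip()              # drop the "250-" / "250 " prefix
        if not body:
            continue
        words = body.split()
        ext[words[0].upper()] = words[1:]
    return ext


def starttls_offered(reply):
    return "STARTTLS" in parse_ehlo(reply)


def auth_mechanisms(reply):
    return parse_ehlo(reply).get("AUTH", [])


def probe_starttls(host, port=25, timeout=10):
    """Connect, EHLO and, if STARTTLS is offered, negotiate TLS.

    Returns (offered, cipher_name, bits); needs a live server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # self-signed cert per the HOWTO
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return (False, None, 0)
        smtp.starttls(context=ctx)
        name, _version, bits = smtp.sock.cipher()
        return (True, name, bits)


# Matches the "TLS: connection from ..." line sendmail logs on each session.
TLS_CONN = re.compile(
    r"TLS: connection from (?P<peer>.+?), version=(?P<version>\S+), "
    r"verify=(?P<verify>\S+), cipher=(?P<cipher>[^,]+),\s*bits=(?P<bits>\d+)")


def classify_log_line(line, min_bits=128):
    """Return (verdict, fields) for one /var/log/messages line.

    verdict is "error" for the two failure modes shown in the HOWTO,
    "ok" / "weak" for a session line (weak = fewer than min_bits), and
    "ignore" for anything else."""
    if "requires TLS support" in line:
        return ("error", {"reason": "sendmail was built without STARTTLS"})
    if "SSL_CTX_use_PrivateKey_file" in line and "failed" in line:
        return ("error", {"reason": "server key not loaded (encrypted key or bad permissions)"})
    m = TLS_CONN.search(line)
    if not m:
        return ("ignore", {})
    fields = m.groupdict()
    fields["bits"] = int(fields["bits"])
    verdict = "ok" if fields["bits"] >= min_bits else "weak"
    return (verdict, fields)


if __name__ == "__main__":
    import sys
    # Usage: python3 tlscheck.py HOST [PORT]   (probe a live server)
    #        python3 tlscheck.py < /var/log/messages   (classify log lines)
    if len(sys.argv) > 1:
        print(probe_starttls(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
    else:
        for raw in sys.stdin:
            verdict, fields = classify_log_line(raw.rstrip("\n"))
            if verdict != "ignore":
                print(verdict, fields)
```

The "verify" field in a session line is passed through rather than judged: the HOWTO's relay setup authenticates the user with SASL, so "verify=NO" (no client certificate presented) is the expected value there, and a site that relies on client certificates instead would alert on anything other than "OK".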
And the headers from a mail relayed using SMTP AUTH + TLS:

Return-Path:
Received: from localhost (localhost.localdomain [127.0.0.1])
        by foobar.com (8.11.2/8.8.7) with ESMTP id f7H6uif31018
        for ; Fri, 17 Aug 2001 12:26:44 +0530
Received: from premium.foobar.com [203.197.173.224]
        by localhost with POP3 (fetchmail-5.7.4)
        for foouser@localhost (single-drop); Fri, 17 Aug 2001 12:26:44 +0530+(IST)
Received: from foobar.com ([202.4.185.25])
        by premium.foobar.com (8.10.0/8.10.0) with ESMTP id f7H6wlC05143
        for ; Fri, 17 Aug 2001 12:28:49 +0530
Received: from foobar.com (shanu@godzilla.foobar.com [192.168.1.24])
        (authenticated (0 bits))
        by foobar.com (8.11.2/8.11.2) with ESMTP id f7H6uGv12261
        (using TLSv1/SSLv3 with cipher RC4-MD5 (128 bits) verified NO)
        for ; Fri, 17 Aug 2001 12:26:18 +0530
Sender: shanu@foobar.com
Message-ID: <3B7CC021.83176F11@foobar.com>
Date: Fri, 17 Aug 2001 12:26:33 +0530
From: Shanker Balan
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.8-xfs i686)
X-Accept-Language: en
MIME-Version: 1.0
To: foouser
Subject: Test TLS/SSL
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

FILES:

/usr/share/sendmail-cf/cf/redhat.mc
/etc/mail/certs/CAcert.pem
/etc/mail/certs/MYcert.pem
/etc/mail/certs/MYkey.pem
/usr/src/redhat/SOURCES/sendmail-8.11.0-redhat.patch
/usr/share/ssl/misc/CA
/usr/share/ssl/misc/CA-nodes

RPMS:

All RPMS from RHL 7.1 except those specified.

sendmail-8.11.2-14.src.rpm
sendmail-doc-8.11.2-14.src.rpm
sendmail-cf-8.11.2-14.src.rpm
sfio-1999-2.i386.rpm ( RpmFind )
openssl-devel-0.9.6-3
openssl-perl-0.9.6-3
openssl095a-0.9.5a-1
openssl-python-0.9.6-3
openssl-0.9.6-3
cyrus-sasl-gssapi-1.5.24-17
cyrus-sasl-1.5.24-17
cyrus-sasl-devel-1.5.24-17

SEE ALSO:

1. Linux Journal: Securing Sendmail with TLS
   http://noframes.linuxjournal.com/articles/misc/0049.html
2. SMTP STARTTLS in sendmail 8.11/Secure Switch
   http://www.sendmail.org/~ca/email/starttls.html
3. Compiling STARTTLS in sendmail 8.11
   http://www.sendmail.org/~ca/email/tlscomp.html
4. Configuring Sendmail's STARTTLS (SSL) and Relaying
   http://xi.nu/~jheiss/sendmail/tlsandrelay.shtml

Acknowledgements:

Jose Nazario, who explained some doubts I had on the TCP service port for SMTP+SSL.

Author: Shanker Balan
http://shankerbalan.com/