I recently needed to setup TLS for my company’s email server. My primary goal was to reconfigure our sendmail server to negotiate TLS with other email servers that supported it. This would allow us to send secure information via email to companies that also supported email over TLS.
The first step was to generate certificates. This is easily done with openssl. I already have a key and scripts setup to generate cert requests with all necessary info filled in. The script looks something like this:
read -p "Hostname: " hostname
openssl req -new -nodes -days 365 -key company.key -config csr_config -out $hostname.csr
Take the output from that certificate request and provide it to your favorite signer to get a signed certificate. Take the key you used to generate the request and the signed certificate and put it somewhere on your server, say /etc/ssl/crt. Also make sure to put the cacerts bundle, or signing certificate chain, in that directory (or any other for that matter).
Next step is to configure sendmail. The following are the changes I needed to make to my sendmail.mc file under /etc/mail:
confAUTH_OPTIONS', A p y')dnl
Most of that config points sendmail to your keys and certificates to be used for server and client mode. The line
confAUTH_OPTIONS', A p y’)dnl
tells sendmail to perform smtp authentication after TLS negotiation has completed. The line
tells sendmail to skip requests for clients’ certificates.
Next, recompile the config file and restart sendmail with
make -C /etc/mail
service sendmail restart
You can test your server using openssl:
openssl s_client -connect localhost:25 -CAfile /etc/ssl/crt/cacerts.crt -starttls smtp
You should see “Verify return code: 0 (ok)” near the end of the output. Type “quit” to end the communication.
To test that sendmail will communicate properly as a client with another server, you can use the great site test.smtp.org.