Securing Sendmail

I recently needed to setup TLS for my company’s email server. My primary goal was to reconfigure our sendmail server to negotiate TLS with other email servers that supported it. This would allow us to send secure information via email to companies that also supported email over TLS.

The first step was to generate certificates. This is easily done with openssl. I already have a key and scripts setup to generate cert requests with all necessary info filled in. The script looks something like this:

#!/bin/bash
read -p "Hostname: " hostname
openssl req -new -nodes -days 365 -key company.key -config csr_config -out $hostname.csr

Take the output from that certificate request and provide it to your favorite signer to get a signed certificate. Take the key you used to generate the request and the signed certificate and put it somewhere on your server, say /etc/ssl/crt. Also make sure to put the cacerts bundle, or signing certificate chain, in that directory (or any other for that matter).

Next step is to configure sendmail. The following are the changes I needed to make to my sendmail.mc file under /etc/mail:

define(confTLS_SRV_OPTIONS', V')dnl
define(confAUTH_OPTIONS', A p y')dnl
define(CERT_DIR', /etc/ssl/crt')dnl
define(confCACERT',CERT_DIR/cacerts.crt')dnl
define(confCACERT_PATH', CERT_DIR/cacerts')dnl
define(confSERVER_CERT',CERT_DIR/your_signed_cert.crt')dnl
define(confSERVER_KEY',CERT_DIR/your_key.key')dnl
define(confCLIENT_CERT',CERT_DIR/your_signed_cert.crt')dnl
define(confCLIENT_KEY',CERT_DIR/your_key.key')dnl
define(confDONT_BLAME_SENDMAIL',groupreadablekeyfile')dnl

Most of that config points sendmail to your keys and certificates to be used for server and client mode. The line

define(confAUTH_OPTIONS', A p y’)dnl

tells sendmail to perform smtp authentication after TLS negotiation has completed. The line

define(confTLS_SRV_OPTIONS', V’)dnl

tells sendmail to skip requests for clients’ certificates.

I would like to thank this site and this site for that helpful information.

Next, recompile the config file and restart sendmail with make -C /etc/mail
service sendmail restart

You can test your server using openssl:
openssl s_client -connect localhost:25 -CAfile /etc/ssl/crt/cacerts.crt -starttls smtp

You should see “Verify return code: 0 (ok)” near the end of the output. Type “quit” to end the communication.

To test that sendmail will communicate properly as a client with another server, you can use the great site test.smtp.org.

Leave a Reply

Your email address will not be published. Required fields are marked *