Jonathan Horne wrote:
> I know, slightly off topic, but is *on* a FreeBSD server... right?
>
> My smtp is the only remaining part of my email system that has no encryption
> options, and I think I would like to add TLS (even tho I rarely send smtp
> mail from outside my LAN). My setup is right now fairly basic (only
> includes spamassassin, sasl2, and procmail). Even tho I don't know much about it,
> I say TLS instead of SSL, as I have a few Outlook clients that would surely
> annoy me with 'do you really want to use this certificate', and it would surely be
> each time I sent a mail. I'm also assuming that hopefully TLS might not do
> this.
Adding TLS / SSL capability to the stock FreeBSD sendmail is easy. You need something like the following in your /etc/mail/$(hostname).cf:

    define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
    define(`confCACERT_PATH', `CERT_DIR')dnl
    define(`confCACERT', `CERT_DIR/cacert.pem')dnl
    define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
    define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
    define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
    define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

This defines two keys and certs for sendmail to use -- one set for where sendmail is the server and the other for where it is the client. As shown, you can use the same key and cert for either role, and it will work pretty well all the time. Occasionally however you may run into systems that get snotty about the distinction between client and server certs -- in that case, the STARTTLS negotiation would fail and you'd probably end up sending the message in plain text. That's not a huge disadvantage given that the majority of mail systems on the net don't offer the possibility of TLS in any case.

Unlike e.g. HTTPS, there's no big thing about buying a server cert signed by one of the well known CAs -- TLS is more about anti-snooping than assurance of the other party's identity. While you can get e-mail certs from, e.g., Thawte for free, they are generally aimed at use in e-mail client applications. E-mail servers almost exclusively use self-signed certificates.

To generate a self-signed cert, you can follow the instructions here:

    http://www.sendmail.org/~ca/email/other/cagreg.html

That's a very basic set of instructions. There are some more expansive general instructions on setting up TLS at:

    http://aput.net/~jheiss/sendmail/tlsandrelay.shtml

You don't need to worry about the section of the instructions about compiling sendmail with SSL support -- that's all already enabled in the system sendmail.
> Before I spend hours and hours googling out my instructions on how to do so,
> does the TLS session operate over the standard port 25, or is this what is
> referred to as the smtps port? And if so, can the server accept either
> version over the same port?

E-mails generally use the 'STARTTLS' approach -- that is, you make an initial unencrypted connection on the usual port 25 and then turn that into an encrypted connection over the same port numbers.

There is an alternative approach using port 465, where encryption is assumed from the very beginning (much more like how HTTPS works). This is not used by the majority of MTAs out there on the 'net -- I believe it exists to support certain client software that can't do STARTTLS when submitting new messages. If you're using e.g. Thunderbird, then it supports STARTTLS perfectly well and you only need port 25 -- possibly port 587 if you want to be compliant with RFC 2476.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
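As an added example (not code from the thread, from sendmail, or from the linked guides): a POSIX sh script that produces the cacert.pem, cert.pem and key.pem files the CERT_DIR defines above name, using openssl(1) in the private-CA-then-sign style the reply points to, plus a check that a host really upgrades its plain port 25 or 587 session with STARTTLS. The hostnames are placeholders, and giving the one certificate both the server and client extended key usages is an assumption made here to cover the picky-peer case the reply describes.

```shell
#!/bin/sh
# Added example, not code from the original thread. Creates the three files the
# reply's CERT_DIR defines point at (cacert.pem, cert.pem, key.pem): a private CA
# plus one certificate usable in both sendmail roles, then checks STARTTLS.
# Assumptions: openssl(1) is installed; the hostnames used are placeholders.
set -eu

# make_sendmail_certs DIR HOSTNAME [DAYS]
make_sendmail_certs() {
  dir=$1 host=$2 days=${3:-365}
  mkdir -p "$dir"
  (
    cd "$dir"
    umask 077   # private keys must not be group/world readable or sendmail rejects them
    # 1. Private CA (confCACERT). Explicit CA extensions, so we do not depend on
    #    whatever the system openssl.cnf happens to set.
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > ca.cnf
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> ca.cnf
    openssl genrsa -out cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key cakey.pem -out cacert.pem \
      -config ca.cnf -subj "/CN=$host private CA"
    # 2. Key and request for the MTA itself (confSERVER_KEY / confCLIENT_KEY).
    openssl genrsa -out key.pem 2048 2>/dev/null
    openssl req -new -sha256 -key key.pem -out cert.csr -config ca.cnf -subj "/CN=$host"
    # 3. Sign with both EKUs so peers that insist on the client/server distinction
    #    (the failure case the reply mentions) accept it in either role.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$host" > leaf.cnf
    openssl x509 -req -sha256 -days "$days" -in cert.csr -CA cacert.pem -CAkey cakey.pem \
      -CAcreateserial -out cert.pem -extfile leaf.cnf
    rm -f cert.csr ca.cnf leaf.cnf
    chmod 0644 cacert.pem cert.pem   # the public halves may be world-readable
  )
  # Then on FreeBSD: cd /etc/mail && make && make restart
}

# check_starttls HOST CAFILE [PORT]: confirms the MTA upgrades the plain port 25
# (or 587) session with STARTTLS and that its certificate chains to our cacert.pem.
check_starttls() {
  host=$1 cafile=$2 port=${3:-25}
  printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$host:$port" \
      -CAfile "$cafile" 2>/dev/null \
    | grep -E '^(subject=|issuer=|Verify return code|Protocol)'
}

# Usage on the mail host (uncomment):
# make_sendmail_certs /etc/mail/certs "$(hostname)"
# check_starttls "$(hostname)" /etc/mail/certs/cacert.pem 25
```

A "Verify return code: 0 (ok)" line from check_starttls means the peer presented the cert you installed; anything else means the STARTTLS upgrade failed or a different cert is being served, which is exactly the plain-text fallback the reply warns about.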