
I'm configuring an internal mail network that is supposed to do all the transmission using ssl and I want to have all the encryption done by stunnel. So far I have pop3s, imaps and sendmail in server mode all using ssl encryption provided by stunnel. Is it possible to use stunnel to wrap outgoing connections with ssl encryption?

If so, how do I do this? I'm having difficulties finding a decent tutorial...

As I said in another question here - I'm a developer of an embedded platform - I don't usually configure anything as weird as sendmail...

  • You say "internal mail network". Does that mean that it's *really* internal, and that no one external to your user base will ever send mail to, or receive it from, this server? Or are you hoping to exchange mail, either in- or out-bound, with other mail servers? – MadHatter Nov 03 '10 at 14:12
  • It's REALLY internal - as in not-connected-to-the-internet –  Nov 03 '10 at 14:15
  • Then that begs the question, *what* outgoing connections do you think you'll need to encrypt? What is this server going to connect out to? – MadHatter Nov 03 '10 at 14:41
  • Oh I know what you mean - It's a number of smtp servers connected within an isolated network, but with no connection to the internet. By outgoing connections I meant sendmail connecting to another smtp server in client mode. Hope that's specific enough. Sorry if sometimes I can't express myself clearly - English is not my native language. –  Nov 03 '10 at 14:52

1 Answer


Your explanation is excellent and clear. If sendmail is configured to offer TLS, it is TLS-capable itself, and when connecting to another MTA offering TLS, will automatically negotiate a secure connection. There's a good article on this at http://www.brandonhutchinson.com/Using_TLS_with_Sendmail.html .

My own m4 file says:

dnl TLS support
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

And that, plus a self-signed certificate, was all I needed to make my server TLS-capable. You can test the capability by talking to the MTA and doing an EHLO:

[madhatta@risby tmp]$ telnet www.teaparty.net 25
Trying 193.219.118.100...
Connected to www.teaparty.net.
Escape character is '^]'.
220 : ESMTP banner removed
EHLO me
250-www.teaparty.net Hello (source address deleted), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 14000000
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP

Note the 250-STARTTLS. Once all your sendmail boxes offer that capability, they should all automatically encrypt all inter-server SMTP connections. If you want to go the extra mile, minting your own CA root and installing it on all the servers, and using it to sign each server's certificate, will enable the servers to validate each other's identities when negotiating TLS, which will add to the internal security. Minting and using your own CA is outwith the scope of this answer!

MadHatter
  • Thanks, that got me a few steps further, but still there are some issues. I can't seem to find the ca-bundle.crt file on my system or any .crt file actually. And if I skip this one line I don't see the STARTTLS instruction in ehlo answer. Sendmail seems to have some TLS support though because when I run strings on the binary it has lots of TLS messages it didn't have before. If I add this line to the configuration: "DAEMON_OPTIONS(`Port=ssmtp, Name=TLSMTA, M=s')dnl" (found it somewhere on a mailing list) and try to telnet the 465 port it says: "454 4.3.3 TLS not available: error generating SSL handle". Any help? –  Nov 05 '10 at 11:40
  • For me, it comes as part of the openssl package (openssl-0.9.8e-12.el5_4.6); you have that installed, yes? Even if not, you're running all-internal so you won't be using publicly-verifiable certificates anyway and can probably safely omit the CA-related config. The TLS not available error is more problematic; can you confirm that you have the openssl package installed? – MadHatter Nov 05 '10 at 12:11
  • Yes the openssl libraries are compiled and installed and running sendmail -d0 indicates that it compiled properly with STARTTLS support. Issuing ehlo however does not show the STARTTLS command as available... This is the message it adds to /var/log/mail when I do type STARTTLS anyway: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA –  Nov 05 '10 at 12:40
  • 1) can you confirm the contents of the openssl package (rpm -ql openssl)? 2) does sendmail log anything TLS-related when you start it up? 3) is TLS offered on standard MTA port (telnet server 25 ; ehlo me)? – MadHatter Nov 05 '10 at 13:31
  • While we're at it, you *did* make your server certificate, didn't you? You have an /etc/pki/tls/certs/sendmail.pem , right? – MadHatter Nov 05 '10 at 13:35
  • 1) I compiled it from sources –  Nov 05 '10 at 13:40
  • 2) No it does not –  Nov 05 '10 at 13:41
  • 3) No And as for the certificates I'm using certificates that already exist on the platform. There is the server pem file and key, and there are two directories containing the CA certificates and CRLs. Is that ok? Their paths are correct in the .mc file. –  Nov 05 '10 at 13:42
  • Your certificate sounds fine, so I suppose we must look at the CA file as being the problem. You should be able to find a bundle easily with google, I found one at http://www.certifie.com/ca-bundle/ . Could you try putting that in place and restarting sendmail? Then try "telnet server 25 ; ehlo me" again? – MadHatter Nov 05 '10 at 13:50
  • Nothing changed - still no STARTTLS offered... –  Nov 05 '10 at 14:00
  • Forgive the question, but I'm thinking you also built sendmail from source, right? It was linked against the openssl libraries you built? – MadHatter Nov 05 '10 at 14:34
  • Yes, but now when I checked sendmail's binary with ldd I don't see any openssl libraries linked with it. Does sendmail use the openssl libraries like libdb - only when it needs to? Or should they be linked on compile time? –  Nov 08 '10 at 06:31
  • EDIT: it seems to be statically linked - readelf shows lots of ssl functions –  Nov 08 '10 at 07:04
  • so, what do you get from "ldd /usr/sbin/sendmail"? and have you tried installing a certificate bundle yet? – MadHatter Nov 08 '10 at 09:14
  • Well I found the cause - the .key file I have to use is encrypted with a password, but sendmail did not prompt for it - I have to write my own callback it seems. Thanks for the help! –  Nov 08 '10 at 09:16
  • Oh, nicely done! Sorry not to have been all that helpful; I always store the damn keys unencrypted to avoid exactly this sort of problem (they make unattended reboots a bloody nightmare). – MadHatter Nov 08 '10 at 10:12
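Two checks that follow from the thread, as an added example rather than anything posted above: parsing an EHLO transcript for the 250-STARTTLS line the answer tells you to look for, and detecting the passphrase-protected key that turned out to be the cause in the comments (sendmail never prompts for it, so STARTTLS just disappears from EHLO). The host name, file paths and key bodies are placeholders; the sample files are constructed here so the checks run offline.

```shell
#!/bin/bash
# Added diagnostic helpers, not code from the thread. Assumes bash with grep,
# sed, tr and the openssl CLI; host names, paths and key bodies are placeholders.

# Print the extensions an MTA advertised in a saved EHLO transcript, one per
# line. RFC 5321 multi-line replies use "250-" for continuation lines and
# "250 " for the final line; the first 250 line is the greeting, not an extension.
ehlo_extensions() {
    grep -E '^250[- ]' "$1" | tr -d '\r' | sed -E 's/^250[- ]//' | tail -n +2
}

# Succeed (exit 0) only if STARTTLS is among the advertised extensions.
offers_starttls() {
    ehlo_extensions "$1" | grep -qx 'STARTTLS'
}

# Sendmail does not prompt for a key passphrase, so an encrypted key makes
# STARTTLS silently vanish from EHLO (the root cause found in the comments).
# Succeed if the PEM file is passphrase-protected (legacy or PKCS#8 encoding).
key_is_encrypted() {
    grep -qE '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Live check against a real MTA (placeholder host); openssl performs the
# STARTTLS upgrade and prints the certificate chain the server presented.
live_starttls_check() {
    openssl s_client -starttls smtp -connect "${1:-mta.example.internal}:25" </dev/null
}

# Constructed sample files so the checks can be exercised offline.
make_samples() {
    local d; d=$(mktemp -d)
    printf '%s\n' '220 mta.example.internal ESMTP' 'EHLO me' \
        '250-mta.example.internal Hello me, pleased to meet you' \
        '250-ENHANCEDSTATUSCODES' '250-PIPELINING' '250-8BITMIME' \
        '250-SIZE 14000000' '250-ETRN' '250-STARTTLS' '250-DELIVERBY' \
        '250 HELP' > "$d/with_tls.txt"
    grep -v 'STARTTLS' "$d/with_tls.txt" > "$d/without_tls.txt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,PLACEHOLDER' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$d/encrypted.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$d/plain.key"
    echo "$d"
}
```

Against a real server, save the output of "telnet server 25; ehlo me" to a file and run offers_starttls on it, then key_is_encrypted on the file named in confSERVER_KEY; a protected key is the first thing to rule out when STARTTLS is missing.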