How to make sendmail use SSL/TLS whenever possible

  1. Create a certificate directory and go there:
    # mkdir /etc/mail/cert
    # cd /etc/mail/cert
  2. Create a key for the server, giving a new pass phrase when prompted:
    # openssl genrsa -des3 -out server.key 1024
  3. Create a clear-text copy of the key (so it is not pass-phrase-protected), giving the pass phrase when asked:
    # openssl rsa -in server.key -out server.key.open
  4. Create a self-signed certificate from the clear-text key, answering the X.509v3 questions appropriately:
    # openssl req -new -x509 -days 3650 -key server.key.open -out server.crt
  5. Make the files readable and writable by root only:
    # chmod 600 server.*
  6. Edit /etc/mail/sendmail.cf and add these lines. You should find commented-out versions of these settings in the file, maybe about a third of the way through it.
    O CACertPath=/etc/mail/cert
    O CACertFile=/etc/mail/cert/server.crt
    O ServerCertFile=/etc/mail/cert/server.crt
    O ServerKeyFile=/etc/mail/cert/server.key.open
    O ClientCertFile=/etc/mail/cert/server.crt
    O ClientKeyFile=/etc/mail/cert/server.key.open
  7. Restart sendmail:
    # /etc/init.d/sendmail restart
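
A pre-restart check for steps 5 and 6, as an added example that is not part of the original page: it reads the certificate and key options from a sendmail.cf and flags a key option that points at a certificate, a key that is still pass-phrase-protected, and a key file accessible beyond its owner. The function names and the script name are hypothetical; it inspects PEM headers only and does not verify that the key and certificate belong together.

```shell
#!/bin/sh
# Added example: sanity-check the TLS file options in a sendmail.cf.
# Usage: sh check_sendmail_tls.sh /etc/mail/sendmail.cf  (script name is hypothetical)

# Print the last value assigned to option $2 in cf file $1 (empty if unset).
cf_option() {
    sed -n "s/^O[[:space:]][[:space:]]*$2=//p" "$1" | tail -n 1
}

# Succeed if file $1 has no group/other permission bits (e.g. mode 600).
owner_only() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Check each certificate/key option; print findings, return 1 on any problem.
check_sendmail_tls() {
    cf=$1; rc=0
    for opt in CACertFile ServerCertFile ClientCertFile ServerKeyFile ClientKeyFile; do
        path=$(cf_option "$cf" "$opt")
        if [ -z "$path" ]; then
            echo "WARN $opt is not set"; rc=1; continue
        fi
        if [ ! -r "$path" ]; then
            echo "FAIL $opt: cannot read $path"; rc=1; continue
        fi
        case $opt in
        *KeyFile)
            # A key option must name a PEM private key, not a certificate.
            if ! grep -q 'PRIVATE KEY-----' "$path"; then
                echo "FAIL $opt: $path is not a PEM private key"; rc=1
            # Both traditional and PKCS#8 encrypted keys carry this marker.
            elif grep -q 'ENCRYPTED' "$path"; then
                echo "FAIL $opt: $path is pass-phrase-protected"; rc=1
            fi
            if ! owner_only "$path"; then
                echo "FAIL $opt: $path is accessible to group or others"; rc=1
            fi ;;
        *CertFile)
            if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$path"; then
                echo "FAIL $opt: $path is not a PEM certificate"; rc=1
            fi ;;
        esac
    done
    return $rc
}

if [ $# -gt 0 ]; then check_sendmail_tls "$1"; fi
```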

© Bob Cromwell Jul 2008. Created with /bin/vi, hosted on OpenBSD with Apache.