1. Create a certificate directory and go there:
# mkdir /etc/mail/cert
# cd /etc/mail/cert
2. Create a key for the server, giving a new pass phrase when prompted:
# openssl genrsa -des3 -out server.key 1024
3. Create a clear-text copy of the key (so it is not pass-phrase-protected), giving the pass phrase when asked:
# openssl rsa -in server.key -out server.key.open
4. Create a self-signed certificate from the clear-text key, valid for ten years, answering the X.509v3 questions appropriately:
# openssl req -new -x509 -days 3650 -key server.key.open -out server.crt
5. Make the files root-read-only:
# chmod 600 server.*
6. Edit /etc/mail/sendmail.cf and add these lines. You should find commented-out versions of these settings in the file, maybe about a third of the way through it.
O CACertPath=/etc/mail/cert
O CACertFile=/etc/mail/cert/server.crt
O ServerCertFile=/etc/mail/cert/server.crt
O ServerKeyFile=/etc/mail/cert/server.key.open
O ClientKeyFile=/etc/mail/cert/server.crt
7. Restart sendmail:
# /etc/init.d/sendmail restart
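Steps 1 through 5 above, as a non-interactive shell script with the checks a practitioner would run before pointing sendmail.cf at the files. This is an added example, not a script from the original page: it takes the certificate directory, the certificate subject and the pass phrase (via the CERT_PASS environment variable) from the caller instead of using /etc/mail/cert and interactive prompts, and it defaults to a 2048-bit key because the page's 1024-bit key is below current minimums. The helper names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original page): steps 1-5 without prompts, plus checks
# that the generated files are what sendmail needs. Directory, subject, pass phrase
# (CERT_PASS in the environment) and key size are supplied by the caller.
set -eu

# make_sendmail_cert DIR SUBJECT [BITS]
# Needs CERT_PASS in the environment: the pass phrase protecting server.key.
make_sendmail_cert() {
    dir=$1
    subj=$2
    bits=${3:-2048}
    : "${CERT_PASS:?set CERT_PASS to the pass phrase for server.key}"

    # Step 1: certificate directory, owner-only.
    mkdir -p "$dir"
    chmod 700 "$dir"

    # Step 2: pass-phrase-protected RSA key. The page types the phrase at the prompt;
    # -passout env:CERT_PASS reads it from the environment so this runs unattended.
    openssl genrsa -des3 -passout env:CERT_PASS -out "$dir/server.key" "$bits"

    # Step 3: clear-text copy, the file sendmail actually reads at startup.
    openssl rsa -in "$dir/server.key" -passin env:CERT_PASS -out "$dir/server.key.open"

    # Step 4: self-signed certificate with the page's ten-year lifetime; -subj answers
    # the X.509 questions from the command line instead of interactively.
    openssl req -new -x509 -days 3650 -key "$dir/server.key.open" \
        -subj "$subj" -out "$dir/server.crt"

    # Step 5: readable by the owner only.
    chmod 600 "$dir"/server.*
}

# cert_matches_key DIR: true when server.crt was issued for the key in server.key.open.
# The RSA modulus of each is hashed so the comparison is one short string.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" | openssl dgst -sha256)
    k=$(openssl rsa -noout -modulus -in "$1/server.key.open" | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# key_is_unprotected DIR: true when server.key.open opens with an empty pass phrase.
# sendmail cannot answer a prompt, so the key it is given must be clear text.
key_is_unprotected() {
    openssl rsa -in "$1/server.key.open" -noout -passin pass: 2>/dev/null
}

# perms_private FILE: true when the mode is exactly rw------- (no group/other access).
perms_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# cert_has_cn DIR NAME: true when NAME appears in the certificate subject.
# (Subject formatting differs between OpenSSL versions, so a substring match is used.)
cert_has_cn() {
    openssl x509 -noout -subject -in "$1/server.crt" | grep -q "$2"
}

# Usage (constructed values):
#   CERT_PASS='choose-a-pass-phrase' make_sendmail_cert /etc/mail/cert '/CN=mail.example.com'
#   cert_matches_key /etc/mail/cert && key_is_unprotected /etc/mail/cert && echo ok
```

The two checks worth keeping around are cert_matches_key and key_is_unprotected: a certificate that does not belong to the key, or a key that still carries a pass phrase, are the usual reasons sendmail logs STARTTLS errors after this procedure, and both are caught here before the daemon is restarted.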
You can modify sendmail.mc instead of sendmail.cf, so that your changes survive regenerating sendmail.cf with make. Thanks to Dave Miller for pointing this out:
dnl #
define(`confCACERT_PATH', `/etc/mail/cert')dnl
define(`confCACERT', `/etc/mail/cert/server.crt')dnl
define(`confSERVER_CERT', `/etc/mail/cert/server.crt')dnl
define(`confSERVER_KEY', `/etc/mail/cert/server.key.open')dnl
define(`confCLIENT_KEY', `/etc/mail/cert/server.crt')dnl
dnl #
© Bob Cromwell Feb 2012. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache.