Difference between revisions of "TLS certificate for sendmail"

Latest revision as of 20:59, 11 November 2021

Getting the certificate:

apt install certbot
certbot certonly --webroot
#domain name: pomo.komputilo.org
#webroot for pomo: directory apache serves for http://pomo.komputilo.org

To install the certificate in sendmail, insert into /etc/mail/sendmail.mc (partially copied from [https://www.sendmail.org/~ca/email/starttls.html sendmail.org] and [https://community.letsencrypt.org/t/letsencrypt-and-sendmail/24885/2 letsencrypt.org]):

define(`confCACERT_PATH',  `/etc/letsencrypt/live/pomo.komputilo.org')dnl
define(`confCACERT',       `/etc/letsencrypt/live/pomo.komputilo.org/chain.pem')dnl
define(`confSERVER_CERT',  `/etc/letsencrypt/live/pomo.komputilo.org/cert.pem')dnl
define(`confSERVER_KEY',   `/etc/letsencrypt/live/pomo.komputilo.org/privkey.pem')dnl
define(`confCLIENT_CERT',  `/etc/letsencrypt/live/pomo.komputilo.org/cert.pem')dnl
define(`confCLIENT_KEY',   `/etc/letsencrypt/live/pomo.komputilo.org/privkey.pem')dnl
define(`confAUTH_OPTIONS', `A p y')dnl

After changing the sendmail.mc file, run

cd /etc/mail
make
/etc/init.d/sendmail reload

Note that this fails at first: sendmail refuses to load /etc/letsencrypt/archive/pomo.komputilo.org/privkey1.pem (the file behind the live/ symlink) because it is group- and world-readable. chmod follows the symlink, so fixing the live/ path fixes the archive/ file:

chmod 0600 /etc/letsencrypt/live/pomo.komputilo.org/privkey.pem

To test:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 pomo.komputilo.org ESMTP Sendmail 8.15.2/8.15.2/Debian-8; Sat, 18 Apr 2020 10:31:08 +0200; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]

Issue the ehlo localhost command, and check the response for '250-STARTTLS':

ehlo localhost
250-pomo.komputilo.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
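The telnet session above checks for 250-STARTTLS by eye. The following added script (not from the page) does the same check programmatically with smtplib, then completes the STARTTLS handshake with chain and hostname verification and reports how many days the presented certificate has left. SAMPLE_EHLO is a constructed copy of the reply shown above; the host name, port and the 14-day threshold are assumptions.

```python
import smtplib
import ssl
import time

# Constructed sample of the EHLO reply above, in the shape smtplib.SMTP.ehlo()
# returns it: (code, bytes), one keyword per line after the greeting line.
SAMPLE_EHLO = (250, b"pomo.komputilo.org Hello localhost [127.0.0.1], pleased to meet you\n"
                    b"ENHANCEDSTATUSCODES\nPIPELINING\n8BITMIME\nSIZE\n"
                    b"AUTH DIGEST-MD5 CRAM-MD5\nSTARTTLS\nDELIVERBY\nHELP")


def parse_ehlo(reply):
    """Return the set of EHLO keywords (upper-cased) advertised in an ehlo() reply."""
    code, msg = reply
    if code != 250:
        return set()
    lines = msg.decode("ascii", "replace").splitlines()[1:]  # drop the greeting line
    return {line.split()[0].upper() for line in lines if line.strip()}


def offers_starttls(reply):
    """The check the telnet session does by eye: is 250-STARTTLS present?"""
    return "STARTTLS" in parse_ehlo(reply)


def days_until_expiry(cert, now_ts=None):
    """Whole days left on a cert dict as returned by SSLSocket.getpeercert()."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)


def check_server(host="pomo.komputilo.org", port=25, min_days=14):
    """Connect, require STARTTLS, verify chain and hostname against the system CA
    store, and flag a certificate close to expiry. Returns a list of findings."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        if not offers_starttls(smtp.ehlo("checker.example")):
            return ["server does not advertise STARTTLS"]
        try:
            smtp.starttls(context=ctx)
        except (ssl.SSLError, smtplib.SMTPException) as exc:  # bad chain, or a 4xx reply
            return [f"TLS handshake failed: {exc}"]
        left = days_until_expiry(smtp.sock.getpeercert())  # sock is now the SSLSocket
    return [f"certificate expires in {left} days"] if left < min_days else []


if __name__ == "__main__":
    print(check_server() or "OK")
```

Run it from a host that can reach port 25; a server whose key sendmail could not load will usually fail the first check because STARTTLS is not advertised at all.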

To retrieve the certificate that the server actually presents (see [https://cromwell-intl.com/open-source/sendmail-ssl.html here]):

openssl s_client -connect pomo.komputilo.org:465 -tls1_2

Related to the [http://www.antradar.com/blog-fixing-gmails-tls-negotiation-failed-error-2020 Gmail "TLS negotiation failed"] error.

Sendmail file permissions

certbot stores all cert files with group/other read permission. This is OK as far as certbot is concerned, since they sit in a directory that only the owner can access, but sendmail still doesn't trust it and fails to load the cert files. Currently I'm trying to fix this with:

cat /etc/systemd/system/certbot.service

[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStartPre=/usr/bin/certbot -q renew
ExecStart=/bin/chmod -R og-r /etc/letsencrypt/archive/
ExecStartPost=/usr/sbin/service sendmail restart
PrivateTmp=true
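The unit above tightens permissions after every renewal. The following added script (not from the page) audits the same condition the other way round: it resolves each live/<domain>/privkey.pem symlink into archive/ and reports, or optionally fixes, keys that are group- or world-readable. build_demo_tree() creates a constructed stand-in for certbot's layout so the check can be tried without touching /etc/letsencrypt.

```python
import os
import stat
import tempfile


def key_is_private(path):
    """True if the file behind `path` is readable by neither group nor others.
    os.stat follows symlinks, so live/.../privkey.pem is judged by the archive/ file."""
    return (os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def harden_key(path, dry_run=False):
    """Return (real path, whether a change was needed); chmod 0600 unless dry_run."""
    real = os.path.realpath(path)
    needed = not key_is_private(real)
    if needed and not dry_run:
        os.chmod(real, 0o600)
    return real, needed


def audit_live_dir(live_dir, fix=False):
    """Check privkey.pem in each live/<domain>/ and return {archive path: needed_change}."""
    report = {}
    for entry in sorted(os.scandir(live_dir), key=lambda e: e.name):
        key = os.path.join(entry.path, "privkey.pem")
        if entry.is_dir() and os.path.exists(key):
            real, needed = harden_key(key, dry_run=not fix)
            report[real] = needed
    return report


def build_demo_tree():
    """Constructed stand-in for /etc/letsencrypt: archive/<domain>/privkey1.pem left
    0644 as certbot does, behind a live/<domain>/privkey.pem symlink. Returns live/."""
    base = tempfile.mkdtemp(prefix="letsencrypt-demo-")
    domain = "pomo.komputilo.org"
    os.makedirs(os.path.join(base, "archive", domain))
    os.makedirs(os.path.join(base, "live", domain))
    real = os.path.join(base, "archive", domain, "privkey1.pem")
    with open(real, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n")
    os.chmod(real, 0o644)
    os.symlink(real, os.path.join(base, "live", domain, "privkey.pem"))
    return os.path.join(base, "live")


if __name__ == "__main__":
    live = build_demo_tree()  # replace with "/etc/letsencrypt/live" on a real host
    for real, needed in audit_live_dir(live, fix=False).items():
        print(f"{real}: {'group/world readable' if needed else 'ok'}")
```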

Other stuff

The dhparam.pem can be generated with:

openssl dhparam -out /etc/mail/certs/dhparam4096.pem 4096

And in sendmail:

define(`confDH_PARAMETERS',   `/etc/mail/certs/dhparam4096.pem')dnl # <= EDIT

Some client mail servers produce log entries like these:

Oct 13 23:18:21 localhost sm-mta[2690]: STARTTLS=client, error: connect failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1
Oct 13 23:18:21 localhost sm-mta[2690]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.example.com, reject=403 4.7.0 TLS handshake failed.

The only way I've found is [https://serverfault.com/questions/701934/sendmail-down-on-ubuntu-12-04-after-update-ssl-related disabling TLS] for these servers, with an entry in the access map:

Try_TLS:example.com NO