Difference between revisions of "TLS certificate for sendmail"
(5 intermediate revisions by the same user not shown) | |||
Line 49: | Line 49: | ||
Related to [http://www.antradar.com/blog-fixing-gmails-tls-negotiation-failed-error-2020 Gmail-TLS-negotiation failed] error |
Related to [http://www.antradar.com/blog-fixing-gmails-tls-negotiation-failed-error-2020 Gmail-TLS-negotiation failed] error |
||
+ | |||
+ | ===Sendmail file permissions=== |
||
+ | certbot stores all cert files with group/other read permission. This is OK, as they are in a directory that only has owner-access, but sendmail still doesn't trust it, and fails to load the cert files. Currently I'm trying to fix this with: |
||
+ | |||
+ | cat /etc/systemd/system/certbot.service |
||
+ | |||
+ | [Unit] |
||
+ | Description=Certbot |
||
+ | Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html |
||
+ | Documentation=https://letsencrypt.readthedocs.io/en/latest/ |
||
+ | [Service] |
||
+ | Type=oneshot |
||
+ | ExecStartPre=/usr/bin/certbot -q renew |
||
+ | ExecStart=/bin/chmod -R og-r /etc/letsencrypt/archive/ |
||
+ | ExecStartPost=/usr/sbin/service sendmail restart |
||
+ | PrivateTmp=true |
||
+ | |||
+ | ==Other stuff== |
||
+ | The dhparam.pem can be generated with: |
||
+ | openssl dhparam -out /etc/mail/certs/dhparam4096.pem 4096 |
||
+ | And in sendmail: |
||
+ | define(`confDH_PARAMETERS', `/etc/mail/certs/dhparam4096.pem')dnl # <= EDIT |
||
+ | |||
+ | Client email servers that cause: |
||
+ | Oct 13 23:18:21 localhost sm-mta[2690]: STARTTLS=client, error: connect failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1 |
||
+ | Oct 13 23:18:21 localhost sm-mta[2690]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.example.com, reject=403 4.7.0 TLS handshake failed. |
||
+ | Only way I've found, is [https://serverfault.com/questions/701934/sendmail-down-on-ubuntu-12-04-after-update-ssl-related disabling TLS] for these servers: |
||
+ | Try_TLS:example.com NO |
Latest revision as of 20:59, 11 November 2021
Getting the certificate:
apt install certbot certbot certonly --webroot #domain name: pomo.komputilo.org #webroot for pomo: directoy apache serves for http://pomo.komputilo.org
To install the certificate in sendmail, insert into /etc/mail/sendmail.mc (partially copied from sendmail.org, and letsencrypt.org):
define(`confCACERT_PATH', `/etc/letsencrypt/live/pomo.komputilo.org')dnl define(`confCACERT', `/etc/letsencrypt/live/pomo.komputilo.org/chain.pem')dnl define(`confSERVER_CERT', `/etc/letsencrypt/live/pomo.komputilo.org/cert.pem')dnl define(`confSERVER_KEY', `/etc/letsencrypt/live/pomo.komputilo.org/privkey.pem')dnl define(`confCLIENT_CERT', `/etc/letsencrypt/live/pomo.komputilo.org/cert.pem')dnl define(`confCLIENT_KEY', `/etc/letsencrypt/live/pomo.komputilo.org/privkey.pem')dnl define(`confAUTH_OPTIONS', `A p y')dnl
After changing the sendmail.mc file, run
cd /etc/mail make /etc/init.d/sendmail reload
Note that this fails: sendmail doesn't like the /etc/letsencrypt/archive/pomo.komputilo.org/privkey1.pem file being group&world readable.
chmod 0600 /etc/letsencrypt/live/pomo.komputilo.org/privkey.pem
To test:
telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 pomo.komputilo.org ESMTP Sendmail 8.15.2/8.15.2/Debian-8; Sat, 18 Apr 2020 10:31:08 +0200; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
Issue the ehlo localhost command, and check the response for '250-STARTTLS':
ehlo localhost 250-pomo.komputilo.org Hello localhost [127.0.0.1], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-EXPN 250-VERB 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-AUTH DIGEST-MD5 CRAM-MD5 250-STARTTLS 250-DELIVERBY 250 HELP
To obtain the certificate (see here):
openssl s_client -connect pomo.komputilo.org:465 -tls1_2
Related to Gmail-TLS-negotiation failed error
Sendmail file permissions
certbot stores all cert files with group/other read permission. This is OK, as they are in a directory that only has owner-access, but sendmail still doesn't trust it, and fails to load the cert files. Currently I'm trying to fix this with:
cat /etc/systemd/system/certbot.service [Unit] Description=Certbot Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html Documentation=https://letsencrypt.readthedocs.io/en/latest/ [Service] Type=oneshot ExecStartPre=/usr/bin/certbot -q renew ExecStart=/bin/chmod -R og-r /etc/letsencrypt/archive/ ExecStartPost=/usr/sbin/service sendmail restart PrivateTmp=true
Other stuff
The dhparam.pem can be generated with:
openssl dhparam -out /etc/mail/certs/dhparam4096.pem 4096
And in sendmail:
define(`confDH_PARAMETERS', `/etc/mail/certs/dhparam4096.pem')dnl # <= EDIT
Client email servers that cause:
Oct 13 23:18:21 localhost sm-mta[2690]: STARTTLS=client, error: connect failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1 Oct 13 23:18:21 localhost sm-mta[2690]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.example.com, reject=403 4.7.0 TLS handshake failed.
Only way I've found, is disabling TLS for these servers:
Try_TLS:example.com NO