Difference between revisions of "TLS certificate for sendmail"
From Tech
Jump to navigationJump to search (dhparam file) |
|||
| Line 56: | Line 56: | ||
And in sendmail: |
And in sendmail: |
||
define(`confDH_PARAMETERS', `/etc/mail/certs/dhparam4096.pem')dnl # <= EDIT |
define(`confDH_PARAMETERS', `/etc/mail/certs/dhparam4096.pem')dnl # <= EDIT |
||
| + | |||
| + | Client email servers that cause: |
||
| + | Oct 13 23:18:21 localhost sm-mta[2690]: STARTTLS=client, error: connect failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1 |
||
| + | Oct 13 23:18:21 localhost sm-mta[2690]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.example.com, reject=403 4.7.0 TLS handshake failed. |
||
| + | Only way I've found, is [https://serverfault.com/questions/701934/sendmail-down-on-ubuntu-12-04-after-update-ssl-related disabling TLS] for these servers: |
||
| + | Try_TLS:example.com NO |
||
Revision as of 22:30, 13 October 2020
Getting the certificate:
apt install certbot certbot certonly --webroot #domain name: pomo.komputilo.org #webroot for pomo: directoy apache serves for http://pomo.komputilo.org
To install the certificate in sendmail, insert into /etc/mail/sendmail.mc (partially copied from sendmail.org, and letsencrypt.org):
define(`confCACERT_PATH', `/etc/letsencrypt/live/pomo.komputilo.org')dnl define(`confCACERT', `/etc/letsencrypt/live/pomo.komputilo.org/chain.pem')dnl define(`confSERVER_CERT', `/etc/letsencrypt/live/pomo.komputilo.org/cert.pem')dnl define(`confSERVER_KEY', `/etc/letsencrypt/live/pomo.komputilo.org/privkey.pem')dnl define(`confCLIENT_CERT', `/etc/letsencrypt/live/pomo.komputilo.org/cert.pem')dnl define(`confCLIENT_KEY', `/etc/letsencrypt/live/pomo.komputilo.org/privkey.pem')dnl define(`confAUTH_OPTIONS', `A p y')dnl
After changing the sendmail.mc file, run
cd /etc/mail make /etc/init.d/sendmail reload
Note that this fails: sendmail doesn't like the /etc/letsencrypt/archive/pomo.komputilo.org/privkey1.pem file being group&world readable.
chmod 0600 /etc/letsencrypt/live/pomo.komputilo.org/privkey.pem
To test:
telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 pomo.komputilo.org ESMTP Sendmail 8.15.2/8.15.2/Debian-8; Sat, 18 Apr 2020 10:31:08 +0200; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
Issue the ehlo localhost command, and check the response for '250-STARTTLS':
ehlo localhost 250-pomo.komputilo.org Hello localhost [127.0.0.1], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-EXPN 250-VERB 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-AUTH DIGEST-MD5 CRAM-MD5 250-STARTTLS 250-DELIVERBY 250 HELP
To obtain the certificate (see here):
openssl s_client -connect pomo.komputilo.org:465 -tls1_2
Related to Gmail-TLS-negotiation failed error
dhparams file
The dhparam.pem can be generated with:
openssl dhparam -out /etc/mail/certs/dhparam4096.pem 4096
And in sendmail:
define(`confDH_PARAMETERS', `/etc/mail/certs/dhparam4096.pem')dnl # <= EDIT
Client email servers that cause:
Oct 13 23:18:21 localhost sm-mta[2690]: STARTTLS=client, error: connect failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1 Oct 13 23:18:21 localhost sm-mta[2690]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.example.com, reject=403 4.7.0 TLS handshake failed.
Only way I've found, is disabling TLS for these servers:
Try_TLS:example.com NO
