----------------------
Musings on getting a CA
signed cert for STARTTLS
and other gotchas....
----------------------


If you ask the companies who market
SSL certs about sendmail, they will
say that they don't support certs
for mail, but for websites only.

But maybe the help/support desks are wrong?

I found a vendor that only charged $15.99
for a starterssl signed by geotrust/equifax
and tried it with sendmail

I post the following to misc-at-openbsd
in the hope that others may benefit
and/or correct.

no flames please, if you see a glaring mistake,
let me know offlist and I'll post an amendment
or retraction if appropriate.





--------------


Starting the notes off on a tangent...
If we want to use something other than our self-signed
cert for sendmail, we will need a file, like the one
web browsers ship, that bundles the CA certs we accept.


Getting a file with a recent list of the CA certificate
signers that some somewhat-trusted entity accepts,
for applications to use...


I'm sure there is a better way, and somewhere to get a newer one,
but the file in the src appears to be from March CET 2000

head /usr/src/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt | grep "Last Modified"
##  Last Modified: Thu Mar  2 09:32:46 CET 2000

??

Going way off course.... to get a newer bundle maybe...

I googled several versions of
scripts that promised to convert a Mozilla file
certdata.txt to a ca-bundle that may be usable.


So let us find certdata.txt in a recent Mozilla release....
The following fetches a source tarball whose certdata.txt claims a revision date of 2005/04/18

 curl http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.5.0.1/source/firefox-1.5.0.1-source.tar.bz2 -o firefox-1.5.0.1-source.tar.bz2

 bunzip2 firefox-1.5.0.1-source.tar.bz2

 # find the path inside the tarball, then extract just that one file
 tar -tvf firefox-1.5.0.1-source.tar | grep certdata.txt

 tar -xvf firefox-1.5.0.1-source.tar mozilla/security/nss/lib/ckfw/builtins/certdata.txt

We got it....
now for a tool to convert...

curl http://www.opensource.apple.com/darwinsource/Current/apache_mod_ssl-680/mod_ssl/pkg.sslcfg/ca-bundle.pl -o ca-bundle.pl

now to do the conversion

  /usr/bin/perl ca-bundle.pl > ca-bundle.crt


Note that ca-bundle.crt is laid out in such a way that
we may be able to use it directly as CAcert.pem for STARTTLS.
Try copying or linking   ca-bundle.crt to  CAcert.pem
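A converter of this kind, added here as an example; it is not the ca-bundle.pl script fetched above and not anything from Mozilla. It parses the certdata.txt layout (a CKO_CERTIFICATE object carrying the DER bytes as octal escapes under CKA_VALUE, and a separate trust object with the same CKA_LABEL carrying the CKA_TRUST_* lines) and emits only the roots whose trust object marks them trusted for server authentication, a filter worth having because certdata.txt also lists roots that are explicitly distrusted or trusted only for email. It assumes POSIX sh and awk, and that the input follows the certdata.txt format of either the 2005 file (CKO_NETSCAPE_TRUST / CKT_NETSCAPE_TRUSTED_DELEGATOR) or the current one (CKO_NSS_TRUST / CKT_NSS_TRUSTED_DELEGATOR); those format details are assumptions about Mozilla's file, not something this post states.

```shell
#!/bin/sh
# certdata2pem.sh: added example, not the ca-bundle.pl script the post
# downloads.  Turns a Mozilla certdata.txt into a PEM bundle usable as
# CAcert.pem, emitting only roots whose trust object says
# CKT_*_TRUSTED_DELEGATOR for server authentication (certdata.txt also
# carries explicitly distrusted roots and roots trusted only for email).
# Assumes POSIX sh and awk and the certdata.txt object layout: a
# CKO_CERTIFICATE object carries the DER bytes as \NNN octal escapes
# between "CKA_VALUE MULTILINE_OCTAL" and "END"; a separate trust object
# with the same CKA_LABEL carries the CKA_TRUST_* lines.

certdata2pem() {      # usage: certdata2pem certdata.txt > ca-bundle.crt
    awk '
    BEGIN {
        b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
        ncert = 0
    }
    { sub(/\r$/, "") }                       # tolerate CRLF files
    /^CKA_CLASS / { kind = ""; label = "" }  # every object starts here
    /^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE$/ { kind = "cert"; next }
    /^CKA_CLASS CK_OBJECT_CLASS CKO_(NSS|NETSCAPE)_TRUST$/ { kind = "trust"; next }
    /^CKA_LABEL UTF8 / {
        label = $0
        sub(/^CKA_LABEL UTF8 "/, "", label); sub(/"$/, "", label)
        next
    }
    kind == "cert" && /^CKA_VALUE MULTILINE_OCTAL$/ { invalue = 1; nbytes = 0; next }
    invalue && /^END$/ {                      # DER complete: base64 it now
        invalue = 0
        ncert++; order[ncert] = label; pem[label] = b64encode()
        next
    }
    invalue {                                 # one line of \NNN octal escapes
        gsub(/\\/, " ")
        n = split($0, oct)
        for (i = 1; i <= n; i++) {
            v = 0
            for (j = 1; j <= length(oct[i]); j++) v = v * 8 + substr(oct[i], j, 1)
            bytes[++nbytes] = v
        }
        next
    }
    kind == "trust" && /^CKA_TRUST_SERVER_AUTH CK_TRUST CKT_(NSS|NETSCAPE)_TRUSTED_DELEGATOR$/ {
        trusted[label] = 1
    }
    END {
        for (k = 1; k <= ncert; k++) {
            l = order[k]
            if (!(l in trusted)) continue      # distrusted or email-only root
            printf "# %s\n-----BEGIN CERTIFICATE-----\n", l
            s = pem[l]
            while (length(s) > 64) { print substr(s, 1, 64); s = substr(s, 65) }
            print s
            print "-----END CERTIFICATE-----"
        }
    }
    # Plain base64 over the collected byte values; awk has no bit operators,
    # so the 6-bit groups are pulled out with integer division and modulo.
    function b64encode(   out, i, v, pad) {
        out = ""
        for (i = 1; i <= nbytes; i += 3) {
            v = bytes[i] * 65536; pad = 0
            if (i + 1 <= nbytes) v += bytes[i + 1] * 256; else pad++
            if (i + 2 <= nbytes) v += bytes[i + 2]; else pad++
            out = out substr(b64, int(v / 262144) + 1, 1) substr(b64, int(v / 4096) % 64 + 1, 1)
            out = out (pad == 2 ? "=" : substr(b64, int(v / 64) % 64 + 1, 1))
            out = out (pad >= 1 ? "=" : substr(b64, v % 64 + 1, 1))
        }
        return out
    }
    ' "${1:--}"
}

if [ "$#" -eq 1 ]; then
    certdata2pem "$1"
fi
```

Run it as sh certdata2pem.sh certdata.txt > ca-bundle.crt and then openssl x509 -in ca-bundle.crt -noout -subject (or the later commands in these notes) on the result; the label comment before each BEGIN line is ignored by PEM readers, the same way the headers in the src ca-bundle.crt are.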


If you are fooling around with STARTTLS for sendmail,
you really really would benefit from reading the man page

man starttls



================================
   on towards pems for sendmail
================================

It is very possible that the following has mistakes,
may not work or is wrong... could be done much
more elegantly or has a security issue,
so use with caution


So we may now have a file we can use as CAcert.pem
for STARTTLS, one that has most of the well
known CA providers.  But if we
self-sign our certificate that
will not help unless we concatenate our cert to that....


Okay, so how can you, on the cheap, set up a
certificate signed by a Certificate Authority recognized
by most applications?    Geotrust is well known and
cheaper than Thawte or Verisign...  Froogle a vendor
for Geotrust... found registerfly.com http://registerfly.com/ssl/
more on that later...


The following may work for us....

BUT, before trying the following and spending $$, you may want to review the instructions in man starttls and see if you can get sendmail working with a self-signed certificate.

man starttls


OBSERVATION:

Note that the man page for starttls skips some steps, using one command
to generate both the certificate and the private key.  Because
it is self-signed we did not need a 'CSR'

 # dsa1024.pem holds the DSA parameters the new key is generated from;
 # -nodes leaves the key unencrypted so sendmail can read it unattended
 openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem \
             -out /etc/mail/certs/mycert.pem -keyout  \
             /etc/mail/certs/mykey.pem


IF you did this more verbosely...
 You may make your key, then make a CSR, then sign the CSR....

Something like this

 openssl genrsa -rand /dev/urandom \
     -out /etc/mail/certs/mykey.pem 1024
 chmod 400 /etc/mail/certs/mykey.pem

Now you need a certificate signing request, CSR, for Geotrust or some other CA
to use as input: they sign it and send you back a crt that hopefully will work,
after taking your money.

 openssl req -new -inform PEM -key \
    /etc/mail/certs/mykey.pem -outform PEM \
    -out /etc/mail/certs/mycsr.pem
 chmod 400 /etc/mail/certs/mycsr.pem


You could self-sign it, but then the CAcert.pem bundle we extracted above would not have you in it.

 openssl x509 -days 3650 -signkey /etc/mail/certs/mykey.pem \
    -in /etc/mail/certs/mycsr.pem -req \
    -out /etc/mail/certs/mycert.pem
 chmod 444 /etc/mail/certs/mycert.pem



---------


BUT we may want to pay $$ (not $$$) to have a cert that Eudora/Microsoft
and other email applications will not complain about.

About the cheapest way I found to get a certificate for a website signed by geotrust/equifax is to go through the vendor http://registerfly.com/ssl/

You'll have to create an account and give them a minimum deposit of $25.00.
Then you can buy the cheapest STARTERSSL certificates for $15.99/year.
Note that all the documentation says the certs are for web servers.

Want to chance $15.99? Continue....
It might not work and you'll be out what you paid,
so don't flame me - user of notes beware...

As you jump through the hoops pretending to set up a cert for a website,
you can try using the certificate request, /etc/mail/certs/mycsr.pem,
when asked for a CSR. When asked for the type of webserver, you can try OTHER
or maybe mod_ssl...

After confirmation, and access to an email address related to the domain name,
hopefully you'll get an ASCII text file that you can cut and paste into a file.
Instead of mycert.pem, try naming it something different to avoid confusion,
because if you lose this file and the key, you're out your money. For example

   vi /etc/mail/certs/paidcert.pem
        (paste the proper text)
   chmod 400 /etc/mail/certs/paidcert.pem

In your configuration,
try  /etc/mail/certs/paidcert.pem instead of /etc/mail/certs/mycert.pem
and try /etc/mail/certs/ca-bundle.crt (the converted bundle from above) as CAcert.pem instead of mycert.pem


---------

I hope it works for you, paying $15.99 for one year to have sendmail be recognized by most applications as trusted signed is affordable compared to some of the Verisign and Thawte solutions.


Possible ways to tell if it worked...

Eudora can be verbose about certificates, try it with starttls and see if it complains about the signing.

You may be able to verify that the certificates contain the expected information with the following commands:

for the self signed
   openssl x509 -in /etc/mail/certs/mycert.pem -text
for the paid
   openssl x509 -in /etc/mail/certs/paidcert.pem -text



Sure hope the CA that you paid to sign the key is in the CAcert.pem
file we found or made from the Mozilla file.... ;)



THEN perhaps in your m4 to make sendmail.cf

  define(`CERT_DIR',        `MAIL_SETTINGS_DIR`'certs')
  define(`confCACERT_PATH', `CERT_DIR')
  define(`confCACERT',      `CERT_DIR/CAcert.pem')
  define(`confSERVER_CERT', `CERT_DIR/paidcert.pem')
  define(`confSERVER_KEY',  `CERT_DIR/mykey.pem')
  define(`confCLIENT_CERT', `CERT_DIR/paidcert.pem')
  define(`confCLIENT_KEY',  `CERT_DIR/mykey.pem')


According to http://www.sendmail.org/~ca/email/starttls.html
"For simplicity, use the same filenames for confCLIENT_CERT and
confCLIENT_KEY, respectively."  It seems that if you wanted to you
could buy or generate different keys for when you are the outgoing side;
there must be some way to make use of that feature....?



--------------------------

So for $15.99 and a lot of confusion, I think I
have sendmail using an officially signed certificate
and Thunderbird, MS Outlook Express and Eudora
(if SMTP-AUTH with PLAIN and LOGIN
  not CRAMMD5 nor DIGEST-MD5 if using unix password)
seem to be able to do SMTP-AUTH with TLS w/o complaining about the
cert signing, so this seems to work!  or I bamboozled myself ;{

your mileage may vary  :)

----------------------



================
Other  GOTCHAS?
================




Some anti-spam documentation suggests an access map option to
disable advertisement of STARTTLS,
  Srv_Features: S
If you have this in access, there is a possibility
that your email client, like Thunderbird, will fail saying
no TLS.  Make sure you see STARTTLS as part of your troubleshooting
when you do this test:
    telnet localhost smtp
    EHLO localhost

-----------------------------

CRAM Gotcha

Trying to get that SMTP-AUTH to work with
more than PLAIN and LOGIN, yet use the unix passwords?

IF you use unix passwords and set TRUST MECH to CRAM-MD5 or DIGEST-MD5
and an application tries to use it, it will likely fail.
And having /etc/mail/authinfo.db is not enough for the server side;
perhaps authinfo.db will help for setting up the client.....
(the EUDORA email reader will prefer CRAM over PLAIN and LOGIN)
Try, as troubleshooting,
   tail -f /var/log/authlog
and you may see "Could not open db".
It appears that saslauthd cannot help CRAM-MD5 or DIGEST-MD5
get secrets from unix accounts....?????????
according to
http://www.puresimplicity.net/~hemi/freebsd/sendmail.html
"Why no CRAM-MD5 or DIGEST-MD5 support?
Adding support for CRAM-MD5 and DIGEST-MD5 complicates
password-management greatly. CRAM-MD5 and DIGEST-MD5
can not authenticate against the regular password system."
"Sendmail talks to saslauthd, which in turn
authenticates users based on varying password methods.
CRAM-MD5 and DIGEST-MD5 auth require a separate password
database to be maintained and saslauthd has to use that
password database (type sasldb, a flat file in Berkeley
database format) for authentication.
That requires somehow changing user
passwords in both databases..."
Please amend if you have an elegant way or the above
is inaccurate....



-----------------


other quirks....
Some websites show the m4 feature using authinfo.db not authinfo ???
   FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl


------------------

For some IMAP daemons to use SSL you may need to concatenate the paid cert with mykey and maybe reference paidcertandmykey.pem ?????? I saw notes in a file SSLBUILD and some openbsd misc emails; for example, for the uw-imap port, the port patches mention
SSLCERTS=/etc/ssl/certs SSLKEYS=/etc/ssl/private   ????
The docs say the key is concatenated with the cert, so why two directories... ???? oh well. If you are trying imap-uw try the following and let us know if it worked....

 # paidcert.pem is the file pasted into /etc/mail/certs/ above
 cat /etc/mail/certs/paidcert.pem /etc/mail/certs/mykey.pem > /etc/mail/paidcertandmykey.pem
 chmod 400 /etc/mail/paidcertandmykey.pem
 cp -p /etc/mail/paidcertandmykey.pem /etc/ssl/ipop3d.pem
 cp -p /etc/mail/paidcertandmykey.pem /etc/ssl/imapd.pem

???



--------------------------
==========================

I wrote the above musings as I was doing it, some of the notes may be inaccurate and some steps missed, but I would think someone would benefit by the above...


I'd be interested in corrections to the above rough notes....

==========================


-sincerely
    [EMAIL PROTECTED]
    15 March 2006
