> Leo Bicknell wrote:
> 
> >After searching the archives and looking at the source, I find
> >myself more confused.  I've been asked to set up sendmail + ssl +
> >SMTP auth on a FreeBSD host.
> >
> >A quick "strings" on the sendmail binary shows a number of SSL
> >functions, so I'm thinking the SSL bits are in there, but I'm not
> >quite sure how to take advantage of them.  Issuing "AUTH" to a
> >stock -STABLE sendmail gets command unrecognized though, so I don't
> >think that is there.
> >
> >If no one else has figured this mess out, I'll do it and write a
> >page for the handbook. If someone else has, please clue me in, and
> >if necessary I'll still write that handbook page. :-)  It would be
> >very nice if it was simple to make FreeBSD sendmail SSL and 
> >authenticate against the password file.
> >
> I've managed to set it up to use AUTH; however, I have not yet found the 
> time to make it use SSL.
> The only useful documentation I have been able to find is this one: 
> http://www.sendmail.org/~ca/email/auth.html

You have to generate a public key certificate and have the private 
key available to the sendmail daemon before it will do the STARTTLS
thing.

I've got a shell script around there that signs a certificate with a
bogus CA which enables the use of STARTTLS.  You can't validate the
other end of the connection, but at least it negotiates an encrypted
session.

It's attached below, and it's a horrible blecherous hack and
provides very little security other than allowing the session to
be encrypted.  It's at least obviously not able to protect against
man-in-the-middle attacks since the CA signing the cert is completely
bogus.  It will make long distance phone calls when you're not
looking, eat your food, and make rude remarks about your spouse. 
Use at your own risk.

But it seems to do, er, something.  At least it makes passive traffic
sniffing less productive.

louie
Attachment: make-sendmail-cert.sh
Description: make-sendmail-cert.sh
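The make-sendmail-cert.sh attachment itself is not reproduced in the archive, so what follows is an added example, not louie's script and not code from sendmail or FreeBSD. It shows the same approach the message describes: a private ("bogus") CA, a certificate for the mail host signed by that CA, and the sendmail.mc macros that point sendmail at the files so it offers STARTTLS. The hostname mail.example.org, the certificate directory, the CA name and the 365-day validity are assumptions. It goes one step beyond the message in that it keeps the CA certificate around and includes a client-side check against it: a client that validates the server chain against that CA file can tell the real server from an impostor, which is the man-in-the-middle gap louie points out.

```shell
#!/bin/sh
# Added example; NOT louie's attached make-sendmail-cert.sh (not reproduced here).
# Builds a private CA, issues a host certificate signed by it, and prints the
# sendmail.mc lines for STARTTLS. Hostname, directory and CA name are assumptions.
set -eu

DAYS="${DAYS:-365}"   # assumed validity period for both certificates

# Private CA: RSA key plus a self-signed certificate marked CA:TRUE.
# Extensions come from an explicit file so openssl.cnf defaults do not interfere.
make_ca() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    chmod 600 "$dir/cakey.pem"
    openssl req -new -key "$dir/cakey.pem" -subj "/CN=Private mail CA" \
        -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days "$DAYS" -in "$dir/ca.csr" -signkey "$dir/cakey.pem" \
        -extfile "$dir/ca.ext" -out "$dir/cacert.pem" 2>/dev/null
    rm -f "$dir/ca.csr" "$dir/ca.ext"
}

# Server certificate for $host, signed by the CA above. subjectAltName is what
# a validating client matches against, so it carries the hostname.
make_server_cert() {
    dir="$1"; host="$2"
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    chmod 600 "$dir/key.pem"   # the sendmail daemon (root) reads it; nobody else should
    openssl req -new -key "$dir/key.pem" -subj "/CN=$host" -out "$dir/server.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -days "$DAYS" -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/cert.pem" 2>/dev/null
    rm -f "$dir/server.csr" "$dir/server.ext"
}

# Does the issued certificate chain to our CA? (The exit status is the answer.)
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/cert.pem" >/dev/null 2>&1
}

# Does the certificate name the host a client will connect to?
cert_names_host() {
    openssl x509 -in "$1/cert.pem" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# sendmail.mc lines (these are sendmail's own macros) pointing at the files above.
print_mc_snippet() {
    dir="$1"
    printf "define(\`confCACERT_PATH', \`%s')dnl\n" "$dir"
    printf "define(\`confCACERT', \`%s/cacert.pem')dnl\n" "$dir"
    printf "define(\`confSERVER_CERT', \`%s/cert.pem')dnl\n" "$dir"
    printf "define(\`confSERVER_KEY', \`%s/key.pem')dnl\n" "$dir"
}

# Client-side check once sendmail is running: validate the server's chain
# against our CA certificate instead of accepting whatever the peer presents.
check_starttls() {
    openssl s_client -starttls smtp -connect "$1:25" -servername "$1" \
        -CAfile "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage (as root): sh make-cert-example.sh <mail hostname> <cert directory>
if [ "$#" -eq 2 ]; then
    make_ca "$2"
    make_server_cert "$2" "$1"
    verify_chain "$2"
    echo "certificate chain verifies"
    print_mc_snippet "$2"
fi
```

Run it as root with the hostname and a directory such as /etc/mail/certs, append the printed define lines to the .mc file, rebuild sendmail.cf and restart the daemon. Then, from a machine that has a copy of cacert.pem, `check_starttls mail.example.org /path/to/cacert.pem` returns 0 only if STARTTLS was offered and the presented chain validated against that CA; without distributing cacert.pem you are back to louie's encrypted-but-unauthenticated session.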