Hi Paul, if I remember correctly, the last time I tried Postfix on OpenBSD, I could use a self-generated SSL cert. Hope it's helpful to you.
Regards
Andrew

On Thu, 16 Mar 2006 04:53:58 +0000 (GMT), "Paul Pruett" <[EMAIL PROTECTED]> said:
> ----------------------
> Musings on getting a CA
> signed cert for STARTTLS
> and other gotchas....
> ----------------------
>
> If you ask the companies who market
> SSL certs about sendmail, they will
> say that they don't support certs
> for mail, but for websites only.
>
> But maybe the help/support desks are wrong?
>
> I found a vendor that only charged $15.99
> for a starterssl signed by geotrust/equifax
> and tried it with sendmail
>
> I post the following to misc-at-openbsd
> in the hope that others may benefit
> and/or correct.
>
> no flames please, if you see a glaring mistake,
> let me know offlist and I'll post an amendment
> or retraction if appropriate.
>
> --------------
>
> Starting the notes off on a tangent...
> If we want to use something other than our self-signed
> cert for sendmail, we will have to have a file like
> web browsers have, with a bundle of okay CA certs.
>
> Getting a file with recent information that some
> somewhat trusted entity has of CA certificate signers,
> to use in applications...
>
> I'm sure there is a better way, and somewhere to get a newer one,
> but the file in the src appears to be from March CET 2000
>
> head /usr/src/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt | grep "Last Modified"
> ## Last Modified: Thu Mar 2 09:32:46 CET 2000
>
> ??
>
> Going way off course.... to get a newer bundle maybe...
>
> I googled several versions of
> scripts that promised to convert a Mozilla file
> certdata.txt to a ca-bundle that may be usable.
>
> So let us find certdata.txt in a recent mozilla project....
> The below renders a file claiming a revision date of 2005/04/18
>
> curl http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.5.0.1/source/firefox-1.5.0.1-source.tar.bz2 \
>   -o firefox-1.5.0.1-source.tar.bz2
> bunzip2 firefox-1.5.0.1-source.tar.bz2
> tar -tvf firefox-1.5.0.1-source.tar | grep certdata.txt
> tar -xvf firefox-1.5.0.1-source.tar mozilla/security/nss/lib/ckfw/builtins/certdata.txt
>
> We got it....
> now for a tool to convert...
>
> curl http://www.opensource.apple.com/darwinsource/Current/apache_mod_ssl-680/mod_ssl/pkg.sslcfg/ca-bundle.pl \
>   -o ca-bundle.pl
>
> now to do the convert
>
> /usr/bin/perl ca-bundle.pl > ca-bundle.crt
>
> Note the ca-bundle.crt includes information in such a way
> we may be able to just use it as CAcert.pem for starttls.
> Can try copy or link ca-bundle.crt to CAcert.pem
>
> If you are fooling around with STARTTLS for sendmail,
> you really really would benefit by reading the man pages
>
> man starttls
>
> ================================
> on towards pems for sendmail
> ================================
>
> It is very possible that the following has mistakes
> or may not work or is wrong... could be done much
> more elegantly or has a security issue,
> so use with caution
>
> So we may now have a file we can use for CAcert.pem
> for STARTTLS to use that has most of the well
> known CA providers. But if we
> self sign our certificates that
> will not help unless we concatenate our cert to that....
>
> Okay so how can you on the cheap set up a
> certificate signed by a Certificate Authority recognized
> by most applications? Geotrust is well known and
> cheaper than Thawte or Verisign... Froogle a vendor
> for Geotrust... found registerfly.com
> http://registerfly.com/ssl/
> more on that later...
>
> The following may work for us....
>
> BUT, before trying the following and spending $$, you may want to review
> the instructions in man starttls and see if you can get sendmail working with
> a self-signed certificate.
>
> man starttls
>
> OBSERVATION:
>
> Note that the man page for starttls can skip some steps, using one command
> to both generate a certificate and the private key. Because
> it is self signed we did not need a 'CSR'
>
> openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem \
>   -out /etc/mail/certs/mycert.pem -keyout \
>   /etc/mail/certs/mykey.pem
>
> IF you did this more verbosely...
> You may make your key, then make a csr, then sign the csr....
>
> Something like this
>
> openssl genrsa -rand /dev/urandom \
>   -out /etc/mail/certs/mykey.pem 1024
> chmod 400 /etc/mail/certs/mykey.pem
>
> Now you need a certificate request, CSR, to have geotrust or some CA use
> as input to sign and send you back a crt that hopefully will work
> after taking your money.
>
> openssl req -new -inform PEM -key \
>   /etc/mail/certs/mykey.pem -outform PEM \
>   -out /etc/mail/certs/mycsr.pem
> chmod 400 /etc/mail/certs/mycsr.pem
>
> You could self sign it, but then the above CAcert.pem that we extracted
> would not have you in it.
>
> openssl x509 -days 3650 -signkey /etc/mail/certs/mykey.pem \
>   -in /etc/mail/certs/mycsr.pem -req \
>   -out /etc/mail/certs/mycert.pem
> chmod 444 /etc/mail/certs/mycert.pem
>
> ---------
>
> BUT we may want to pay $$ (not $$$) to have a cert that Eudora/Microsoft
> and other email applications would not complain about.
>
> About the cheapest way I found to get a certificate for a website signed
> by geotrust/equifax is to go through the vendor
> http://registerfly.com/ssl/
>
> You'll have to create an account and give them a minimum deposit of $25.00
> Then you can buy the cheapest STARTERSSL certificates for $15.99/year
> Note that all the documentation says the certs are for web servers.
>
> Want to chance $15.99 - continue....
> It could not work and you'll be out what you paid,
> so don't flame me - user of notes beware...
>
> As you jump through the hoops pretending to set up a cert for a website,
> you can try using the request for certificate, /etc/mail/certs/mycsr.pem
> when asked for a CSR. When asked for type of webserver, you can try OTHER
> or mod_ssl maybe...
>
> After confirmation and access to an email that is related to the domain
> name, hopefully you'll get an ascii text file that you can cut and paste
> to a file.
> Instead of mycert.pem, try naming it something different to avoid
> confusion, because if you lose this file and the key, you're out your
> money. for example
>
> vi /etc/mail/certs/paidcert.pem
> (paste the proper text)
> chmod 400 /etc/mail/certs/paidcert.pem
>
> In your configurations
> try /etc/mail/certs/paidcert.pem instead of /etc/mail/certs/mycert.pem
> and try /etc/mail/certs/ca-bundle.crt for CAcert.pem instead of
> mycert.pem
>
> ---------
>
> I hope it works for you, paying $15.99 for one year to have sendmail be
> recognized by most applications as trusted signed is affordable compared
> to some of the Verisign and Thawte solutions.
>
> Possible ways to tell if it worked...
>
> Eudora can be verbose about certificates, try it with starttls and see if
> it complains about the signing.
>
> You maybe can verify that the certificates have some information with the
> following commands:
>
> for the self signed
> openssl x509 -in /etc/mail/certs/mycert.pem -text
> for the paid
> openssl x509 -in /etc/mail/certs/paidcert.pem -text
>
> Sure hope the CA that you paid to sign the key is in the CAcert.pem
> file we found or made from the mozilla file....
> ;)
>
> THEN perhaps in your m4 to make sendmail.cf
>
> define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')
> define(`confCACERT_PATH', `CERT_DIR')
> define(`confCACERT', `CERT_DIR/CAcert.pem')
> define(`confSERVER_CERT', `CERT_DIR/paidcert.pem')
> define(`confSERVER_KEY', `CERT_DIR/mykey.pem')
> define(`confCLIENT_CERT', `CERT_DIR/paidcert.pem')
> define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')
>
> According to http://www.sendmail.org/~ca/email/starttls.html
> "For simplicity, use the same filenames for confCLIENT_CERT and
> confCLIENT_KEY, respectively." It seems if you wanted to you
> could buy or generate different keys for when you are outgoing,
> must be some way to allow that feature....?
>
> --------------------------
>
> So for $15.99 and a lot of confusion, I think I
> have sendmail using an officially signed certificate
> and Thunderbird, MS Outlook Express and Eudora
> (if SMTP-AUTH with PLAIN and LOGIN,
> not CRAM-MD5 nor DIGEST-MD5, if using unix passwords)
> seem to be able to do SMTP-AUTH with TLS w/o complaining about the
> cert signing, so this seems to work! or I bamboozled myself ;{
>
> your mileage may vary :)
>
> ----------------------
>
> ================
> Other GOTCHAS?
> ================
>
> Some spam documentation suggests an access map option to
> disable advertisement of STARTTLS,
> Srv_Features: S
> If you have this in access, there is a possibility
> that your email client like thunderbird will fail saying
> no TLS. make sure you see STARTTLS as part of your troubleshooting
> when you do this test:
> telnet localhost smtp
> EHLO localhost
>
> -----------------------------
>
> CRAM Gotcha
>
> Trying to get that SMTP-AUTH to work with
> more than PLAIN and LOGIN, yet use the unix passwords?
>
> IF you use unix passwords and set TRUST MECH CRAM-MD5 or DIGEST-MD5
> and an application tries to use it, likely it will fail
> And having /etc/mail/authinfo.db is not enough for the server side,
> perhaps authinfo.db will help for setting up the client.....
> (EUDORA email reader will prefer CRAM over PLAIN and LOGIN)
> try as troubleshooting
> tail -f /var/log/authlog
> and you may see "Could not open db"
> It appears that saslauthd could not help CRAM-MD5 or DIGEST-MD5
> get secrets from unix accounts....?????????
> according to
> http://www.puresimplicity.net/~hemi/freebsd/sendmail.html
> "Why no CRAM-MD5 or DIGEST-MD5 support?
> Adding support for CRAM-MD5 and DIGEST-MD5 complicates
> password-management greatly. CRAM-MD5 and DIGEST-MD5
> can not authenticate against the regular password system."
> "Sendmail talks to saslauthd, which in turn
> authenticates users based on varying password methods.
> CRAM-MD5 and DIGEST-MD5 auth require a separate password
> database to be maintained and saslauthd has to use that
> password database (type sasldb, a flat file in Berkeley
> database format) for authentication.
> That requires somehow changing user
> passwords in both databases..."
> Please amend if you have an elegant way or the above
> is inaccurate....
>
> -----------------
>
> other quirks....
> Some websites show the m4 feature using authinfo.db not authinfo ???
> FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
>
> ------------------
>
> For some imaps to use SSL you may need to concatenate the paidcert with
> the mykey and maybe reference paidcertandmykey.pem ?????? saw notes in a
> file SSLBUILD and some openbsd misc emails, example for uw-imap port the
> port patches mention
> SSLCERTS=/etc/ssl/certs SSLKEYS=/etc/ssl/private ????
> The docs say key is concatenated with cert, so why two directories... ????
> oh well. If you are trying imap-uw try the following and let us know if it
> worked....
>
> cat /etc/mail/certs/paidcert.pem /etc/mail/certs/mykey.pem > /etc/mail/paidcertandmykey.pem
> chmod 400 /etc/mail/paidcertandmykey.pem
> cp -p /etc/mail/paidcertandmykey.pem /etc/ssl/ipop3d.pem
> cp -p /etc/mail/paidcertandmykey.pem /etc/ssl/imapd.pem
>
> ???
>
> --------------------------
> ==========================
>
> I wrote the above musings as I was doing it, some of the notes may be
> inaccurate and some steps missed, but I would think someone would benefit
> by the above...
>
> I'd be interested in corrections to the above rough notes....
>
> ==========================
>
> -sincerely
> [EMAIL PROTECTED]
> 15 March 2006
--
Andrew Ng
[EMAIL PROTECTED]

--
http://www.fastmail.fm - Same, same, but different
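An added example, not part of Paul's notes, Andrew's reply, or the ca-bundle.pl script Paul links: a Python replacement for the certdata.txt-to-PEM conversion step that produces the CAcert.pem sendmail's confCACERT points at. The certdata input embedded in the block is constructed in Mozilla's certdata.txt syntax with fake 5-byte DER bodies so it runs offline; run the script with the path of the real certdata.txt as its argument to build a bundle. The check a practitioner wants in any such converter is the one added here: it reads the CKO_NSS_TRUST objects (CKO_NETSCAPE_TRUST in the 2005-era file Paul downloaded) and keeps only roots whose CKA_TRUST_SERVER_AUTH is a TRUSTED_DELEGATOR value, so a root Mozilla ships as distrusted or email-only does not become an accepted signer for STARTTLS. The label-matching, object names and sample labels are this example's own assumptions about the file, not anything from the post.

```python
"""Build a PEM CA bundle (CAcert.pem) from Mozilla's certdata.txt.

Added example for the ca-bundle.pl step in Paul's notes; not the original
script.  Keeps only roots trusted for server authentication.
"""
import base64
import re
import sys

OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")
TRUST_CLASSES = ("CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST")
SERVER_TRUSTED = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}

# Constructed sample (assumption, not Mozilla's file).  Each CKA_VALUE is a
# 5-byte DER SEQUENCE { INTEGER n }, not a real certificate; it only exercises
# the octal decoding and PEM wrapping.
SAMPLE_CERTDATA = r'''#
# Constructed sample in certdata.txt syntax
#
BEGINDATA

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001
\001
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''


def parse_certdata(text):
    """Return one dict per CKA_CLASS object; MULTILINE_OCTAL values become bytes."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        fields = line.split(None, 2)
        attr = fields[0]
        if attr == "CKA_CLASS":
            current = {"CKA_CLASS": fields[2]}
            objects.append(current)
            continue
        if current is None:
            continue  # attribute before any CKA_CLASS: ignore
        if len(fields) >= 2 and fields[1] == "MULTILINE_OCTAL":
            # Body runs until a line reading END; every \ooo escape is one byte.
            data = bytearray()
            for body in lines:
                if body.strip() == "END":
                    break
                data.extend(int(o, 8) for o in OCTAL_ESCAPE.findall(body))
            current[attr] = bytes(data)
        elif len(fields) == 3 and fields[1] == "UTF8":
            current[attr] = fields[2].strip('"')
        elif len(fields) == 3:
            current[attr] = fields[2]
    return objects


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def build_bundle(text):
    """Return (pem_text, included_labels, skipped_labels).

    A certificate is included only if a trust object with the same CKA_LABEL
    marks it as a trusted delegator for server auth.
    """
    objects = parse_certdata(text)
    trust = {o.get("CKA_LABEL", ""): o for o in objects if o["CKA_CLASS"] in TRUST_CLASSES}
    out, included, skipped = [], [], []
    for o in objects:
        if o["CKA_CLASS"] != "CKO_CERTIFICATE" or "CKA_VALUE" not in o:
            continue
        label = o.get("CKA_LABEL", "")
        if trust.get(label, {}).get("CKA_TRUST_SERVER_AUTH") not in SERVER_TRUSTED:
            skipped.append(label)
            continue
        out.append("# " + label + "\n" + der_to_pem(o["CKA_VALUE"]))
        included.append(label)
    return "".join(out), included, skipped


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERTDATA
    pem, inc, skip = build_bundle(src)
    sys.stdout.write(pem)
    sys.stderr.write("included %d roots, skipped %d\n" % (len(inc), len(skip)))
```

Write the output to /etc/mail/certs/CAcert.pem, then check that the purchased certificate actually chains to something in it with `openssl verify -CAfile /etc/mail/certs/CAcert.pem /etc/mail/certs/paidcert.pem` (add `-untrusted inter.pem` if the vendor supplied an intermediate); the `# label` comment lines are ignored by OpenSSL's PEM reader, as in the old ca-bundle.crt.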