Daniel Ouellet wrote:
Hi,
I am having problems testing this and maybe I am missing something
simple, so any pointers would be appreciated.
To test this I created the cert as described in man 8 starttls as
follows, and below are all the steps I did without success so far:
Create the missing directory and change to it.
# mkdir /etc/mail/certs
# cd /etc/mail/certs
Generate the key and certificate based on my interface name, dc0 in
this case, as follows:
# openssl dsaparam 1024 -out dsa1024.pem
# openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem \
-out /etc/mail/certs/dc0.crt -keyout /etc/mail/certs/dc0.key
I answered the various questions about the country, state, city, etc.
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
Then all looked good after that.
I changed my certificate and key to be root-readable only as recommended
in man 8 starttls as follows:
# chmod -R go-rwx /etc/mail/certs
And I finally removed the unneeded dsa1024.pem file as well, as
suggested in man 8 starttls:
# rm dsa1024.pem
Now it looks like this:
# ls -al
total 16
drwx------ 2 root wheel 512 Jun 2 20:50 .
drwxr-xr-x 3 root wheel 1024 Jun 2 20:44 ..
-rw------- 1 root wheel 1241 Jun 2 20:47 dc0.crt
-rw------- 1 root wheel 668 Jun 2 20:47 dc0.key
I also created a link for the lo0 interface, which I am not sure why
we should use TLS on as it's local, but anyway, for completeness I
did nevertheless. Here I used the same key, but I could have created a
second key too. Unless I am missing something, I guess for lo0
shouldn't TLS be ignored anyway? Just a thought, as you are already on
the system at that point, so why use it, or even smtps?
Anyway, I do:
# ln -s dc0.crt lo0.crt
# ln -s dc0.key lo0.key
and I have the final needed files like this:
# ls -al
total 16
drwx------ 2 root wheel 512 Jun 2 20:53 .
drwxr-xr-x 3 root wheel 1024 Jun 2 20:44 ..
-rw------- 1 root wheel 1241 Jun 2 20:47 dc0.crt
-rw------- 1 root wheel 668 Jun 2 20:47 dc0.key
lrwxr-xr-x 1 root wheel 7 Jun 2 20:53 lo0.crt -> dc0.crt
lrwxr-xr-x 1 root wheel 7 Jun 2 20:53 lo0.key -> dc0.key
Then I put the configuration in the /etc/mail/smtpd.conf file to use
them:
listen on lo0 tls certificate /etc/mail/certs/lo0.crt enable auth
listen on dc0 tls certificate /etc/mail/certs/dc0.crt enable auth
and I get errors:
# pkill smtpd
# smtpd
/etc/mail/smtpd.conf:12: syntax error
/etc/mail/smtpd.conf:13: syntax error
Even with only dc0 I get the same thing:
# cat /etc/mail/smtpd.conf | grep listen
listen on dc0 tls certificate /etc/mail/certs/dc0.crt enable auth
# pkill smtpd
# smtpd
/etc/mail/smtpd.conf:6: syntax error
Any variation of it gives me the same errors except this one:
listen on dc0 tls
If I try to specify the certificate name, location, full path, etc. I
get errors, whether or not I add the end options enable auth.
I can't connect to the smtpd using clients with only TLS enabled.
I tested this using Thunderbird and set up the sending mail server to use
TLS ONLY. I keep getting errors trying to connect to it. It refuses the
connection.
I have tried everything I can think of so far and I am still not successful
doing it.
The only part that has worked very well for weeks so far is without any TLS,
like this:
# cat /etc/mail/smtpd.conf | grep listen
listen on dc0
# pkill smtpd
# smtpd
But with the TLS configuration, I can see STARTTLS in the offering:
# telnet no-spam1.realconnect.com 25
Trying ::1...
Connected to no-spam1.realconnect.com.
Escape character is '^]'.
220 no-spam1.realconnect.com ESMTP OpenSMTPD
EHLO testing
250-no-spam1.realconnect.com Hello testing [IPv6:::1], pleased to meet you
250-8BITMIME
250-STARTTLS
250 HELP
quit
221 no-spam1.realconnect.com Closing connection
Connection closed by foreign host.
Anything I am forgetting that is obvious, or is it not ready to be used
yet?
Thanks for the feedback.
Best,
Daniel
I didn't see you mention a certificate authority; is this self-signed?
starttls says:
If you don't intend to use TLS for authentication (and if you are using
self-signed certificates you probably don't) you can simply link your new
certificate to CAcert.pem.
# ln -s /etc/mail/certs/mycert.pem /etc/mail/certs/CAcert.pem
If, on the other hand, you intend to use TLS for authentication you
should install your certificate authority bundle as
/etc/mail/certs/CAcert.pem.
You didn't mention this file.
Chris Bennett
--
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects.
-- Robert Heinlein
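As an added example that is not from either message above: the starttls(8) certificate steps Daniel followed, plus the CAcert.pem link Chris points out, as one POSIX sh script with a check function to run before restarting smtpd. It assumes openssl(1) is in PATH; the directory, interface name and Common Name are parameters (the thread used /etc/mail/certs, dc0 and the host's FQDN). The default key type reproduces the 1024-bit DSA key from the man page; the optional fourth argument takes any -newkey spec such as rsa:2048, which is what you would want today since TLS 1.3 clients no longer accept DSA certificates at all.

```shell
#!/bin/sh
# Added example, not from the thread: the starttls(8) certificate steps as one
# script, plus checks to run before restarting smtpd. Assumes openssl(1) in PATH.
set -eu

# make_smtpd_cert DIR NAME CN [KEYSPEC]
#   DIR      certificate directory (the thread uses /etc/mail/certs)
#   NAME     listener interface name, i.e. the file name smtpd looks for (dc0)
#   CN       Common Name: the FQDN clients connect to, not the interface name
#   KEYSPEC  openssl -newkey spec; the default "dsa" reproduces the 1024-bit DSA
#            key from starttls(8), "rsa:2048" is what current clients expect
make_smtpd_cert() {
    dir=$1 name=$2 cn=$3 keyspec=${4:-dsa}
    mkdir -p "$dir"
    if [ "$keyspec" = dsa ]; then
        # options before the bit count: OpenSSL 3 rejects the other order
        openssl dsaparam -out "$dir/dsa1024.pem" 1024 2>/dev/null
        keyspec=dsa:$dir/dsa1024.pem
    fi
    # -subj replaces the interactive prompts; -nodes leaves the key unencrypted
    # because smtpd has to read it at startup with nobody there to type a passphrase
    openssl req -x509 -nodes -days 365 -newkey "$keyspec" -subj "/CN=$cn" \
        -out "$dir/$name.crt" -keyout "$dir/$name.key" 2>/dev/null
    rm -f "$dir/dsa1024.pem"
    # root-only, as the man page recommends: the key is a long-term secret
    chmod -R go-rwx "$dir"
    # Self-signed, so no CA bundle: starttls(8) says to point CAcert.pem at the
    # certificate itself. This is the file Chris's reply asks about.
    ln -sf "$name.crt" "$dir/CAcert.pem"
}

# check_smtpd_cert DIR NAME CN: print each problem found, return 1 if any
check_smtpd_cert() {
    dir=$1 name=$2 cn=$3 rc=0
    crt=$dir/$name.crt key=$dir/$name.key
    # 1. nothing but root may read the directory, the cert or the key
    for f in "$dir" "$crt" "$key"; do
        case $(ls -ld "$f" | cut -c1-10) in
            ????------) ;;
            *) echo "$f: readable by group/other"; rc=1 ;;
        esac
    done
    # 2. the certificate must actually belong to the private key next to it
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "$crt does not match $key"; rc=1; }
    # 3. the CN must be the name clients connect to, or they reject the cert
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)
    subj=${subj#subject=}; subj=${subj# }
    [ "$subj" = "CN=$cn" ] ||
        { echo "$crt: subject is '$subj', expected CN=$cn"; rc=1; }
    # 4. CAcert.pem must exist (a link to the cert when self-signed)
    [ -r "$dir/CAcert.pem" ] || { echo "$dir/CAcert.pem is missing"; rc=1; }
    return $rc
}

# Usage, as root, with the thread's values:
#   make_smtpd_cert /etc/mail/certs dc0 no-spam1.realconnect.com rsa:2048
#   check_smtpd_cert /etc/mail/certs dc0 no-spam1.realconnect.com
# After restarting smtpd, confirm the handshake from another machine with:
#   openssl s_client -connect no-spam1.realconnect.com:25 -starttls smtp \
#       -CAfile CAcert.pem
```

The check function catches the three things that most often make a client refuse a STARTTLS connection after the server has started advertising it: a certificate whose CN is not the name the client was told to connect to, a key that does not belong to the certificate, and a missing CAcert.pem. It also refuses a key that anyone but root can read, since smtpd's TLS identity is only as strong as the file permissions on that key.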