STARTTLS weirdness in sendmail 8.12.10-1

2003-09-19 Thread Brian Rectanus
I cannot get STARTTLS to work with the newest sendmail in unstable.  It
*always* complains that the key file is group readable!  Now, before you
scream RTFM, I did use GroupReadableKeyFile!

I updated to sendmail 8.12.10-1 to patch CAN-2003-0681 and CAN-2003-0694.

When I startup I get...

sm-mta[30148]: starting daemon (8.12.10): SMTP
sm-mta[30148]: STARTTLS=server: file /etc/mail/tls/sendmail-common.key
unsafe: Group readable file

Fine, so GroupReadableKeyFile was not set by default as it was before, so I
stuck this in starttls.m4:

define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')

Which does work, and puts this in submit.cf:

O DontBlameSendmail=GroupReadableKeyFile

But, I *still* get:

sm-mta[6346]: starting daemon (8.12.10): SMTP
sm-mta[6346]: STARTTLS=server: file /etc/mail/tls/sendmail-common.key
unsafe: Group readable file

Back on previous versions from testing and stable I do not get these
messages.

sm-mta[31901]: starting daemon (8.12.9): SMTP
sm-mta[3719]: starting daemon (8.12.3): SMTP

Anyone else see this?

later,
-Brian




Re: STARTTLS weirdness in sendmail 8.12.10-1

2003-09-19 Thread Marc-Christian Petersen
On Friday 19 September 2003 17:59, Brian Rectanus wrote:

Hi Brian,

> I cannot get STARTTLS to work with the newest sendmail in unstable.  It
> *always* complains that the key file is group readable!  Now, before you
> scream RTFM, I did use GroupReadableKeyFile!

please copy /usr/share/sendmail/examples/starttls.m4 to /etc/mail/tls and
execute 'sendmailconfig' after you have copied the file over.

It's an updated file you have to use by now. You should have read the install 
message by the sendmail update and the changelog too ;p
You have to do the same with SASLv2 m4 if you use SASLv2.

> Anyone else see this?

Yes, solution above. Anyway, even after that, TLS does not work any longer. I
always get verify=NOT if I try to send mail with my other clients.
8.12.9-latest from SID before 8.12.10-1 works fine.

--
ciao, Marc





Re: STARTTLS weirdness in sendmail 8.12.10-1

2003-09-19 Thread Brian Rectanus
Hey,

On Fri, 2003-09-19 at 13:33, Marc-Christian Petersen wrote:
> On Friday 19 September 2003 17:59, Brian Rectanus wrote:
>
> Hi Brian,
>
> > I cannot get STARTTLS to work with the newest sendmail in unstable.  It
> > *always* complains that the key file is group readable!  Now, before you
> > scream RTFM, I did use GroupReadableKeyFile!
>
> please copy /usr/share/sendmail/examples/starttls.m4 to /etc/mail/tls and
> execute 'sendmailconfig' after you have copied the file over.
>
> It's an updated file you have to use by now. You should have read the install
> message by the sendmail update and the changelog too ;p
> You have to do the same with SASLv2 m4 if you use SASLv2.
>

Yeah, I had done that (for tls and sasl).  It puts this in submit.cf:

O DontBlameSendmail=,GroupReadableKeyFile

I thought maybe that screwed things up starting with a comma, so (as I
wrote earlier) I just added a straight

define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')

to give

O DontBlameSendmail=GroupReadableKeyFile

But *neither* works.  Both put GroupReadableKeyFile in submit.cf, and
seem to ignore it, giving me:

STARTTLS=server: file /etc/mail/tls/sendmail-common.key unsafe: Group
readable file

> > Anyone else see this?
>
> Yes, solution above. Anyway, even after that, TLS does not work any longer. I
> always get verify=NOT if I try to send mail with my other clients.
> 8.12.9-latest from SID before 8.12.10-1 works fine.
>
> --
> ciao, Marc

I have gone to using the stable version until a fixed version is in
unstable.

Thanks,
-Brian





Re: STARTTLS weirdness in sendmail 8.12.10-1

2003-09-19 Thread Marc-Christian Petersen
On Friday 19 September 2003 23:27, Richard A Nelson wrote:

Hi Richard,

> aha... in my case (all my boxen, in fact) the certificate just
> expired!!!
> I ran /usr/share/sendmail/update_tls new to create a new set of
> certificates and things are now kosher!
> Sep 19 21:22:20 renegade sendmail[22155]: STARTTLS=client,
> relay=localhost.badlands.org., version=TLSv1/SSLv3, verify=OK,
> cipher=DHE-RSA-AES256-SHA, bits=256/256
> Sep 19 21:22:20 renegade sm-mta[22156]: STARTTLS=server, relay=localhost
> [127.0.0.1], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA,
> bits=256/256
>
> so, if you get a FAIL message, please check your expiration dates!
> # openssl x509 -in /etc/mail/tls/sendmail-{server,client}.crt -enddate

That was my first try after I saw verify=NOT and it does not help at all, at
least not for me. My certificates are valid until January 2004!

-- 
ciao, Marc
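An added audit script for the three things this thread turns on (not code from the thread or from the Debian sendmail package): whether the key file carries the group/other read bits behind "unsafe: Group readable file", whether a generated .cf really lists GroupReadableKeyFile in DontBlameSendmail (the ",GroupReadableKeyFile" form included), and Richard's certificate expiry check. It looks at both sendmail.cf and submit.cf because the sm-mta daemon that logs the error reads sendmail.cf while submit.cf belongs to the submission program; all paths and fixtures are constructed in a temp directory.

```shell
#!/bin/sh
# Added example, not the thread's or the package's code. Fixtures are built in
# a temp directory so this runs offline; on a real box the inputs would be
# /etc/mail/tls/sendmail-common.key and the generated sendmail.cf/submit.cf.

# Returns 0 when neither group nor other can read the file, 1 otherwise.
# Columns 5-10 of `ls -l` output are the group and other permission triplets.
key_mode_safe() {
    case $(ls -ld "$1" | cut -c5-10) in
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Returns 0 when the .cf's DontBlameSendmail option lists GroupReadableKeyFile,
# whether alone, after a stray leading comma, or among other items.
cf_allows_group_readable_key() {
    grep -qE '^O DontBlameSendmail=(.*,)?GroupReadableKeyFile(,|$)' "$1"
}

# Richard's expiry check via openssl's -checkend: returns 0 if the certificate
# is still valid $2 seconds from now, 1 if it will have expired by then.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Constructed fixtures.
DEMO=$(mktemp -d)
touch "$DEMO/group.key" "$DEMO/owner.key"
chmod 640 "$DEMO/group.key"   # the thread's situation: key readable by group
chmod 600 "$DEMO/owner.key"   # accepted without any DontBlameSendmail setting
printf 'O DontBlameSendmail=,GroupReadableKeyFile\n' > "$DEMO/submit.cf"
printf 'O DontBlameSendmail=safe\n' > "$DEMO/sendmail.cf"

# One line per check; returns the number of findings.
audit() {
    findings=0
    for k in "$DEMO/group.key" "$DEMO/owner.key"; do
        key_mode_safe "$k" && echo "ok   $k" ||
            { echo "WARN $k readable by group/other"; findings=$((findings + 1)); }
    done
    for cf in "$DEMO/submit.cf" "$DEMO/sendmail.cf"; do
        cf_allows_group_readable_key "$cf" && echo "ok   $cf" ||
            { echo "WARN $cf lacks GroupReadableKeyFile"; findings=$((findings + 1)); }
    done
    return "$findings"
}
audit; echo "findings: $?"
```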

