STARTTLS Makes The Internet Better

March 2014: STARTTLS in various ways
Bonus: Notes on STARTTLS in Sendmail at the end of this document.
Prepare the build environment
If you’ve never built an RPM before, you’ll have to install the programs for compiling and packaging software.
CentOS guide to rebuilding RPMs
Fedora guide to creating RPMs
Install the package group with gcc, the rpm-build package, and some RPMs we’ll need for openssl.
yum -y groupinstall "Development tools"
yum -y install rpm-build zlib-devel krb5-devel
mkdir -p /usr/src/redhat/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo '%_topdir /usr/src/redhat' > ~/.rpmmacros
If your mailserver is already configured for STARTTLS, it should pick up the changes:
openssl s_client -connect localhost:25 -starttls smtp
Old TLS v1
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
New TLS v1.2
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Certificate for Sendmail
You can use the Makefile shipped in /etc/pki/tls/certs to generate a certificate for sendmail and STARTTLS. Let's increase the certificate lifetime and the RSA key size first.
cd /etc/pki/tls/certs
sed -i -e "s/days 365 /days 3653 /g" Makefile
sed -i -e "s/2048/4096/g" Makefile
make sendmail.pem
openssl dhparam -2 -out dh1024.pem 1024
cat dh1024.pem >> sendmail.pem
Sendmail Configuration for STARTTLS
Quick updates to sendmail.mc: remove the leading 'dnl' from the TLS lines below, then rebuild sendmail.cf and restart sendmail.
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confDH_PARAMETERS', `/etc/pki/tls/certs/dh1024.pem')dnl
m4 sendmail.mc > sendmail.cf
/etc/init.d/sendmail restart
Output from /var/log/maillog
before: version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
after: version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
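The two checks above (the s_client handshake and the maillog lines) can be scripted. The example below is added here and is not code from the original page: it parses sendmail's STARTTLS log lines, flags SHA-1/RC4/DES suites and missing forward secrecy, and offers a live check that upgrades an SMTP session with a TLS 1.2-only context and reports what was negotiated. One caveat the page's output illustrates: the version= field in these sendmail logs is OpenSSL's cipher version string, which older OpenSSL reports as TLSv1/SSLv3 for every SSLv3-or-later suite, so the cipher name (GCM-SHA384 is a TLS 1.2-only suite) is the reliable indicator, and the code classifies by cipher name rather than by that field. The sample log lines and the host name in the usage block are constructed.

```python
"""Check a STARTTLS upgrade: parse sendmail maillog TLS lines and do a
live TLS 1.2-only handshake. Added example, not part of the original page."""
import re
import smtplib
import ssl
import sys

# Field patterns that match both the page's abbreviated lines
# ("version=TLSv1/SSLv3 cipher=... bits=256") and sendmail's usual
# comma-separated form ("version=TLSv1/SSLv3, verify=NO, cipher=..., bits=256/256").
FIELD_RE = {
    "version": re.compile(r"version=([^,\s]+)"),
    "cipher": re.compile(r"cipher=([^,\s]+)"),
    "bits": re.compile(r"bits=(\d+)"),
}

# Constructed sample lines modelled on the page's before/after output.
SAMPLE_LOG = [
    "before: version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256",
    "after: version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256",
    "Mar  1 10:00:00 mx sendmail[1234]: STARTTLS=server, relay=example.net "
    "[192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=RC4-SHA, bits=128/128",
]


def parse_tls_log(line):
    """Return {'version', 'cipher', 'bits'} from a STARTTLS log line, or None."""
    fields = {}
    for key, pattern in FIELD_RE.items():
        m = pattern.search(line)
        if not m:
            return None
        fields[key] = m.group(1)
    fields["bits"] = int(fields["bits"])
    return fields


def classify_cipher(cipher):
    """Rough strength class of an OpenSSL cipher-suite name."""
    if "GCM" in cipher or "CHACHA20" in cipher:
        return "aead"        # AEAD suites only exist in TLS 1.2 and later
    if cipher.endswith(("-SHA256", "-SHA384")):
        return "sha2"        # TLS 1.2 CBC suites with SHA-2 HMAC
    if cipher.endswith(("-SHA", "-MD5")) or "RC4" in cipher or "DES" in cipher:
        return "legacy"      # SHA-1/MD5 HMAC, RC4 or (3)DES: pre-TLS 1.2 era
    return "unknown"


def assess(fields):
    """List of findings for one parsed line; an empty list means it looks modern."""
    findings = []
    kind = classify_cipher(fields["cipher"])
    if kind == "legacy":
        findings.append("legacy cipher suite %s (SHA-1/MD5 MAC, RC4 or DES)" % fields["cipher"])
    elif kind == "unknown":
        findings.append("unrecognised cipher suite %s, review manually" % fields["cipher"])
    if not fields["cipher"].startswith(("DHE-", "ECDHE-")):
        findings.append("no forward secrecy (key exchange is not ephemeral DH/ECDH)")
    if fields["bits"] < 128:
        findings.append("only %d-bit symmetric key" % fields["bits"])
    return findings


def scan_log(lines):
    """Parse every line that carries TLS fields and pair it with its findings."""
    results = []
    for line in lines:
        fields = parse_tls_log(line)
        if fields is not None:
            results.append((fields["cipher"], assess(fields)))
    return results


def check_starttls(host, port=25, timeout=10, verify=True):
    """Live check: EHLO, require the STARTTLS extension, upgrade with a
    TLS 1.2+ context and report the negotiated protocol and cipher.
    verify=False is for a self-signed sendmail.pem like the one generated above."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        smtp.starttls(context=ctx)
        name, _, bits = smtp.sock.cipher()
        return {"starttls": True, "protocol": smtp.sock.version(),
                "cipher": name, "bits": bits, "findings": assess(
                    {"version": smtp.sock.version(), "cipher": name, "bits": bits})}


if __name__ == "__main__":
    for cipher, findings in scan_log(SAMPLE_LOG):
        print(cipher, "->", findings or "ok")
    if len(sys.argv) > 1:            # e.g. python check_starttls.py mail.example.org
        print(check_starttls(sys.argv[1], verify=False))
```

Run it with no arguments to see the log classification only; pass a host name to also perform the live handshake. If the handshake fails with a protocol error, the server still offers nothing at TLS 1.2 or above, which is exactly the state the rebuild above is meant to fix.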
The end.
Copyright © 2014 Patrick Tudor