
How to make Sendmail use SSL/TLS whenever possible


We want Sendmail to transfer mail through SMTP over TLS whenever possible for a variety of security reasons. Yes, TLS and not SSL — we might use "SSL" as a generic term, but the actual protocol we want to use is TLS and not literally SSL. The security involves authenticating both end points and encrypting the content for confidentiality while in transit.

Why the concern about TLS instead of SSL? A series of vulnerability discoveries from mid-2011 through late 2014 clearly showed that all versions of SSL have fundamental insecurities that cannot be fixed by patching or configuring workarounds.

Of course, SSL is still used as a generic term for the collection of multiple versions of both SSL and TLS, so yes, in that sense you are "using SSL", but you should not be literally using SSL.

Do not use SSL, use TLS.

I have quite a bit of background on my dedicated SSL/TLS Security page; have a look at that to find links to the research papers and vulnerability announcements explaining all this in detail.

What security can we achieve with SMTP over TLS? The first part is host authentication, ideally mutual host authentication. SMTP is used for delivery to a server. The workstation where you composed the message can use SMTP to upload the message to your corporate outbound mail server, and then your corporate mail server uses SMTP to relay the message to my ISP's mail server.

In the first step from the workstation to the outbound server, the workstation probably won't have the needed key pair and digital certificate, and very likely won't be able to verify the server's authentication, but at least the content will be encrypted as it traverses your organization's internal networks. More importantly, if you are working remotely, it will be encrypted as it goes from your home or hotel to your corporate server.

The greater authentication benefit is on the server-to-server hops. Each server needs to have a public/private key pair, and its public key needs to be contained within a digital certificate. If the issuer of the digital certificate, an entity known as a CA or Certification Authority, is known and trusted by both servers, then they can mutually authenticate. Each server can have high confidence in the identity of the other based on the trustworthiness of the CA plus confidence in the mathematics of the cryptography.

If both servers belong to the same organization, as is the case for many of the SMTP server-to-server hops at either end, then mutual authentication and CA trust are very straightforward as they will have used the same CA.

For authentication and trust between organizations, the digital certificates could be issued by the same public CA.

SMTP/S or SMTP over TLS uses TCP port 465, rather than SMTP's port 25. TCP/465 is another port you may need to open on one or more firewalls.

Create your own key pairs and certificates

1. Create a certificate directory and go there:

# mkdir /etc/mail/cert
# cd /etc/mail/cert 

2. Create a key for the server, giving a new pass phrase when prompted:

# openssl genrsa -des3 -out server.key 2048

3. Create a clear-text copy of the key (so it is not pass-phrase-protected), giving the pass phrase when asked:

# openssl rsa -in server.key -out server.key.open

4. Create a self-signed certificate from the clear-text key, answering the X.509v3 questions appropriately:

# openssl req -new -x509 -days 3650 -key server.key.open -out server.crt

5. Make the files readable and writable by root only:

# chmod 600 server.* 

6. Edit /etc/mail/sendmail.cf and add these lines. You should find commented-out versions of these settings in the file, maybe about a third of the way through it.

O CACertPath=/etc/mail/cert
O CACertFile=/etc/mail/cert/server.crt
O ServerCertFile=/etc/mail/cert/server.crt
O ServerKeyFile=/etc/mail/cert/server.key.open
O ClientCertFile=/etc/mail/cert/server.crt
O ClientKeyFile=/etc/mail/cert/server.key.open

7. Restart sendmail:

# /etc/init.d/sendmail restart 
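
As an added example (not part of the original page), this script audits the file options from step 6 before the restart: each option must be set on an uncommented line, certificate options must point at a certificate, and key options must point at a clear-text private key that only its owner can access. The function names and the fixture built in demo are this example's own; the fixture uses placeholder PEM markers, not real keys.

```shell
#!/bin/sh
# Added example: audit the TLS file options in a sendmail.cf.
# Prints one line per finding; the return status is the number of findings.
bad() { echo "$1"; problems=$((problems + 1)); }

check_sendmail_tls() {
    cf=$1; problems=0
    for opt in CACertFile ServerCertFile ServerKeyFile ClientCertFile ClientKeyFile; do
        # Only uncommented "O Name=value" lines count; if repeated, the last is checked.
        file=$(sed -n -e 's/[[:space:]]*$//' -e "s/^O[[:space:]]*$opt=//p" "$cf" | tail -n 1)
        if [ -z "$file" ]; then bad "$opt: not set"; continue; fi
        if [ ! -f "$file" ]; then bad "$opt: $file does not exist"; continue; fi
        case $opt in
        *KeyFile)
            if ! grep -q 'PRIVATE KEY-----' "$file"; then
                bad "$opt: $file holds no private key"; continue
            fi
            # Step 3 exists because the daemon cannot type a pass phrase.
            if grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$file"; then
                bad "$opt: $file is pass-phrase protected"
            fi
            # Step 5 (chmod 600): group/other bits are characters 5-10 of the mode.
            if [ "$(ls -ldL "$file" | cut -c5-10)" != "------" ]; then
                bad "$opt: $file is accessible to group or others"
            fi ;;
        *)
            grep -q 'BEGIN CERTIFICATE' "$file" || bad "$opt: $file holds no certificate" ;;
        esac
    done
    return "$problems"
}

# Constructed fixture with placeholder PEM markers, not real key material.
# Its ClientKeyFile points at the certificate, which the audit should flag.
demo() {
    d=$(mktemp -d) || return 99
    printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$d/server.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$d/server.key.open"
    chmod 600 "$d/server.key.open"
    for opt in CACertFile ServerCertFile ClientCertFile ClientKeyFile; do
        echo "O $opt=$d/server.crt"
    done > "$d/sendmail.cf"
    echo "O ServerKeyFile=$d/server.key.open" >> "$d/sendmail.cf"
    rc=0; check_sendmail_tls "$d/sendmail.cf" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "findings: $?"
```

To audit the live configuration, call check_sendmail_tls /etc/mail/sendmail.cf as root; a return status of 0 means no findings.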

Alternative method, using sendmail.mc

You can modify sendmail.mc instead of sendmail.cf and have your changes persist through make runs. Thanks to Dave Miller for pointing this out:

dnl #
define(`confCACERT_PATH', `/etc/mail/cert')dnl
define(`confCACERT', `/etc/mail/cert/server.crt')dnl
define(`confSERVER_CERT', `/etc/mail/cert/server.crt')dnl
define(`confSERVER_KEY', `/etc/mail/cert/server.key.open')dnl
define(`confCLIENT_CERT', `/etc/mail/cert/server.crt')dnl
define(`confCLIENT_KEY', `/etc/mail/cert/server.key.open')dnl