Run the following script:
    mkdir /etc/mail/certs
    cd /etc/mail/certs
    openssl dsaparam 1024 -out dsa1024.pem
    openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout mykey.pem
    rm dsa1024.pem
    chmod -R go-rwx /etc/mail/certs
Then add the following lines to your sendmail.mc file:
    define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')
    define(`confCACERT_PATH', `CERT_DIR')
    define(`confCACERT', `CERT_DIR/mycert.pem')
    define(`confSERVER_CERT', `CERT_DIR/mycert.pem')
    define(`confSERVER_KEY', `CERT_DIR/mykey.pem')
    define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')
    define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')
Regenerate sendmail.cf by typing make sendmail.cf. Copy the file to /etc/mail/sendmail.cf and restart sendmail.
Now connect with telnet localhost 25 and issue an EHLO command to list the server's capabilities:
    220 openbsd.org ESMTP Sendmail 8.12.1/8.12.1/millert ready willing and able at Wed, 24 Oct 2001 16:48:01 -0600 (MDT)
    EHLO citi.umich.edu
    250-openbsd.cs.colorado.edu Hello [email protected], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-STARTTLS
    250-DELIVERBY
    250 HELP
If STARTTLS appears in that list, sendmail now offers encryption. Also check /var/log/maillog.
Checking the headers of your email will tell you whether it was encrypted in transit: the Received: line records the TLS version and cipher of the hop, and "verified NO" shows that the peer's certificate was not verified, so the hop was encrypted but the peer was not authenticated:
    Received: from citi.umich.edu ([email protected] [141.211.133.1])
        by india.citi.umich.edu (8.11.3/8.11.3) with ESMTP id f9P0YON15029
        (using TLSv1/SSLv3 with cipher EDH-DSS-DES-CBC3-SHA (168 bits) verified NO)
        for <[email protected]>; Wed, 24 Oct 2001 20:34:25 -0400 (EDT)
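To make the two checks above (STARTTLS in the EHLO reply, and the TLS clause in a Received: header) repeatable rather than eyeballed, here is an added example script; it is not part of the original page and is not sendmail code. It parses an EHLO transcript of the kind captured with telnet and a sendmail-style Received: header. The hostnames, IP address and transcript below are constructed placeholders modelled on the session shown above, not captures from the original server.

```python
import re

# Constructed sample EHLO transcript, modelled on the telnet session above.
# Hostnames and the IP address are placeholders.
SAMPLE_EHLO = """220 mail.example.test ESMTP Sendmail 8.12.1/8.12.1 ready at Wed, 24 Oct 2001 16:48:01 -0600 (MDT)
250-mail.example.test Hello client.example.test [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-STARTTLS
250 HELP
"""

# Constructed Received: header in sendmail's format (placeholder hosts and address).
SAMPLE_RECEIVED = (
    "Received: from client.example.test (client.example.test [192.0.2.10])\n"
    "\tby mail.example.test (8.11.3/8.11.3) with ESMTP id f9P0YON15029\n"
    "\t(using TLSv1/SSLv3 with cipher EDH-DSS-DES-CBC3-SHA (168 bits) verified NO)\n"
    "\tfor <user@example.test>; Wed, 24 Oct 2001 20:34:25 -0400 (EDT)"
)


def ehlo_capabilities(transcript):
    """Return the set of capability keywords advertised in an EHLO reply.

    Each '250-KEYWORD ...' or '250 KEYWORD ...' line carries one capability.
    The first 250 line ('250-hostname Hello ...') is the greeting and is skipped;
    the 220 banner and any other reply codes are ignored.
    """
    caps = set()
    seen_greeting = False
    for line in transcript.splitlines():
        m = re.match(r"^250[- ](\S+)", line.strip())
        if not m:
            continue
        if not seen_greeting:
            seen_greeting = True
            continue
        caps.add(m.group(1).upper())
    return caps


def offers_starttls(transcript):
    """True when the server advertised STARTTLS in its EHLO reply."""
    return "STARTTLS" in ehlo_capabilities(transcript)


# The TLS clause sendmail writes into Received: headers for an encrypted hop.
TLS_RE = re.compile(
    r"\(using (?P<version>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+) bits\) "
    r"verified (?P<verified>\S+)\)"
)


def received_tls_info(header):
    """Extract TLS details from a sendmail Received: header.

    Returns None when the hop carried no 'using ... with cipher' clause, i.e.
    was not encrypted. Only 'verified OK' means sendmail verified the peer's
    certificate; any other value (NO, FAIL, ...) means the hop was encrypted
    but the peer was not authenticated.
    """
    unfolded = " ".join(part.strip() for part in header.splitlines())
    m = TLS_RE.search(unfolded)
    if not m:
        return None
    return {
        "version": m.group("version"),
        "cipher": m.group("cipher"),
        "bits": int(m.group("bits")),
        "verified": m.group("verified"),
        "authenticated": m.group("verified") == "OK",
    }


if __name__ == "__main__":
    print("STARTTLS offered:", offers_starttls(SAMPLE_EHLO))
    print("Received: TLS info:", received_tls_info(SAMPLE_RECEIVED))
```

Paste the real telnet transcript and a header from your own maillog or mailbox in place of the constructed samples; a hop whose header lacks the "using ... with cipher" clause was sent in the clear, and an "authenticated" value of False is what the self-signed certificate created above will produce.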
For more detailed information on STARTTLS, see this article by Jose Nazario.