Encrypting Your Sendmail Traffic

Sendmail since version 8.11 supports the starttls command. Starttls allows for authentication and confidentiality. We are only interested in confidentiality.

Run the following script:

   mkdir /etc/mail/certs
cd /etc/mail/certs
openssl dsaparam 1024 -out dsa1024.pem
openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout mykey.pem
rm dsa1024.pem
chmod -R go-rwx /etc/mail/certs

Then add the following lines to your sendmail.mc file:

   define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/mycert.pem')
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')

Regenerate sendmail.cf by typing make sendmail.cf. Copy the file to /etc/mail/sendmail.cf and restart sendmail.

Now try telnet localhost 25 and use the EHLO command to find out about the capabilities:

   220 openbsd.org ESMTP Sendmail 8.12.1/8.12.1/millert ready willing and able at Wed, 24 Oct 2001 16:48:01 -0600 (MDT)
EHLO citi.umich.edu
250-openbsd.cs.colorado.edu Hello [email protected], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP

If you see the STARTTLS command, sendmail supports encryption now. Also check /var/log/maillog.

Checking the headers of your email, will tell you if the email has been encrypted in transit:

   Received: from citi.umich.edu ([email protected] [141.211.133.1])
 by india.citi.umich.edu (8.11.3/8.11.3) with ESMTP id f9P0YON15029
 (using TLSv1/SSLv3 with cipher EDH-DSS-DES-CBC3-SHA (168 bits) verified NO)
 for <[email protected]>; Wed, 24 Oct 2001 20:34:25 -0400 (EDT)

For more detailed information on starttls check this article by Jose Nazario.

But what about Postfix?

You can find patches to support STARTTLS for Postfix at http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/.

Now you ask, but what about Qmail?

You can find patches to support STARTTLS for qmail at http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch.

Acknowledgements

Bill Simpson researched this and prodded me to turn it on.