Setting SMTP to Use TLS
Starting in the Solaris 10 1/06 release, SMTP can use Transport Layer Security (TLS)
in version 8.13 of sendmail. TLS gives SMTP servers and clients private, authenticated
communication over the Internet and protects sessions from eavesdropping and tampering.
Note that this service is not enabled by default. Also note that enabling it as described
here offers STARTTLS to peers and uses it when they support it; by itself it does not reject
peers that connect without TLS, so check the Received: header (see Example 13-1) to confirm
that a given message actually traveled over TLS with a verified peer.
How to Set SMTP to Use TLS
The following procedure uses sample data to show you how to set up the
certificates that enable sendmail to use TLS. For more information, see Support for Running SMTP With TLS in Version 8.13 of sendmail.
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a
role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Stop sendmail.
# svcadm -t disable network/smtp:sendmail
- Set up the certificates that enable sendmail to use TLS.
- Complete the following:
# cd /etc/mail
# mkdir -p certs/CA
# cd certs/CA
# mkdir certs crl newcerts private
# echo "01" > serial
# cp /dev/null index.txt
# cp /etc/sfw/openssl/openssl.cnf .
- Use your preferred text editor to change the dir value in the openssl.cnf file from
/etc/sfw/openssl to /etc/mail/certs/CA.
- Use the openssl command-line tool to create the certificate authority (CA) certificate and its private key.
Note that the following command line generates interactive text. The sample output shows the 1024-bit RSA key that this OpenSSL release generates by default; current guidance is at least 2048 bits, which you can request by adding -newkey rsa:2048 to the command.
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 \
-config openssl.cnf
Generating a 1024 bit RSA private key
.....................................++++++
.....................................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:Menlo Park
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:Sun Microsystems
Organizational Unit Name (eg, section) []:Solaris
Common Name (eg, YOUR name) []:somehost.somedomain.example.com
Email Address []:someuser@example.com
- req
This command creates and processes certificate requests.
- -new
This req option generates a new certificate request.
- -x509
This req option creates a self-signed certificate.
- -keyout private/cakey.pem
This req option enables you to assign private/cakey.pem as the file name for your newly created private key.
- -out cacert.pem
This req option enables you to assign cacert.pem as your output file.
- -days 365
This req option enables you to certify the certificate for 365 days. The default value is 30.
- -config openssl.cnf
This req option enables you to specify openssl.cnf as the configuration file.
Note that this command requires that you provide the following:
Country Name, such as US.
State or Province Name, such as California.
Locality Name, such as Menlo Park.
Organization Name, such as Sun Microsystems.
Organizational Unit Name, such as Solaris.
Common Name, which is the machine's fully qualified host name. For more information, see the check-hostname(1M) man page.
Email Address, such as someuser@example.com.
- Make a new host certificate and sign it with the certificate authority.
Later steps in this procedure link MYcert.pem and MYkey.pem to the files that this step creates (newcert.pem and newreq.pem), so sendmail needs a signed host certificate and key before it can use TLS.
- Make a new certificate.
The -nodes option leaves the private key unencrypted, because sendmail must read the key at start-up without a pass phrase; a later step restricts read permission on that key for this reason.
# cd /etc/mail/certs/CA
# openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 \
-config openssl.cnf
Generating a 1024 bit RSA private key
..............++++++
..............++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:Menlo Park
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:Sun Microsystems
Organizational Unit Name (eg, section) []:Solaris
Common Name (eg, YOUR name) []:somehost.somedomain.example.com
Email Address []:someuser@example.com
This command requires that you provide the same information that you provided when you
created the CA certificate. Note that in this example, the certificate and private key are in the file
newreq.pem.
- Sign the new certificate with the certificate authority.
# cd /etc/mail/certs/CA
# openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
Getting request Private Key
Generating certificate request
# openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/mail/certs/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 23 18:44:38 2005 GMT
Not After : Jun 23 18:44:38 2006 GMT
Subject:
countryName = US
stateOrProvinceName = California
localityName = Menlo Park
organizationName = Sun Microsystems
organizationalUnitName = Solaris
commonName = somehost.somedomain.example.com
emailAddress = someuser@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
93:D4:1F:C3:36:50:C5:97:D7:5E:01:E4:E3:4B:5D:0B:1F:96:9C:E2
X509v3 Authority Key Identifier:
keyid:99:47:F7:17:CF:52:2A:74:A2:C0:13:38:20:6B:F1:B3:89:84:CC:68
DirName:/C=US/ST=California/L=Menlo Park/O=Sun Microsystems/OU=Solaris/\
CN=someuser@example.com/emailAddress=someuser@example.com
serial:00
Certificate is to be certified until Jun 23 18:44:38 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# rm -f tmp.pem
In this example the file newreq.pem contains the self-signed certificate and the private key. The
file newcert.pem contains the certificate signed by the CA.
- x509 utility
Displays certificate information, converts certificates to various forms, and signs certificate requests
- ca application
Used to sign certificate requests in a variety of forms and to generate CRLs (certificate revocation lists)
- Enable sendmail to use the certificates by adding the following lines to your .mc
file.
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/MYcert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/MYkey.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/MYcert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/MYkey.pem')dnl
For more information, see Configuration File Options for Running SMTP With TLS.
- Rebuild and install your sendmail.cf file in your /etc/mail directory.
For detailed instructions, see Building the sendmail.cf Configuration File.
- Create symbolic links from the files you created with openssl to the files
you defined in your .mc file.
# cd /etc/mail/certs
# ln -s CA/cacert.pem CAcert.pem
# ln -s CA/newcert.pem MYcert.pem
# ln -s CA/newreq.pem MYkey.pem
- For added security, deny read permission to group and others for MYkey.pem.
# chmod go-r MYkey.pem
Because MYkey.pem is a symbolic link, chmod changes the mode of the target file, CA/newreq.pem, which holds the unencrypted key. sendmail checks the permissions of the key file at start-up and refuses a key that group or others can read.
- Use a symbolic link to install CA certs in the directory assigned to confCACERT_PATH.
OpenSSL locates a CA certificate in this directory by a hash of the certificate's subject name, so the link name must be that hash followed by .0.
# C=CAcert.pem
# ln -s $C `openssl x509 -noout -hash < $C`.0
Note that OpenSSL 1.0.0 changed this hash. If the OpenSSL library that sendmail uses is a different major version from the openssl command that you run here, create a second link named with the other form of the hash (openssl x509 -noout -subject_hash_old on a newer command), which is what the c_rehash script does.
- For secure mail with other hosts, install their host certificates.
- Copy the file defined by the other host's confCACERT option to /etc/mail/certs/host.domain.cert.pem.
Replace host.domain with the other host's fully qualified host name.
- Use a symbolic link to install CA certs in the directory assigned to confCACERT_PATH.
# C=host.domain.cert.pem
# ln -s $C `openssl x509 -noout -hash < $C`.0
Replace host.domain with the other host's fully qualified host name.
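The certificate steps of this procedure (creating the CA, the host key and certificate, the links that the .mc options name, the key permissions and the hash link), collected into one non-interactive POSIX shell script, as an added example that is not part of the Solaris guide. It assumes a scratch directory passed as an argument instead of /etc/mail/certs, the subject names and the host name mail.example.com shown, 2048-bit RSA keys, and a CA pass phrase passed as an argument. It also generates a proper certificate request instead of round-tripping a self-signed certificate through x509 -x509toreq, and adds a subjectAltName, which the guide's procedure does not.

```shell
#!/bin/sh
# Added example, not code from the Solaris guide: the certificate steps of the
# procedure above as one non-interactive script. Directory, subject names,
# 2048-bit keys and the one-year validity are this example's assumptions.
set -e

# setup_mail_tls_certs DIR FQDN CA_PASSPHRASE
#   Builds DIR with the files the .mc options above expect (CAcert.pem,
#   MYcert.pem, MYkey.pem and the <hash>.0 link) and verifies the chain.
setup_mail_tls_certs() {
    dir=$1
    fqdn=$2
    ca_pass=$3

    mkdir -p "$dir/CA/private"
    chmod 700 "$dir/CA/private"

    # 1. Self-signed CA certificate. The CA key stays pass-phrase protected,
    #    as in the guide; it is only needed when signing host certificates.
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 365 \
        -keyout "$dir/CA/private/cakey.pem" -out "$dir/CA/cacert.pem" \
        -passout "pass:$ca_pass" \
        -subj "/C=US/O=Example Corp/OU=Mail/CN=Example Mail CA"

    # 2. Host key plus a real certificate request, instead of the guide's
    #    self-signed certificate converted back with x509 -x509toreq.
    #    -nodes: sendmail must read this key at start-up without a pass phrase.
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -keyout "$dir/CA/newreq.pem" -out "$dir/CA/host.csr" \
        -subj "/C=US/O=Example Corp/OU=Mail/CN=$fqdn"

    # 3. Sign the request with the CA. Mark the result as an end-entity
    #    certificate and carry the host name in subjectAltName, which
    #    current TLS peers check in preference to the CN.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" \
        > "$dir/CA/host.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/CA/host.csr" \
        -CA "$dir/CA/cacert.pem" -CAkey "$dir/CA/private/cakey.pem" \
        -passin "pass:$ca_pass" -CAcreateserial \
        -extfile "$dir/CA/host.ext" -out "$dir/CA/newcert.pem"

    # 4. The link names used by confCACERT, confSERVER_CERT and confSERVER_KEY.
    ( cd "$dir" \
      && ln -sf CA/cacert.pem CAcert.pem \
      && ln -sf CA/newcert.pem MYcert.pem \
      && ln -sf CA/newreq.pem MYkey.pem )
    # chmod through the MYkey.pem link would change this same file.
    chmod 600 "$dir/CA/newreq.pem"

    # 5. Hash links so OpenSSL finds the CA certificate in confCACERT_PATH.
    #    OpenSSL 1.0.0 changed the subject hash; install both forms, as
    #    c_rehash does, so either library generation resolves it.
    ( cd "$dir" \
      && ln -sf CAcert.pem "$(openssl x509 -noout -hash -in CAcert.pem).0" \
      && ln -sf CAcert.pem "$(openssl x509 -noout -subject_hash_old -in CAcert.pem).0" )

    # 6. Prove the chain validates before pointing sendmail at it.
    openssl verify -CAfile "$dir/CAcert.pem" "$dir/MYcert.pem" >/dev/null
}

# Stand-alone demo in a scratch directory rather than /etc/mail/certs:
#   sh setup_mail_tls.sh --demo
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    setup_mail_tls_certs "$scratch/certs" mail.example.com "$(openssl rand -hex 16)"
    ls -l "$scratch/certs"
    rm -rf "$scratch"
fi
```

Run it with --demo to see the resulting file layout. For a real server, stop sendmail as described above, pass /etc/mail/certs as the directory, and keep the CA pass phrase out of shell history (for example, read it from a file with mode 600 into the variable before calling the function). The openssl verify call at the end is the check worth keeping: if it fails here, sendmail will log the same chain failure later and fall back to plaintext.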
- Restart sendmail.
# svcadm enable network/smtp:sendmail
Example 13-1 Received: Mail Header
The following is an example of a Received: header for secure mail with TLS.
Received: from his.example.com ([IPv6:2001:db8:3c4d:15::1a2f:1a2b])
by her.example.com (8.13.4+Sun/8.13.4) with ESMTP id j2TNUB8i242496
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <janepc@her.example.com>; Tue, 29 Mar 2005 15:30:11 -0800 (PST)
Received: from her.example.com (her.city.example.com [192.168.0.0])
by his.example.com (8.13.4+Sun/8.13.4) with ESMTP id j2TNU7cl571102
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <janepc@her.example.com>; Tue, 29 Mar 2005 15:30:07 -0800 (PST)
Note that the value for verify is OK, which means that the peer presented a certificate that sendmail validated against a CA certificate in the confCACERT_PATH directory, so the authentication was successful. A Received: header that shows version= and cipher= but a verify value other than OK (for example NO, when the peer presented no certificate) means that the hop was encrypted but the peer was not authenticated; a header with no version= at all means that the hop used plaintext SMTP. For more information, see Macros for Running SMTP With TLS.
See Also
The following OpenSSL man pages:
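A small audit of the Received: trail, as an added example that is not from the Solaris guide: it unfolds each Received: header, reports per hop whether sendmail recorded a TLS session and what verify= said, and fails if any hop was plaintext or unverified. The first two hops in the sample are the ones from Example 13-1; the relay.example.net and legacy.example.org hops, their addresses and their queue IDs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): audit the Received: trail of a
# message and report, per hop, whether sendmail recorded TLS and what the
# verify= result was. The third and fourth hops below are constructed.
set -e

# audit_received_headers < message-headers
# Unfolds each Received: header and prints one line per hop:
#   <sending host> tls=<yes|no> verify=<value or ->
audit_received_headers() {
    awk '
        function flush() {
            if (rec == "") return
            from = rec
            sub(/^Received: from[ \t]+/, "", from)   # keep the name after "from"
            sub(/[ \t(].*/, "", from)                # drop "(helo [ip])" and the rest
            tls = (rec ~ /version=(TLS|SSL)/) ? "yes" : "no"
            verify = "-"
            if (match(rec, /verify=[A-Za-z]+/))
                verify = substr(rec, RSTART + 7, RLENGTH - 7)
            printf "%s tls=%s verify=%s\n", from, tls, verify
            rec = ""
        }
        /^Received:/          { flush(); rec = $0; next }
        /^[ \t]/ && rec != "" { rec = rec " " $0; next }   # folded continuation line
                              { flush() }                   # any other header ends the record
        END                   { flush() }
    '
}

# received_all_verified < message-headers
# Succeeds only when every hop used TLS and sendmail verified the peer (verify=OK).
received_all_verified() {
    audit_received_headers | awk '
        { n++; if ($0 !~ /verify=OK$/) bad++ }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }
    '
}

# Sample headers: the two hops from Example 13-1 above, followed by two
# constructed hops (a peer that offered no certificate, and a plaintext hop).
sample_headers() {
    cat <<'EOF'
Received: from his.example.com ([IPv6:2001:db8:3c4d:15::1a2f:1a2b])
 by her.example.com (8.13.4+Sun/8.13.4) with ESMTP id j2TNUB8i242496
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
 for <janepc@her.example.com>; Tue, 29 Mar 2005 15:30:11 -0800 (PST)
Received: from her.example.com (her.city.example.com [192.168.0.0])
 by his.example.com (8.13.4+Sun/8.13.4) with ESMTP id j2TNU7cl571102
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
 for <janepc@her.example.com>; Tue, 29 Mar 2005 15:30:07 -0800 (PST)
Received: from relay.example.net (relay.example.net [192.0.2.10])
 by her.example.com (8.13.4+Sun/8.13.4) with ESMTP id j2TNV0Ab000001
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
 for <janepc@her.example.com>; Tue, 29 Mar 2005 15:29:50 -0800 (PST)
Received: from legacy.example.org (legacy.example.org [198.51.100.7])
 by relay.example.net (8.13.4+Sun/8.13.4) with ESMTP id j2TNUzQx000002
 for <janepc@her.example.com>; Tue, 29 Mar 2005 15:29:40 -0800 (PST)
Subject: test
EOF
}

sample_headers | audit_received_headers
if sample_headers | received_all_verified; then
    echo "all hops: TLS with verified peer"
else
    echo "WARNING: at least one hop was plaintext or the peer was not verified"
fi
```

To check a real message, pipe its header block into audit_received_headers instead of sample_headers. Trust only the Received: lines that your own hosts added: a remote sender can write any text into the hops that precede its own, so a verify=OK on a hop recorded by a server you do not control proves nothing.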