-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alexander Dalloz wrote:
<<--snip-->>
| Hi James!
|
| It does not matter, as long as you don't use certificates for
| authentication. From what I understand by your efforts you just want to
| activate TLS, both for Sendmail as for POP3 (where it is called POP3s
| then). In this case the certificate is only used for handshaking and
| building an encrypted connection. The only important thing you must take
| care of is to use as CN the real resolvable FQDN when creating the
| certificate. Else some clients complain at every connection or they even
| refuse to connect due to a claimed insecure connection / mismatching
| certificate detected. I myself simply name my mail server
| mail.mydomain.tld and use that name for my users / customers for SMTP
| (Sendmail) and IMAPs and POP3s.
|
| Alexander

Thanks for your help in this... I know you have been very patient with me. This is only the first time I've tried a secure email server. Pop3s was easy enough to set up. When I set up (or tried to) TLS, things didn't work so easily.

Changes:
---------

a) /usr/lib/sasl2/Sendmail.conf
   had pwcheck_method set to pam.... I'm not sure if this is the default or not... I changed this to shadow like you have suggested is the default.
   I also renamed another file there called smtpd.conf to smtpd.conf.old just in case there was a conflict there.

b) To help later to simplify configuring the secure clients, I took a page from one of the links you sent me (or maybe I found). Anyway, I created a directory called /etc/mail/ssl to store the ssl information.
   I ran '/usr/share/ssl/misc/CA.pl -newca' which creates a ./demoCA directory with all the important information. I then moved the files in ./demoCA to /etc/mail/ssl... I did this to help later with using and creating certificates later if need be.

c) I had to copy /usr/share/ssl/certs/ipop3d.pem to /etc/mail/ssl/cacert.pem and /etc/mail/ssl/private/cakey.pem to fix an issue of both certificates having the same serial number. My email client kept complaining about both certificates having the same serial number and asking the administrator to fix the issue. It just may be my email client and not all. Of course, I still had to edit both of them, deleting the cert information from the cakey.pem file and the rsa information from the cacert.pem file. I'm guessing this was because both certs contained the exact same information; but, different keys were used to sign the key.

d) I had to use the trick of using 'cp /etc/mail/ssl/cacert.pem /etc/mail/ssl/certs/`openssl x509 -noout -hash < /etc/mail/ssl/cacert.pem`.0'. This creates the hash (link) file needed by STARTTLS to not complain about the key not existing.

e) I had to modify sendmail.mc to point to the new directories for the certs and keys...

Everything seems to be working well now. Oh, I did change the password for the user!!!!

Thanks,
James Kosin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA9taxc7lFLjBWKW0RAlDFAJ4ppfPr52D37sZ/54PkKOsdn1CeZwCfYHA4
mN5JaxWriA/xWm1DfrJ/XfQ=
=4B6q
-----END PGP SIGNATURE-----
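The steps James describes (a certificate whose CN is the server's resolvable FQDN, key and certificate kept in separate files so nothing has to be hand-edited apart, and a hash-named copy in the certs directory so the OpenSSL CApath lookup finds it) can be reproduced and checked in a few shell functions. The script below is an added example, not code from the list thread; it assumes `openssl` is on the PATH, uses a scratch directory instead of /etc/mail/ssl, and the hostname `mail.example.tld` is a constructed placeholder. It also adds a check that the private key actually belongs to the certificate, which is the thing that goes wrong when certificate and key material are split by hand.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): create a self-signed
# certificate for a mail server with the FQDN as CN, install the hash link
# that OpenSSL's CApath lookup expects, and verify the result.
set -eu

# Assumptions: scratch directory instead of /etc/mail/ssl, placeholder FQDN.
SSLDIR="${SSLDIR:-$(mktemp -d)}"
FQDN="${FQDN:-mail.example.tld}"

# Generate key and certificate directly into separate files, so there is
# nothing to edit apart afterwards and the two never share a serial number.
make_mail_cert() {
    mkdir -p "$SSLDIR/certs" "$SSLDIR/private"
    chmod 700 "$SSLDIR/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$FQDN" \
        -keyout "$SSLDIR/private/cakey.pem" \
        -out "$SSLDIR/cacert.pem" >/dev/null 2>&1
    chmod 600 "$SSLDIR/private/cakey.pem"
}

# Same idea as the 'openssl x509 -noout -hash' trick in the post: CApath
# lookup wants a file named <subject-hash>.0 in the certs directory.
# Prints the path of the link it created.
install_hash_link() {
    hash=$(openssl x509 -noout -hash -in "$SSLDIR/cacert.pem")
    ln -sf "../cacert.pem" "$SSLDIR/certs/$hash.0"
    echo "$SSLDIR/certs/$hash.0"
}

# Print the CN from the certificate subject (handles both the old
# "/CN=host" and the newer "CN = host" output formats).
cert_cn() {
    openssl x509 -noout -subject -in "$SSLDIR/cacert.pem" \
        | sed -n 's/.*CN *= *//p'
}

# Exit 0 if the CN is exactly the FQDN clients will connect to;
# a mismatch is what makes mail clients warn on every connection.
cn_matches_fqdn() {
    [ "$(cert_cn)" = "$FQDN" ]
}

# Exit 0 if the certificate verifies via the hash directory, i.e. the
# <hash>.0 link is correct and the lookup finds the trusted cert.
verify_cert() {
    openssl verify -CApath "$SSLDIR/certs" "$SSLDIR/cacert.pem" >/dev/null 2>&1
}

# Exit 0 if cakey.pem is the private key for cacert.pem (same RSA modulus).
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$SSLDIR/cacert.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$SSLDIR/private/cakey.pem" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

# Usage when run directly:
#   make_mail_cert && install_hash_link && cn_matches_fqdn && verify_cert && key_matches_cert
```

The verification functions are the useful part for an existing installation: point `SSLDIR` at the real certificate directory and `FQDN` at the name clients use, and `cn_matches_fqdn`, `verify_cert` and `key_matches_cert` each return non-zero for exactly the misconfigurations the thread describes (wrong CN, missing hash file, key that does not belong to the certificate).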