Difference between revisions of "Install Certificate in CanIt"

From Roaring Penguin
(Add starttls.m4 instructions and note for back-tick char)

Revision as of 13:10, 7 December 2017

Here's my recommended "best practices" solution to this:

Part 1: Install the server's certificate using the Setup : HTTPS function

This function asks you for the cert and its key. It will update files in /etc/ssl/ and it will get HTTPS working for your web interface.

This isn't what you asked for, but later we'll make Sendmail use the same cert/key for TLS. A big bonus of doing it this way is that when the time comes to update the cert/key, you can easily use Setup : HTTPS again and the updates will be used by both Apache and Sendmail. Future key updates are a snap.

Part 2: Making Sendmail behave

Part 1 will create or update /etc/ssl/private/canit-appliance.key and /etc/ssl/certs/canit-appliance.crt.

We'll leave Sendmail's config file alone; instead we'll just create symlinks in /etc/mail/tls/ to the appropriate files.

These commands will do the business:

   mv /etc/mail/tls/sendmail-client.crt /etc/mail/tls/sendmail-client.crt.orig
   mv /etc/mail/tls/sendmail-server.crt /etc/mail/tls/sendmail-server.crt.orig
   mv /etc/mail/tls/sendmail-common.key /etc/mail/tls/sendmail-common.key.orig
   ln -s /etc/ssl/certs/canit-appliance.crt /etc/mail/tls/sendmail-client.crt
   ln -s /etc/ssl/certs/canit-appliance.crt /etc/mail/tls/sendmail-server.crt
   ln -s /etc/ssl/private/canit-appliance.key /etc/mail/tls/sendmail-common.key

Then restart Sendmail:

   /etc/init.d/sendmail restart

Part 3: Enabling TLS in sendmail.mc

This is a Sendmail function. First, you need to make sure that STARTTLS is enabled on your server. You do that by putting this line:

   include(`/etc/mail/tls/starttls.m4')dnl

in /etc/mail/sendmail.mc somewhere before the MAILER(`local')dnl line.

NOTE: Look closely at the beginning, include(`. The character right after the open bracket is a back-tick (shift-tilde on most 105-key US keyboard layouts), not an apostrophe; only the closing quote is an apostrophe. This is important, because m4 will not recognise the quoted filename otherwise.

Then type:

   make -C /etc/mail && /etc/init.d/sendmail restart

You need to do this on all hosts.
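As an added check, not part of the original wiki page: a POSIX shell script that verifies the result of Parts 1 to 3 on a host. The file paths are the ones the page names; the function names, the `--run` switch, the use of openssl to confirm that the certificate and key are a pair, and the STARTTLS fingerprint probe are assumptions of this example, not something the CanIt appliance ships.

```shell
#!/bin/sh
# Added example, not from the Roaring Penguin wiki: post-install checks for the
# symlink layout, key permissions and sendmail.mc change described in Parts 1 to 3.
# The paths are the ones the wiki names; pass other paths to the functions for a dry run.

# check_tls_links DIR CERT KEY
# Each of the three files in DIR must be a symlink whose target is exactly
# CERT (client and server cert) or KEY (common key), and the target must exist.
check_tls_links() {
    dir=$1; cert=$2; key=$3; rc=0
    for entry in "sendmail-client.crt=$cert" "sendmail-server.crt=$cert" "sendmail-common.key=$key"; do
        name=${entry%%=*}; want=${entry#*=}; link="$dir/$name"
        if [ ! -L "$link" ]; then
            echo "NOT A SYMLINK: $link" >&2; rc=1; continue
        fi
        target=$(readlink "$link")
        if [ "$target" != "$want" ]; then
            echo "WRONG TARGET: $link -> $target (expected $want)" >&2; rc=1
        elif [ ! -e "$link" ]; then
            echo "DANGLING LINK: $link -> $target" >&2; rc=1
        fi
    done
    return $rc
}

# check_key_perms KEY
# The private key must not be readable by group or others (octal -perm tests
# are used because symbolic modes are not supported by every find).
check_key_perms() {
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "PRIVATE KEY READABLE BY GROUP/OTHER: $1" >&2; return 1
    fi
    return 0
}

# check_mc_order FILE
# The starttls.m4 include must be present and must come before MAILER(`local')dnl,
# as Part 3 requires. Leading whitespace before either line is tolerated.
check_mc_order() {
    inc=$(grep -n "^[[:space:]]*include(\`/etc/mail/tls/starttls.m4')dnl" "$1" | head -n 1 | cut -d: -f1)
    mailer=$(grep -n "^[[:space:]]*MAILER(\`local')dnl" "$1" | head -n 1 | cut -d: -f1)
    if [ -z "$inc" ]; then echo "NO starttls.m4 INCLUDE IN $1" >&2; return 1; fi
    if [ -z "$mailer" ]; then echo "NO MAILER(\`local') LINE IN $1" >&2; return 1; fi
    if [ "$inc" -ge "$mailer" ]; then
        echo "INCLUDE ON LINE $inc COMES AFTER MAILER(\`local') ON LINE $mailer" >&2; return 1
    fi
    return 0
}

# cert_key_match CERT KEY   (needs openssl)
# The public key inside the certificate must equal the public key derived from KEY;
# works for any key type, not only RSA.
cert_key_match() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# served_fingerprint HOST   (needs openssl and network access)
# SHA-256 fingerprint of the certificate HOST presents after STARTTLS on port 25.
# Compare with: openssl x509 -noout -fingerprint -sha256 -in /etc/ssl/certs/canit-appliance.crt
served_fingerprint() {
    openssl s_client -starttls smtp -connect "$1:25" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# run_all: the local checks against the real paths (root is needed to read the key).
run_all() {
    check_tls_links /etc/mail/tls /etc/ssl/certs/canit-appliance.crt /etc/ssl/private/canit-appliance.key \
    && check_key_perms /etc/ssl/private/canit-appliance.key \
    && check_mc_order /etc/mail/sendmail.mc \
    && cert_key_match /etc/ssl/certs/canit-appliance.crt /etc/ssl/private/canit-appliance.key \
    && echo "OK: symlinks, key permissions, sendmail.mc and cert/key pair all check out"
}

if [ "${1:-}" = "--run" ]; then run_all; fi
```

Run it as `sh check-canit-tls.sh --run` on every host after the `make -C /etc/mail && /etc/init.d/sendmail restart` step; since the same cert is meant to be in use everywhere, `served_fingerprint <host>` from one box should return the same fingerprint for each appliance, and a mismatch points at a host where the symlinks or the sendmail.mc change were missed.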