Install Certificate in CanIt
Here's my recommended "best practices" solution to this:
Part 0: Get certificate
Your server(s) will need an SSL certificate. If you use a self-signed or dummy certificate for HTTPS, the vast majority of browsers will throw a security warning. If you use a self-signed or dummy certificate for SMTP/TLS, many sending mail servers that try TLS will fail to deliver: some accept certificates that do not verify, but not all, and when the SSL handshake fails the sender often does not fall back to plain SMTP, so the mail is simply not delivered.
Therefore, it is best to get an SSL certificate for your server. Each server will need its own, matching the host name that clients connect to. Wildcard certificates or certificates with Subject Alternative Names (SANs) may work for several hosts.
Every certificate provider (Certificate Authority, whoever you choose to sign your certificate) has its own process. Follow their process and at the end you should have:
- SSL Certificate
- Private Key
- Certificate bundle/chain (may not need this; if you need it the CA will provide it)
Part 1: Install the server's certificate using the Setup : HTTPS function
This function asks you for the certificate and its key. It updates files in /etc/ssl/ and gets HTTPS working for the web interface.
This isn't what you asked for, but later we'll make Sendmail use the same cert/key for TLS. A big bonus of doing it this way is that when the time comes to update the cert/key, you simply use Setup : HTTPS again and the update is picked up by both Apache and Sendmail. Future key updates are a snap.
On the Setup : HTTPS page it says:
Please paste your SSL certificate into the text box below. If your provider supplies a certificate chain file, paste the contents of that file immediately below your certificate.
When you get your certificate signed by a Certificate Authority, they often provide a "certificate bundle" or "certificate chain". These are the intermediate certificates that connect your certificate all the way up to the root CA; without them many clients cannot build a trusted chain.
When you paste your certificate into Setup : HTTPS, it should look something like this:
-----BEGIN CERTIFICATE-----
... your cert ...
-----END CERTIFICATE-----
To add the certificate bundle/chain, append it directly below your certificate, so the box holds your certificate first and then the intermediate(s):
-----BEGIN CERTIFICATE-----
... your cert ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... certificate bundle ...
-----END CERTIFICATE-----
NOTE: If you are only updating your cert/key (for example because you needed to add the certificate chain bundle) and you have already done the steps below, you don't need to redo them, but you do need to restart Sendmail for the new certificate and key to take effect for SMTP/TLS.
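Before pasting, it is worth checking that the bundle is in the right order (your certificate first, then each issuer in turn) and that the certificate actually belongs to the key you are about to paste with it. The following script is an added example, not part of CanIt or of this page; it needs the openssl command-line tool, and the file paths are whatever you saved the CA's files as.

```sh
#!/bin/sh
# Added example (not CanIt code): pre-flight checks on the certificate+chain
# text and the private key before pasting them into Setup : HTTPS.
# Needs the openssl command-line tool. File names are passed as arguments.

# split_pem BUNDLE DIR: write each CERTIFICATE block of BUNDLE to
# DIR/cert1.pem, DIR/cert2.pem, ... and print how many were found.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        n { print > out }
        END { print n + 0 }' "$1"
}

# name_field -subject|-issuer CERT: print the DN in RFC 2253 form without the
# "subject=" / "issuer=" prefix, so names from different certs compare equal.
name_field() {
    openssl x509 -noout "$1" -nameopt RFC2253 -in "$2" 2>/dev/null |
        sed 's/^[a-z]*= *//'
}

# check_bundle BUNDLE KEY: exit 0 if BUNDLE is "server cert, then each issuer
# in turn" and the server cert belongs to KEY; otherwise print what is wrong
# and exit 1.
check_bundle() {
    bundle=$1; key=$2; status=0
    tmp=$(mktemp -d) || return 1
    n=$(split_pem "$bundle" "$tmp")
    if [ "$n" -lt 1 ]; then
        echo "FAIL: no CERTIFICATE block found in $bundle"
        rm -rf "$tmp"; return 1
    fi

    # 1. The first block must be the server certificate: its public key has
    #    to match the private key that will be pasted with it.
    cert_pub=$(openssl x509 -noout -pubkey -in "$tmp/cert1.pem" 2>/dev/null || true)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: first certificate in $bundle does not match key $key"
        status=1
    fi

    # 2. A self-signed first block is a dummy certificate, not a CA-issued one.
    if [ "$(name_field -subject "$tmp/cert1.pem")" = "$(name_field -issuer "$tmp/cert1.pem")" ]; then
        echo "WARN: first certificate is self-signed; clients will not trust it"
    fi

    # 3. Each following block must be the issuer of the one before it
    #    (server cert, intermediate, next intermediate, ...). A bundle pasted
    #    in the wrong order fails here.
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        if [ "$(name_field -issuer "$tmp/cert$i.pem")" != "$(name_field -subject "$tmp/cert$j.pem")" ]; then
            echo "FAIL: certificate $j is not the issuer of certificate $i (chain out of order?)"
            status=1
        fi
        i=$j
    done

    rm -rf "$tmp"
    [ "$status" -eq 0 ] && echo "OK: $n certificate(s), chain ordered, key matches"
    return $status
}

# Usage: check_bundle /path/to/cert-plus-chain.pem /path/to/private.key
```

Run it against the exact text you intend to paste (certificate followed by the bundle) and the key. The name comparison deliberately uses openssl's own RFC 2253 rendering for both sides, so it does not depend on how the CA formatted the DN; it does not replace a full signature verification (openssl verify with the CA's root), but it catches the two mistakes that usually break SMTP/TLS: bundle pasted above the certificate, and certificate and key from different requests.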
Part 2: Making Sendmail behave
Part 1 created or updated /etc/ssl/private/canit-appliance.key and /etc/ssl/certs/canit-appliance.crt.
We'll leave Sendmail's config file alone; instead we'll just create symlinks in /etc/mail/tls/ to the appropriate files.
These commands will do the business:
# keep the original (dummy) files in case you need to go back
mv /etc/mail/tls/sendmail-client.crt /etc/mail/tls/sendmail-client.crt.orig
mv /etc/mail/tls/sendmail-server.crt /etc/mail/tls/sendmail-server.crt.orig
mv /etc/mail/tls/sendmail-common.key /etc/mail/tls/sendmail-common.key.orig

# point Sendmail at the files that Setup : HTTPS maintains
ln -s /etc/ssl/certs/canit-appliance.crt /etc/mail/tls/sendmail-client.crt
ln -s /etc/ssl/certs/canit-appliance.crt /etc/mail/tls/sendmail-server.crt
ln -s /etc/ssl/private/canit-appliance.key /etc/mail/tls/sendmail-common.key
Then restart Sendmail:
Part 3: Enabling TLS in sendmail.mc
This is a Sendmail function. First, you need to make sure that STARTTLS is enabled on your server. You do that by putting this line:
in /etc/mail/sendmail.mc somewhere before the MAILER(`local')dnl line.
NOTE: Look closely at the beginning of that line: include(`. The character after the open parenthesis is a back-tick (the key left of 1, near ESC, on most 105-key US keyboard layouts), not a single quote. This matters, because m4 quotes with back-tick and single quote. Also, if you copy and paste from above, the paste may convert the back-tick to a single quote; watch out for this.
Then rebuild sendmail.cf and restart Sendmail:
make -C /etc/mail && /etc/init.d/sendmail restart
You need to do this on all hosts.
Part 4: Testing TLS
Now that you've done all the work, make sure it behaves. This part is easy. At the console type:
telnet localhost 25
When you see the SMTP banner, type
You'll get a bunch of info.
250-STARTTLS or similar should appear. Type QUIT to get back to the prompt.
Note that this only proves the server advertises STARTTLS; it says nothing about whether the certificate and chain verify, which is what a sending server will actually check. Finally, there are many third-party web sites which can verify from the outside that SMTP TLS works.
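To see what those third-party testers see, you can do the same thing from the console with openssl s_client, which performs the EHLO, issues STARTTLS, completes the handshake and reports whether the chain the server sent verifies. The script below is an added example, not code from this page or from CanIt; the host, port and CA file are arguments, and the transcript lines it understands are the ones s_client prints.

```sh
#!/bin/sh
# Added example (not CanIt code): probe a mail server's STARTTLS with
# openssl s_client and read off whether the certificate chain verified.
# Host and port are arguments.

# ehlo_offers_starttls: read an EHLO response on stdin (what telnet shows
# you) and succeed if a 250-STARTTLS line is present.
ehlo_offers_starttls() {
    grep -q -i '^250[- ]STARTTLS'
}

# starttls_probe HOST [PORT] [CAFILE]: open a STARTTLS session with openssl
# s_client and print the full transcript, which includes the certificate
# chain the server sent and a "Verify return code" line. With CAFILE the
# chain is verified against that trust store (e.g. the CA's root) instead
# of the system default.
starttls_probe() {
    host=$1; port=${2:-25}; cafile=$3
    set -- -starttls smtp -connect "$host:$port" -servername "$host"
    [ -n "$cafile" ] && set -- "$@" -CAfile "$cafile"
    openssl s_client "$@" </dev/null 2>&1
}

# verify_code: read an s_client transcript on stdin and print the numeric
# "Verify return code" (0 = chain verified; nothing = no TLS session at all).
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: *\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# report_transcript HOST: read an s_client transcript on stdin, print a
# verdict and exit 0 only when TLS was negotiated and the chain verified.
report_transcript() {
    code=$(verify_code)
    case "$code" in
        0)  echo "OK: $1 negotiated TLS and its certificate chain verified"
            return 0 ;;
        "") echo "FAIL: no TLS session with $1 (STARTTLS not offered, or handshake refused)"
            return 1 ;;
        *)  echo "FAIL: $1 sent a chain that does not verify (code $code);"
            echo "      check the bundle pasted in Setup : HTTPS and the CA file used"
            return 1 ;;
    esac
}

# starttls_check HOST [PORT] [CAFILE]: probe and report in one step.
starttls_check() {
    starttls_probe "$@" | report_transcript "$1"
}

# Usage: starttls_check localhost
#        starttls_check mail.example.test 25 /path/to/ca-root.pem
```

A non-zero verify code with a chain that looks fine in the browser usually means the intermediate bundle was not pasted below the certificate: browsers often fetch missing intermediates themselves, mail servers do not. Run the check against each host's public name, since that is the name a sending server will present in its handshake.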