Install Certificate in CanIt

From Roaring Penguin

Here's my recommended "best practices" solution to this:

Part 0: Get certificate

Your server(s) will need an SSL certificate. If you use a self-signed/dummy certificate for HTTPS, the vast majority of browsers will throw a security warning. If you use a self-signed/dummy certificate for SMTP/TLS, many SMTP deliveries that try TLS will fail (some senders accept invalid certs, but not all). Often when the SSL handshake fails the sender does not fall back to unencrypted SMTP, and the mail is not delivered.

Therefore, it is best to get an SSL certificate for your server. Each server will need its own. Wildcard certificates or certificates with Subject Alternative Names may work.

Every certificate provider (the Certificate Authority, whoever you choose to sign your certificate) has its own process. Follow that process and at the end you should have:

  • SSL Certificate
  • Private Key
  • Certificate bundle/chain (may not need this; if you need it the CA will provide it)

Part 1: Install the server's certificate using the Setup : HTTPS function

This function asks you for the cert and its key. It updates files in /etc/ssl/ and gets HTTPS working for your web interface.

This isn't what you asked for, but later we'll make Sendmail use the same cert/key for TLS. A big bonus of doing it this way is that when the time comes to update the cert/key, you can simply use Setup : HTTPS again and the update will be picked up by both Apache and Sendmail. Future key updates are a snap.

Certificate Chain

On the Setup : HTTPS page it says:

Please paste your SSL certificate into the text box below. If your provider supplies a certificate chain file, paste the contents of that file immediately below your certificate.

When you get your certificate signed by a Certificate Authority, they often provide a "certificate bundle" or "certificate chain". These are additional (intermediate) certificates which connect your certificate all the way up the chain to the root CA.

When you paste in your certificate at Setup : HTTPS, it should look something like this:

-----BEGIN CERTIFICATE-----
... your cert ...
-----END CERTIFICATE-----

To add the certificate bundle / chain, just append it below your own certificate so it looks like this:

-----BEGIN CERTIFICATE-----
... your cert ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... certificate bundle ...
-----END CERTIFICATE-----

 NOTE: If you are simply updating your cert/key (or you needed to update it to add the certificate chain bundle) and you have already done the steps below, then you don't need to redo them, but you do need to restart Sendmail to make the new key take effect for SMTP/TLS.
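A quick sanity check on the text before pasting it into Setup : HTTPS. This is an added example, not code from the CanIt wiki or from Roaring Penguin: it splits the pasted PEM blocks, walks just enough of each certificate's DER structure to pull out the issuer and subject names, and confirms that your certificate comes first and that each certificate was issued by the one pasted after it (the order the page shows). It also flags a private key pasted into the certificate box. The sample "certificates" at the bottom are constructed stand-ins that carry only the fields the checker reads; they are not real X.509 certificates.

```python
import base64
import re

# One PEM block; group 1 is the label ("CERTIFICATE", "RSA PRIVATE KEY", ...)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text):
    """Return a list of (label, DER bytes) for every PEM block in the pasted text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, raw TLV bytes) for each element of a constructed DER value."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend


def issuer_and_subject(der):
    """Return the raw DER-encoded issuer and subject Names of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
        serialNumber, signature, issuer, validity, subject, ... }, ... }
    Raw Name encodings are compared byte for byte, which is how chain building
    matches a certificate's issuer to the next certificate's subject.
    """
    _, cert_start, _ = _tlv(der, 0)
    _, tbs_start, tbs_end = _tlv(der, cert_start)
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:               # explicit [0] version tag is present
        fields = fields[1:]
    return fields[2][1], fields[4][1]      # issuer, subject


def check_chain(text):
    """Return a list of problems with the pasted text; an empty list means it looks right."""
    blocks = split_pem(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems, certs = [], []
    for label, der in blocks:
        if "PRIVATE KEY" in label:
            problems.append("private key pasted into the certificate box")
        elif label == "CERTIFICATE":
            certs.append(issuer_and_subject(der))
        else:
            problems.append(f"unexpected PEM block: {label}")
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:  # issuer of this one must equal subject of the next
            problems.append(f"certificate {i + 1} was not issued by certificate {i + 2}: "
                            "chain out of order or incomplete")
    return problems


def _der(tag, payload):
    """Encode one DER TLV (lengths up to 65535 are enough for the samples)."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + payload


def fake_cert_pem(subject, issuer):
    """Constructed sample: a structurally minimal stand-in carrying only the fields
    check_chain() reads. Not a real, signed X.509 certificate."""
    name = lambda s: _der(0x30, _der(0x0C, s.encode()))          # SEQUENCE { UTF8String }
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                         # [0] version v3
        _der(0x02, b"\x01"),                                     # serialNumber
        _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B")),  # signature alg
        name(issuer),
        _der(0x30, b""),                                         # validity (empty stand-in)
        name(subject),
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    leaf = fake_cert_pem("mail.example.com", "Example Intermediate CA")
    inter = fake_cert_pem("Example Intermediate CA", "Example Root CA")
    print("cert then chain:", check_chain(leaf + inter) or "OK")
    print("chain then cert:", check_chain(inter + leaf))
```

Run it against the actual text you intend to paste by reading that file into check_chain(); an empty result means the leaf is first and each link of the chain matches. Root certificates are normally not needed in the paste, so the checker does not require the last certificate to be self-signed.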


Part 2: Making Sendmail behave

Part 1 will create / update /etc/ssl/private/canit-appliance.key and /etc/ssl/certs/canit-appliance.crt.

We'll leave Sendmail's config file alone; instead we'll just create symlinks in /etc/mail/tls/ to the appropriate files.

These commands will do the business:

  mv /etc/mail/tls/sendmail-client.crt /etc/mail/tls/sendmail-client.crt.orig
  mv /etc/mail/tls/sendmail-server.crt /etc/mail/tls/sendmail-server.crt.orig
  mv /etc/mail/tls/sendmail-common.key /etc/mail/tls/sendmail-common.key.orig
  ln -s /etc/ssl/certs/canit-appliance.crt /etc/mail/tls/sendmail-client.crt
  ln -s /etc/ssl/certs/canit-appliance.crt /etc/mail/tls/sendmail-server.crt
  ln -s /etc/ssl/private/canit-appliance.key /etc/mail/tls/sendmail-common.key

Then restart Sendmail:

/etc/init.d/sendmail restart

Part 3: Enabling TLS in sendmail.mc

This is a Sendmail function. First, you need to make sure that STARTTLS is enabled on your server. You do that by putting this line:

   include(`/etc/mail/tls/starttls.m4')dnl

in /etc/mail/sendmail.mc somewhere before the MAILER(`local')dnl line.

NOTE: Look closely at the beginning: include(`. Notice the next character after the open bracket is a back-tick (tilde key near ESC on most 105-key US keyboard layouts). This is important. Also note that if you copy-paste from above, your copy-paste may convert the back-tick to a single quote. Watch out for this.

Then type:

   make -C /etc/mail && /etc/init.d/sendmail restart

You need to do this on all hosts.
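Since Parts 2 and 3 have to be repeated on every host, a small checker saves re-reading /etc/mail/tls and sendmail.mc by eye. This is an added example, not CanIt or Sendmail code: it verifies that the three symlinks point at the canit-appliance files, that the starttls.m4 include line is present and written with a back-tick rather than a quote, and that it sits before MAILER(`local'). The sendmail.mc fragments at the bottom are constructed samples; the symlink check is split so the on-disk part (read_tls_links) can be swapped for a plain mapping.

```python
import os
import re

TLS_DIR = "/etc/mail/tls"

# Link name in /etc/mail/tls -> target created by Part 1 (Setup : HTTPS)
EXPECTED_LINKS = {
    "sendmail-client.crt": "/etc/ssl/certs/canit-appliance.crt",
    "sendmail-server.crt": "/etc/ssl/certs/canit-appliance.crt",
    "sendmail-common.key": "/etc/ssl/private/canit-appliance.key",
}

INCLUDE_OK = re.compile(r"^\s*include\(`/etc/mail/tls/starttls\.m4'\)")
# Same line but opened with ' " or a curly quote: what a copy-paste often produces
INCLUDE_BAD_QUOTE = re.compile(r"^\s*include\(['\"\u2018\u2019]/etc/mail/tls/starttls\.m4")
MAILER_LOCAL = re.compile(r"^\s*MAILER\(`local'\)")


def check_tls_links(links):
    """links: mapping of file name in /etc/mail/tls to its symlink target
    (None when the entry is missing or not a symlink). Returns a list of problems."""
    problems = []
    for name, target in EXPECTED_LINKS.items():
        actual = links.get(name)
        if actual is None:
            problems.append(f"{name} is missing or is not a symlink")
        elif actual != target:
            problems.append(f"{name} points at {actual}, expected {target}")
    return problems


def read_tls_links(tls_dir=TLS_DIR):
    """Collect the current symlink targets from disk (run this on the CanIt host)."""
    links = {}
    for name in EXPECTED_LINKS:
        path = os.path.join(tls_dir, name)
        links[name] = os.readlink(path) if os.path.islink(path) else None
    return links


def check_sendmail_mc(text):
    """Check sendmail.mc contents for a correctly written and placed STARTTLS include."""
    problems = []
    include_at = mailer_at = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if INCLUDE_OK.match(line):
            include_at = include_at or lineno
        elif INCLUDE_BAD_QUOTE.match(line):
            problems.append(f"line {lineno}: starttls.m4 include uses a quote instead of a back-tick")
        if MAILER_LOCAL.match(line):
            mailer_at = mailer_at or lineno
    if include_at is None and not problems:
        problems.append("no include(`/etc/mail/tls/starttls.m4')dnl line found")
    if mailer_at is None:
        problems.append("no MAILER(`local')dnl line found")
    elif include_at is not None and include_at > mailer_at:
        problems.append(f"starttls.m4 include (line {include_at}) must come before "
                        f"MAILER(`local') (line {mailer_at})")
    return problems


# Constructed sendmail.mc fragments (not taken from any real host)
SAMPLE_GOOD = """dnl constructed sample sendmail.mc
include(`/etc/mail/tls/starttls.m4')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
"""
SAMPLE_LATE = """dnl include placed after the mailers
MAILER(`local')dnl
MAILER(`smtp')dnl
include(`/etc/mail/tls/starttls.m4')dnl
"""
SAMPLE_QUOTE = """dnl back-tick mangled by copy-paste
include('/etc/mail/tls/starttls.m4')dnl
MAILER(`local')dnl
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("late", SAMPLE_LATE), ("quote", SAMPLE_QUOTE)):
        print(label, check_sendmail_mc(sample) or "OK")
    if os.path.isdir(TLS_DIR):
        print("links", check_tls_links(read_tls_links()) or "OK")
```

On a CanIt host, feed the real file with `check_sendmail_mc(open("/etc/mail/sendmail.mc").read())`; the link check reads /etc/mail/tls directly. Both return an empty list when Parts 2 and 3 are done.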

Part 4: Testing TLS

Now that you've done all the work, make sure it behaves. This part is easy. At the console type:

telnet localhost 25

When you see the SMTP banner, type EHLO me

You'll get a bunch of info. 250-STARTTLS or similar should appear. Type QUIT to get back to the prompt.

Finally, there are many third-party web sites which can verify that SMTP TLS works.
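The telnet check above only shows that STARTTLS is advertised; it does not show that the certificate and chain installed in Part 1 verify cleanly, which is what a sending MTA that validates certificates will care about. The following is an added example, not part of the wiki page or of CanIt: ehlo_extensions() parses an EHLO reply the way you would read it off the telnet session, and check_starttls() does the full exchange with the standard library, completing the TLS handshake and verifying the certificate and hostname against the system CA store. The EHLO reply at the bottom is a constructed sample. Point check_starttls() at the host name that appears on the certificate (not localhost), or hostname verification will fail for the right reasons.

```python
import smtplib
import ssl
import sys


def ehlo_extensions(reply):
    """Parse a multi-line EHLO reply (str or bytes) into the set of advertised
    extension keywords, e.g. {"STARTTLS", "SIZE", "8BITMIME"}."""
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    exts = set()
    for line in lines[1:]:            # first 250 line is the greeting, not an extension
        body = line[4:].strip()       # skip "250-" / "250 "
        if body:
            exts.add(body.split()[0].upper())
    return exts


def advertises_starttls(reply):
    """True when the EHLO reply contains a 250-STARTTLS line."""
    return "STARTTLS" in ehlo_extensions(reply)


def check_starttls(host, port=25, timeout=10):
    """Connect, EHLO, STARTTLS and verify the server certificate.

    Returns (starttls_offered, error): error is None when the handshake
    completed and the chain and hostname verified, otherwise the reason.
    """
    ctx = ssl.create_default_context()        # system CA store, hostname check on
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False, "STARTTLS not advertised"
        try:
            smtp.starttls(context=ctx)        # verifies chain + hostname against `host`
        except ssl.SSLError as exc:           # includes SSLCertVerificationError
            return True, str(exc)
        smtp.ehlo()                           # RFC 3207: EHLO again after STARTTLS
        return True, None


# Constructed sample of what the telnet session in Part 4 shows after "EHLO me"
SAMPLE_EHLO = (
    "250-mail.example.com Hello me [192.0.2.10], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

if __name__ == "__main__":
    print("sample advertises STARTTLS:", advertises_starttls(SAMPLE_EHLO))
    if len(sys.argv) > 1:                     # usage: python check.py mail.example.com
        offered, err = check_starttls(sys.argv[1])
        print("STARTTLS offered:", offered, "| certificate verification:", err or "OK")
```

A failure reported here after a certificate update usually means Sendmail was not restarted (see the NOTE in Part 1) or the chain was pasted out of order; a "STARTTLS not advertised" result points back at Part 3.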