[Gllug] STARTTLS RH 3 Config

Neil Fryer nfryer at marimba.com
Tue Aug 24 19:38:04 UTC 2004


Hi Ken,

Try creating a cert yourself with SSL; this is what I had to do to get TLS running on Postfix.
Here's a quick command line to do it.
Let me know if this works/doesn't, and hopefully I can help you out with this, as I had to learn TLS the hard way.

openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650

The above cmd is what I used for Postfix; you may have to rename the certs.
The man page on openssl should tell you all you need, though; if not, let me know.


Neil



-----Original Message-----
From: gllug-bounces at gllug.org.uk on behalf of Ken Smith
Sent: Tue 8/24/2004 10:58 AM
To: 'Greater London Linux Users Group'
Subject: [Gllug] STARTTLS RH 3 Config
 
Hi,

Looking round the web I have found many pages, very confusing and mutually
contradictory, but no definitive "Mini How To" to get this going. I just
seem to be finding bits of the jigsaw but no whole picture yet and the RH
docs seem silent on this subject...

I have also found many people asking what I'm about to ask...

My logfiles have entries like this...

STARTTLS=client: file /etc/mail/certs/key.pem unsafe: No such file or directory: 372 Time(s)
STARTTLS=client: file /etc/mail/certs/cacert.pem unsafe: No such file or directory: 372 Time(s)
STARTTLS=client: file /etc/mail/certs/cert.pem unsafe: No such file or directory: 372 Time(s)
STARTTLS=client, error: load verify locs /etc/mail/certs, /etc/mail/certs/cacert.pem failed: 0: 372 Time(s)


I found some info about using the Makefile in /usr/share/ssl/certs that says
to run

make sendmail.pem

that certainly creates a file called sendmail.pem but I don't know what that
file is - a key file? A signed one or what?

The directory /etc/mail/certs does not exist on this system. I know I can
create it. But it seems strange that sendmail.mc has STARTTLS enabled by
default but the /etc/mail/certs directory is missing and the makecerts.sh
file mentioned in the comments in sendmail.mc file is nowhere to be found!

It sounds like STARTTLS configuration is something that just wasn't finished
before RH 3 release.

I don't really want to become a guru on TLS. I just would like to get it
working. I do have a basic understanding of public/private key security. So
does anyone have a pointer to a simple recipe style "how-to" to get this
working that I can follow without becoming a cryptology expert? Once I've
cracked it I'll publish a How-To if there isn't one already.

Thanks for your patience

Ken



-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
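
One way to see what a generated file such as smtpd.pem or sendmail.pem actually contains, and to check the paths named in the log, as an added example that is not part of either message. pem_kinds and pem_check are made-up helper names, and the rule that a private key must not be readable by group or other is an assumption of the script, not something stated in the thread.

```shell
#!/bin/sh
# Added example; pem_kinds and pem_check are made-up helper names.

# pem_kinds FILE: print which PEM blocks FILE holds: key+cert, key, cert or none.
pem_kinds() {
    has_key=no
    has_cert=no
    # Matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
    grep -Eq -e '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" && has_key=yes
    grep -q -e '^-----BEGIN CERTIFICATE-----' "$1" && has_cert=yes
    case "$has_key$has_cert" in
        yesyes) echo key+cert ;;
        yesno)  echo key ;;
        noyes)  echo cert ;;
        *)      echo none ;;
    esac
}

# pem_check FILE: print one status line; return 0 only when FILE exists,
# holds PEM data, and any private key in it is closed to group and other
# (assumed rule: a key file should be readable by its owner only).
pem_check() {
    if [ ! -f "$1" ]; then
        echo "$1: missing"
        return 1
    fi
    kinds=$(pem_kinds "$1")
    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ld "$1" | cut -c5-10)
    case "$kinds" in
        none)
            echo "$1: no PEM key or certificate block"
            return 1 ;;
        key*)
            if [ "$go_bits" != "------" ]; then
                echo "$1: $kinds, but private key is open to group/other ($go_bits)"
                return 1
            fi ;;
    esac
    echo "$1: $kinds, ok"
}

# Usage: sh pemcheck.sh smtpd.pem /etc/mail/certs/key.pem ...
for f in "$@"; do
    pem_check "$f" || true
done
```

Because the openssl command above passes the same file to -out and -keyout, smtpd.pem holds both the private key and the certificate and is reported as key+cert.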


