April 21, 2023 1
STARTTLS
STARTTLS: Objectives
• Define STARTTLS and the reasons for using it
• Describe how the SSL protocol works
• Identify the STARTTLS configuration variables
• Describe how the Sendmail clients and servers determine whether a server supports STARTTLS
• Identify how to set up a private certificate authority (CA)
• Describe how to use gen_cf to create a configuration file for STARTTLS
• Describe the line that must be added to the access file.
STARTTLS
• STARTTLS is the SMTP command to "Start Transport Layer Security"; in other words, to turn on Secure Sockets Layer (SSL).
• Transport Layer Security (TLS) provides authentication (identification), privacy, confidentiality, and integrity for securing a mail transaction.
• TLS uses different algorithms for encryption, signing, and message authentication.
• To use Sendmail with STARTTLS, you must install the OpenSSL software on your system from http://www.software.hp.com.
• You can use the /usr/newconfig/etc/mail/cf/cf/gen_cf script to generate the sendmail.cf configuration file that supports the STARTTLS feature.
• HP only supports STARTTLS if used in conjunction with the access database. HP does not support the use of custom rulesets.
Step by Step SSL Protocol
(Figure: SSL client (e.g. browser) on the left, SSL server on the right; the server certificate is shown passing from server to client.)
1. Client suggests/requests information from the SSL server.
2. Server responds with its digital certificate and encryption preferences. Encryption level negotiation complete.
3. Client verifies the server certificate, computes a shared secret session key, encrypts the shared secret session key using the server's public key (the "master" public key from the certificate) and sends it to the server.
4. Server decrypts the encrypted session key with its private key and computes the shared session key.
5. Client and server exchange encrypted data using the shared session key.
STARTTLS configuration variables
• UseTLS - Enables the TLS handshake in the SMTP transaction.
• CERT_DIR - Specifies the directory for storing Sendmail certificates.
• CACERT_PATH - Specifies the path that stores the certificates of all the Certificate Authorities known to the Sendmail server.
• CACertFile - Specifies the file containing the certificate of the Certificate Authority that issued the certificate of the Sendmail server.
• ServerCertFile and ClientCertFile - Refer to the server and client certificate.
• ServerKeyFile and ClientKeyFile - Specify the private keys that correspond to the certificates of the Sendmail server and the Sendmail client.
When Sendmail is a Server
Clients issue the EHLO command during an SMTP session to determine whether the server supports STARTTLS. If the server supports STARTTLS, it will include it in the list of commands the client can issue.
ehlo localhost
250-inet16.india.hp.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS <<<<<<<< Note
250-DELIVERBY
250 HELP
When Sendmail is a Client
If the "next" mail server offers "STARTTLS" as one of its allowed commands, our Sendmail (which has been compiled to support STARTTLS) will always accept the offer and issue a STARTTLS command--even if it has no certificates configured!
STARTTLS set up
• Warning: do not use sendmail -bs for testing the STARTTLS set up.
• The set up discussed in this class uses a private CA (certificate authority). Private CAs are often used for STARTTLS within a company.
• Install OpenSSL on the Sendmail server that will be the private CA. You can download OpenSSL from software.hp.com (security and manageability, OPENSSL).
• Setting up a private CA is for example use only. Always consider a commercial CA prior to using a private CA.
• Building a private CA is the most complex method of signing certificates.
• Evaluate alternatives to choose the approach suitable for the situation.
Set up a private CA on the Sendmail Server
1. # cd /etc/mail
2. # mkdir certs
3. # cd certs
4. # /opt/openssl/misc/CA.sh -newca
   (see notes for output on this command)
5. # mv demoCA CA
6. # cd CA
7. # chmod 0700 private
8. # cp /opt/openssl/openssl.cnf sendmailssl.cnf
9. # vi sendmailssl.cnf
   Change dir = ./demoCA to dir = /etc/mail/certs/CA
Create certificate request (csr)
1. # cd /etc/mail
2. # mkdir certs
3. # umask 0066
4. # openssl req -nodes -new -x509 -keyout key.pem -out newcert.pem
   (see notes for output on this command)
5. # openssl x509 -x509toreq -in newcert.pem -signkey key.pem -out csr.pem
   (see notes for output on this command)
6. FTP/move the csr.pem to the CA host (wtecd350.atl.hp.com) in the /etc/mail/certs/CA directory.
Sign the certificate request (csr)
1. # cd /etc/mail/certs/CA
2. # openssl ca -config ./sendmailssl.cnf -policy policy_anything -out cert.pem -infiles csr.pem
   (see output in notes)
3. Move/FTP the cert.pem to the /etc/mail/certs directory on the Sendmail host.
4. Move/FTP the CA/cacert.pem to the /etc/mail/certs/CA directory on the Sendmail host.
5. # cd /etc/mail
6. # chmod -R 600 certs
Create a configuration file for STARTTLS
• The following steps are taken to run gen_cf to create a configuration file for STARTTLS.
1. # cd /usr/newconfig/etc/mail/cf/cf
2. # ./gen_cf
   a. 4: Security Options
   b. 2: STARTTLS
   c. 3: Anti-spamming Options
   d. 1: Access DB
   e. 5: Generate sendmail.cf
3. Back up the sendmail.cf file:
   # cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.bak
4. Move the sendmail.cf.gen file to the /etc/mail directory:
   # cp /usr/newconfig/etc/mail/cf/cf/sendmail.cf.gen
Sendmail.cf file configuration additions and changes
• Important note: There is a bug with the /dev/random file.
• If you have a /dev/random file and a /dev/urandom file, add the following to the sendmail.cf: O RandFile=egd:/dev/random
1. Modify the following parameter: O UseTLS=True
Allow relaying based on the CA - configuration file changes
• To allow relaying based on the CA, the following changes need to be made to the sendmail.cf configuration file STARTTLS parameters.
O UseTLS=True
O CACertPath=/etc/mail/certs
O CACertFile=/etc/mail/certs/CA/cacert.pem
O ServerCertFile=/etc/mail/certs/cert.pem
O ServerKeyFile=/etc/mail/certs/key.pem
O ClientCertFile=/etc/mail/certs/cert.pem
O ClientKeyFile=/etc/mail/certs/key.pem
# O CRLFile=/etc/mail/certs/crlf
Example - Sendmail STARTTLS relay based on CA Issuer
• Following is an example set up using linux to linux systems. The two systems are as follows:
  linux1.ban.hp.com: This is the sending system
  linux4.ban.hp.com: This is the relaying system
• On the linux1.ban.hp.com system the configuration parameters are set as follows:
O CACertPath=/etc/mail/certs
O CACertFile=/etc/mail/certs/CA/cacert.pem
O ServerCertFile=/etc/mail/certs/cert.pem
O ServerKeyFile=/etc/mail/certs/key.pem
O ClientCertFile=/etc/mail/certs/cert.pem
O ClientKeyFile=/etc/mail/certs/key.pem
# “Smart” relay host (may be null)
DSlinux4.ban.hp.com
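As an added check (not part of the course material), the following Python script parses the STARTTLS option lines above as they appear in sendmail.cf and reports which roles are fully configured: serving STARTTLS (ServerCertFile/ServerKeyFile), presenting a client certificate when relaying (ClientCertFile/ClientKeyFile), and verifying the peer's chain (CACertPath/CACertFile). The role groupings and the sample fragment are constructed for this example; the option names are the ones on the slides.

```python
# Constructed sendmail.cf fragment: the STARTTLS option lines from the slides for the
# sending host, with the CRLFile line left commented out as on the slide.
SENDMAIL_CF = """\
O UseTLS=True
O CACertPath=/etc/mail/certs
O CACertFile=/etc/mail/certs/CA/cacert.pem
O ServerCertFile=/etc/mail/certs/cert.pem
O ServerKeyFile=/etc/mail/certs/key.pem
O ClientCertFile=/etc/mail/certs/cert.pem
O ClientKeyFile=/etc/mail/certs/key.pem
# O CRLFile=/etc/mail/certs/crlf
# "Smart" relay host (may be null)
DSlinux4.ban.hp.com
"""

# Role groupings are this example's own (assumption), not a Sendmail-defined list.
SERVER_OPTS = ("ServerCertFile", "ServerKeyFile")   # needed to offer STARTTLS to clients
CLIENT_OPTS = ("ClientCertFile", "ClientKeyFile")   # needed to present a cert when relaying
VERIFY_OPTS = ("CACertPath", "CACertFile")          # needed to verify the peer's certificate


def parse_options(text):
    """Return {name: value} for uncommented 'O Name=Value' lines plus the DS smart host."""
    opts = {}
    for line in text.splitlines():
        if line.startswith("O "):                 # commented '# O ...' lines are skipped
            name, _, value = line[2:].partition("=")
            opts[name.strip()] = value.strip()
        elif line.startswith("DS"):               # DS<host> is the smart relay host
            opts["SmartHost"] = line[2:].strip()
    return opts


def starttls_readiness(opts):
    """Report TLS enablement and, per role, the option names that are missing."""
    report = {"tls_enabled": opts.get("UseTLS", "").lower() == "true"}
    for role, needed in (("server", SERVER_OPTS), ("client", CLIENT_OPTS), ("verify", VERIFY_OPTS)):
        report[role] = [name for name in needed if name not in opts]
    if "CRLFile" not in opts:
        # Without a CRL, certificates revoked by the private CA still verify.
        report["note"] = "no CRLFile configured: revoked certificates still verify"
    return report


if __name__ == "__main__":
    print(starttls_readiness(parse_options(SENDMAIL_CF)))
```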
Test the Relay
• On the linux1 system the following command is entered to test the relay:
[root@linux mail] # echo "Subject: test starttls" | sendmail -v -oL99 [email protected]
(The log level of 99 is turned on to see maximum logging for some of the STARTTLS output; this is done by turning on -oL99.)
The /var/log/maillog output
• A look at the /var/log/maillog output shows the relay that is used.
May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, init=1
May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, start=ok
May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, get_verify: 0 get_peer: 0x8149538
May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, relay=linux4.ban.hp.com., version=TLSv1/SSLv3, verify=OK, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168
May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, cert-subject=/C=US/ST=Georgia/L=Atlanta/O=HP/CN=linux4.ban.hp.com/[email protected], cert-issuer=/C=US/ST=Georgia/L=Atlanta/O=HP/CN=unix.ban.hp.com/[email protected], verifymsg=ok
Add a line to the access database
• On the linux4 (relay system) you must add the following line to the access file and then rebuild the access database.
CERTISSUER:/C=US/ST=Georgia/L=Atlanta/O=HP/CN=unix.ban.hp.com/[email protected] RELAY
• Note that the email tag is emailAddress. Make sure you add emailAddress to the access database.
• (see additional notes for output that represents an incoming email message)
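To tie the maillog output and the access-file entry together, here is an added Python example (not part of the course material) that parses the STARTTLS=client lines shown above into per-process fields and then applies the CERTISSUER lookup the relay host performs: relay only when the certificate verified and its issuer DN has a CERTISSUER ... RELAY entry. The log excerpt and access file are constructed from the slides; the redacted e-mail addresses are replaced by placeholder addresses, and both hosts' certificates are assumed to come from the same private CA, as in the example set-up.

```python
import re
from collections import defaultdict

# Constructed maillog excerpt (from the slides; placeholder e-mail addresses).
MAILLOG = """\
May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, init=1
May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, start=ok
May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, relay=linux4.ban.hp.com., version=TLSv1/SSLv3, verify=OK, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168
May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, cert-subject=/C=US/ST=Georgia/L=Atlanta/O=HP/CN=linux4.ban.hp.com/emailAddress=postmaster@placeholder.invalid, cert-issuer=/C=US/ST=Georgia/L=Atlanta/O=HP/CN=unix.ban.hp.com/emailAddress=ca@placeholder.invalid, verifymsg=ok
"""

# Constructed access file: the CERTISSUER line from the slides (placeholder e-mail).
ACCESS = """\
# key                                                                         value
CERTISSUER:/C=US/ST=Georgia/L=Atlanta/O=HP/CN=unix.ban.hp.com/emailAddress=ca@placeholder.invalid RELAY
"""

LOG_RE = re.compile(r"sendmail\[(\d+)\]: STARTTLS=(client|server), (.*)$")


def parse_starttls_log(text):
    """Merge the 'key=value' fields of each process's STARTTLS lines into one dict per pid."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                                   # not a STARTTLS line
        pid, role, fields = m.groups()
        sessions[pid]["role"] = role
        for field in fields.split(", "):               # DN values contain no ', ' here
            key, _, value = field.partition("=")       # split on the first '=' only
            sessions[pid][key.strip()] = value.strip()
    return dict(sessions)


def parse_access(text):
    """Map access-file keys such as 'CERTISSUER:<DN>' to their right-hand side."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, rhs = line.split(None, 1)
            entries[key] = rhs.strip()
    return entries


def relay_by_issuer(session, access):
    """Relay only if the peer certificate verified and its issuer has a RELAY entry."""
    if session.get("verify") != "OK":
        return False
    issuer = session.get("cert-issuer")
    return issuer is not None and access.get("CERTISSUER:" + issuer) == "RELAY"
```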