Sendmail 8.13.3 Secure Mailing Solution HP Part Number: 5992-3190 Published: October 2007 Edition: 1.
© Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential Computer Software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.11 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Executive Summary

This white paper discusses the STARTTLS and AUTH features that are supported in Sendmail 8.13.3. It also describes how to configure these features on HP-UX systems, to provide an effective secure mailing solution. In addition, this white paper includes selected usage models and examples, and discusses the benefits of using these Sendmail 8.13.3 features on HP-UX systems.
communication over the Internet. It enables the SMTP agents to protect some or all of their communications from eavesdroppers and attackers. The STARTTLS feature offers the following benefits:
• Verifies the identity of the client and server in a mail transmission.
• Authenticates a user for relaying through a mail server.
• Encrypts mail transmissions.
• Encrypts transmissions between two mail servers over the Internet.
Sendmail 8.13.3 relies on the OpenSSL implementation for cryptographic algorithms.
minor changes to the input appear as large changes in the output. Popular hash algorithms include SHA-1, MD5, and RIPEMD. Hash algorithms are used for integrity checking; that is, to ensure that data is not tampered with during transmission.

Certificates and Authorities

A certificate is a collection of information that uniquely identifies a client or a server. It includes descriptive fields, such as the name of an organization and its location, as well as cryptographic information, such as keys and signatures.
of the certificate, various administrative information, such as the serial number of the certificate, and any other required information, such as Netscape-specific tags. These certificates are used to establish the identity and trustworthiness of the presenter, such as a server or a client. They are also used to authenticate the connecting party and to take the appropriate action, such as allowing a connection to proceed, mail relaying, or entry into a network.
7. The SASL library returns some bytes to the client application.
8. The client application transmits these bytes over the network.
9. The client application repeats steps 7 – 9 until the server informs the application that the authentication is successful.
An application in the server interacts with the SASL library as follows:
1. A server makes a few calls to initialize the SASL library.
NOTE: The KRNG11i strong random number generator is required only for the HP-UX 11i v1 operating system. For the HP-UX 11i v2 and HP-UX 11i v3 operating systems, the random number generator is available as part of the core HP-UX operating system.
• The OpenSSL software
NOTE: You must install the latest version of the OpenSSL software from http://www.software.hp.com to avoid errors while running the CA.pl script.
3. Replace the entries marked with numbers in the following CA.pl script:

        exit 0;
    } elsif (/^-newcert$/) {
        # create a certificate
        system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");    # 1
        $RET=$?;
        print "Certificate is in newcert.pem, private key is in newkey.pem\n"
    } elsif (/^-newreq$/) {
        system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");           # 2
        $RET=$?;
        print "Request is in newreq.pem, private key is in newkey.
    writing new private key to './demoCA/private/cakey.pem'
    Enter PEM pass phrase:
Enter the passphrase.
NOTE: Select a unique passphrase so that no one can abuse your CA and sign a certificate.
The following message displays:
    Verifying - Enter PEM pass phrase:
Enter the passphrase again. The following message displays:
    You are about to be asked to enter information that will be incorporated into your certificate request.
Enter the organization name, location, and your name.
The ./CA.pl –newreq command creates the following files:
• The private key of the Sendmail 8.13.3 server (./newkey.pem)
• The original (unsigned) certificate request (./newreq.pem)
c. To sign the certificate using the CA created in Step a, enter the following command:
    $ CA.pl –sign
A signed public certificate, ./newcert.pem (with its public key), is created for the Sendmail 8.13.3 server.
NOTE: The link name fea4e1bb.0 is only an example. The link name must be of the form <hash>.0, where <hash> is the hash OpenSSL computes from the CA certificate's subject name.
The Sendmail 8.13.3 server is now ready with the signed public certificate and the private key pair. If you have multiple Sendmail 8.13.3 servers (for example, relays and forwarders), you can either create an individual key pair and certificate for each Sendmail 8.13.3 server and get it signed by the CA, or distribute the same cryptographic keys across the Sendmail 8.13.
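The CA and server-certificate procedure above is driven through CA.pl. The following script is an added example, not part of the HP white paper and not CA.pl itself: it performs the same -newca, -newreq and -sign steps with plain openssl(1) commands, installs the results under a certs directory with the <hash>.0 link, locks down the private key, and verifies that the server certificate chains to the CA. It assumes openssl is on PATH and that the environment variable CA_PASS holds the CA passphrase; the subject names, lifetimes and the CAcert.pem / MYcert.pem / MYkey.pem file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the HP white paper, not CA.pl): the -newca /
# -newreq / -sign sequence with plain openssl commands, then installation
# in a certs directory with the <hash>.0 link the paper describes.
# Assumptions: openssl on PATH; CA_PASS set to the CA key passphrase;
# subject names, lifetimes and file names below are constructed.

# Create a private CA under $1/demoCA. The CA key is encrypted with
# $CA_PASS so that the key file alone cannot be used to sign certificates.
build_ca() {
  dir=$1
  mkdir -p "$dir/demoCA/private"
  chmod 0700 "$dir/demoCA/private"
  openssl req -new -x509 -days 1095 \
    -subj '/C=US/O=Example Mail/CN=Example Mail Root CA' \
    -passout "pass:$CA_PASS" \
    -keyout "$dir/demoCA/private/cakey.pem" \
    -out "$dir/demoCA/cacert.pem" 2>/dev/null
}

# Server key plus certificate request for host $2 (CA.pl -newreq). The key
# is left unencrypted (-nodes) because sendmail cannot prompt for a passphrase.
make_server_req() {
  dir=$1
  host=$2
  openssl req -new -nodes \
    -subj "/C=US/O=Example Mail/CN=$host" \
    -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
}

# Sign the request with the CA (CA.pl -sign), producing newcert.pem.
sign_server_req() {
  dir=$1
  openssl x509 -req -days 365 -in "$dir/newreq.pem" \
    -CA "$dir/demoCA/cacert.pem" -CAkey "$dir/demoCA/private/cakey.pem" \
    -passin "pass:$CA_PASS" -CAcreateserial \
    -out "$dir/newcert.pem" 2>/dev/null
}

# Install into the certs directory $2 and create the <hash>.0 link that
# OpenSSL's directory lookup expects; prints the link name.
install_certs() {
  dir=$1
  certs=$2
  mkdir -p "$certs"
  cp "$dir/demoCA/cacert.pem" "$certs/CAcert.pem"
  cp "$dir/newcert.pem" "$certs/MYcert.pem"
  cp "$dir/newkey.pem" "$certs/MYkey.pem"
  chmod 0644 "$certs/CAcert.pem" "$certs/MYcert.pem"
  chmod 0600 "$certs/MYkey.pem"            # private key: owner only
  hash=$(openssl x509 -noout -hash -in "$certs/CAcert.pem")
  ln -sf CAcert.pem "$certs/$hash.0"
  echo "$hash.0"
}

# Confirm the server certificate chains to the installed CA; prints OK or FAIL.
verify_chain() {
  certs=$1
  if openssl verify -CAfile "$certs/CAcert.pem" "$certs/MYcert.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Stand-alone use:
#   CA_PASS=... sh script.sh run /tmp/work /tmp/certs mail.example.com
if [ "${1:-}" = run ]; then
  build_ca "$2" && make_server_req "$2" "$4" && sign_server_req "$2" \
    && install_certs "$2" "$3" && verify_chain "$3"
fi
```

The script signs with `openssl x509 -req` rather than `openssl ca`, so it does not need the demoCA index and policy files that CA.pl maintains; the CA certificate, key location and the hash-named link are laid out the same way.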
3. To change the directory, enter the following command:
    cd /usr/newconfig/etc/mail/cf/cf
4. To run the gen_cf utility, enter the following command:
    $ ./gen_cf
5. Select the 2: STARTTLS option under the 4: Security Options option in the main menu.
6. Select the 5: Generate sendmail.cf option and press Enter to generate the Sendmail 8.13.3 configuration file (sendmail.cf.gen) with the STARTTLS feature enabled.
7. Repeat Steps 1–4.
8. Select the 6: Generate submit.cf option and press Enter to generate the configuration file of the Sendmail 8.13.
(/etc/mail/submit.cf), use the following option in the Sendmail 8.13.3 configuration file:
    DontBlameSendmail=GroupReadableKeyFile
11. Follow this procedure if MSP is disabled in Sendmail 8.13.3:
a. To change the directory to /etc/mail/certs, enter the following command:
    cd /etc/mail/certs
NOTE: For more information about configuring Sendmail 8.13.3, see the HP-UX Mailing Services Administrator's Guide at: http://www.docs.hp.com/en/netcom.html#Internet%20Services
b.
Specifies the host name.
Specifies the domain name.
Enter the EHLO command, as follows:
    $ EHLO localhost
The following output displays:
    250- Hello localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5
    250-STARTTLS
    250-DELIVERBY
    250 HELP
You must ensure that you obtain a response similar to 250-STARTTLS from the Sendmail 8.13.3 server.
    for root@ Thu, 5 Jul 2007 19:07:51 +0530 (IST)
    Date: Thu, 5 Jul 2007 19:07:51 +0530 (IST)
    From: .
The verify macro in the message header in the mtail command output contains the result of the verification of the presented certificate. The verify macro can contain the following values:
    OK        Verification succeeded.
    NO        No certificate presented.
    FAIL      Certificate presented, but it could not be verified (for example, the CA is missing).
    NONE
    TEMP
    PROTOCOL
    SOFTWARE
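The two verification steps above (looking for 250-STARTTLS in the EHLO reply, and reading the verify macro in the Received header) are easy to script. The following shell functions are an added example, not code from the HP white paper: they operate on constructed sample text embedded in the script so that they run offline, and the same functions can be pointed at a saved telnet transcript or a message file. The SAMPLE_EHLO reply and SAMPLE_RECEIVED header are constructed; the latter follows the form sendmail writes for a TLS hop, with the verify= field carrying the ${verify} macro value.

```shell
#!/bin/sh
# Added example, not from the HP white paper. Checks for the two
# verification steps described above, exercised on constructed samples.

# Constructed EHLO reply, modelled on the one shown in the paper.
SAMPLE_EHLO='250-mail.example.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP'

# Constructed reply from a server that also offers plaintext mechanisms.
SAMPLE_EHLO_WEAK='250-mail.example.com Hello localhost [127.0.0.1], pleased to meet you
250-AUTH PLAIN LOGIN DIGEST-MD5
250-STARTTLS
250 HELP'

# Constructed Received header for a hop that used STARTTLS; the verify=
# field holds the ${verify} macro value the paper describes.
SAMPLE_RECEIVED='Received: from client.example.com (client.example.com [192.0.2.10])
	by mail.example.com (8.13.3/8.13.3) with ESMTP id l65DabcD012345
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <root@mail.example.com>; Thu, 5 Jul 2007 19:07:51 +0530 (IST)'

# Exit 0 if the EHLO reply on stdin advertises STARTTLS, 1 otherwise.
ehlo_offers_starttls() {
  tr -d '\r' | grep -q '^250[- ]STARTTLS$'
}

# Print the SASL mechanisms listed on the 250-AUTH line of the reply on stdin.
ehlo_auth_mechs() {
  tr -d '\r' | sed -n 's/^250[- ]AUTH[[:space:]]*//p'
}

# Print any mechanisms that send the password in the clear (PLAIN, LOGIN).
# Seeing these before STARTTLS has completed is worth a second look at the
# server's AuthOptions.
weak_mechs() {
  ehlo_auth_mechs | tr ' ' '\n' |
    awk '/^(PLAIN|LOGIN)$/ { s = s (s ? " " : "") $0 } END { if (s) print s }'
}

# Print the verify= value from a (possibly folded) Received: header on
# stdin; prints nothing when the hop did not use STARTTLS.
received_verify() {
  tr -d '\r\n\t' | sed -n 's/.*[ (]verify=\([A-Z]*\).*/\1/p'
}

# Stand-alone demonstration:  sh script.sh demo
if [ "${1:-}" = demo ]; then
  printf '%s\n' "$SAMPLE_EHLO" | ehlo_offers_starttls && echo "STARTTLS offered"
  echo "AUTH mechanisms: $(printf '%s\n' "$SAMPLE_EHLO" | ehlo_auth_mechs)"
  echo "weak mechanisms: $(printf '%s\n' "$SAMPLE_EHLO_WEAK" | weak_mechs)"
  echo "verify macro:    $(printf '%s\n' "$SAMPLE_RECEIVED" | received_verify)"
fi
```

An empty result from received_verify means the header carries no TLS information at all for that hop, which is different from verify=NO (a TLS session in which the peer presented no certificate).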
NOTE: You must install the latest version of the OpenSSL software from http://www.software.hp.com to avoid errors while running the CA.pl script. Table 2 lists the version of OpenSSL that you must install for a particular HP-UX operating system.

Table 2 OpenSSL Versions

    Operating System Name    OpenSSL Version
    HP-UX 11i v1             A.00.09.07l
    HP-UX 11i v2             A.00.09.07l.001
    HP-UX 11i v3             A.00.09.08d.001

• The CyrusSASL version A.06.00-2.1.21 product in the HP-UX Internet Express bundle.
1. Uncomment the following entries in the /etc/mail/sendmail.cf file:
    C{TrustAuthMech}GSSAPI DIGEST-MD5 LOGIN PLAIN
    O AuthMechanisms=GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 LOGIN PLAIN EXTERNAL
    O DefaultAuthInfo=/etc/mail/default-auth-info
    O AuthOptions=A
NOTE: If these entries are already uncommented, ensure that you assign the previously mentioned values to the TrustAuthMech, AuthMechanisms, DefaultAuthInfo, and AuthOptions options.
2. Create the /usr/lib/sasl2/Sendmail.
1. To establish a Telnet session with the localhost, enter the following command:
    % telnet localhost 25
The following output displays:
    Trying...
    Connected to localhost.
    Escape character is '^]'.
    220 ESMTP Sendmail @(#)Sendmail version 8.13.3 - Revision 1.000 - 1st August,2006/8.13.3; Thu, 5 Jul 2007 18:37:50 +0530 (IST)
2. To send an EHLO message to the Sendmail 8.13.
1. Follow this procedure to generate the /etc/mail/sendmail.cf file:
NOTE: Ensure that you obtain a backup of the existing Sendmail 8.13.3 configuration files (/etc/mail/sendmail.cf and /etc/mail/submit.cf) so that you can revert to the original state if you encounter any configuration issues, and so that you do not lose any site-specific customized configuration.
a. To change the directory to the /usr/newconfig/etc/mail/cf/cf directory, enter the following command:
    cd /usr/newconfig/etc/mail/cf/cf
b.
d. Enter your authentication information in the client-info file using the following syntax:
    AuthInfo:server_name "U:root" "I:username" "P:password" "M:auth_mech"
where:
    server_name    Specifies the Sendmail 8.13.3 SASL server name.
    username       Specifies the user name to which the authentication information applies.
    password       Specifies the password that is configured using the saslpasswd2 command in the Sendmail 8.13.3 SASL server.
    auth_mech      Specifies the authentication mechanism.
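Both the sendmail.cf entries (Step 1 above) and the client-info file are easy to get subtly wrong: an option left commented out, an AuthInfo entry missing one of its items, or a file holding a plaintext password that is readable by more than its owner. The following script is an added example, not code from the HP white paper: check_auth_cf reports which of the four AUTH options are commented out or absent, and check_client_info validates the AuthInfo entries and the file permissions. The sample sendmail.cf fragment and client-info file it writes are constructed, and are deliberately flawed so that both checks have something to report.

```shell
#!/bin/sh
# Added example, not from the HP white paper: configuration checks for the
# AUTH setup described above. Sample inputs are constructed by write_samples.

# Report required AUTH options that are commented out or absent in $1.
# Returns 0 only when all four are present and active.
check_auth_cf() {
  cf=$1
  rc=0
  for opt in 'C{TrustAuthMech}' 'O AuthMechanisms=' 'O DefaultAuthInfo=' 'O AuthOptions='; do
    if grep -q -- "^$opt" "$cf"; then
      :
    elif grep -q -- "^#$opt" "$cf"; then
      echo "commented out: $opt"
      rc=1
    else
      echo "missing: $opt"
      rc=1
    fi
  done
  return $rc
}

# Validate the client-info file $1: it must not be readable by group or
# others (it holds a plaintext password), and every AuthInfo line must
# carry the "U:", "I:", "P:" and "M:" items. Returns 0 when clean.
# Items are split on whitespace, so values containing spaces are not handled.
check_client_info() {
  f=$1
  rc=0
  case $(ls -ld "$f" | cut -c5-10) in
    ------) ;;
    *) echo "$f: password file is readable by group or others"; rc=1 ;;
  esac
  awk '
    BEGIN { bad = 0 }
    /^AuthInfo:/ {
      have = ""
      for (i = 2; i <= NF; i++)
        if ($i ~ /^"[UIPM]:[^"]*"$/) have = have substr($i, 2, 1)
      if (have !~ /U/ || have !~ /I/ || have !~ /P/ || have !~ /M/) {
        print "line " NR ": incomplete entry for " $1
        bad = 1
      }
    }
    END { exit bad }
  ' "$f" || rc=1
  return $rc
}

# Write constructed, deliberately flawed samples into directory $1:
# AuthOptions is commented out, the second AuthInfo entry lacks "P:",
# and the client-info file is world readable.
write_samples() {
  d=$1
  printf '%s\n' \
    'C{TrustAuthMech}GSSAPI DIGEST-MD5 LOGIN PLAIN' \
    'O AuthMechanisms=GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 LOGIN PLAIN EXTERNAL' \
    'O DefaultAuthInfo=/etc/mail/default-auth-info' \
    '#O AuthOptions=A' > "$d/sendmail.cf"
  printf '%s\n' \
    'AuthInfo:mail.example.com "U:root" "I:alice" "P:constructed-secret" "M:DIGEST-MD5"' \
    'AuthInfo:relay.example.com "U:root" "I:bob" "M:CRAM-MD5"' > "$d/client-info"
  chmod 0644 "$d/client-info"
}

# Stand-alone demonstration:  sh script.sh demo
if [ "${1:-}" = demo ]; then
  w=$(mktemp -d)
  write_samples "$w"
  check_auth_cf "$w/sendmail.cf" || echo "sendmail.cf: AUTH options need attention"
  check_client_info "$w/client-info" || echo "client-info: needs attention"
fi
```

Run check_client_info against the real file as root; after correcting the permissions with chmod 0600 and completing the entries, both functions return 0 and print nothing.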
NOTE: If you use the FEATURE(`authinfo') option, the hostname in the map entry must exactly match the hostname of the ISP mail server, as explained in the ../cf/README file. Sendmail 8.13.3 searches only for domain parts or IP nets if you use the access map. If you use the authinfo feature, Sendmail 8.13.3 performs only three lookups: one default and two exact matches.

Verifying the Cyrus SASL Setup

This section discusses how to verify the Cyrus SASL setup.

Glossary

AES    Advanced Encryption Standard (AES), also known as Rijndael, is an encryption method that operates on fixed-length groups of bits, termed blocks.
DES    Data Encryption Standard (DES) is a method for encrypting information.
ESMTP  Extended Simple Mail Transfer Protocol (ESMTP) specifies extensions to the original protocol (SMTP) for sending mail that supports graphics, audio, and video files, and text in various national languages.