Sendmail 8.13.3 Securing Mailing Solution
3. Replace the two lines marked (1) and (2) in the following fragment of the CA.pl script:

        exit 0;
    } elsif (/^-newcert$/) {
        # create a certificate
        system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");   # (1)
        $RET=$?;
        print "Certificate is in newcert.pem, private key is in newkey.pem\n"
    } elsif (/^-newreq$/) {
        system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");   # (2)
        $RET=$?;
        print "Request is in newreq.pem, private key is in newkey.pem\n";
    } elsif (/^-newreq-nodes$/)

   (1) Replace this line with the following:
        system ("$REQ -new -nodes -x509 -keyout newkey.pem -out newcert.pem $DAYS");

   (2) Replace this line with the following:
        system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
The only change is the addition of the -nodes option when the certificate and request are generated; -nodes makes openssl write the private key without passphrase encryption. If you do not include this option, Sendmail 8.13.3 cannot load the encrypted key during startup. As a result, it logs the following error message in the /var/adm/syslog/mail.log file:

    May 4 11:55:20 XXXXX sm-mta[23544]: STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/mail/certs/servername-key.pem) failed
NOTE: You must change the first line of the CA.pl script (the #! line) to the location of the perl interpreter on your system. Otherwise, the following error message is logged in the /var/adm/syslog/syslog.log file:

    interpreter "/opt/perl/bin/perl" not found
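The following script is an added example and is not part of this document or of the CA.pl script. It applies the two step 3 edits to a copy of CA.pl with sed, and then runs the checks an administrator would want before sendmail starts with the resulting key: is the key still passphrase-protected (the failure logged above), and is the now-unencrypted key readable only by its owner. Paths and the sample files it constructs are assumptions; the PEM headers it looks for are the standard OpenSSL ones.

```shell
#!/bin/sh
# Added example, not part of the HP-UX document. It applies the two CA.pl edits
# from step 3 with sed, then runs the checks an administrator would want before
# sendmail starts with the resulting key. Paths and sample files are constructed.

# patch_ca_pl FILE: add -nodes to the -newcert (1) and -newreq (2) system()
# lines of a CA.pl copy. The -newreq-nodes branch already has -nodes and matches
# neither pattern, so the edit is safe to repeat. Prints the -nodes line count.
patch_ca_pl() {
    sed -e 's/\$REQ -new -x509 -keyout/$REQ -new -nodes -x509 -keyout/' \
        -e 's/\$REQ -new -keyout newkey.pem -out newreq.pem/$REQ -new -nodes -keyout newkey.pem -out newreq.pem/' \
        "$1" > "$1.new" && mv "$1.new" "$1"
    grep -c -- '-nodes' "$1" || true
}

# key_is_encrypted FILE: succeed when the PEM private key is passphrase
# protected, the case that makes SSL_CTX_use_PrivateKey_file fail in sm-mta.
# Covers PKCS#1 (Proc-Type header) and PKCS#8 (ENCRYPTED PRIVATE KEY) formats.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# key_perms_ok FILE: succeed when group and other have no permission bits,
# the minimum for a key that -nodes leaves unencrypted on disk.
key_perms_ok() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# check_key FILE: one-line verdict for a key about to go into /etc/mail/certs.
check_key() {
    if key_is_encrypted "$1"; then echo "$1: encrypted, sendmail cannot load it"
    elif ! key_perms_ok "$1"; then echo "$1: plain key but readable by others"
    else echo "$1: ok"; fi
}

# Stand-alone run (sh thisfile.sh demo) against a constructed CA.pl fragment
# and two constructed sample keys containing no real key material.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf '%s\n' 'system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");' \
        'system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");' > "$d/CA.pl"
    echo "lines with -nodes after patch: $(patch_ca_pl "$d/CA.pl")"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        '-----END RSA PRIVATE KEY-----' > "$d/enc.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '-----END RSA PRIVATE KEY-----' > "$d/plain.pem"
    chmod 600 "$d/enc.pem" "$d/plain.pem"
    check_key "$d/enc.pem"; check_key "$d/plain.pem"
fi
```

Run check_key against the key you copy into /etc/mail/certs before restarting sendmail; an "encrypted" verdict means the -nodes edit in step 3 was not applied when the key was generated.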
4. Follow this procedure to create your own CA, and to create certificates and keys for your Sendmail 8.13.3 server:

   a. To create a CA, enter the following command:

        $ ./CA.pl -newca

      The following message displays:

        CA certificate filename (or enter to create)

      Enter the file name of an existing CA certificate, or press Enter to create a new one. The following message displays:

        Making CA certificate...
        Generating a 1024 bit RSA private key
        .................++++++....++++++
Configuring Sendmail 8.13.3 with TLS and SSL 15