How to set up encryption for Sendmail

Why do this at all? Mostly because users want to connect with their mobile devices (phones and tablets alike) and fetch their mail…

Starting point: a working mail server (in my case RHEL 6U2, MailScanner + Sendmail + Dovecot + Apache + Cyrus)

Checking whether Sendmail was built with SSL (STARTTLS) and SASL support (look for STARTTLS and SASLv2 in the "Compiled with" list):
# sendmail -d0.1 -bv
Version 8.14.4
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = mail-2012
(canonical domain name) $j = mail-2012.test
(subdomain name) $m = test
(node name) $k = mail-2012.test
========================================================

How to generate the certificate (a local, self-signed certificate, not one issued by a root CA):
# cd /etc/pki/tls/certs
# make sendmail.pem
…. You answer the usual batch of certificate questions
and at the end the certificate appears in that directory (/etc/pki/tls/certs):
-rw------- 1 root root 3129 Sep 25 10:04 sendmail.pem

That certificate has to be enabled in /etc/mail/sendmail.mc:
define(`confAUTH_OPTIONS', `A y')dnl
With this we require authentication and forbid anonymous login

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

DAEMON_OPTIONS(`Port=smtp, Name=MSA, M=bh')dnl         so it also works on port 25
DAEMON_OPTIONS(`Port=smtps, Name=MSA, M=s')dnl         this is for port 465
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl   this is for port 587
E = disallow ETRN (see RFC 2476), a = require SMTP authentication
Note: these entries already exist in the file; you only need to un-dnl them (remove the leading dnl).

# /etc/mail/make
# service MailScanner restart

Testing the setup (port 25, port 587 = submission, port 465 = smtps):
# telnet 127.0.0.1 587
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail-2012.trezor ESMTP Sendmail 8.14.4/8.14.4; Tue, 25 Sep 2012 10:43:16 +0200
starttls                        (typed manually…)
220 2.0.0 Ready to start TLS

# telnet 127.0.0.1 587
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail-2012.trezor ESMTP Sendmail 8.14.4/8.14.4; Tue, 25 Sep 2012 10:50:57 +0200
auth plain                      (typed manually…)
334                             (shows that "plain" authentication is allowed as well)

# telnet 127.0.0.1 465
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

[root@mail-2012 mail]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail-2012.test ESMTP Sendmail 8.14.4/8.14.4; Tue, 25 Sep 2012 14:16:00 +0200
ehlo localhost                  (typed manually)
250-mail-2012.test Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
auth login                      (typed manually)
334 VXNlcm5hbWU6
dmVs(*ppE=                      (typed manually: the username in Base64)
334 UGFzc3dvcmQ6
OoTkklmR1ci5taW5l               (typed manually: the password in Base64)
235 2.0.0 OK Authenticated
mail from: velda@test.rs
250 2.1.0 velda@test.rs... Sender ok
rcpt to: velda@test.rs
250 2.1.5 velda@test.rs... Recipient ok
data
354 Enter mail, end with "." on a line by itself
from the server 14:18           (message body, typed manually)
.
250 2.0.0 q8PCG0QF009231 Message accepted for delivery
quit
221 2.0.0 mail-2012.test closing connection
Connection closed by foreign host.
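The session above shows the point worth auditing: on port 25 the server advertises AUTH LOGIN and PLAIN in the EHLO reply before any STARTTLS, and the LOGIN exchange that follows carries the username and password only Base64-encoded, so anyone on the path can read them. The script below is an added example (not part of the original post) that parses an EHLO reply into the same feature dictionary smtplib keeps in SMTP.esmtp_features and flags cleartext mechanisms offered outside a TLS session; live_audit() repeats the check against a real server before and after STARTTLS. The sample reply and its hostname are constructed for the example.

```python
"""Audit an SMTP EHLO reply for credential exposure before TLS.

Added example, not the original post's code. parse_ehlo() parses a
multi-line 250- EHLO reply into {feature: params}, audit_features()
reports cleartext SASL mechanisms (PLAIN, LOGIN) advertised while no
TLS layer is active, and live_audit() runs the same check over the
network with smtplib.
"""
import smtplib
import ssl

# Constructed sample modelled on the telnet session above; hostname is made up.
SAMPLE_EHLO_REPLY = """250-mail.example.test Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP"""

# Mechanisms that carry the password in the clear (PLAIN) or merely
# Base64-encoded (LOGIN); acceptable only inside a TLS session.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply: str) -> dict:
    """Turn a raw EHLO reply into {feature_lowercase: "params"}.

    The first line is the greeting and is skipped; every other line is
    '250-KEYWORD params' or, for the last one, '250 KEYWORD params'.
    """
    features = {}
    for line in reply.strip().splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        parts = line[4:].split()
        if parts:
            features[parts[0].lower()] = " ".join(parts[1:])
    return features


def audit_features(features: dict, tls_active: bool) -> list:
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if not tls_active and "starttls" not in features:
        findings.append("server does not offer STARTTLS")
    offered = {m.upper() for m in features.get("auth", "").split()}
    exposed = sorted(offered & CLEARTEXT_MECHS)
    if exposed and not tls_active:
        findings.append(
            "cleartext mechanisms advertised before TLS: " + " ".join(exposed))
    return findings


def live_audit(host: str, port: int = 587, timeout: float = 10.0) -> tuple:
    """Audit a real MSA before and after STARTTLS (needs network access)."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = audit_features(smtp.esmtp_features, tls_active=False)
        if not smtp.has_extn("starttls"):
            return before, ["STARTTLS unavailable; no encrypted session to audit"]
        smtp.starttls(context=ctx)
        smtp.ehlo()  # the feature list must be re-read after the TLS handshake
        after = audit_features(smtp.esmtp_features, tls_active=True)
    return before, after


if __name__ == "__main__":
    feats = parse_ehlo(SAMPLE_EHLO_REPLY)
    for finding in audit_features(feats, tls_active=False):
        print("FINDING:", finding)
```

Run against the sample reply this reports "cleartext mechanisms advertised before TLS: LOGIN PLAIN", which is exactly what the port 25 session above exhibits. On the Sendmail side the fix is the `p` flag in confAUTH_OPTIONS (for example `A p y`), which withholds PLAIN and LOGIN until a security layer such as STARTTLS is active; after that change the pre-TLS audit comes back empty while the post-TLS one still lists them.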

For authentication to work on the outgoing side as well (outgoing SMTP server), the saslauthd service MUST be running too (and set to start when the server boots):
# service saslauthd start

For POP3S (port 995) to work, set these lines in /etc/dovecot/dovecot.conf:
ssl = yes
ssl_cert =