Mirjam recently bought a new laptop and ... / 2010-03-30

Mirjam recently bought a new laptop and installed Linux on it (so far nothing special), but we thought it would be nice if mail from the laptop would work from anywhere in the world. Using the information from Relaying with TLS in Sendmail, ubuntu sendmail and a bit of my own thinking this was not very hard. By default ubuntu hides the entire sendmail certificate creation and signing process, and I needed 'better' certificates signed by my own certificate authority. For the client side:
root@machiavelli:/etc/mail/tls# openssl req -new -key sendmail-common.key -out sendmail-client.csr 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [Utrecht]:
Locality Name (eg, city) [Utrecht]:
Organization Name (eg, company) [idefix.net]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:machiavelli.idefix.net
Email Address []:koos@machiavelli.idefix.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Next I signed this CSR using the idefix.net CA, and put the resulting client certificate back in /etc/mail/tls/sendmail-client.crt. On the client, /etc/mail/submit.mc had to be changed to use TLS and talk directly to the right machine:
FEATURE(`msp', `postbode.idefix.net', `MSA')
include(`/etc/mail/tls/starttls.m4')dnl
Now for the server side I also generated a csr for the name postbode.idefix.net and signed it. I changed /etc/mail/sendmail.mc to do this correctly:
include(`/etc/mail/tls/starttls.m4')dnl
dnl #
dnl # fix debian weird choice
define(`confTLS_SRV_OPTIONS', `')dnl
And updated the /etc/mail/access map to relay based on the data from the idefix.net certificate:
# SSL magic
CERTIssuer:/C=NL/ST=Utrecht/L=Utrecht/O=idefix.net/OU=Certificate+20Authority/CN=idefix.net+20CA/emailAddress=hostmaster@idefix.net     RELAY
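The signing step above and the CERTIssuer entry in the access map both depend on the issuer DN of the signed client certificate. The following script is an added example, not code from the original post: it builds a throwaway CA, signs a client CSR with it, verifies the chain, and prints the issuer DN in the +20-for-space form the access map uses. The names (example.test, "example CA") and the temporary directory are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway CA, a client CSR
# signed by it, a chain check, and the issuer DN in access-map form.
# All names below (example.test, "example CA") are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A private CA, the analogue of the idefix.net CA in the post.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout ca.key -out ca.crt \
    -subj "/C=NL/O=example CA/CN=example CA" 2>/dev/null

# 2. Client key and CSR; in the post this is sendmail-common.key and
#    sendmail-client.csr with the DN questions answered interactively.
openssl req -new -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr \
    -subj "/C=NL/O=example/CN=client.example.test" 2>/dev/null

# 3. Sign the CSR with the CA; the result is what would be installed as
#    /etc/mail/tls/sendmail-client.crt on the laptop.
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -days 365 -out client.crt 2>/dev/null

# Does the signed certificate chain to the CA? Exit status 0 means yes.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Issuer DN of a certificate in the form used by the access map. Only the
# space -> +20 substitution shown in the post is applied here (assumption:
# sendmail may encode other characters the same +XX way), so compare the
# result with the cert_issuer= value in your own sendmail log before use.
issuer_dn_sendmail() {
    openssl x509 -noout -issuer -nameopt compat -in "$1" \
        | sed -e 's/^issuer= *//' -e 's/ /+20/g'
}

verify_chain ca.crt client.crt && echo "chain OK"
printf 'CERTIssuer:%s\tRELAY\n' "$(issuer_dn_sendmail client.crt)"
```

Run it as a normal user; it only writes into a temporary directory that is removed on exit. The last line prints the access-map entry for the constructed CA, which for a real setup would be replaced by the issuer DN of your own CA certificate.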
Testing it was harder from home, which is normally a trusted network; it lost that role for a few minutes. I also noticed that when I use mail -v it asks the upstream mailhost to be verbose as well. As noted in the linked article, logging is sparse. One hint in the headers of the relayed mail is:
Received: from machiavelli.idefix.net (wireless-machiavelli.idefix.net [IPv6:2001:888:1011:1:21f:e1ff:fe45:2894])
        by kzdoos.xs4all.nl (8.14.2/8.14.2/Debian-2build1) with ESMTP id o2UKFH9X002890
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
        for XXXXXXXXXXXXXXX; Tue, 30 Mar 2010 22:15:18 +0200

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.