Re: Multiple certificates
- From: Bill Cole <bill@xxxxxxxxxxxxx>
- Date: Sun, 24 Feb 2008 20:43:48 -0500
In article <47BD6623.FFB7.0000.0@xxxxxxxxxxxxxxxxxxx>,
"John Chajecki" <jchaj.news@xxxxxxxxxxxxxxxxxxx> wrote:
> Please can someone advise us how we configure multiple certificates on our
> sendmail server?
See http://www.sendmail.org/m4/starttls.html and
http://www.sendmail.org/~ca/email/starttls.html
Those documents explain how to selectively require verification and
other facets of TLS.
> We need to do TLS AND Verify with two different organisation servers. If the
> certificate is not valid, the mail should not be accepted and the connection
> dropped.
Is this just for when your Sendmail instance is acting as a server
(accepting mail) or also when being a client (sending mail)?
> We have the usual certificates on our server with entries on the .mc as
> follows:
> define(`confCACERT_PATH', `/etc/mail/certs/')dnl
> define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
> define(`confSERVER_CERT', `/etc/mail/certs/cert.pem')dnl
> define(`confSERVER_KEY', `/etc/mail/certs/key.pem')dnl
> define(`confCLIENT_CERT', `/etc/mail/certs/cert.pem')dnl
> define(`confCLIENT_KEY', `/etc/mail/certs/key.pem')dnl
> The problem is how do we create the certificates so that both organisations
> can be verified by our mail server and vice-versa? Also how do we configure
> these in sendmail. Do we put multiple certificates in the same cert.pem
> file, or, do we put multiple confSERVER_CERT and confCLIENT_CERT entries?
I suggest that you read up on how X.509 certificates and TLS work, since
you seem to be unclear on the concepts.
The client and server certs that your Sendmail uses need to be signed by
CA certs that are trusted by any verifying partner, and the client and
server certs used by your partners need to be signed by CA certs that
they trust.
> We are currently generating our own certificates (we're using openssl)
> and the two organisations in question likewise.
Then you each need each other's CA certs added to your set of trusted
CA's: either appended to the file defined by confCACERT or (safer) as
additional PEM files in the directory defined in confCACERT_PATH.
--
Clues for the blacklisted: <http://www.scconsult.com/bill/dnsblhelp.html>
Current Peeve: Managers who make promises they have no capacity to keep.
If you could use a sysadmin, see http://www.scconsult.com/bill/resume.html
(being used seems to be my specialty)
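The following script is an added example, not something from Bill's reply or from the sendmail project, showing the "additional PEM files in confCACERT_PATH" approach in practice. Sendmail passes confCACERT_PATH to OpenSSL, which looks CA files up by subject-name hash (files or links named `<hash>.0`, `<hash>.1`, ...), so simply copying a partner's CA certificate into the directory is not enough; the hashed link is what makes it trusted. The script builds a throwaway directory in that layout from several constructed CAs (our own plus two partners), then checks that a certificate issued by a partner CA verifies while one issued by an organisation whose CA we never exchanged does not. All organisation and host names are made up, and the script only requires the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): populate a confCACERT_PATH-style
# directory with several trusted CA certificates and verify peer certs
# against it. Requires the openssl CLI. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CAPATH="$WORK/certs"      # stands in for /etc/mail/certs/ from the thread
mkdir -p "$CAPATH"

# Minimal OpenSSL config so the example does not depend on the system's
# openssl.cnf: one section for CA certs, one for leaf (mail server) certs.
CONF="$WORK/openssl.cnf"
cat > "$CONF" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF

# make_ca NAME: create a self-signed CA key and certificate for NAME.
make_ca() {
    openssl req -x509 -config "$CONF" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 365 -subj "/O=$1/CN=$1 Root CA" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" >/dev/null 2>&1
}

# issue_cert CA HOST: issue a server certificate for HOST signed by CA.
issue_cert() {
    openssl req -new -config "$CONF" -newkey rsa:2048 -nodes \
        -subj "/O=$1/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -extfile "$CONF" -extensions v3_leaf \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# add_trusted_ca FILE: copy a CA cert into CAPATH and create the hashed
# link OpenSSL looks for (what c_rehash does); the numeric suffix is
# incremented if two CAs happen to share a subject hash.
add_trusted_ca() {
    name=$(basename "$1")
    cp "$1" "$CAPATH/$name"
    hash=$(openssl x509 -noout -hash -in "$1")
    n=0
    while [ -e "$CAPATH/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$name" "$CAPATH/$hash.$n"
}

# verify_peer FILE: exit 0 if FILE chains to a CA in CAPATH, 1 otherwise.
verify_peer() {
    openssl verify -CApath "$CAPATH" "$1" >/dev/null 2>&1
}

# Constructed scenario: our CA and two partner CAs are trusted; a fourth
# organisation we never exchanged CA certs with must be rejected.
make_ca ours; make_ca partnerA; make_ca partnerB; make_ca stranger
issue_cert partnerA mail.partnera.example
issue_cert partnerB mail.partnerb.example
issue_cert stranger mail.stranger.example
add_trusted_ca "$WORK/ours-ca.pem"
add_trusted_ca "$WORK/partnerA-ca.pem"
add_trusted_ca "$WORK/partnerB-ca.pem"

verify_peer "$WORK/mail.partnera.example.pem" && echo "partnerA: verified"
verify_peer "$WORK/mail.partnerb.example.pem" && echo "partnerB: verified"
verify_peer "$WORK/mail.stranger.example.pem" || echo "stranger: rejected"
```

The `add_trusted_ca` step is the part that is easy to miss: it mirrors what `c_rehash` does for a directory, and it is why Bill's "additional PEM files in confCACERT_PATH" route needs the hashed symlinks rather than just the files. Each organisation repeats it for every partner CA it chooses to trust, which keeps the trust decision per partner instead of one concatenated bundle.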