> The most recent doc I can find on sendmail.org is from several
> versions ago (and that had to be found with an external google
> search) https://www.sendmail.org/~ca/email/doc8.12/cf/m4/starttls.html
Hey there all,
It seems in sendmail if you configure:
[... CACERT_DIR vs. CACERT ...]
Then sendmail will, by default, request a client certificate signed by any
of those CA's. Either can be used to validate connections as a client, but only the monolithic list can be sent when running as a server.
[...]
Gushi <gushimailtest@gmail.com> wrote:
> Then sendmail will, by default, request a client certificate signed by any of those CA's.
For sure there is nothing sent in the TLS handshake that specifies a
list of root certificates with which a possibly expected client
certificate has to be signed.
As far as I know CACERT_DIR and CACERT are kind of mutually exclusive.
Neither is sent to the other side!
> define(`confCACERT_PATH', `CERT_DIR')
> define(`confCACERT', `CERT_DIR/cacert.pem')
> Then sendmail will, by default, request a client certificate signed by any
> of those CA's. Either can be used to validate connections as a client, but
> only the monolithic list can be sent when running as a server.
> Postfix seems to instruct that asking for a client cert is only something
> you want to do in rare circumstances (like, for relaying), and typically
> only want to specify something like an internal CA.
> Is this still a best practice?
> The most recent doc I can find on sendmail.org is from several versions ago
As someone already mentioned: use the docs which come with your
version of sendmail.
[...]
> Neither is sent to the other side!
See the fine documentation (doc/op.*):
The file specified via CACertFile can contain several certificates of CAs.
The DNs of these certificates are sent to the client during the TLS handshake
(as part of the CertificateRequest) as the list of acceptable CAs. However,
do not list too many root CAs in that file, otherwise the TLS handshake may
fail; e.g.,
On 26.09.2022 at 14:06:44, Gushi wrote:
> The most recent doc I can find on sendmail.org is from several
> versions ago (and that had to be found with an external google
> search) https://www.sendmail.org/~ca/email/doc8.12/cf/m4/starttls.html
Documentation for the current version is included in the tarball.
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.17.1.tar.gz
https://ftp.sendmail.org/sendmail.8.17.1.tar.gz
Go to the subfolder cf and read README.
Gushi wrote:
> define(`confCACERT_PATH', `CERT_DIR')
> define(`confCACERT', `CERT_DIR/cacert.pem')
> Then sendmail will, by default, request a client certificate signed by any of those CA's. Either can be used to validate connections as a client, but only the monolithic list can be sent when running as a server.
But the client can ignore that...
> Postfix seems to instruct that asking for a client cert is only something you want to do in rare circumstances (like, for relaying), and typically only want to specify something like an internal CA.
> Is this still a best practice?
doc/op.*
6.6.1. Certificates for STARTTLS
When acting as a server, sendmail requires X.509 certificates to support
STARTTLS: one as certificate for the server (ServerCertFile and corresponding
private ServerKeyFile) at least one root CA (CACertFile), i.e., a certificate
that is used to sign other certificates, and a path to a directory which
contains (zero or more) other CAs (CACertPath). The file specified via
CACertFile can contain several certificates of CAs. The DNs of these
certificates are sent to the client during the TLS handshake (as part of the
CertificateRequest) as the list of acceptable CAs. However, do not list too
many root CAs in that file, otherwise the TLS handshake may fail; e.g.,
error:14094417:SSL routines:SSL3_READ_BYTES:
sslv3 alert illegal parameter:s3_pkt.c:964:SSL alert number 47
You should probably put only the CA cert into that file that signed your own
cert(s), or at least only those you trust.
doc/op/op.txt doesn't exist, and if we're at the point where I need to load
Follow-on question(s) then, since it's a bit unusual in open source software
to have to attach the root cert: How does Sendmail use confCACERT, when
acting only as a server? Does it validate its own cert at startup time?
Does it auto-attach the CA cert to the server chain when doing the SSL handshake?
Put another way -- if I put a totally different CA cert than what signed my
cert and key, would sendmail refuse to speak SSL or would handshakes fail in some way?
Is this option still required if I have set srv_features v?
[...]
> Follow-on question(s) then, since it's a bit unusual in open source
> software to have to attach the root cert: How does Sendmail use
> confCACERT, when acting only as a server? Does it validate its own
> cert at startup time? Does it auto-attach the CA cert to the server
> chain when doing the SSL handshake?
> Put another way -- if I put a totally different CA cert than what
> signed my cert and key, would sendmail refuse to speak SSL or would handshakes fail in some way?
> Is this option still required if I have set srv_features v?