
Page 1: December 17, 2015 1 STARTTLS. December 17, 2015 2 STARTTLS: Objectives Define STARTTLS and the reasons for using it Describe how the SSL protocol works

April 21, 2023 1

STARTTLS


STARTTLS: Objectives

• Define STARTTLS and the reasons for using it

• Describe how the SSL protocol works

• Identify the STARTTLS configuration variables

• Describe how the Sendmail clients and servers determine whether a server supports STARTTLS

• Identify how to set up a private certificate authority (CA)

• Describe how to use gen_cf to create a configuration file for STARTTLS

• Describe the line that must be added to the access file.


STARTTLS

• STARTTLS is the SMTP command to "Start Transport Layer Security"; or in other words to turn on Secure Socket Layer (SSL).

• Transport Layer Security (TLS) provides authentication (identification), privacy, confidentiality, and integrity for securing a mail transaction.

• TLS uses different algorithms for encryption, signing, and message authentication.

• To use Sendmail with STARTTLS, you must install the OpenSSL software on your system from http://www.software.hp.com.

• You can use the /usr/newconfig/etc/mail/cf/cf/gen_cf script to generate the sendmail.cf configuration file that supports the STARTTLS feature.

• HP only supports STARTTLS if used in conjunction with the access database. HP does not support the use of custom rulesets.

Step by Step SSL Protocol

[Figure: SSL client (e.g. browser) on the left, SSL server on the right; the ServerCertificate is shown passing from server to client as the steps proceed.]

1. Client suggests/requests information from the SSL server.

2. Server responds with its digital certificate and encryption preferences. Encryption level negotiation complete.

3. Client verifies the server certificate.

4. It computes a shared secret session key.

5. It encrypts the shared secret session key using the master's public key and sends it to the server.

6. Server decrypts the master public key and computes shared session key.

7. Client and server exchange encrypted data using the shared session key.
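The key-transport flow the slides draw (certificate, verification, a session key encrypted under the server's public key, then symmetric traffic), as an added Python example that is not code from the slides or from OpenSSL. It uses textbook RSA over two fixed Mersenne primes and a SHA-256 keystream as the "session cipher", both toys chosen so the arithmetic stays visible; the server name and message are constructed. Where the slides say "master's public key", the key used is the server's public key from its certificate.

```python
import hashlib
import secrets

# Server key pair from two known primes (Mersenne primes 2**61-1 and 2**89-1).
# Assumption for readability only: a ~150-bit modulus is far too small for
# real use; this is textbook RSA without padding, purely to show the flow.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)
SERVER_PUBLIC_KEY = (N, E)
SERVER_PRIVATE_KEY = (N, D)
SERVER_NAME = "mail.example.invalid"     # constructed name, not from the slides


def make_certificate(name, public_key):
    """Server certificate, modelled as name + public key + a 'signature'.

    The signature stands in for the CA's signature; the client trusts a
    certificate whose signature is in its trusted set (the role played by
    CACertFile / CACertPath in the Sendmail configuration).
    """
    n, e = public_key
    digest = hashlib.sha256(f"{name}|{n}|{e}".encode()).hexdigest()
    return {"subject": name, "public_key": public_key, "signature": digest}


SERVER_CERT = make_certificate(SERVER_NAME, SERVER_PUBLIC_KEY)
CLIENT_TRUSTED_SIGNATURES = {SERVER_CERT["signature"]}


def client_verify_certificate(cert, expected_name, trusted):
    """Step 3: the client checks the name and that the certificate is trusted."""
    return cert["subject"] == expected_name and cert["signature"] in trusted


def client_key_exchange(cert):
    """Steps 4-5: pick a fresh 128-bit session key and RSA-encrypt it
    under the server's public key (c = k**e mod n)."""
    n, e = cert["public_key"]
    session_key = secrets.randbits(128)
    return session_key, pow(session_key, e, n)


def server_recover_session_key(encrypted_key, private_key):
    """Step 6: the server decrypts with its private key (k = c**d mod n)."""
    n, d = private_key
    return pow(encrypted_key, d, n)


def session_encrypt(session_key, data):
    """Step 7: toy stream cipher, XOR with SHA-256(key || block counter).

    Symmetric, so the same call decrypts. Illustrative only: it has no
    integrity protection, which a real TLS record layer provides."""
    key_bytes = session_key.to_bytes(16, "big")
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key_bytes + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def run_handshake(expected_name=SERVER_NAME, message=b"MAIL FROM:<alice@example.invalid>"):
    """Run steps 2-7 end to end; returns (keys_match, plaintext_seen_by_server)."""
    cert = SERVER_CERT                                                  # step 2
    if not client_verify_certificate(cert, expected_name, CLIENT_TRUSTED_SIGNATURES):
        raise ValueError("server certificate did not verify; abort")    # step 3
    client_key, encrypted_key = client_key_exchange(cert)               # steps 4-5
    server_key = server_recover_session_key(encrypted_key, SERVER_PRIVATE_KEY)  # step 6
    ciphertext = session_encrypt(client_key, message)                   # step 7
    return client_key == server_key, session_encrypt(server_key, ciphertext)
```

Step 3 is the one that decides everything that follows: if the client skips verification, any party that answers the connection can supply its own key pair and read the session. The RSA key-transport shape shown here is what SSL and TLS up to 1.2 allowed; it gives no forward secrecy, which is why TLS 1.3 removed it in favour of ephemeral Diffie-Hellman.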


STARTTLS configuration variables

• UseTLS - Enables the TLS handshake in the SMTP transaction.

• CERT_DIR - Specifies the directory for storing Sendmail certificates.

• CACERT_PATH - Specifies the path that stores the certificates of all the Certificate Authorities known to the Sendmail server.

• CACertFile - Specifies the file containing the certificate of the Certificate Authority that issued the certificate of the Sendmail server.

• ServerCertFile and ClientCertFile - Refer to the server and client certificates.

• ServerKeyFile and ClientKeyFile - Specify the private keys that correspond to the certificates of the Sendmail server and the Sendmail client.


When Sendmail is a Server

Clients issue the EHLO command during an SMTP session to determine whether the server supports STARTTLS. If the server supports STARTTLS, it will include it in the list of commands the client can issue.

ehlo localhost
250-inet16.india.hp.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS <<<<<<<< Note
250-DELIVERBY
250 HELP

When Sendmail is a Client

If the "next" mail server offers "STARTTLS" as one of its allowed commands, our Sendmail (which has been compiled to support STARTTLS) will always accept the offer and issue a STARTTLS command--even if it has no certificates configured!
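The EHLO capability check described above, as an added Python example (not code from the slides or from Sendmail): it parses a multi-line SMTP reply the way RFC 5321 defines it ("250-" on continuation lines, "250 " on the last) and then applies two client policies, the opportunistic one the slide describes for Sendmail and a strict one. The sample reply is constructed from the slide's output; the host name is the slide's.

```python
import re

# Constructed from the slide's EHLO transcript (the "<<<< Note" marker removed).
SAMPLE_EHLO_REPLY = """\
250-inet16.india.hp.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
"""


def parse_ehlo_reply(reply):
    """Return (status_code, greeting, {EXTENSION: params}) for an EHLO reply.

    Every line must carry the same 3-digit code; continuation lines use "-"
    and only the final line uses a space. Anything else is rejected rather
    than guessed at, so a truncated or tampered reply never looks like a
    complete one.
    """
    lines = reply.splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    code = lines[0][:3]
    greeting = None
    extensions = {}
    for idx, line in enumerate(lines):
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m or m.group(1) != code:
            raise ValueError(f"malformed reply line: {line!r}")
        is_last = m.group(2) == " "
        if is_last != (idx == len(lines) - 1):
            raise ValueError("continuation marker does not match line position")
        if idx == 0:
            greeting = m.group(3)          # "host Hello client [addr], ..."
            continue
        keyword, _, params = m.group(3).partition(" ")
        extensions[keyword.upper()] = params
    return int(code), greeting, extensions


def server_offers_starttls(reply):
    """True if the EHLO reply succeeded and listed the STARTTLS extension."""
    code, _, extensions = parse_ehlo_reply(reply)
    return code == 250 and "STARTTLS" in extensions


def client_should_send_starttls(reply, require_tls=False):
    """Decide the client's next step after EHLO.

    require_tls=False is the behaviour the slide describes for Sendmail:
    issue STARTTLS whenever it is offered, otherwise carry on in the clear.
    require_tls=True refuses to continue without STARTTLS, which is the
    only client-side protection when the keyword is missing from the reply,
    for whatever reason. Returns "STARTTLS", "PLAINTEXT" or "ABORT".
    """
    if server_offers_starttls(reply):
        return "STARTTLS"
    return "ABORT" if require_tls else "PLAINTEXT"
```

Note that offering STARTTLS and the client accepting it says nothing yet about certificates: the slide's point that Sendmail sends STARTTLS even with none configured is exactly why the verify= field in maillog, not the presence of TLS, is what a relay decision should rest on.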


STARTTLS set up

• Warning: do not use sendmail -bs for testing the STARTTLS set up.

• The set up discussed in this class uses a private CA (certificate authority). Private CAs are often used for STARTTLS within a company.

• Install OpenSSL on the Sendmail server that will be the private CA. You can download OpenSSL from software.hp.com (security and manageability, OPENSSL).

• Setting up a private CA is for example use only. Always consider a commercial CA prior to using a private CA.

• Building a private CA is the most complex method of signing certificates.

• Evaluate alternatives to choose the approach suitable for the situation.


Set up a private CA on the Sendmail Server

1. # cd /etc/mail

2. # mkdir certs

3. # cd certs

4. # /opt/openssl/misc/CA.sh -newca

(see notes for output on this command)

5. # mv demoCA CA

6. # cd CA

7. # chmod 0700 private

8. # cp /opt/openssl/openssl.cnf sendmailssl.cnf

9. vi sendmailssl.cnf

Change dir = ./demoCA to dir = /etc/mail/certs/CA


Create certificate request (csr)

1. # cd /etc/mail

2. # mkdir certs

3. # umask 0066

4. # openssl req -nodes -new -x509 -keyout key.pem -out newcert.pem

(see notes for output on this command)

5. # openssl x509 -x509toreq -in newcert.pem -signkey key.pem -out csr.pem

(see notes for output on this command)

6. FTP/move the csr.pem to the CA host (wtecd350.atl.hp.com) in the /etc/mail/certs/CA directory.


Sign the certificate request (csr)

1. # cd /etc/mail/certs/CA

2. # openssl ca -config ./sendmailssl.cnf -policy policy_anything -out cert.pem -infiles csr.pem

(see output in notes)

3. Move/FTP the cert.pem to the /etc/mail/certs directory on the Sendmail host.

4. Move/FTP the CA/cacert.pem to the /etc/mail/certs/CA directory on the Sendmail host.

5. # cd /etc/mail

6. # chmod -R 600 certs
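Once the CA, request and signing steps above are done, the Sendmail host should hold cert.pem, key.pem and CA/cacert.pem under /etc/mail/certs with the private key unreadable to anyone but root (that is what umask 0066, chmod 0700 private and chmod -R 600 certs are for). The following is an added Python check, not code from the slides or from Sendmail/OpenSSL, that audits such a tree; the expected layout is taken from the slides, and make_temp_root/build_sample_tree are helpers that construct a throwaway tree with placeholder contents so the check can be exercised without real keys.

```python
import os
import stat
import tempfile

# Files the slides leave under /etc/mail/certs on the Sendmail host
# (cert.pem and key.pem from the CSR steps, CA/cacert.pem copied from the CA).
EXPECTED_FILES = ("cert.pem", "key.pem", os.path.join("CA", "cacert.pem"))
# Private material: must not be readable or writable by group/other.
PRIVATE_FILES = ("key.pem",)
PRIVATE_DIRS = (os.path.join("CA", "private"),)   # present on the CA host


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_cert_tree(root):
    """Return a sorted list of findings for the certificate tree at `root`.

    An empty list means every expected file exists and nothing private is
    exposed to group/other. Each finding is a short string.
    """
    findings = []
    for rel in EXPECTED_FILES:
        if not os.path.isfile(os.path.join(root, rel)):
            findings.append(f"missing: {rel}")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel in PRIVATE_DIRS and _mode(path) & 0o077:
                findings.append(f"private directory open to group/other: {rel}")
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in PRIVATE_FILES and _mode(path) & 0o077:
                findings.append(
                    f"private key readable by group/other: "
                    f"{os.path.relpath(path, root)} ({_mode(path):04o})")
    return sorted(findings)


def make_temp_root():
    """Fresh empty directory for a constructed sample tree (test helper)."""
    return tempfile.mkdtemp(prefix="certs-audit-")


def build_sample_tree(root, key_mode=0o600, omit=()):
    """Construct a tree in the slides' layout with placeholder contents.

    key_mode sets the permissions of key.pem; names in `omit` are left out
    so the missing-file check can be exercised. Not real keys or certs.
    """
    os.makedirs(os.path.join(root, "CA", "private"), exist_ok=True)
    os.chmod(os.path.join(root, "CA", "private"), 0o700)
    for rel in EXPECTED_FILES:
        if rel in omit:
            continue
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("-----PLACEHOLDER, NOT A REAL PEM FILE-----\n")
        os.chmod(path, key_mode if rel == "key.pem" else 0o644)
    return root


if __name__ == "__main__":
    # Usage against a live host: python3 audit.py  (edit ROOT as needed)
    ROOT = "/etc/mail/certs"
    for finding in audit_cert_tree(ROOT) or ["no findings"]:
        print(finding)
```

Run it after the chmod step, and again whenever certificates are renewed; a key that is copied into place with the default umask is the usual way a private key ends up world-readable.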


Create a configuration file for STARTTLS

• The following steps are taken to run gen_cf to create a configuration file for STARTTLS.

1. # cd /usr/newconfig/etc/mail/cf/cf

2. ./gen_cf

a. 4: Security Options

b. 2: STARTTLS

c. 3: Anti-spamming Options

d. 1: Access DB

e. 5: Generate sendmail.cf

3. Backup the sendmail.cf file:

cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.bak

4. Move the sendmail.cf.gen file to the /etc/mail directory:

cp /usr/newconfig/etc/mail/cf/cf/sendmail.cf.gen /etc/mail/sendmail.cf


Sendmail.cf file configuration additions and changes

• Important note: There is a bug with the /dev/random file.

• If you have a /dev/random file and a /dev/urandom file add the following to the sendmail.cf: O RandFile=egd:/dev/random

1. Modify the following parameter: O UseTLS=True


Allow relaying based on the CA - configuration file changes

• To allow relaying based on the CA the following changes need to be made to the sendmail.cf configuration file STARTTLS parameters.

O UseTLS=True

O CACertPath=/etc/mail/certs

O CACertFile=/etc/mail/certs/CA/cacert.pem

O ServerCertFile=/etc/mail/certs/cert.pem

O ServerKeyFile=/etc/mail/certs/key.pem

O ClientCertFile=/etc/mail/certs/cert.pem

O ClientKeyFile=/etc/mail/certs/key.pem

# O CRLFile=/etc/mail/certs/crlf


Example - Sendmail STARTTLS relay based on CA Issuer

• Following is an example set up using linux to linux systems. The two systems are as follows:

linux1.ban.hp.com: This is the sending system

linux4.ban.hp.com: This is the relaying system

• On the linux1.ban.hp.com system the configuration parameters are set as follows:

O CACertPath=/etc/mail/certs

O CACertFile=/etc/mail/certs/CA/cacert.pem

O ServerCertFile=/etc/mail/certs/cert.pem

O ServerKeyFile=/etc/mail/certs/key.pem

O ClientCertFile=/etc/mail/certs/cert.pem

O ClientKeyFile=/etc/mail/certs/key.pem

# "Smart" relay host (may be null)

DSlinux4.ban.hp.com


Test the Relay

• On the linux1 system the following command is entered to test the relay:

[root@linux mail] # echo "Subject: test starttls" | sendmail -v -oL99 [email protected]

(The log level of 99 is turned on to see maximum logging for some of the STARTTLS output; this is done by turning on -oL99.)


The /var/log/maillog output

• A look at the /var/log/maillog output shows the relay that is used.

May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, init=1

May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, start=ok

May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, get_verify: 0 get_peer: 0x8149538

May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, relay=linux4.ban.hp.com., version=TLSv1/SSLv3, verify=OK, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168

May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, cert-subject=/C=US/ST=Georgia/L=Atlanta/O=HP/CN=linux4.ban.hp.com/[email protected], cert-issuer=/C=US/ST=Georgia/L=Atlanta/O=HP/CN=unix.ban.hp.com/[email protected], verifymsg=ok


Add a line to the access database

• On the linux4 (relay system) you must add the following line to the access file and then rebuild the access database.

CERTISSUER:/C=US/ST=Georgia/L=Atlanta/O=HP/CN=unix.ban.hp.com/[email protected] RELAY

• Note that the email tag is emailAddress. Make sure you add emailAddress to the access database.

• (see additional notes for output that represents an incoming email message)
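The two slides above, the maillog output and the access-database line, fit together: the cert-issuer value Sendmail logs is the same ${cert_issuer} string the CERTISSUER lookup uses, and Sendmail only applies a CERTISSUER entry when the certificate verified (${verify} is OK). The following is an added Python example, not code from the slides or from Sendmail, that parses the STARTTLS=client lines of one session, builds the access-file line from the logged issuer, and applies that relay rule. The sample log lines are constructed from the slide's output with the slide's host names; the emailAddress values are placeholders because the slide redacts them.

```python
import re

# Constructed from the slide's maillog excerpt; real log lines are single
# lines, so the wrapped entries are joined here. Email addresses are
# placeholders (the slide shows them redacted).
SAMPLE_MAILLOG = [
    "May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, init=1",
    "May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, start=ok",
    "May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, get_verify: 0 get_peer: 0x8149538",
    "May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, relay=linux4.ban.hp.com., "
    "version=TLSv1/SSLv3, verify=OK, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168",
    "May 1 11:53:49 linux sendmail[1543]: STARTTLS=client, "
    "cert-subject=/C=US/ST=Georgia/L=Atlanta/O=HP/CN=linux4.ban.hp.com/emailAddress=postmaster@example.invalid, "
    "cert-issuer=/C=US/ST=Georgia/L=Atlanta/O=HP/CN=unix.ban.hp.com/emailAddress=ca@example.invalid, "
    "verifymsg=ok",
]

# key=value fields after "STARTTLS=client,"; values run up to the next comma,
# which keeps a DN such as /C=US/ST=Georgia/... intact as one value.
FIELD_RE = re.compile(r"(\S+?)=([^,]*)")


def parse_starttls_lines(lines):
    """Merge the key=value fields of all STARTTLS=client lines of one session.

    Returns e.g. {"relay": "linux4.ban.hp.com.", "verify": "OK",
    "cert-issuer": "/C=US/..."}. Lines without key=value pairs (such as the
    get_verify/get_peer debug line) contribute nothing.
    """
    session = {}
    for line in lines:
        _, marker, rest = line.partition("STARTTLS=client,")
        if not marker:
            continue
        for key, value in FIELD_RE.findall(rest):
            session[key] = value.strip()
    return session


def access_entry_for_issuer(issuer_dn, action="RELAY"):
    """Build the access-file line for a CA issuer, exactly as the slide shows.

    The DN is used verbatim from the log: the access lookup compares it with
    ${cert_issuer}, and maillog prints that same macro, so no re-encoding
    is done here. Note the emailAddress component is part of the key.
    """
    return f"CERTISSUER:{issuer_dn} {action}"


def parse_access_file(text):
    """Minimal reader for access-file text: 'key<whitespace>value' per line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[0]] = parts[1].strip()
    return entries


def relay_decision(session, access_entries):
    """Relay only if the peer certificate verified AND its issuer is listed.

    A listed issuer with verify != OK must not relay: an unverified
    certificate can carry any issuer DN, so the name alone proves nothing.
    """
    issuer = session.get("cert-issuer")
    if issuer is None or session.get("verify") != "OK":
        return False
    return access_entries.get("CERTISSUER:" + issuer) == "RELAY"
```

When checking a relay host, grep maillog for STARTTLS=server lines with the same fields; the verify= value there is what the access rule on that host actually sees, and anything other than OK (NO, FAIL, NONE) paired with a successful relay points at an overly broad entry elsewhere in the access database.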
