From: Don Levey on
On 4/20/2010 11:41, Bruce Esquibel wrote:
> Don Levey <Don_CMS(a)the-leveys.us> wrote:
>
>> That didn't do it either - but now I get a different error:
>> SSL_CTX_use_PrivateKey_file(/var/db/starttls/mail.key.pem) failed
>
>> I don't see additional information as to why it failed, though. The
>> file itself is set at 400, owned by root. Everything I've seen via
>> Google so far suggests a permissions issue, though. Any ideas?
>
>
> Not permissions this time.
>
> That error, if I remember correctly has something to do with the format of
> the key, maybe with rsa vs. des.
>
> Thing is, how did you generate the key to begin with?
>
I've just generated new self-signed certs, according to the instructions
here:
http://www.falkotimme.com/howtos/sendmail_smtp_auth_tls/

> With sendmail you need both a cert and key defined. I think the dkim just
> uses a key to validate/generate the headers from the public key used in the
> DNS entry for the machine.
>
> With sendmail this command line I think is the standard...
>
> openssl req -new -x509 -keyout mail.key.pem -out mail.cert.pem -days 365
>
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365

is the line in the instructions I mentioned, and it appears to be
consistent.

> and stick the two files made into your /var/db/starttls directory.
>
> With the sendmail.mc add these in:
>
> define('confCACERT_PATH','/var/db/starttls')
> define('confSERVER_CERT','/var/db/starttls/mail.cert.pem')
> define('confSERVER_KEY','/var/db/starttls/mail.key.pem')
>
> (note I can't print the leading ' (the one above tab) on this terminal.)
>
The above instructions also have me do:
openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 365

and then:
openssl x509 -noout -text -in sendmail.pem

adding the following to sendmail.mc:
define(`confCACERT_PATH', `/var/db/starttls')dnl
define(`confCACERT', `/var/db/starttls/cacert.pem')dnl
define(`confSERVER_CERT', `/var/db/starttls/sendmail.pem')dnl
define(`confSERVER_KEY', `/var/db/starttls/sendmail.pem')dnl
define(`confCLIENT_CERT', `/var/db/starttls/sendmail.pem')dnl
define(`confCLIENT_KEY', `/var/db/starttls/sendmail.pem')dnl


> I'm just saying what dkim is using I don't think is compatible with what
> sendmail is expecting. My advice is dump the dkim stuff for now, get the
> STARTTLS stuff working and after, go back to getting dkim to work.
>
> Again, I just don't think the key(s) each program is using can be re-used
> for both. Just need to generate the public/private keys for the dkim stuff,
> set the path/owner/permissions for its use, then generate the key/cert for
> sendmail, stick those for its path/owner/permissions separate.
>
The domainkeys/dkim stuff seems undisturbed by what I'm doing with
STARTTLS, even after redirecting the cert paths in sendmail.mc, which
means that for all intents and purposes they are now completely separated.

Thank you for your time and help!

--
Don Levey, Framingham MA
(email address in header works)
If knowledge is power, and power corrupts, then...
NOTE: Don't send mail to salearn(a)the-leveys.us
GnuPG public key: http://www.the-leveys.us:6080/keys/don-dsakey.asc
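An added check, not part of this thread or of the linked howto: one common reason for `SSL_CTX_use_PrivateKey_file(...) failed` on a root-owned 0400 file is that the key itself is passphrase-protected. `openssl req -new -x509 -keyout ...` without `-nodes` ("no DES") prompts for a passphrase and writes the key with a `Proc-Type: 4,ENCRYPTED` / `DEK-Info: DES-EDE3-CBC` header, which sendmail has no way to unlock at startup; the howto's second command does pass `-nodes`, the first does not. The script below (standard library only, written for this reply) looks for that header, confirms the cert and key files actually contain CERTIFICATE and PRIVATE KEY blocks (a combined `sendmail.pem` may serve as both), and checks the key's mode and owner. The PEM bodies are constructed placeholders, not real key material.

```python
"""Sanity-check a sendmail STARTTLS cert/key pair before pointing
confSERVER_CERT/confSERVER_KEY at it.  Added example, standard library only."""
import os
import re
import stat

# Constructed samples: the base64 bodies are dummies, not real key material.
# This is what `openssl req ... -keyout` writes WITHOUT -nodes:
ENCRYPTED_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

cGxhY2Vob2xkZXIga2V5IGJ5dGVz
-----END RSA PRIVATE KEY-----
"""
# ...and WITH -nodes (no passphrase, no Proc-Type/DEK-Info headers):
PLAIN_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXIga2V5IGJ5dGVz
-----END RSA PRIVATE KEY-----
"""
CERT_PEM = """-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgY2VydCBieXRlcw==
-----END CERTIFICATE-----
"""
# Combined file, as `-keyout sendmail.pem -out sendmail.pem` produces.
COMBINED_PEM = PLAIN_KEY_PEM + CERT_PEM

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, encrypted) for every PEM block in text.

    Traditional PEM marks an encrypted key with a 'Proc-Type: 4,ENCRYPTED'
    header; PKCS#8 uses the label 'ENCRYPTED PRIVATE KEY'.  Either one makes
    SSL_CTX_use_PrivateKey_file fail in a daemon that cannot prompt.
    """
    out = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or "Proc-Type: 4,ENCRYPTED" in body)
        out.append((label, encrypted))
    return out


def pem_problems(cert_text, key_text):
    """List what would stop sendmail loading this cert/key pair."""
    problems = []
    keys = [(l, e) for l, e in pem_blocks(key_text) if l.endswith("PRIVATE KEY")]
    certs = [l for l, _ in pem_blocks(cert_text) if l == "CERTIFICATE"]
    if not keys:
        problems.append("key file contains no PRIVATE KEY block")
    if any(e for _, e in keys):
        problems.append("private key is passphrase-protected; regenerate with "
                        "-nodes or strip it: openssl rsa -in old.pem -out new.pem")
    if not certs:
        problems.append("cert file contains no CERTIFICATE block")
    return problems


def mode_problems(mode, uid):
    """Permission checks on the key file: mode bits and owner uid."""
    problems = []
    if mode & 0o077:
        problems.append("key readable by group/other (%s); use 0400 or 0600" % oct(mode))
    if uid != 0:
        problems.append("key not owned by root (uid %d)" % uid)
    return problems


def check_files(cert_path, key_path):
    """Run both checks against real files (cert_path may equal key_path)."""
    st = os.stat(key_path)
    with open(cert_path) as f:
        cert_text = f.read()
    with open(key_path) as f:
        key_text = f.read()
    return (mode_problems(stat.S_IMODE(st.st_mode), st.st_uid)
            + pem_problems(cert_text, key_text))


if __name__ == "__main__":
    print("encrypted:", pem_problems(CERT_PEM, ENCRYPTED_KEY_PEM) or "ok")
    print("plain:    ", pem_problems(CERT_PEM, PLAIN_KEY_PEM) or "ok")
    print("combined: ", pem_problems(COMBINED_PEM, COMBINED_PEM) or "ok")
```

On a real box, `check_files("/var/db/starttls/mail.cert.pem", "/var/db/starttls/mail.key.pem")` gives the same answer as `openssl rsa -noout -check -in mail.key.pem` (which prompts for a passphrase if the key has one); to confirm the key belongs to the cert, compare `openssl x509 -noout -modulus -in mail.cert.pem` with `openssl rsa -noout -modulus -in mail.key.pem`.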