Recipe 8.13 Requesting Client Certificates

Problem

By default, STARTTLS does not require a TLS client to present a certificate. You want to configure sendmail to request certificates from selected TLS clients.

Solution

Make sure the system meets the basic OpenSSL and STARTTLS configuration requirements described in the Introduction to this chapter and in Chapter 1.

Create Srv_Features: access database entries for all clients that will be required to present a certificate. The key field of each entry is the tag Srv_Features: followed by the domain name, hostname, or IP address of the selected client. The return value of each entry is the letter v.

Add the access_db feature to the STARTTLS sendmail configuration. Here is the required FEATURE macro and sample defines:

 dnl Point to the CA certificate directory
 define(`confCACERT_PATH', `/etc/mail/certs')
 dnl Point to the root CA's certificate
 define(`confCACERT', `/etc/mail/certs/cacert.pem')
 dnl Point to the certificate used for inbound connections
 define(`confSERVER_CERT', `/etc/mail/certs/cert.pem')
 dnl Point to the private key used for inbound connections
 define(`confSERVER_KEY', `/etc/mail/certs/key.pem')
 dnl Point to the certificate used for outbound connections
 define(`confCLIENT_CERT', `/etc/mail/certs/cert.pem')
 dnl Point to the private key used for outbound connections
 define(`confCLIENT_KEY', `/etc/mail/certs/key.pem')
 dnl Enable the access database
 FEATURE(`access_db')

Following the instructions in Recipe 1.8, rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail, and restart sendmail.

Discussion

Srv_Features: entries control the way in which a server interacts with its clients. See Recipe 8.12 and Recipe 7.9 for more general information about the Srv_Features: entry.

Use the v return value on a Srv_Features: entry to request the TLS client's certificate. Use the V return value to specifically prevent sendmail from asking for the client's certificate.

Adding the following entry to the access database requires a certificate from all hosts connecting to the local host from the dialin.wrotethebook.com domain:

 Srv_Features:dialin.wrotethebook.com          v 

By itself, the Srv_Features: entry does not do anything with the client certificate. It merely requests that the client present a certificate, which can then be used for special purposes such as authorizing relaying. Using the certificate for a special purpose requires additional configuration as shown in other recipes in this chapter.
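Because the v and V values are resolved by an access-map lookup, it is easy to misjudge which clients an entry actually covers. The following added example (not part of the recipe or of sendmail) simulates that lookup over a constructed access file so the entries can be checked before sendmail.cf is rebuilt. It assumes the order sendmail's srv_features ruleset uses: the client hostname, then each parent domain, then the client IPv4 address and its shorter prefixes, then the bare Srv_Features: default, first match winning.

```python
# Added example (not from the recipe): simulate how sendmail resolves the
# Srv_Features: access-map entry for a connecting client.
# Assumed lookup order: client hostname, each parent domain, the client IPv4
# address and its shorter prefixes, then the bare "Srv_Features:" default.
# The first key that exists in the map decides; later, less specific keys are ignored.

ACCESS_FILE = """\
# constructed sample /etc/mail/access entries
Srv_Features:dialin.wrotethebook.com          v
Srv_Features:192.168.1                        v
Srv_Features:trusted.wrotethebook.com         V
Srv_Features:                                 V
"""


def parse_access(text):
    """Return {lower-cased key: return value} for the Srv_Features: entries."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)                     # key, then the return value
        key = parts[0].lower()
        if not key.startswith("srv_features:"):
            continue
        # A leading dot on a domain key (".domain") matches the same hosts as "domain".
        key = "srv_features:" + key[len("srv_features:"):].lstrip(".")
        entries[key] = parts[1] if len(parts) > 1 else ""
    return entries


def lookup_keys(hostname, ip):
    """Candidate keys in the order they are tried, most specific first."""
    labels = hostname.lower().strip(".").split(".")
    keys = [".".join(labels[i:]) for i in range(len(labels))]          # host, parents
    octets = ip.split(".")
    keys += [".".join(octets[:i]) for i in range(len(octets), 0, -1)]  # addr, prefixes
    keys.append("")                                                    # bare default
    return ["srv_features:" + k for k in keys]


def requests_client_cert(entries, hostname, ip):
    """True if the first matching entry carries 'v' (request the certificate).
    'V', an entry without v/V, or no entry at all leaves the default: no request."""
    for key in lookup_keys(hostname, ip):
        if key in entries:
            return "v" in entries[key].replace(" ", "")   # flags may be run together
    return False


ENTRIES = parse_access(ACCESS_FILE)
```

Note that a name-based entry such as trusted.wrotethebook.com with V is found before the 192.168.1 address entry, so a host with both a matching name and a matching address is not asked for a certificate.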

See Also

Recipe 8.4 describes the STARTTLS defines used in this configuration. Recipe 7.9 provides other examples of using the Srv_Features: record. Recipe 8.5, Recipe 8.6, and Recipe 8.9 use client certificates to grant relaying privileges. The sendmail book covers the Srv_Features: entry in Section 19.9.4.



sendmail Cookbook
ISBN: 0596004710
Year: 2005
Authors: Craig Hunt