Configuring sendmail for TLS certificate communication.

If you are new to TLS and secure mail then this might seem a massive task, but actually it's relatively simple.

You need a few things:

1: sendmail compiled with TLS support – see my previous article to check this.

2: a certificate suitable for your mail domain.

3: access to your mail server's file and the ability to recompile this to – you may need the sendmail-cf package.

Provided you have all these things, here are the steps that need to be taken.

Put your cert onto your mail server in /etc/pki/tls/certs

This will most likely be a .crt file. Sendmail needs a PEM file, so to convert your cert do the following:

cd /etc/pki/tls/certs

make sendmail.pem

If you do the above you will be creating a self-signed cert. If you have a certificate bought from a CA such as Thawte, place the private key followed by the certificate in the sendmail.pem file.

Simple – you should now have a sendmail.pem which contains a private key and a certificate.
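Assembling sendmail.pem from a CA-issued certificate is where most things go wrong: the blocks end up in the wrong order, the key belongs to a different certificate, or the file is left group- or world-readable, which sendmail rejects as unsafe when it starts. The POSIX shell functions below are an added example, not part of the original article; the key, certificate and chain file names passed in are placeholders chosen by the caller, and openssl is used only for the optional key/certificate match check.

```shell
#!/bin/sh
# Added example: build /etc/pki/tls/certs/sendmail.pem from a CA-issued
# certificate and check it before pointing sendmail at it.
# File names passed in are placeholders chosen by the caller.

# build_sendmail_pem OUT KEY CERT [CHAIN...]
# Writes the private key first, then the server certificate, then any
# intermediate certificates, and keeps the result readable by the owner only.
build_sendmail_pem() {
  out=$1
  shift
  ( umask 077; cat "$@" > "$out" )   # created 0600 from the start, no chmod race
  chmod 0600 "$out"
}

# check_sendmail_pem FILE
# Returns 0 if FILE looks usable as confSERVER_CERT/confSERVER_KEY:
# exactly one private key, at least one certificate, key before certificate,
# no group/world access, and (when openssl is installed) the key and the
# first certificate carry the same public key.
check_sendmail_pem() {
  f=$1
  keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$f" || true)
  certs=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
  if [ "$keys" -ne 1 ]; then
    echo "$f: expected exactly 1 private key, found $keys" >&2; return 1
  fi
  if [ "$certs" -lt 1 ]; then
    echo "$f: no certificate found" >&2; return 1
  fi

  keyline=$(grep -n 'BEGIN.*PRIVATE KEY' "$f" | head -n 1 | cut -d: -f1)
  certline=$(grep -n 'BEGIN CERTIFICATE' "$f" | head -n 1 | cut -d: -f1)
  if [ "$keyline" -gt "$certline" ]; then
    echo "$f: private key must come before the certificate" >&2; return 1
  fi

  # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
  case "$mode" in
    600|400) ;;
    *) echo "$f: mode $mode is unsafe, use 0600" >&2; return 1 ;;
  esac

  if command -v openssl >/dev/null 2>&1; then
    # Both commands skip PEM blocks of the wrong type, so they can read the
    # combined file directly; equal public keys prove key and cert belong together.
    kpub=$(openssl pkey -in "$f" -pubout 2>/dev/null || true)
    cpub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null || true)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
      echo "$f: private key does not match the certificate" >&2; return 1
    fi
  fi
  return 0
}
```

Run `check_sendmail_pem /etc/pki/tls/certs/sendmail.pem` before restarting sendmail; a non-zero exit with the reason on stderr is far quicker to read than the "unsafe" or handshake errors sendmail itself will log afterwards.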

Now you need to configure sendmail to use this file.

cd to /etc/mail and edit (it's wise to back up both the and the file, just in case things don't work out).

Find the lines that start with:

dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

Remove the dnl from all the above lines so they start with define, and save this file.
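The edit is only four lines, but it is easy to strip a `dnl` from a neighbouring comment or to miss one of the four. The POSIX shell functions below are an added example, not from the original article; they assume the stock layout where the file is /etc/mail/sendmail.mc with the four define lines shown above, and the file name passed in is a placeholder.

```shell
#!/bin/sh
# Added example: switch on the four TLS defines in sendmail.mc the way the
# article describes (strip the leading "dnl"), without touching anything else.
# Assumes the stock layout where the file is /etc/mail/sendmail.mc.

# enable_tls_defines MCFILE
# Keeps a copy as MCFILE.bak, then removes the leading "dnl " from the
# define() lines for the four TLS options. Other dnl comments are untouched,
# and running it again on an already-edited file changes nothing.
enable_tls_defines() {
  mc=$1
  cp -p "$mc" "$mc.bak"
  cp -p "$mc" "$mc.new"                 # cp -p keeps the original mode and owner
  for opt in confCACERT_PATH confCACERT confSERVER_CERT confSERVER_KEY; do
    # Match only "dnl define(`<opt>'" at the start of a line; the closing
    # m4 quote after the name stops confCACERT from also matching confCACERT_PATH.
    sed "s/^dnl[[:space:]]*\\(define(\`$opt'\\)/\\1/" "$mc.new" > "$mc.tmp"
    cat "$mc.tmp" > "$mc.new"           # write through so the mode is preserved
  done
  rm -f "$mc.tmp"
  mv "$mc.new" "$mc"
}

# tls_defines_active MCFILE
# Prints how many of the four TLS define() lines are active (not dnl'd out).
# A complete configuration prints 4.
tls_defines_active() {
  grep -cE "^define\(\`conf(CACERT_PATH|CACERT|SERVER_CERT|SERVER_KEY)'" "$1" || true
}
```

After `enable_tls_defines /etc/mail/sendmail.mc`, `tls_defines_active /etc/mail/sendmail.mc` should print 4; anything less means one of the lines is still commented out, and the .bak copy is there for the diff the article recommends.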

now type


to make the into the new

If you get an error about needing the sendmail-cf package, you will have to install that rpm, and most likely the m4 package as well, as it's a dependency.

Once you have successfully done a make, it's wise to do a diff on your current and your backup, just to ensure that it all looks good and that no important options were changed, e.g. daemon IP bindings.

Provided you are happy with your restart sendmail, and you should now be using TLS!

Wasn’t that hard was it? 🙂

