Solved

renewing SSL cert for sendmail on red hat

Posted on 2014-01-26
3
773 Views
Last Modified: 2014-02-22
I adopted mail server configured on red hat linux 6 from a previous admin. We recently received a renewal notice for our SSL cert and I want to make sure I renew the cert properly.

I can see that the current cert is located at
/etc/pki/tls/certs/sendmail.pem

Can I simply replace the old sendmail.pem with the new one and restart sendmail? Or is their anything else required? This is an older redhat enterprise 6 server.

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/intermediate.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/etc/pki/tls/certs/mail.key')
0
Comment
Question by:binovpd
  • 2
3 Comments
 
LVL 19

Accepted Solution

by:
xterm earned 300 total points
ID: 39812136
You will want to replace both the cert and the key as described by the following directives in your sendmail config:

ServerCertFile=
ServerKeyFile=

If you are using different keys for clients, then you will also want to locate/renew the files referenced by the settings ClientCertFile and ClientKeyFile.

But yes, all you have to do is replace your key and cert and then restart sendmail.  BTW, if it's RHEL 6, by definition is really not an "older" system - that is the latest stable version of RHEL at this time.
0
 

Author Closing Comment

by:binovpd
ID: 39813634
Thanks for the help xterm I appreciate it.
0
 

Author Comment

by:binovpd
ID: 39879171
Had to add this bit of info because it stumped me for quite some time. I backed up all my cert files and put in the new, restarted sendmail. After that when I attempted to verify SSL was working over smtp I was getting fails.

Running openssl to test
openssl s_client -connect mail.server.com587 -starttls smtp

CONNECTED(00000003)
didn't found starttls in server response, try anyway...
140031671953224:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:699:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 315 bytes and written 147 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Open in new window


This drove me crazy. I finally stumbled upon a blog mentioning the fact that the mail.key and sendmail.pem (SSL cert file) must have permissions of 600. Once I did that everything started working.
0

Featured Post

Are your end users making ugly email signatures?

Have you left it up to your end users to create their own email signatures? Are they forgetting to add the company logo or using garish font colors? Take control and ensure all users have the same email signature.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Import PST to Exchange using Power Shell new-mailboximportrequest command, you can simply import the PST file into Exchange mailbox or archived. To know How to import PST into Exchange  2013 read the complete article.
Granting full access permission allows users to access mailboxes present in their database. By giving full access permission one can open and read the content of any mailbox but cannot send emails from that mailbox.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now