Red Hat Bugzilla – Bug 68677
STARTTLS, keys and encryption
Last modified: 2007-04-18 12:44:06 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020606
Description of problem:
This is a request that in future versions of Red Hat the following things be
done at install time for server configurations:
1. Sendmail is installed with TLSSTART configured
2. A self-signed key is generated
3. The .mc is configured to find the key and enable TLSSTART
This does not accomplish truly secure communication, and the documentation
should reflect that, but having Red Hat install out of the box with a sendmail
that is capable of encryption would go a long way. It would also be a great
enterprise sales tie-in (if you and your client/vendor/whatever are both running
Red Hat for your mail servers, your traffic will automatically be encrypted, and
authentication simply requires buying and installing a key).
I'm recommending that you not only do this for future releases but that you
release an enhancement update for all of the 7.x platforms that turns this
feature on. Q/A will tell, but turning this on by default should not affect
any existing installations unless they enable it in their configuration, and
since rpm preserves your old config, updates should not have any impact unless
the customer wants to take advantage of it.
Version-Release number of selected component (if applicable):
Created attachment 65904
spec file and redhat.config.m4 patches for STARTTLS
I've uploaded patches against the rawhide sendmail (8.12.5) SRPM to include
STARTTLS support in sendmail. I haven't added the logic to the specfile to
create certificates yet, but that wouldn't be terribly difficult. I happen to
agree with ajs. :-) Hopefully, this will make it easier on y'all.
These modifications compile on my alpha, but I haven't tested on intel -- yet.
The config files in the newest rpm are prepared for this, but you will still
have to enable it in the configuration before using TLS.
Florian La Roche
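The last comment's point, that a shipped .mc can be prepared for TLS yet still leave it disabled, can be checked mechanically. The script below is an added example, not code from this bug or from the Red Hat package; it assumes sendmail's standard m4 options (confCACERT_PATH, confCACERT, confSERVER_CERT, confSERVER_KEY), and the function names and sample files are hypothetical.

```shell
#!/bin/sh
# Added example (not Red Hat's or sendmail's code): check that a sendmail .mc
# really enables STARTTLS, i.e. the cert/key defines are not left behind "dnl".

# Print the value of the last active define of option $2 in .mc file $1.
mc_value() {
    sed -n "s/^[[:space:]]*define(\`$2',[[:space:]]*\`\([^']*\)').*/\1/p" "$1" | tail -n 1
}

# One finding per line on stdout; returns 0 only when nothing is wrong.
check_starttls_mc() {
    mc=$1; rc=0
    for opt in confCACERT_PATH confCACERT confSERVER_CERT confSERVER_KEY; do
        val=$(mc_value "$mc" "$opt")
        if [ -z "$val" ]; then
            echo "MISSING $opt (absent or commented out with dnl)"; rc=1
        elif [ ! -e "$val" ]; then
            echo "NOFILE $opt -> $val"; rc=1
        fi
    done
    key=$(mc_value "$mc" confSERVER_KEY)
    if [ -n "$key" ] && [ -f "$key" ]; then
        # sendmail rejects a private key that group or other can access
        mode=$(ls -ld "$key" | cut -c5-10)
        [ "$mode" = "------" ] || { echo "PERMS $key open to group/other"; rc=1; }
    fi
    return $rc
}

# Constructed sample data: empty stand-in PEM files plus two .mc fragments in $1.
make_sample() {
    : > "$1/ca.pem"; : > "$1/cert.pem"; : > "$1/key.pem"; chmod 600 "$1/key.pem"
    for o in confCACERT_PATH: confCACERT:/ca.pem confSERVER_CERT:/cert.pem \
             confSERVER_KEY:/key.pem; do
        printf "define(\`%s', \`%s%s')dnl\n" "${o%%:*}" "$1" "${o#*:}"
    done > "$1/on.mc"
    sed 's/^/dnl /' "$1/on.mc" > "$1/off.mc"    # shipped-but-disabled form
}

tmp=$(mktemp -d) && make_sample "$tmp"
for f in off.mc on.mc; do
    echo "== $f"; check_starttls_mc "$tmp/$f" || echo "-> STARTTLS not usable"
done
```

The check only covers the .mc source and the files it names; the generated sendmail.cf must still be rebuilt from the .mc for the change to take effect.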