Internet Express for Tru64 UNIX Version 6.8 Administration Guide (14233)

A Sendmail Supplemental Information
This appendix includes the following Sendmail information:
How to create a certificate of authority (Section A.1: Creating a Certificate of Authority)
Background on OpenSSL certificate creation (Section A.2: Background - OpenSSL Certificate Creation)
A sample mail filter (Section A.3: Mail Filter Example)
A.1 Creating a Certificate of Authority
Local SSL certificates can be created using the security software included in the Sendmail subset
of Internet Express. To create a local Certificate Authority, use the CA.pl command and fill in
the required fields. The Perl script will ask for your site information for creating the Authority
and the public and private keys.
# alias openssl=/usr/internet/bin/openssl
# /usr/internet/openssl/misc/CA.pl
When this command is executed in the /var/adm/sendmail directory, it creates the demoCA
directory by default. Using the demoCA directory allows key creation without interfering with
the live system resources. The public key is created in cacert.pem and the private key is in
private/cakey.pem. The private key is used to sign other SSL certificates.
A.2 Background - OpenSSL Certificate Creation
OpenSSL is part of the Sendmail kit, and the openssl command is installed in the
/usr/internet/ssl/bin directory.
There are two ways to create a certificate authority. One is to follow the command list below.
The other is to run the CA.pl command included in the /usr/internet/ssl/misc directory.
The CA.pl command steps through the same procedure as listed here.
1. Create Certificate Authority (CA)
# mkdir certs crl newcerts private
# chmod 0700 private
# echo "01" > serial
# cp /dev/null index.txt
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem
2. Create certificates
# umask 0066
# openssl req -nodes -new -x509 -keyout key.pem -out newcert.pem
3. Sign new certificates using CA
# openssl x509 -x509toreq -in newcert.pem -signkey key.pem -out csr.pem
# openssl ca -policy policy_anything -out cert.pem -infiles csr.pem
# rm -f csr.pem
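A check that can follow step 3, added here as an example and not part of the guide: it confirms that the private directory and key.pem are closed to group and other (the intent of chmod 0700 and umask 0066), that cert.pem verifies against cacert.pem, and that key.pem belongs to cert.pem. The file names come from the steps above; the function names are hypothetical, and an OpenSSL release that provides the pkey subcommand is assumed.

```shell
#!/bin/sh
# Added example (not from the guide): audit the output of steps 1-3.
# Function names are hypothetical; file names are the ones used in the steps.
# Usage: audit_ca DIR   (DIR is the directory where the steps were run)

# Succeeds only if group and other have no permission bits on the path.
owner_only() {
    mode=$(ls -ld "$1" | cut -c5-10)     # the group and other triplets
    [ "$mode" = "------" ]
}

# Succeeds only if the certificate and the private key share one public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Runs every check, reports each failure, returns non-zero if any failed.
audit_ca() {
    dir=$1
    rc=0
    # cakey.pem is covered by the 0700 mode on private; key.pem by the umask.
    for p in private key.pem; do
        owner_only "$dir/$p" ||
            { echo "FAIL: $p is accessible to group or other"; rc=1; }
    done
    # Match on the "OK" line: old OpenSSL releases exit 0 even on failure.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cert.pem" 2>/dev/null |
        grep -q ': OK$' ||
        { echo "FAIL: cert.pem does not verify against cacert.pem"; rc=1; }
    key_matches_cert "$dir/cert.pem" "$dir/key.pem" ||
        { echo "FAIL: key.pem does not match cert.pem"; rc=1; }
    return $rc
}
```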
A.3 Mail Filter Example
This sample code is taken from the sendmail.org distribution, the sendmail/milter/README
file:
Note that this filter may not be thread safe on some operating systems. You should check your
system man pages for the functions used below to verify the functions are thread safe.
/* A trivial filter that logs all email to a file. */
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>