Sendmail and AIX - part 2 PDF Print E-mail
User Rating: / 1
Written by Michael Felt   

Part 2: Configure STARTTLS

This is part 2 of a series of - as yet unknown - articles on configuring SENDMAIL on AIX.

The basics

Again, I said this was something I looked at from time to time - over the years - but did not get to something really basic - that the EHLO greeting would include "STARTTLS".

"Everywhere" they said how easy that was - just include the certificate information, set an option, and voila - you would have STARTTLS as an option.

Step 2: Modify

Step 2? What happened to Step 1? Step 1 I am not covering here, not right now in any case. From memory I have it written down somewhere already - maybe even saved in my article database, but unpublished. Believe me, that can be simple starting with a self-signed certificate, for example. A self-signed certificate is fine for Proof of Concept of the right settings in

So, Step 2 - here I am just providing, literally, strings you could add to your file to get it working after you have your certificates.

root@x063:[/etc/mail]diff -u
---   2015-03-16 22:21:39.000000000 +0000
+++  2019-04-16 19:27:22.000000000 +0000
@@ -561,7 +561,7 @@
  #O AuthMaxBits

  # SMTP STARTTLS server options
- #O TLSSrvOptions
+ O TLSSrvOptions

  # Input mail filters
@@ -569,6 +569,11 @@

  # CA directory
+ O CACertPATH=/etc/mail/CA
+ O CACertFile=/etc/mail/CA/cacert.pem
+ O ServerCertFile=/etc/mail/CA/sendmail_certificate.pem
+ O ServerKeyFile=/etc/mail/CA/private/sendmail_key.pem
  #O CACertPath
  # CA file
  #O CACertFile

Step 3: "Magic"

I always thought I needed to change the SRC system definition of sendmail so that /usr/sbin/sendmail_ssl would get started, rather than /usr/sbin/sendmail. Well, the thought was right, but the execution was wrong.

What I did - and failed!

# chssys -s sendmail -p /usr/sbin/sendmail_ssl

What I should have done!

First of all, I should have looked at the original SRC setup. Then I might have seen what my assumption was - and, sadly, this assumption blinded me for years!

Look first

root@x065:[/]odmget -q subsysname=sendmail SRCsubsys

        subsysname = "sendmail"
        synonym = ""
        cmdargs = ""
        path = "/usr/lib/sendmail"
        uid = 0
        auditid = 0
        standin = "/dev/console"
        standout = "/dev/console"
        standerr = "/dev/console"
        action = 2
        multi = 0
        contact = 3
        svrkey = 0
        svrmtype = 0
        priority = 20
        signorm = 0
        sigforce = 0
        display = 1
        waittime = 20
        grpname = "mail"
 Do you see it? The path attribute is not /usr/sbin/sendmail - but /usr/lib/sendmail. And, what is /usr/lib/sendmail by default?

root@x064:[/home/root]ls -l /usr/lib/sendmail
lrwxrwxrwx    1 root     system           18 Aug 02 2018  /usr/lib/sendmail -> /usr/sbin/sendmail

The path attribute is a symbolic link to what I had always assummed was the the value of the path attribute (and during my testing I kept setting it, incorrectly, to /usr/sbin/sendmail - so I never saw the real default until I started all over again on a test system.)

The final touch!

# ln -sf /usr/sbin/sendmail_ssl /usr/lib/sendmail

In other words, do not change the sendmail SRC definition! Instead, change the symbolic link to point at /usr/sbin/sendmail_ssl

Hope this Helps! (HtH)

< Prev   Next >