egd is a Perl-based persistent daemon that gathers entropy and supplies Sendmail with a stream of pseudorandom data. Sendmail uses this data for its cryptographic operations.

In addition to a source of random data, the system administrator must have a set of digital certificates that identifies the certificate authority (local or remote), the server, and the client. Certificates follow the hierarchical X.509 Certificate Authority model.

Server certificates are used for incoming connections, and client certificates are used for outbound connections. A single certificate can be shared for both functions.

Certificates contain identity information. Here is an example:

/C=US /ST=New Hampshire /L=Nashua /O=OurCompany.org /CN=OurCompany CA

[additional abbreviated information]

Table 10 Certificate Defaults

Term                   Description                                        Abbreviation
Certificate Authority  Certificate Authority (signs certificates)         CA
Certificate Issuer     One that issues certificates (a CA)                CI
Certificate            The public part of the key pair (identity          cert
                       information)
Key                    Private part of the key pair                       key
Distinguished name     Unique name                                        DN
Common name            Common (not necessarily unique): hostname, or      CN
                       user's full name

A TLS certificate can be bought from a certification authority, or it can be created locally. Commercial companies such as VeriSign, Equifax and Thawte provide certification-related services. Once the commercial transaction has taken place, store the certificate information in /var/adm/sendmail/certs/cacert.pem.

If you have commercial certificates or have created your own Certificate Authority, review the Certificate Authority section in Appendix A.

The following fields in the Sendmail TLS menu must be completed to allow proper functioning of the TLS between server and server, or server and client.

Servers and clients each have certificate and key files. The Certificate Authority Certificate is the top-level identifier that ties a machine's identity to a well-known (trusted) authority. The server certificate is used for inbound connections and identifies the server to the connecting party. The client certificate identifies the connecting client to the remote mail server; it can be the same as the server certificate. The server and client keys are the private keys used in the security transaction.

Table 11 TLS Certificate Values

Field Name                                         Default
Certificate Authority Certificate Directory (CA)   /var/adm/sendmail/certs
Certificate Authority Certificate                  $CA/CA.cert.pem
Server Certificate File                            $CA/server.cert.pem
Server Key File                                    $CA/server.key.pem
Client Certificate File                            $CA/client.cert.pem
Client Key File                                    $CA/client.cert.pem
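The following Python script is an added example and is not part of the HP-UX manual or of Sendmail. It parses a certificate subject in the "/C=US /ST=... /CN=..." form shown earlier on this page and then sanity-checks the Table 11 field/default pairs before TLS is enabled: every path must live under the CA directory, key fields must name key files, no file may be listed as both a certificate and a key, and private keys must exist with mode 0600 or tighter. Only the standard library is used; the field names and defaults come from Table 11, and the scratch certificate directory the script creates is constructed for the demonstration. Run against the defaults exactly as printed in Table 11, the checker flags the Client Key File entry, whose default is the client certificate path rather than a key file.

```python
"""Pre-flight checks for a Sendmail TLS certificate configuration (added example,
standard library only; Table 11 names are from the manual, everything else is
constructed for the demonstration)."""
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# OpenSSL one-line subject format, e.g. "/C=US/ST=New Hampshire/CN=host". Split only
# on a "/" that starts a new "KEY=" attribute so a "/" inside a value survives; the
# \s* tolerates the space the manual prints before each "/".
_ATTR_SPLIT = re.compile(r"\s*/(?=[A-Za-z]+=)")

# Table 11 defaults exactly as printed; $CA is expanded by expand_defaults().
TLS_DEFAULTS: Dict[str, str] = {
    "Certificate Authority Certificate Directory (CA)": "/var/adm/sendmail/certs",
    "Certificate Authority Certificate": "$CA/CA.cert.pem",
    "Server Certificate File": "$CA/server.cert.pem",
    "Server Key File": "$CA/server.key.pem",
    "Client Certificate File": "$CA/client.cert.pem",
    "Client Key File": "$CA/client.cert.pem",
}
CA_DIR_FIELD = "Certificate Authority Certificate Directory (CA)"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the ordered (attribute, value) pairs of a subject string."""
    pairs = []
    for part in _ATTR_SPLIT.split(dn.strip()):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {part!r}")
        pairs.append((key.strip(), value.strip()))
    return pairs


def expand_defaults(fields: Dict[str, str]) -> Dict[str, str]:
    """Replace the manual's $CA shorthand with the configured CA directory."""
    ca_dir = fields[CA_DIR_FIELD]
    return {k: v.replace("$CA", ca_dir) for k, v in fields.items()}


def config_problems(fields: Dict[str, str]) -> List[str]:
    """Flag values that cannot be right for their field's role."""
    expanded = expand_defaults(fields)
    ca_dir = expanded[CA_DIR_FIELD]
    problems = []
    for name, path in expanded.items():
        if name == CA_DIR_FIELD:
            continue
        if not path.startswith(ca_dir + "/"):
            problems.append(f"{name}: {path} is outside {ca_dir}")
        if "Key File" in name and not path.endswith(".key.pem"):
            problems.append(f"{name}: {path} does not look like a private key")
        elif "Key File" not in name and not path.endswith(".cert.pem"):
            problems.append(f"{name}: {path} does not look like a certificate")
    keys = {v for k, v in expanded.items() if "Key File" in k}
    certs = {v for k, v in expanded.items() if "Key File" not in k and k != CA_DIR_FIELD}
    for path in sorted(keys & certs):
        problems.append(f"{path} is configured as both a certificate and a private key")
    return problems


def key_permission_problems(fields: Dict[str, str]) -> List[str]:
    """Private keys must exist and be unreadable by group and others (0600 or 0400)."""
    problems = []
    for name, path in expand_defaults(fields).items():
        if "Key File" not in name:
            continue
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            problems.append(f"{name}: {path} does not exist")
            continue
        if mode & 0o077:
            problems.append(f"{name}: {path} is mode {mode:04o}; expected 0600")
    return problems


def make_demo_certdir() -> Dict[str, str]:
    """Constructed sample: a scratch CA directory holding one correctly and one
    loosely permissioned placeholder key, returned as a Table 11 style mapping."""
    ca_dir = tempfile.mkdtemp(prefix="sendmail-certs-")
    fields = dict(TLS_DEFAULTS, **{CA_DIR_FIELD: ca_dir,
                                   "Client Key File": "$CA/client.key.pem"})
    for name, mode in (("server.key.pem", 0o600), ("client.key.pem", 0o644)):
        path = os.path.join(ca_dir, name)
        with open(path, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
        os.chmod(path, mode)
    return fields


if __name__ == "__main__":
    print(parse_dn("/C=US /ST=New Hampshire /L=Nashua /O=OurCompany.org /CN=OurCompany CA"))
    for line in config_problems(TLS_DEFAULTS) + key_permission_problems(make_demo_certdir()):
        print("WARN", line)
```

The permission check matters because the TLS menu only records paths: a key file that is group- or world-readable is accepted by Sendmail but lets any local account impersonate the mail server, so it is worth catching before the service is restarted.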

To configure the values for TLS, follow these steps:

Sendmail Server Administration 115
