Don Levey
2010-Apr-14 19:47 UTC
[CentOS] Getting Domainkeys, dkim, and SMTP-AUTH/TLS to play nicely together in sendmail
A while back I struggled to get Domainkeys and DKIM to work properly on my little home server. While I'm sure they weren't necessary in a strict sense, it not only enabled me to learn about the technology but allowed for more of a verification of the email coming from my server. And so this week I figured: "Hey, this has been working without a problem for a while; it must be time to screw with something else." Hence my effort to enable SMTP submissions over port 587. At the very least, with some ISPs blocking traffic to port 25, this seemed to be a good idea (as well as providing a better method for sending email using my server from outside my home LAN). I've read a number of write-ups of SMTP AUTH, including the information at sendmail.org. I've run into a snag, however, with the .pem certificate that is used for the DK stuff. The conventional wisdom seems to be to run domainkeys/dkim as a user other than root, and a .pem certificate is required. Therefore, to get this to run properly, the permissions on the certificate need to me 600 or 400, owned by this user. All well and good so far, except that STARTTLS doesn't like this: STARTTLS=server: file /var/db/domainkeys/mail.key.pem unsafe: permission denied When I telnet to the server, port 587, and issue an EHLO, I see neither AUTH nor TLS in the response. The sendmail.mc file contains the line: define(`localCERT',`/ver/db/domainkeys/mail.key.pem')dnl So if there's a different line I can add to indicate to TLS/AUTH that it should use a different cert (or, rather, the same one copied to a different location with different permissions...) I don't know it. Anyone ever run into this before? -Don Levey