Sendmail Installation and Operation Guide
SMM:08-97
6.5.1.1. Example
Since examples usually help clarify, here is an example which uses all four of the new types:

O LDAPDefaultSpec=-h ldap.example.com -b dc=example,dc=com

Kexample ldap
        -z,
        -k (&(objectClass=sendmailMTAAliasObject)(sendmailMTAKey=%0))
        -v sendmailMTAAliasValue,mail:NORMAL:inetOrgPerson,
           uniqueMember:DN:groupOfUniqueNames,
           sendmailMTAAliasSearch:FILTER:sendmailMTAAliasObject,
           sendmailMTAAliasURL:URL:sendmailMTAAliasObject
That definition specifies that:
· Any value in a sendmailMTAAliasValue attribute will be added to the result string regardless
of object class.
· The mail attribute will be added to the result string if the LDAP record is a member of the
inetOrgPerson object class.
· The uniqueMember attribute is a recursive attribute, used only in groupOfUniqueNames records,
and should contain an LDAP DN pointing to another LDAP record. The desire here is to return
the mail attribute from those DNs.
· The sendmailMTAAliasSearch and sendmailMTAAliasURL attributes are both used only if they
appear in a sendmailMTAAliasObject record. They are both recursive, the first for a new LDAP
search string and the latter for an LDAP URL.
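To make the interplay of the four types concrete, here is an added illustration (not code from the Sendmail guide or the sendmail project): a small Python simulation that resolves an alias key against a constructed in-memory directory using the -k and -v arguments of the map above. The directory entries, the helpers matches/collect/resolve, and the simplified filter and URL handling are assumptions made for this example; real sendmail performs the searches through the LDAP library.

```python
import re
# Constructed in-memory directory: DN -> (set of objectClass values, attributes).
DIRECTORY = {
    "cn=staff,dc=example,dc=com": ({"sendmailMTAAliasObject"}, {
        "sendmailMTAKey": ["staff"], "sendmailMTAAliasValue": ["postmaster@example.com"],
        "sendmailMTAAliasSearch": ["(objectClass=groupOfUniqueNames)"],
        "sendmailMTAAliasURL": ["ldap:///cn=bob,dc=example,dc=com?mail?base"]}),
    "cn=staff-group,dc=example,dc=com": ({"groupOfUniqueNames"}, {
        "uniqueMember": ["cn=alice,dc=example,dc=com", "cn=staff-group,dc=example,dc=com"],
        "mail": ["never-returned@example.com"]}),  # not inetOrgPerson: the mail rule skips it
    "cn=alice,dc=example,dc=com": ({"inetOrgPerson"}, {"mail": ["alice@example.com"]}),
    "cn=bob,dc=example,dc=com": ({"inetOrgPerson"}, {"mail": ["bob@example.com"]}),
}
# The -k search filter and -v attribute list from the map definition above.
SEARCH = "(&(objectClass=sendmailMTAAliasObject)(sendmailMTAKey=%0))"
ATTR_SPEC = ("sendmailMTAAliasValue,mail:NORMAL:inetOrgPerson,"
             "uniqueMember:DN:groupOfUniqueNames,"
             "sendmailMTAAliasSearch:FILTER:sendmailMTAAliasObject,"
             "sendmailMTAAliasURL:URL:sendmailMTAAliasObject")

def matches(record, ldap_filter):  # AND of equality terms, e.g. (&(objectClass=x)(cn=y))
    classes, attrs = record
    return all(v in (classes if a.lower() == "objectclass" else attrs.get(a, []))
               for a, v in re.findall(r"\((\w+)=([^()]*)\)", ldap_filter))
def collect(records, spec, directory, seen):  # apply the -v rules to each record
    out = []
    for classes, attrs in records:
        for attr, kind, oc in spec:
            if oc and oc not in classes:
                continue                  # rule restricted to another object class
            for value in attrs.get(attr, []):
                if kind == "NORMAL":
                    out.append(value)
                elif value in seen:
                    continue              # recursion guard: here a group listing itself
                elif kind == "URL":       # ldap:///<dn>?<attrs>?base -> listed attrs of <dn>
                    seen.add(value)
                    dn, wanted = value[len("ldap:///"):].split("?")[:2]
                    out += [v for a in wanted.split(",") for v in directory[dn][1].get(a, [])]
                else:                     # DN or FILTER: recurse with the same -v rules
                    seen.add(value)
                    hits = ([directory[value]] if kind == "DN"
                            else [r for r in directory.values() if matches(r, value)])
                    out += collect(hits, spec, directory, seen)
    return out
def resolve(key, directory=DIRECTORY):  # look up an alias key the way the map above does
    spec = [tuple((i.split(":") + ["NORMAL", None])[:3]) for i in ATTR_SPEC.split(",")]
    start = [r for r in directory.values() if matches(r, SEARCH.replace("%0", key))]
    return collect(start, spec, directory, set())
```

resolve("staff") returns the NORMAL value, then alice's mail reached via FILTER and DN recursion, then bob's mail from the URL, while the group's own mail attribute is ignored because the group is not an inetOrgPerson.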
6.6. STARTTLS
In this section we assume that sendmail has been compiled with support for STARTTLS. To
properly understand the use of STARTTLS in sendmail, it is necessary to understand at least some
basics about X.509 certificates and public key cryptography. This information can be found in
books about SSL/TLS or on WWW sites, e.g., "http://www.OpenSSL.org/".
6.6.1. Certificates for STARTTLS
When acting as a server, sendmail requires X.509 certificates to support STARTTLS: one
as certificate for the server (ServerCertFile and corresponding private ServerKeyFile), at least
one root CA (CACertFile), i.e., a certificate that is used to sign other certificates, and a path to a
directory which contains other CAs (CACertPath). The file specified via CACertFile can contain
several certificates of CAs. The DNs of these certificates are sent to the client during the
TLS handshake (as part of the CertificateRequest) as the list of acceptable CAs. However, do
not list too many root CAs in that file, otherwise the TLS handshake may fail; e.g.,
error:14094417:SSL routines:SSL3_READ_BYTES:
sslv3 alert illegal parameter:s3_pkt.c:964:SSL alert number 47
You should probably put only the CA cert into that file that signed your own cert(s), or at least
only those you trust. The CACertPath directory must contain the hashes of each CA certificate
as filenames (or as links to them). Symbolic links can be generated with the following two
(Bourne) shell commands:
C=FileName_of_CA_Certificate
# name the link after the CA certificate's subject hash, which is what the OpenSSL lookup expects
ln -s "$C" `openssl x509 -noout -hash < "$C"`.0
An X.509 certificate is also required for authentication in client mode (ClientCertFile and
corresponding private ClientKeyFile); however, sendmail will always use STARTTLS when offered
by a server. The client and server certificates can be identical. Certificates can be obtained from