
Different banner/certificate per domain


Charles

Oct 10, 2003, 2:05:26 AM
I have several domains on my server. Is it possible to have sendmail
present a different banner and use a different certificate for STARTTLS
per domain?

Regards, Charles.

peter pilsl

Oct 10, 2003, 5:34:01 AM
Charles wrote:

> I have several domains on my server. Is it possible to have sendmail
> present a different banner and use a different certificate for STARTTLS
> per domain?
>

You can run several sendmail daemons and bind them to different IPs and/or
ports. But it's impossible to have different certificates for one
IP/port combination. The SSL stuff comes into play *before* the server
knows which domain it is talking about.

best,
peter

--
peter pilsl
pilsl_...@goldfisch.at
http://www.goldfisch.at

Charles

Oct 10, 2003, 12:11:10 PM
On Fri, 10 Oct 2003 11:34:01 +0200, peter pilsl wrote:

> Charles wrote:
>
>> I have several domains on my server. Is it possible to have sendmail
>> present a different banner and use a different certificate for STARTTLS
>> per domain?

> you can run several sendmail-daemons and bind em to different ip's and/or
> ports. But its impossible to have different certificates for one

Right. Is there a place where I can find more information on doing that? I
don't know where to look for the binding of the daemon to a specific IP
address. Is that something to configure in sendmail or do I need to look
in another newsgroup?

Regards, Charles.

G. Roderick Singleton

Oct 10, 2003, 12:35:07 PM

You need separate sendmail.mc files for each. And you can use .mc
commands such as DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
to set the ip address. Don't know about setting ports though.
And remember with 8.12.x you have two .mc files to configure.

Claus Aßmann

Oct 10, 2003, 12:37:14 PM
Charles wrote:

> Right. Is there a place where I can find more information on doing that? I

doc/op/op.* in your sendmail distribution. Look for
DaemonPortOptions.

> don't know where to look for the binding of the daemon to a specific IP
> address. Is that something to configure in sendmail or do I need to look
> in another newsgroup?

DaemonPortOptions=options
[O] Set server SMTP options. Each instance
of DaemonPortOptions leads to an additional
incoming socket. The options are key=value
pairs. Known keys are:

Name User-definable name for the daemon (defaults to "Daemon#")
Port Name/number of listening port (defaults to "smtp")
-> Addr Address mask (defaults INADDR_ANY)

--
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Charles M. Gerungan

Oct 17, 2003, 5:53:11 AM
Additional question after rereading Peter Pilsl's message:

If I interpret his comment correctly, it _is_ possible for me to use a
different certificate when daemon 1 is listening on 1.1.1.1:25 and daemon 2
is listening on 2.2.2.2:25.

On Fri, 10 Oct 2003 16:37:14 +0000, Claus Aßmann wrote:

> doc/op/op.* in your sendmail distribution. Look for
> DaemonPortOptions.

Found it. Now, if I understand it correctly, I need two sendmail.cf's, two
submit.cf's and fire up sendmail twice using a different -Csendmail.cf.

So far, I've come up with the following using sendmail 8.12.10 (lines beginning with an asterisk
should be modified in the second sendmail.cf):

---[begin sendmail.cf]--------------------------------------------------------------
divert(-1)
#
# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers.
# All rights reserved.
# Copyright (c) 1983 Eric P. Allman. All rights reserved.
# Copyright (c) 1988, 1993
# The Regents of the University of California. All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

#
# This is a generic configuration file for Linux.
# It has support for local and SMTP mail only. If you want to
# customize it, copy it to a name appropriate for your environment
# and do the modifications there.
#

VERSIONID(`$Id: generic-linux.mc,v 8.1 1999/09/24 22:48:05 gshapiro Exp $')

OSTYPE(linux)dnl

undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`HELP_FILE', `/etc/mail/helpfile')dnl
define(`QUEUE_DIR', `/var/spool/mqueue')dnl
define(`MSP_QUEUE_DIR', `/var/spool/clientmqueue')dnl
define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`STATUS_FILE', `/etc/mail/statistics')dnl

DOMAIN(generic)dnl

*FEATURE(use_cw_file)dnl
*FEATURE(use_ct_file)dnl
FEATURE(redirect)dnl
*FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(always_add_domain)dnl
*FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
*FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl')dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`delay_checks')dnl

define(`confTO_CONNECT', `1m')dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confDEF_USER_ID',`smmsp:smmsp')dnl
define(`confLOG_LEVEL',`14')dnl

*DAEMON_OPTIONS(`Family=inet, Addr=1.1.1.1, Port=smtp, Name=sm-mta-domain1')dnl

define(`confAUTH_OPTIONS', `A p y')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confCACERT_PATH',`/usr/share/ssl/certs')dnl
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')dnl
*define(`confSERVER_CERT',`/usr/share/ssl/certs/domain1.pem')dnl
*define(`confSERVER_KEY',`/usr/share/ssl/certs/domain1.pem')dnl

INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:5m;R:5m')dnl

MAILER(smtp)dnl
MAILER(procmail)dnl

---[end sendmail.cf]----------------------------------------------------------------

Now, will I also need a different /var/mqueue and /var/clientmqueue per
daemon?

Regards, Charles.

Per Hedeland

Oct 18, 2003, 8:03:27 AM
In article <pan.2003.10.17....@nednieuws.com> "Charles M. Gerungan" <cha...@nednieuws.com> writes:
>Additional question after rereading Peter Pilsl's message:
>
>If I interpret his comment correctly, it _is_ possible for me to use a
>different certificate when daemon 1 is listening on 1.1.1.1:25 and daemon two
>is listening on 2.2.2.2:25
>
>On Fri, 10 Oct 2003 16:37:14 +0000, Claus Aßmann wrote:
>
>> doc/op/op.* in your sendmail distribution. Look for
>> DaemonPortOptions.
>
>Found it. Now, if I understand it correctly, I need two sendmail.cf's, two
>submit.cf's and fire up sendmail twice using a different -Csendmail.cf.

Why would you need two submit.cf's - i.e. what would be different
between them? That doesn't really work anyway, since by definition
submit.cf is the file used when programs invoke sendmail directly to
send mail - they won't specify a -C option, and wouldn't be allowed to
do it if they tried (sendmail would drop privileges and be unable to
write to the clientmqueue).

>So far, I've come up with the following using sendmail 8.12.10 (lines
>beginning with an asterisk should be modified in the second sendmail.cf):

I can't see any reason to modify anything but the DAEMON_OPTIONS() and
the confSERVER_{CERT,KEY} for this purpose. And you *can* give those on
the commandline with -O, allowing for a single sendmail.cf, but it may
not be any real advantage.

Well, one other thing that you probably want to have different is the
confPID_FILE (also settable via -O), so the two daemons don't stomp on
each other's files. That can be done via macro expansion though, e.g. have
${daemon_addr} (not tested) be part of the file name.

And, if you actually care about the "banner" (there isn't much reason to
do that), you need to have different confSMTP_LOGIN_MSG definitions - or
again, make it macro-expanded (there's an example of precisely this in
doc/op/op.*).

>Now, will I also need a different /var/mqueue and /var/clientmqueue per
>daemon?

Again, not for *this* purpose.

--Per Hedeland
p...@hedeland.org
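Added example, not code from any poster in this thread: a small Python probe that checks, from the administrator's side, the setup Peter and Per describe. Because STARTTLS is negotiated after the 220 greeting and EHLO but before any MAIL or RCPT command, a sendmail daemon can only offer the one ServerCertFile bound to its DaemonPortOptions Addr/Port, so the certificate and the greeting have to be verified per listening IP, not per mail domain. The addresses 1.1.1.1 and 2.2.2.2 are the placeholders from the thread; the host names, the EXPECTED table and the EHLO name probe.example are constructed. Certificate verification stays on (with CERT_NONE the stdlib returns an empty certificate dict), so pass cafile=... pointing at the bundle named in confCACERT when the daemons use an internal CA.

```python
"""Probe each sendmail listener and report the greeting and the
certificate offered at STARTTLS.  Added example; all addresses, host
names and the EXPECTED table are constructed placeholders."""
import smtplib
import ssl

# Constructed: one entry per daemon, keyed by the (Addr, Port) it listens on,
# mapping to the host name clients are expected to reach that daemon under.
EXPECTED = {
    ("1.1.1.1", 25): "mail.domain1.example",
    ("2.2.2.2", 25): "mail.domain2.example",
}


def cert_names(cert):
    """DNS names a certificate (dict as returned by SSLSocket.getpeercert())
    is valid for: the subjectAltName dNSName entries, or, only when the
    certificate carries none, the subject commonName."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def cert_covers(cert, host):
    """True when any name in the certificate matches the expected host."""
    return any(name_matches(name, host) for name in cert_names(cert))


def evaluate(listener, greeting, cert, expected_host):
    """Pure check: does the certificate offered on this listener cover the
    name clients use for it, and does the 220 greeting announce that name
    (the per-daemon confSMTP_LOGIN_MSG point raised in the thread)."""
    return {
        "listener": "%s:%d" % listener,
        "names": cert_names(cert),
        "cert_ok": cert_covers(cert, expected_host),
        "banner_ok": expected_host.lower() in greeting.lower(),
    }


def probe(addr, port, cafile=None, timeout=10):
    """Connect to one listening socket, capture the greeting, STARTTLS and
    return (greeting text, peer certificate dict).  Chain verification stays
    on because getpeercert() returns {} for an unverified peer."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # names are compared by evaluate(), per listener
    ctx.verify_mode = ssl.CERT_REQUIRED
    smtp = smtplib.SMTP(timeout=timeout)
    code, greeting = smtp.connect(addr, port)  # the 220 banner, as bytes
    try:
        smtp.ehlo("probe.example")  # constructed client name
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    finally:
        try:
            smtp.quit()
        except (smtplib.SMTPException, OSError):
            pass
    return "%d %s" % (code, greeting.decode("ascii", "replace")), cert


def check_all(expected=EXPECTED, cafile=None):
    """Probe every listener and return one evaluate() report per daemon."""
    reports = []
    for (addr, port), host in expected.items():
        greeting, cert = probe(addr, port, cafile=cafile)
        reports.append(evaluate((addr, port), greeting, cert, host))
    return reports


if __name__ == "__main__":
    for report in check_all():
        status = "OK" if report["cert_ok"] and report["banner_ok"] else "MISMATCH"
        print(status, report["listener"], report["names"], report["banner_ok"])
```

A MISMATCH on one listener is what you get when both daemons were started from the same sendmail.cf without per-daemon -O ServerCertFile / ServerKeyFile overrides, or when the second DAEMON_OPTIONS line was left pointing at the first daemon's Addr: the TLS session still completes, but clients connecting to the second domain's name see a certificate for the first.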
