How to make Sendmail MTA use SSL/TLS whenever possible

1. Create a certificate directory and go there:

# mkdir /etc/mail/cert
# cd /etc/mail/cert 

2. Create a pass-phrase-protected key for the server, giving a new pass phrase when prompted. Use at least 2048 bits; the 1024-bit keys that were once common are no longer considered adequate:

# openssl genrsa -des3 -out server.key 2048

3. Create a clear-text copy of the key (so it is not pass-phrase-protected and sendmail can load it at start-up), giving the pass phrase when asked:

# openssl rsa -in server.key -out 

4. Create a self-signed certificate, valid for ten years, from the clear-text key, and answer the X.509v3 questions appropriately. The Common Name must be the fully qualified host name that other mail servers and clients connect to; nothing else in the subject matters for STARTTLS:

# openssl req -new -x509 -days 3650 -key -out server.crt 

5. Make the files root-read-only. Sendmail refuses to load a private key that is readable by group or others, or that sits in a directory other users can write to, so the cert directory itself should also be owned by root and not group- or world-writable:

# chmod 600 server.* 

6. Edit /etc/mail/ and add these lines. You should find commented-out versions of these settings in the file, about a third of the way through it. ServerKeyFile and ClientKeyFile both name the clear-text private key, and ServerCertFile and ClientCertFile both name the certificate; a *KeyFile option that points at the certificate will not work:

O CACertPath=/etc/mail/cert
O CACertFile=/etc/mail/cert/server.crt
O ServerCertFile=/etc/mail/cert/server.crt
O ServerKeyFile=/etc/mail/cert/
O ClientCertFile=/etc/mail/cert/server.crt
O ClientKeyFile=/etc/mail/cert/

Note what this buys you. With CACertFile pointing at your own self-signed certificate, sendmail will encrypt a session with any peer that offers STARTTLS, but it can only verify peers whose certificates were issued by that file, and it still delivers mail over an unverified or plain-text connection when that is all the peer offers. This is opportunistic encryption, not authentication.

7. Restart sendmail:

# /etc/init.d/sendmail restart 
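Steps 1 to 5, carried out non-interactively and checked before sendmail is restarted, as an added shell example that is not part of the original page. It assumes openssl on PATH and GNU or BSD stat; the clear-text key is named server.pem here, and the pass phrase is taken from the KEY_PASS environment variable (the default is a placeholder). Both choices are this example's, not the page's. The check_starttls function is for after step 7 and needs a running MTA, so it is separate from the offline checks.

```shell
#!/bin/sh
# Added example, not from the original page: do steps 1-5 without prompts and
# verify the result before restarting sendmail.
# Assumptions (this script's choices): the clear-text copy of the key is named
# server.pem; the pass phrase comes from KEY_PASS (placeholder default);
# openssl is on PATH; GNU or BSD stat is available.
set -eu

CERT_DIR="${CERT_DIR:-/etc/mail/cert}"
KEY_BITS=2048            # 1024 was once common but is too short today
DAYS=3650
KEY_PASS="${KEY_PASS:-change-me}"

# create_tls_material DIR CN
# Encrypted key -> clear-text copy (what sendmail loads) -> 10-year self-signed
# certificate whose Common Name is the server's FQDN. The umask in the subshell
# makes every file 0600 from the moment it is created, so there is no window in
# which the key is readable by anyone else.
create_tls_material() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    (
        umask 077
        openssl genrsa -des3 -passout "pass:$KEY_PASS" -out "$dir/server.key" "$KEY_BITS"
        openssl rsa -in "$dir/server.key" -passin "pass:$KEY_PASS" -out "$dir/server.pem"
        openssl req -new -x509 -days "$DAYS" -key "$dir/server.pem" \
            -subj "/CN=$cn" -out "$dir/server.crt"
    )
    chmod 600 "$dir"/server.*
}

# file_mode FILE: octal permission bits; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# verify_tls_material DIR
# Returns 0 only if the certificate and the clear-text key share a modulus
# (they belong together), the certificate has not expired, and neither key
# file is readable by group or others (sendmail rejects such keys as unsafe).
verify_tls_material() {
    dir=$1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.pem")
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    if [ "$key_mod" != "$crt_mod" ]; then
        echo "server.crt was not issued for server.pem" >&2; return 1
    fi
    if ! openssl x509 -noout -checkend 0 -in "$dir/server.crt" >/dev/null; then
        echo "server.crt has expired" >&2; return 1
    fi
    for f in "$dir/server.key" "$dir/server.pem"; do
        case $(file_mode "$f") in
            600|400) ;;
            *) echo "$f is not root-read-only (mode $(file_mode "$f"))" >&2; return 1 ;;
        esac
    done
}

# check_starttls HOST [PORT]
# After the restart: confirm the MTA advertises STARTTLS and hands out the new
# certificate. Needs a running MTA, so it is not part of the offline checks.
check_starttls() {
    host=$1; port=${2:-25}
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$host:$port" 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

# Only act when asked explicitly:  sh tls-setup.sh run [fqdn]
case "${1:-}" in
    run)
        create_tls_material "$CERT_DIR" "${2:-$(hostname -f)}"
        verify_tls_material "$CERT_DIR" && echo "key material in $CERT_DIR is consistent"
        ;;
esac
```

Run it as root with `sh tls-setup.sh run mail.example.com` (the file name is arbitrary), point the O options or m4 defines at server.pem and server.crt, restart sendmail, and then run `check_starttls localhost` from the same shell to see the subject and expiry of the certificate the MTA is actually presenting. If verify_tls_material complains about a mode, fix the file rather than loosening sendmail's safety checks.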

Alternative method, using

The O lines above live in the generated configuration, which is rewritten every time it is rebuilt with make, so hand edits there are lost on the next rebuild. You can modify instead of and have your changes persist through make runs. Thanks to Dave Miller for pointing this out:

dnl #
define(`confCACERT_PATH', `/etc/mail/cert')dnl
define(`confCACERT', `/etc/mail/cert/server.crt')dnl
define(`confSERVER_CERT', `/etc/mail/cert/server.crt')dnl
define(`confSERVER_KEY', `/etc/mail/cert/')dnl
define(`confCLIENT_CERT', `/etc/mail/cert/server.crt')dnl
define(`confCLIENT_KEY', `/etc/mail/cert/')dnl