Setting up sendmail to use a client certificate

Friday, November 19, 2010

MTAs like sendmail and postfix act as both clients and servers. This page is about setting up sendmail to present a client certificate, not a server certificate. If you're trying to use your desktop email client to send email over encrypted SMTP, for example, this is probably not the right place to be looking.

One use case is this: I have a few machines that need to send email: a mail server on a static IP, and a few random machines at home on a dynamic IP. The ones at home can't send email directly because, due to spam, most email services don't accept emails directly from residential IPs. So for my machines to use sendmail, they have to relay through the mail server.

The problem is authentication. For the server to not become a spam-spewing open relay, it needs to know who is trying to use it as a relay. There are basically three reasonable ways for a client MTA to authenticate to a server MTA for relaying: the client's IP/hostname, a username/password, or a client certificate. I can't use my IP or hostname since it keeps changing, and using a username/password is too logical for me. So here's how to set up a client certificate.

First, either get an actual client certificate signed by a real CA, or sign your own. Note, if you buy one, it needs to be a client certificate and not some other type, i.e. it needs to pass this check:

$ openssl verify -purpose sslclient sendmail.crt

If you generated it using my instructions, the certificate can be used for any purpose and will be fine.

Now, copy the certificate and private key somewhere on your client machine. /etc/pki/tls/ is a good place to put these. Then add these two lines to /etc/mail/

define(`confCLIENT_CERT', `/etc/pki/tls/certs/sendmail.crt')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/private/sendmail.key')dnl

You may have to install sendmail-cf before proceeding, so do that first. Then run make and restart sendmail:

# make -C /etc/mail
# /etc/init.d/sendmail restart

Now sendmail is correctly configured to present a client certificate when asked by a server. Note that the server must ask for a client certificate before one will be presented, and most servers don't do that by default. Also, for the certificate verification to succeed, the server needs to be configured to trust the certificate authority. That means if you signed the certificate yourself, the server needs to trust the certificate file of the CA that you signed the client certificate with.
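Before pointing confCLIENT_CERT and confCLIENT_KEY at a certificate, it is worth confirming that the files will actually work: that the certificate passes the sslclient purpose check against the CA the server trusts, and that the private key really belongs to it. The following script is an added example, not part of the original post; it generates a throwaway CA, a client certificate and a server-only certificate as constructed test material and runs the check against each.

```shell
#!/bin/sh
# Added example: sanity-check a sendmail client certificate/key pair.
# Assumes openssl is installed. The CA and certificates below are
# constructed here for demonstration; in real use, pass the files named
# in confCLIENT_CERT / confCLIENT_KEY and the CA file the server trusts.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed test material: throwaway CA and two signed certs ---
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=home-box.example" \
  -keyout "$WORK/sendmail.key" -out "$WORK/sendmail.csr" 2>/dev/null
# Client certificate: extendedKeyUsage clientAuth passes -purpose sslclient
printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
openssl x509 -req -days 1 -in "$WORK/sendmail.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/client.ext" \
  -out "$WORK/sendmail.crt" 2>/dev/null
# Server-only certificate: the wrong type, which sendmail must not be given
printf 'extendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
openssl x509 -req -days 1 -in "$WORK/sendmail.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/server.ext" \
  -out "$WORK/server-only.crt" 2>/dev/null

# check_client_cert CERT KEY CA
# Returns 0 if CERT chains to CA and is usable as an SSL client certificate
# and KEY is its private key; 1 on a chain/purpose failure; 2 on key mismatch.
check_client_cert() {
  cert=$1; key=$2; ca=$3
  openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 \
    || return 1
  # Compare the public key embedded in the cert with the one derived from KEY
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 2
  return 0
}

# Stand-alone run: report on the constructed files
for c in sendmail.crt server-only.crt; do
  if check_client_cert "$WORK/$c" "$WORK/sendmail.key" "$WORK/ca.crt"; then
    echo "$c: OK as client certificate"
  else
    echo "$c: NOT usable (status $?)"
  fi
done
```

The serial file from the first signing is reused by the second because both run in the same directory with the same CA name.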

Tags: certificate, email, encryption, sendmail | Posted at 20:35 | Comments (4)


sachin on Friday, May 10, 2013 at 15:31


Thanks for posting this article.

However, I have a scenario which needs help :(

The setup is the same as in your case, but in my case the org does not want to issue client certificates to client MTAs as these could be large in number.

So I have been asked to find out if there is a server certificate authentication.

I have prepared a local setup where there are two sendmails installed on separate machines.
One acts as a client relaying mails to the other sendmail, and the other is the server which needs to send mails to the internet.

Now when the client sendmail communicates with the server, the client needs to somehow confirm that this is the correct server to which I am relaying!!!

How to achieve this? Please guide.

David on Friday, May 10, 2013 at 17:20

@Sachin: It sounds like you are trying to set up the Sendmail server with a server certificate (not client cert, described here) so that clients can be sure who they're connecting to and avoid connecting to some rogue mail server. Part of this post describes how to do it with Postfix, but I don't have instructions for Sendmail. There are lots of guides elsewhere online for doing this with Sendmail, though.

sachin on Friday, May 10, 2013 at 19:42

Correct. I need to do server authentication. Haven't been able to find a crisp doc on how to do that :( maybe because there is mostly on using SMTP AUTH and STARTTLS with client auth.
Please do let me know in case you come across anything.

David on Monday, May 13, 2013 at 09:37

@Sachin: There are lots of relevant-looking pages from a quick internet search, but this one looks nice and succinct:
