Setup secure ProFTPd

Ftp can be secured using ftps to connect. Below outlines a configuration to support such a setup using TLS/SSL.

I usually use the epel repository to install proftpd:

yum --enablerepo=epel install proftpd

Configure for tls/ssl connection:

<IfModule mod_tls.c>
TLSEngine   &nbsp;    &nbsp;    &nbsp;    &nbsp;    on
TLSRequired   ;     ;     ;     ;   off
TLSRSACertificateFile &nbsp;    &nbsp;    /etc/pki/tls/proftpd/server.cert.pem
TLSRSACertificateKeyFile&nbsp;    &nbsp;  /etc/pki/tls/proftpd/server.key.pem
TLSVerifyClient  &nbsp;    &nbsp;    &nbsp;    off
TLSRenegotiate  &nbsp;    &nbsp;    &nbsp;     required off
TLSLog   &nbsp;    &nbsp;    &nbsp;    &nbsp;    &nbsp;  /var/log/proftpd/tls.log

chroot and bindsocket to listen to single IP:

SocketBindTight  &nbsp;    &nbsp;    &nbsp;    on
DefaultRoot   ;     ;     ;     ;   ~

Setup passive ftp ports:

PassivePorts 50000 51000

Create the certs:

mkdir -p /etc/pki/tls/proftpd
cd /etc/pki/tls/proftpd
openssl req -new -x509 -days 9999 -nodes -out server.cert.pem -keyout server.key.pem

Create /etc/pam.d/ftp so PAM can authenticate for proftpd:

auth    required   &nbsp;   &nbsp; nullok
account required   &nbsp;
session required   &nbsp;

Add "/bin/false" to "/etc/shells" file and use it as the shell type when creating new users:

useradd -s /bin/false <ftp_user>


When starting sendmail, I would get the below messgage:

Oct 18 23:59:01 srv02 sendmail[20857]: alias database /etc/aliases rebuilt by root
Oct 18 23:59:01 srv02 sendmail[20857]: /etc/aliases: 79 aliases, longest 22 bytes, 860 bytes total
Oct 18 23:59:01 srv02 sendmail[20862]: starting daemon (8.13.1): SMTP+queueing@01:00:00
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS: CRLFile missing
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, init=1
Oct 18 23:59:01 srv02 sendmail[20862]: started as: /usr/sbin/sendmail -bd -q1h
Oct 18 23:59:01 srv02 sm-msp-queue[20872]: starting daemon (8.13.1): queueing@01:00:00

Although, sendmail would still run without the CRL File and just complain about it missing. A quick way to include it in the sendmail configuration is to download revoke.crl from, add the below option in and rebuild the sendmail conf file as below.

Download revoke.crl:

# cd /usr/share/ssl/certs
# wget

Add the below line to "/etc/mail/" just below the "confSERVER_KEY":

define(`confCRL', `/usr/share/ssl/certs/revoke.crl')

Rebuild sendmail conf by running make:

# cd /etc/mail
# make

Check with the revoke.crl listed as below:

O CRLFile=/usr/share/ssl/certs/revoke.crl

Now restarting sendmail should not complain about the missing Certificate Revocation List (CRL) File.