Sendmail STARTTLS Issue
=======================
The idea of this paper is how to force an email relay or the final SMTP destination to receive our
email securely using TLS (Transport Layer Security). If the relay or mail destination
doesn't support TLS, email will not be delivered to it.
Such a scenario is shown in this diagram:
            (1)                       (2)
[ mail client ] === send email ===> [ MTA1 ] === relay to ===+
                                                             |
   +=========================================================+
   |          (3)                        (4)
   +======> [ MTA2 ] === delivery to ===> [ mail server (SMTP destination) ]
I assume:
=========
MTA1: 10.254.80.31
MTA2: 10.254.70.8
Our purpose now is to make the MTA1 - MTA2 communication secured using TLS.
I) What happens if MTA2 doesn't support TLS? Let us try by following the scenario below:
Step 1. (to be done on MTA2)
- disable STARTTLS
- Edit /etc/mail/access and append this line:
Connect:10.254.80.31 RELAY
After appending that line, run this command (as root):
makemap hash /etc/mail/access.db < /etc/mail/access
Step 2. (to be done on MTA1)
- Edit /etc/mail/access and append the line that requires the encryption to MTA2
to be 128 bits. If it is not, then MTA1 will not relay email to MTA2.
After appending that line, run this command (as root):
makemap hash /etc/mail/access.db < /etc/mail/access
Step 3. (to be done on the email client)
Send an email now through MTA1, then monitor MTA1, wait and check the mail queue there:
- Using the mailq command you get something like this:
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
m675MXpo001370 536 Mon Jul 7 05:22
(Deferred: 403 4.7.0 encryption too weak 0 less than 128)
The message is deferred: based on our rule, mail sent through 10.254.70.8 (MTA2),
which is our relay, must be encrypted, but we didn't configure MTA2 to be TLS enabled.
The error message:
403 4.7.0 encryption too weak 0 less than 128
says that we require encryption (at least 128 bits) but the relay mail server doesn't offer it.
II) What happens if MTA2 supports TLS? Simply enable TLS on MTA2 and see what happens.
Email should be delivered normally now.
FAQ:
* How to check if the SMTP server supports TLS?
Connect (using telnet) to port 25, send EHLO, and you will see "250-STARTTLS" in the reply.
E.g.:
# telnet localhost 25
Trying 127.0.0.1...
Connected to CM (127.0.0.1).
Escape character is '^]'.
220 localhost.localdomain ESMTP Sendmail 8.12.10/8.12.11;
EHLO localhost
250-localhost.localdomain Hello CM [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
* How to enable/disable the TLS feature on sendmail?
See: http://www.sendmail.org/~ca/email/starttls.html#starttlssetup
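As an added example, not part of the original paper, the POSIX shell script below implements the STARTTLS check from the FAQ (parsing an EHLO reply for the capability) and produces the two access-map entries for the scenario in sections I and II. The MTA1 entry uses sendmail's documented TLS_Srv/ENCR access-map syntax; since the paper does not show its own line, that exact entry, the nc-based live probe and the sample replies are assumptions.

```shell
#!/bin/sh
# Added example, not from the original paper. IPs follow the paper's setup.

# Constructed EHLO reply, modelled on the telnet session in the FAQ.
SAMPLE_EHLO_TLS='220 localhost.localdomain ESMTP Sendmail 8.12.10/8.12.11;
250-localhost.localdomain Hello CM [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-STARTTLS
250 HELP'

# The same server with STARTTLS disabled (constructed).
SAMPLE_EHLO_NOTLS='220 localhost.localdomain ESMTP Sendmail 8.12.10/8.12.11;
250-localhost.localdomain Hello CM [127.0.0.1], pleased to meet you
250-PIPELINING
250 HELP'

# Read an EHLO reply on stdin; succeed only if STARTTLS is advertised.
# The capability appears as "250-STARTTLS" (not last) or "250 STARTTLS" (last).
ehlo_has_starttls() {
    grep -Eiq '^250[- ]STARTTLS[[:space:]]*$'
}

# Live version of the FAQ check: EHLO the host and inspect the reply.
# Assumes netcat (nc) is installed; QUIT lets the server close cleanly.
probe_starttls() {
    printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}" | ehlo_has_starttls
}

# Access-map entry for MTA2 (step 1): accept relaying from MTA1.
mta2_access_entry() {
    printf 'Connect:%s\tRELAY\n' "$1"
}

# Access-map entry for MTA1 (step 2): only deliver to MTA2 over a session
# encrypted with at least 128 bits; weaker sessions are deferred with
# "403 4.7.0 encryption too weak ...". TLS_Srv:/ENCR: is sendmail's
# documented syntax; the paper's own line is not shown, so this is an assumption.
mta1_access_entry() {
    printf 'TLS_Srv:%s\tENCR:%s\n' "$1" "${2:-128}"
}

# Rebuild the hashed map after editing /etc/mail/access (run as root).
rebuild_access_map() {
    makemap hash /etc/mail/access.db < /etc/mail/access
}
```

Run `probe_starttls 10.254.70.8` on MTA1 to see whether MTA2 currently offers STARTTLS, and append the output of `mta1_access_entry 10.254.70.8` to MTA1's access file before rebuilding the map.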
Related link:
1. www.sendmail.org
Boss, I'm sorry, because my question is not related to the topic.
I want to ask about the living cost in Singapore.
How much is the monthly living cost there, everything included?
Thanks a lot
abe IF'ers
August 5, 2008 at 8:55 am
Sorry as well, my comment is off topic too.
I heard you are going to move to the UAE?
IndraPr
August 20, 2008 at 9:01 am