Ady Wicaksono Daily Activities

Sendmail STARTTLS, how to force email relay to use TLS


Sendmail STARTTLS Issue
=======================

This post shows how to force the email relay (or the final SMTP destination) to receive our
email securely using TLS (Transport Layer Security). If the relay or mail destination
doesn't support TLS, email will not be delivered to it.

Such a scenario is shown in this diagram:

      (1)                         (2)                     (3)                       (4)
[ mail client ] === send email ===> [ MTA1 ] === relay to ===> [ MTA2 ] === delivery to ===> [ mail server (SMTP destination) ]

I assume:
=========
MTA1: 10.254.80.31
MTA2: 10.254.70.8

Our purpose now is to make the MTA1 - MTA2 communication secured with TLS.

I) What happens if MTA2 doesn't support TLS? Let us try the following scenario:

Step 1. (to be done on MTA2)
   - disable STARTTLS
   - Edit /etc/mail/access and append this line:

	Connect:10.254.80.31                    RELAY

     After appending that line, run this command (as root):

	     makemap hash /etc/mail/access.db < /etc/mail/access

Step 2. (to be done on MTA1)
   - Edit /etc/mail/access and append the line that requires encryption to 10.254.70.8 (MTA2)
     to be at least 128 bits. If not, MTA1 will not relay email to MTA2.

     After appending that line, run this command (as root):

	     makemap hash /etc/mail/access.db < /etc/mail/access

Step 3. (to be done on the email client)
Send an email through MTA1 now, then monitor MTA1 and check the mail queue there:

- Using the mailq command you get output like this:

-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
m675MXpo001370      536 Mon Jul  7 05:22 
                 (Deferred: 403 4.7.0 encryption too weak 0 less than 128)

The message is deferred because, by our rule, mail sent through 10.254.70.8 (MTA2), which is
our relay, must be encrypted, but we did not configure MTA2 with TLS enabled. The error message

        403 4.7.0 encryption too weak 0 less than 128

says that we require encryption but the relay mail server does not offer it.

II) What happens if MTA2 supports TLS? Simply enable TLS on MTA2 and see what happens :)
    Email should be delivered normally now.

FAQ:
* How to check whether the SMTP server supports TLS?
  Connect to port 25 (using telnet), send EHLO, and you will see "250-STARTTLS" in the reply.
  E.g:
	# telnet localhost 25
	Trying 127.0.0.1...
	Connected to CM (127.0.0.1).
	Escape character is '^]'.
	220 localhost.localdomain ESMTP Sendmail 8.12.10/8.12.11; 
	EHLO localhost
	250-localhost.localdomain Hello CM [127.0.0.1], pleased to meet you
	250-ENHANCEDSTATUSCODES
	250-PIPELINING
	250-8BITMIME
	250-SIZE
	250-DSN
	250-ETRN
	250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
	250-STARTTLS
	250-DELIVERBY
	250 HELP

* How to enable/disable TLS feature on sendmail?
  See: http://www.sendmail.org/~ca/email/starttls.html#starttlssetup
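The three checks in this post (the 128-bit requirement in MTA1's access map, the telnet STARTTLS test, and the mailq deferral) as an added shell example; this is not code from the original post. It assumes the step-2 entry on MTA1 is `TLS_Srv:10.254.70.8 ENCR:128` (sendmail's access-map syntax for a minimum cipher strength to a host), that nc is installed for the live probe, and all sample data below is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Three checks for the MTA1 -> MTA2 setup:
# the ENCR requirement in MTA1's access map, STARTTLS in an EHLO reply, and mailq deferrals.

# Read access-map text on stdin; print the bits required for host $1 (ENCR:n or VERIFY:n).
# Prints nothing and returns 1 when no TLS_Srv entry for that host sets a minimum.
access_min_encr() {
    awk -v host="$1" '
        $1 == ("TLS_Srv:" host) && match($2, /(ENCR|VERIFY):[0-9]+/) {
            v = substr($2, RSTART, RLENGTH); sub(/^[A-Z]+:/, "", v); print v; found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Read an EHLO reply on stdin; succeed only if "250-STARTTLS" (or a final "250 STARTTLS") is present.
ehlo_has_starttls() {
    grep -Eiq '^250[- ]STARTTLS[[:space:]]*$'
}

# Live form of the FAQ's telnet test (assumes nc is installed): EHLO host $1 on port $2 (default 25).
probe_starttls() {
    printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}" | ehlo_has_starttls
}

# Read mailq output on stdin; print the queue ID of each message deferred with
# sendmail's "encryption too weak" reason, i.e. the ENCR requirement was not met.
weak_encryption_deferrals() {
    awk '
        /^[A-Za-z0-9]+\*?[[:space:]]+[0-9]+[[:space:]]/ { qid = $1; sub(/\*$/, "", qid) }
        /Deferred:.*encryption too weak/ { print qid }'
}

# Constructed sample data (not captured from real hosts), shaped like the post's output.
# The TLS_Srv line is the assumed step-2 entry on MTA1; spaces stand in for the usual tab.
SAMPLE_ACCESS='Connect:10.254.80.31    RELAY
TLS_Srv:10.254.70.8     ENCR:128'
SAMPLE_EHLO='250-mta2.example Hello mta1.example [10.254.80.31], pleased to meet you
250-ENHANCEDSTATUSCODES
250-STARTTLS
250 HELP'
SAMPLE_MAILQ='-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
m675MXpo001370      536 Mon Jul  7 05:22 <postmaster@mta1.example>
                 (Deferred: 403 4.7.0 encryption too weak 0 less than 128)
                                         <user@mta2.example>'

# Demo run over the samples.
printf 'MTA1 requires %s-bit encryption to MTA2\n' "$(printf '%s\n' "$SAMPLE_ACCESS" | access_min_encr 10.254.70.8)"
if printf '%s\n' "$SAMPLE_EHLO" | ehlo_has_starttls; then echo 'sample EHLO: STARTTLS advertised'; fi
printf 'deferred for weak encryption: %s\n' "$(printf '%s\n' "$SAMPLE_MAILQ" | weak_encryption_deferrals)"
```

Run `probe_starttls 10.254.70.8` from MTA1 to repeat the FAQ check against the real relay; a non-zero exit means STARTTLS was not advertised and MTA1 will keep deferring.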

Related links:
 1. www.sendmail.org



Written by adywicaksono

July 7, 2008 at 5:53 am

Posted in Linux, networking

2 Responses


  1. Boss, I'm sorry, because my question is not related to the topic 😀.
    I wanna ask about the living cost in Singapore.
    How much is the monthly living cost there? ..
    Everything included 😀

    thx a lot

    abe IF'ers

    August 5, 2008 at 8:55 am

  2. Sorry as well, my comment is off topic.

    I hear you are moving to the UAE? 🙂🙂

    IndraPr

    August 20, 2008 at 9:01 am
