Ady Wicaksono Daily Activities

Sendmail STARTTLS, how to force email relay to use TLS


Sendmail STARTTLS Issue

The idea of this paper is how to force the email relay / final SMTP destination to receive our
email securely using TLS (Transport Layer Security). If the relay or mail destination
doesn't support TLS, email will not be delivered to it.

Such a scenario is shown in this diagram:

                     (1)                        (2)
[ mail client ] === send email ===> [ MTA1 ] === relay to ===+
                                                             |
      (3)                              (4)                   |
      +======> [ MTA2 ] === delivery to ===> [ mail server (SMTP destination) ]

I assume:

Our purpose now is to make sure the MTA1 - MTA2 communication is secured using TLS.

I) What happens if MTA2 doesn't support TLS? Let us try by following the scenario below:

Step 1. (to be done on MTA2)
   - disable STARTTLS
   - Edit /etc/mail/access and append this line:
	Connect:                    RELAY

     After appending that line, run this command (as root):

	     makemap hash /etc/mail/access.db < /etc/mail/access

Step 2. (to be done on MTA1)
     = 128 bits. If not, then MTA1 will not relay email to MTA2.

     After appending that line, run this command (as root):

	     makemap hash /etc/mail/access.db < /etc/mail/access

Step 3. (to be done on the email client)
Send an email through MTA1 now, then monitor MTA1 and check the mail queue there:

- Using the mailq command you get something like this:

-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
m675MXpo001370      536 Mon Jul  7 05:22 
                 (Deferred: 403 4.7.0 encryption too weak 0 less than 128)

The message is deferred: by our rule, a message sent through MTA2 (our relay) must be
encrypted, but we didn't configure MTA2 to be TLS enabled. The error message

        403 4.7.0 encryption too weak 0 less than 128

says that we require encryption but the relay mail server doesn't support it.

II) What happens if MTA2 supports TLS? Simply enable TLS on MTA2 and see what happens :)
    Email should be delivered normally now.

* How to check if the SMTP server supports TLS?
  Connect (using telnet) to port 25, say EHLO, and you will see "250-STARTTLS" in the reply.
	# telnet localhost 25
	Connected to CM (
	Escape character is '^]'.
	220 localhost.localdomain ESMTP Sendmail 8.12.10/8.12.11; 
	EHLO localhost
	250-localhost.localdomain Hello CM [], pleased to meet you
	250 HELP
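Added example (not code from the original post): a Python script that automates the telnet check above (does the relay advertise STARTTLS in its EHLO reply?) and applies the same 128-bit minimum behind the "encryption too weak" deferral to the cipher actually negotiated. The host names, addresses and EHLO reply bodies are constructed; check_relay() needs network access to a real relay and is the only part that talks to a server.

```python
import smtplib
import ssl

MIN_BITS = 128  # the page's threshold: sessions below 128-bit keys are deferred

# Constructed EHLO reply bodies (not captured from the page's servers), in the
# form smtplib.SMTP.ehlo() returns them: greeting line first, one extension per line.
EHLO_WITH_TLS = (b"mta2.example.test Hello mta1.example.test [192.0.2.10], pleased to meet you\n"
                 b"ENHANCEDSTATUSCODES\nPIPELINING\n8BITMIME\nSTARTTLS\nHELP")
EHLO_WITHOUT_TLS = (b"mta2.example.test Hello mta1.example.test [192.0.2.10], pleased to meet you\n"
                    b"ENHANCEDSTATUSCODES\nPIPELINING\n8BITMIME\nHELP")


def parse_ehlo(ehlo_body):
    """Set of ESMTP keywords in an EHLO reply body: skip the greeting line, keep the
    first token of each remaining line ("SIZE 10240000" -> "SIZE")."""
    if isinstance(ehlo_body, bytes):
        ehlo_body = ehlo_body.decode("ascii", "replace")
    lines = ehlo_body.splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}

def supports_starttls(ehlo_body):
    """True when the relay advertises STARTTLS (the "250-STARTTLS" line seen in telnet)."""
    return "STARTTLS" in parse_ehlo(ehlo_body)

def encryption_ok(bits, minimum=MIN_BITS):
    """MTA1's rule: relay only if the negotiated key length meets the minimum."""
    return bits is not None and bits >= minimum

def defer_message(bits, minimum=MIN_BITS):
    """The deferral text from the page's mailq output, with the observed key length filled in."""
    return "403 4.7.0 encryption too weak %d less than %d" % (bits or 0, minimum)

def check_relay(host, port=25, minimum=MIN_BITS, timeout=10, context=None):
    """Live check (needs network, not used by the offline tests): EHLO the relay, upgrade
    with STARTTLS if offered, report the negotiated cipher and key length. The default
    context verifies the relay certificate, so a self-signed relay raises
    ssl.SSLCertVerificationError rather than being reported as a weak session."""
    context = context or ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, body = smtp.ehlo()
        if not supports_starttls(body):
            return {"starttls": False, "bits": None, "ok": False,
                    "status": defer_message(None, minimum)}
        smtp.starttls(context=context)
        smtp.ehlo()  # extensions must be re-read on the encrypted channel
        name, version, bits = smtp.sock.cipher()
        ok = encryption_ok(bits, minimum)
        return {"starttls": True, "cipher": name, "version": version, "bits": bits,
                "ok": ok, "status": None if ok else defer_message(bits, minimum)}
```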

* How to enable/disable TLS feature on sendmail?

Link related:

Written by adywicaksono

July 7, 2008 at 5:53 am

Posted in Linux, networking

2 Responses


  1. Boss, I'm sorry, coz my question is not related to the topic :D.
    i wanna ask 'bout living cost in singapore.
    how much is monthly living cost there ? ..
    included everything 😀

    thx a lot

    abe IF'ers

    August 5, 2008 at 8:55 am

  2. Sorry too, my comment is off topic.

    I heard you're moving to the UAE? 🙂 🙂


    August 20, 2008 at 9:01 am
