Encrypting Your Sendmail Traffic

Contributed by jose on 2003-03-16 from the your-land-security dept.

I don't think we've run this before, but it's something many of you may be interested in. RFC 2487 describes how an ESMTP extension allows for inter-MTA server traffic to be encrypted using TLS. OpenBSD has had this option for over a year on by default. It provides a handy way to authenticate another mail server and even for authentication for a user when they're on the road to allow for controlled relaying. Privacy can also be enhanced through the encryption of the session using the TLS method. If you're interested in setting this up in OpenBSD, there are two things you may want to read. The first is the starttls(8) manpage which takes you through STARTTLS basics and setup, and the second is a page put together by Niels Provos describing how to authenticate another server using STARTTLS. Of course, this can also be done in Qmail and Postfix, and most other modern MTAs you will have to integrate with.

(Comments are closed)

Comments

By Michael Anuzis () on 2003-03-16 01:21

now enabling this will enable encryption between any other MTA on the net that also supports TLS encryption?

do many general e-mail servers support this (would it really make a difference?)?

or is there more to it than that? --Michael
Comments
1. By tomd () on 2003-03-16 04:05
  
  From what I understand, it will enable encryption with any other MTA which supports the STARTTLS command. Can be _very_ useful. You can use it for authentication for relaying, among other things.
2. By jose () on 2003-03-16 04:35 http://monkey.org/~jose/
  
  i thought i covered this in the starttls(8) manpage ... basically, you can enable STARTTLS if possible (ie its presented as an ESMTP option when you say EHLO) or force it if you see it or even force it to specific hosts. "if you can't use STARTTLS, die." so, you can control it (along with various options, like algorithms and key sizes) on a per server basis. i think that by default enabling it will have it try and use it if available (and your certs can be verified to the right CAs).
By schubert () on 2003-03-16 09:11

to get qmail grokking tls, you need to get the patch for it, which also comes bundled with the auth-before-smtp patch if you google for it. Big thing to make sure you do besides reading the installation 3 times over, is to make sure you make your server cert right. Make sure the hostname in the cert matches the MX record from where you claim to be coming from. Otherwise your MTA might want to talk to another MTA and when you 2 try to start TLS and the other end doesn't like your cert he'll end discussion and your mail gets deferred in the queue.

So in otherwords... don't do this on a friday afternoon :-)
Comments
1. By Anonymous Coward () on 2003-03-16 13:35
  
  Works perfectly with starttls, smtp_auth and ldap here.
  
  http://students.imsa.edu/~ngroot/qmail-1.03-starttls-smtp-auth.patch
  http://qmail.bayour.com/patches_ldap/qmail-patches-20030306.tgz
2. By Michal Ludvig () michal-at-logix-dot-cz on 2003-03-19 16:34 mailto:michal-at-logix-dot-cz
  
  Here is the STARTTLS patch itself, not bundled with other patches. Usefull for those who already have some patches in their Qmail...
  
  http://www.logix.cz/~mic/devel/qmail/qmail-tls.patch
3. By Michal Ludvig () michal-at-logix-dot-cz on 2003-03-19 16:35 mailto:michal-at-logix-dot-cz
  
  Here is the STARTTLS patch itself, not bundled with other patches. Usefull for those who already have some patches in their Qmail...
  http://www.logix.cz/~mic/devel/qmail/qmail-tls.patch
  (Once again with active URL...)
By Alex () Alexander.Farber@t-online.de on 2003-03-16 11:01 mailto:Alexander.Farber@t-online.de

Hi,

I've enbaled that on my OpenBSD 3.2-stable PC and
can see STARTTLS when sending EHLO to localhost.

But when I use it from Outlook Express for
Win XP HE, I get this in the maillog:

Mar 16 11:56:33 pref sm-mta[7326]: STARTTLS=server, error: accept failed=0, SSL_error=5, timedout=0
Mar 16 11:56:33 pref sm-mta[7326]: h2GAuXOS007326: newhope [192.168.1.32] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Can't Outlook Express use it?

Regards
Alex
Comments
1. By Anonymous Coward () on 2003-03-16 11:41
  
  You need to click on certificate warnings in outlook express few times..
2. By David Whitehouse () dww@whiteware.com on 2003-01-11 14:53 whiteware.com
  
  Did you ever figure this out?
  
  We have exactly the same problem in Outlook 2003 and I've not found any help!
  
  Thanks

Latest Articles

Tue, Apr 23
- 05:25 pfctl(8) and systat(8) to display fragment reassembly statistics (0)
Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (11)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]