OpenBSD Journal

Encrypting Your Sendmail Traffic

Contributed by jose on from the your-land-security dept.

I don't think we've run this before, but it's something many of you may be interested in. RFC 2487 describes how an ESMTP extension allows for inter-MTA server traffic to be encrypted using TLS. OpenBSD has had this option for over a year on by default. It provides a handy way to authenticate another mail server and even for authentication for a user when they're on the road to allow for controlled relaying. Privacy can also be enhanced through the encryption of the session using the TLS method. If you're interested in setting this up in OpenBSD, there are two things you may want to read. The first is the starttls(8) manpage which takes you through STARTTLS basics and setup, and the second is a page put together by Niels Provos describing how to authenticate another server using STARTTLS. Of course, this can also be done in Qmail and Postfix, and most other modern MTAs you will have to integrate with.

(Comments are closed)

  1. By Michael Anuzis () on

    now enabling this will enable encryption between any other MTA on the net that also supports TLS encryption?

    do many general e-mail servers support this (would it really make a difference?)?

    or is there more to it than that? --Michael

    1. By tomd () on

      From what I understand, it will enable encryption with any other MTA which supports the STARTTLS command. Can be _very_ useful. You can use it for authentication for relaying, among other things.

    2. By jose () on

      i thought i covered this in the starttls(8) manpage ... basically, you can enable STARTTLS if possible (ie its presented as an ESMTP option when you say EHLO) or force it if you see it or even force it to specific hosts. "if you can't use STARTTLS, die." so, you can control it (along with various options, like algorithms and key sizes) on a per server basis. i think that by default enabling it will have it try and use it if available (and your certs can be verified to the right CAs).

  2. By schubert () on

    to get qmail grokking tls, you need to get the patch for it, which also comes bundled with the auth-before-smtp patch if you google for it. Big thing to make sure you do besides reading the installation 3 times over, is to make sure you make your server cert right. Make sure the hostname in the cert matches the MX record from where you claim to be coming from. Otherwise your MTA might want to talk to another MTA and when you 2 try to start TLS and the other end doesn't like your cert he'll end discussion and your mail gets deferred in the queue.

    So in otherwords... don't do this on a friday afternoon :-)

    1. By Anonymous Coward () on

      Works perfectly with starttls, smtp_auth and ldap here.

    2. By Michal Ludvig () michal-at-logix-dot-cz on mailto:michal-at-logix-dot-cz

      Here is the STARTTLS patch itself, not bundled with other patches. Usefull for those who already have some patches in their Qmail...

  3. By Alex () on


    I've enbaled that on my OpenBSD 3.2-stable PC and
    can see STARTTLS when sending EHLO to localhost.

    But when I use it from Outlook Express for
    Win XP HE, I get this in the maillog:

    Mar 16 11:56:33 pref sm-mta[7326]: STARTTLS=server, error: accept failed=0, SSL_error=5, timedout=0
    Mar 16 11:56:33 pref sm-mta[7326]: h2GAuXOS007326: newhope [] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

    Can't Outlook Express use it?


    1. By Anonymous Coward () on

      You need to click on certificate warnings in outlook express few times..

    2. By David Whitehouse () on

      Did you ever figure this out?

      We have exactly the same problem in Outlook 2003 and I've not found any help!


Latest Articles


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]