Difference between revisions of "TLS Disable"
(Update to correct for server name NOT domain name and to provide more detail, including client vs. server and links to external documentation.)
(6 intermediate revisions by 3 users not shown)
Latest revision as of 09:48, 16 February 2018
Disabling TLS
You can force Sendmail to avoid using TLS.
First consider whether Sendmail is acting as a client or a server. When Sendmail is receiving an incoming connection from a Mail Transport Agent, it answers as a server. When Sendmail is sending a message to a Mail Transport Agent (e.g. an outbound email), it connects as a client.
Disabling as a client
Sendmail uses TLS opportunistically. When Sendmail connects to a server that advertises TLS (250-STARTTLS in its reply to the Extended HELLO, EHLO), it will use TLS.
To force Sendmail to avoid using TLS (e.g. if there is a problem with TLS handshake negotiation), follow these steps:
In /etc/mail/access, add a line using the server name:
Try_TLS:example.server NO
NOTE: example.server will be the server name, NOT the domain name. Consider this log entry:
2018-02-15T14:28:09.293840-06:00 mailserver sendmail[24164]: w1FJpcv5021072: to=<someone@exampledomain.com>, delay=00:36:30, xdelay=00:00:01, mailer=esmtp, pri=572428, relay=luna.bagoona.com. [123.45.67.89], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.
In this example the recipient domain name is exampledomain.com but the server name is luna.bagoona.com. Try_TLS:bagoona.com will work for luna.bagoona.com and any other hostname in the bagoona.com domain.
Make sure you do not put this in the section of the access file controlled by CanIt. When CanIt manages /etc/mail/access, it keeps its changes at the end. Anything following this line:
# DO NOT EDIT BELOW THIS LINE: CANIT MAY DELETE CHANGES BELOW THIS LINE
... will be removed the next time CanIt updates this file.
Then run the following command as root:
make -C /etc/mail
... and afterward, reload or restart sendmail:
/etc/init.d/sendmail restart
Disabling as a server
When Sendmail answers an incoming connection and TLS has been properly configured, Sendmail advertises STARTTLS to the client.
To force Sendmail to avoid advertising TLS for certain clients (e.g. if there are handshake negotiation problems), follow these steps:
In /etc/mail/access, add a line using the connecting client's hostname:
Srv_Features:example.server S
NOTE: example.server will be the client's hostname, NOT the sender's domain name. As an example, an email from someone@thebigcheese.com may come from a client with hostname outbound.cheddar.com. Srv_Features:cheddar.com S will work for outbound.cheddar.com and any other hostname in the cheddar.com domain.
Make sure you do not put this in the section of the access file controlled by CanIt. When CanIt manages /etc/mail/access, it keeps its changes at the end. Anything following this line:
# DO NOT EDIT BELOW THIS LINE: CANIT MAY DELETE CHANGES BELOW THIS LINE
... will be removed the next time CanIt updates this file.
Then run the following command as root:
make -C /etc/mail
... and afterward, reload or restart sendmail:
/etc/init.d/sendmail restart
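The client-side and server-side procedures above differ only in the access-map tag (Try_TLS: ... NO for outbound connections, Srv_Features: ... S for inbound ones) and share the same two pitfalls: the key must be the peer's hostname taken from the log, not the mail domain, and the entry must sit above the CanIt marker line or it will be deleted on the next update. The shell helpers below are an added example for both sections, not code from this wiki page, from CanIt or from Sendmail. They assume a POSIX sh with awk and sed, the marker text quoted above, and the page's deferred-delivery log line (copied here as a constructed sample); every function takes the access file path as a parameter, and the demo works on a temporary file, so nothing touches the live /etc/mail/access. The suffix matching in access_key_matches is a simplified model of the domain matching the page describes, not Sendmail's exact lookup order.

```shell
#!/bin/sh
# Added example (not from the wiki page, CanIt or Sendmail): helpers for placing
# Sendmail access-map TLS overrides above the CanIt-managed section. File paths are
# parameters and the demo uses a temporary file, so the live access file is untouched.

CANIT_MARKER='# DO NOT EDIT BELOW THIS LINE: CANIT MAY DELETE CHANGES BELOW THIS LINE'

# Constructed sample: the page's deferred-delivery log line, with sendmail's usual
# trailing dot after the relay hostname.
SAMPLE_LOG='2018-02-15T14:28:09.293840-06:00 mailserver sendmail[24164]: w1FJpcv5021072: to=<someone@exampledomain.com>, delay=00:36:30, xdelay=00:00:01, mailer=esmtp, pri=572428, relay=luna.bagoona.com. [123.45.67.89], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.'

# relay_host_from_log LINE
# Print the "relay=" hostname from a sendmail delivery log line, minus the trailing
# dot. This is the server name a Try_TLS: key needs; the "to=" domain is not it.
relay_host_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*relay=\([^ ,]*\).*/\1/p' | sed 's/\.$//'
}

# access_key_matches KEY HOST
# Return 0 when a key such as Try_TLS:bagoona.com or Srv_Features:cheddar.com covers
# HOST: the host itself, or any host inside that domain. Simplified model of the
# matching the page describes (an assumption; real sendmail also tries IP addresses).
access_key_matches() {
    mk=${1#*:}                       # drop the Try_TLS: / Srv_Features: tag
    [ "$2" = "$mk" ] && return 0
    case "$2" in
        *."$mk") return 0 ;;
    esac
    return 1
}

# access_add_above_marker FILE ENTRY
# Insert ENTRY (e.g. 'Try_TLS:luna.bagoona.com NO') directly above the CanIt marker
# so the next CanIt update keeps it; append when the file has no marker. If the key
# is already present the file is left alone and the function returns 1.
access_add_above_marker() {
    af=$1; entry=$2
    ak=${entry%%[[:space:]]*}        # the key: everything before the first blank/tab
    if awk -v k="$ak" '$1 == k { f = 1 } END { exit !f }' "$af" 2>/dev/null; then
        return 1
    fi
    if grep -qxF "$CANIT_MARKER" "$af" 2>/dev/null; then
        tmp=$(mktemp)
        awk -v m="$CANIT_MARKER" -v e="$entry" '$0 == m { print e } { print }' "$af" > "$tmp"
        cat "$tmp" > "$af"           # overwrite in place so owner and mode are kept
        rm -f "$tmp"
    else
        printf '%s\n' "$entry" >> "$af"
    fi
}

# access_entry_above_marker FILE KEY
# Exit 0 if KEY sits above the marker (safe), 1 if it is below it (CanIt will delete
# it), 2 if it is not in the file at all. Useful for auditing an existing file.
access_entry_above_marker() {
    awk -v k="$2" -v m="$CANIT_MARKER" '
        $0 == m { marker = 1 }
        $1 == k && !found { found = 1; status = marker ? 1 : 0 }
        END { exit found ? status : 2 }' "$1"
}

# Demo on a constructed access file: take the relay host from the log line, add the
# client-side override for that one server and a server-side override for a client
# domain, then print the file to show both landed above the marker.
demo() {
    demo_file=$(mktemp)
    printf '%s\n' 'Connect:127.0.0.1 RELAY' "$CANIT_MARKER" 'Connect:203.0.113.9 REJECT' > "$demo_file"
    host=$(relay_host_from_log "$SAMPLE_LOG")
    access_add_above_marker "$demo_file" "Try_TLS:$host NO"
    access_add_above_marker "$demo_file" 'Srv_Features:cheddar.com S'
    cat "$demo_file"
    rm -f "$demo_file"
}
demo
```

After inserting an entry into the live /etc/mail/access you still run make -C /etc/mail and restart sendmail as described above. Keep the key as narrow as the problem: a Try_TLS ... NO entry sends mail to the named server in cleartext and an S feature does the same for mail received from the named client, so a whole-domain key such as Try_TLS:bagoona.com downgrades every host in that domain, while Try_TLS:luna.bagoona.com affects only the one that fails the handshake.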
Further Reading
For more information, see:
https://www.sendmail.org/~ca/email/doc8.12/cf/m4/starttls.html
... and/or ...
http://etutorials.org/Server+Administration/Sendmail/Part+III+The+Configuration+File/Chapter+19.+The+S+Rule+Sets+Configuration+Command/srv_features/