Difference between revisions of "TLS Disable"

From Roaring Penguin
(Update to correct for server name NOT domain name and to provide more detail, including client vs. server and links to external documentation.)
 

Latest revision as of 10:48, 16 February 2018

Disabling TLS

You can force Sendmail to avoid using TLS.

First consider whether Sendmail is acting as a client or server. When Sendmail is receiving an incoming connection from a Mail Transport Agent, it answers as a server. When Sendmail is sending a message to a Mail Transport Agent (e.g. an outbound email) it connects as a client.

Disabling as a client

Sendmail uses TLS opportunistically. When Sendmail connects to a server that advertises TLS (250-STARTTLS in the Extended HELLO, i.e. the EHLO response) it will use TLS.

To force Sendmail to avoid using TLS (e.g. if there is a problem with TLS handshake negotiation), follow these steps:

In /etc/mail/access, add a line using the server name:

  Try_TLS:example.server    NO

NOTE: example.server will be the server name, NOT the domain name. Consider this log entry:

  2018-02-15T14:28:09.293840-06:00 mailserver sendmail[24164]: w1FJpcv5021072: to=<someone@exampledomain.com>, delay=00:36:30, xdelay=00:00:01, mailer=esmtp, pri=572428, relay=luna.bagoona.com. [123.45.67.89], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.

In this example the recipient domain name is exampledomain.com but the server name is luna.bagoona.com. Try_TLS:bagoona.com will work for luna.bagoona.com and any other hostname in the bagoona.com domain.

Make sure you do not put this in the section of the access file controlled by CanIt. When CanIt manages /etc/mail/access, it keeps its changes at the end. Anything following this line:

  # DO NOT EDIT BELOW THIS LINE: CANIT MAY DELETE CHANGES BELOW THIS LINE

... will be removed the next time CanIt updates this file.

Then run the following command as root:

  make -C /etc/mail

... and afterward, reload or restart sendmail:

  /etc/init.d/sendmail restart

Disabling as a server

When Sendmail answers an incoming connection, if TLS has been properly configured then Sendmail will advertise STARTTLS to the client.

To force Sendmail to avoid advertising TLS for certain clients (e.g. if there are handshake negotiation problems), follow these steps:

In /etc/mail/access, add a line using the server name:

  Srv_Features:example.server   S

NOTE: example.server will be the client's hostname, NOT the sender's domain name. As an example, an email from someone@thebigcheese.com may come from a client with hostname outbound.cheddar.com. Srv_Features:cheddar.com S will work for outbound.cheddar.com and any other hostname in the cheddar.com domain.

Make sure you do not put this in the section of the access file controlled by CanIt. When CanIt manages /etc/mail/access, it keeps its changes at the end. Anything following this line:

  # DO NOT EDIT BELOW THIS LINE: CANIT MAY DELETE CHANGES BELOW THIS LINE

... will be removed the next time CanIt updates this file.

Then run the following command as root:

  make -C /etc/mail

... and afterward, reload or restart sendmail:

  /etc/init.d/sendmail restart
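The two procedures above (Try_TLS for the client case, Srv_Features for the server case) share the same mistakes in practice: using the recipient or sender domain instead of the relay or client hostname, and placing the entry below the CanIt marker. The following helper, added here as an example and not code from Roaring Penguin or the Sendmail project, extracts the relay hostname from a deferral log line of the shape shown above, builds the matching access entry, inserts it above the CanIt marker, and reports any manual TLS entries that already sit below that marker. The log line and access file contents are constructed samples.

```python
import re

# Constructed sample log line, in the same shape as the deferral shown above.
SAMPLE_LOG = ("2018-02-15T14:28:09.293840-06:00 mailserver sendmail[24164]: w1FJpcv5021072: "
              "to=<someone@exampledomain.com>, delay=00:36:30, xdelay=00:00:01, mailer=esmtp, "
              "pri=572428, relay=luna.bagoona.com. [123.45.67.89], dsn=4.0.0, "
              "stat=Deferred: 403 4.7.0 TLS handshake failed.")

CANIT_MARKER = "# DO NOT EDIT BELOW THIS LINE: CANIT MAY DELETE CHANGES BELOW THIS LINE"

# Pull the recipient domain, the relay host (the server actually contacted) and the status.
LOG_RE = re.compile(r"to=<[^@>]+@(?P<domain>[^>]+)>.*?relay=(?P<relay>[^\s\[]+) \[.*?stat=(?P<stat>.*)$")

def parse_deferral(line):
    """Return (recipient_domain, relay_host, stat) from an esmtp log line, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Sendmail logs the relay as a fully qualified name with a trailing dot; drop it.
    return m.group("domain"), m.group("relay").rstrip("."), m.group("stat")

def try_tls_entry(relay_host, whole_domain=False):
    """Client side: Try_TLS entry keyed on the server name, or on its parent domain if requested."""
    parts = relay_host.split(".", 1)
    key = parts[1] if whole_domain and len(parts) == 2 else relay_host
    return f"Try_TLS:{key}\tNO"

def srv_features_entry(client_host):
    """Server side: Srv_Features entry keyed on the connecting client's hostname or domain."""
    return f"Srv_Features:{client_host}\tS"

def add_entry(access_text, entry):
    """Insert entry just above the CanIt marker (or append when the file has no marker)."""
    lines = access_text.splitlines()
    if entry in lines:
        return access_text  # already present, nothing to do
    idx = lines.index(CANIT_MARKER) if CANIT_MARKER in lines else len(lines)
    lines.insert(idx, entry)
    return "\n".join(lines) + "\n"

def entries_at_risk(access_text):
    """Manual TLS entries below the CanIt marker; CanIt removes these on its next update."""
    lines = access_text.splitlines()
    if CANIT_MARKER not in lines:
        return []
    below = lines[lines.index(CANIT_MARKER) + 1:]
    return [l for l in below if l.startswith(("Try_TLS:", "Srv_Features:"))]

if __name__ == "__main__":
    domain, relay, stat = parse_deferral(SAMPLE_LOG)
    print(f"recipient domain={domain} relay={relay} stat={stat}")
    print(try_tls_entry(relay), "|", try_tls_entry(relay, whole_domain=True))
```

After editing the real file, `make -C /etc/mail` and the sendmail restart from the steps above are still required for the new entry to take effect.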

Further Reading

For more information, see:

  https://www.sendmail.org/~ca/email/doc8.12/cf/m4/starttls.html

... and/or ...

  http://etutorials.org/Server+Administration/Sendmail/Part+III+The+Configuration+File/Chapter+19.+The+S+Rule+Sets+Configuration+Command/srv_features/