TLS Disable

From Roaring Penguin

Disabling TLS

You can force Sendmail to avoid using TLS.

First consider whether Sendmail is acting as a client or server. When Sendmail is receiving an incoming connection from a Mail Transport Agent, it answers as a server. When Sendmail is sending a message to a Mail Transport Agent (e.g. an outbound email) it connects as a client.

Disabling as a client

Sendmail uses TLS opportunistically. When Sendmail connects to a server that advertises TLS (a 250-STARTTLS line in the response to EHLO, the Extended HELLO command) it will use TLS.

To force Sendmail to avoid using TLS (e.g. if there is a problem with TLS handshake negotiation), follow these steps:

In /etc/mail/access, add a line using the server name:

  Try_TLS:example.server    NO

NOTE: example.server will be the hostname of the relay server, NOT the recipient's domain name. Consider this log entry:

  2018-02-15T14:28:09.293840-06:00 mailserver sendmail[24164]: w1FJpcv5021072: to=<someone@exampledomain.com>, delay=00:36:30, xdelay=00:00:01, mailer=esmtp, pri=572428, relay=luna.bagoona.com. [123.45.67.89], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.

In this example the recipient domain name is exampledomain.com but the server name is luna.bagoona.com. Try_TLS:bagoona.com will work for luna.bagoona.com and any other hostname in the bagoona.com domain.

Make sure you do not put this in the section of the access file controlled by CanIt. When CanIt manages /etc/mail/access, it keeps its changes at the end. Anything following this line:

  # DO NOT EDIT BELOW THIS LINE: CANIT MAY DELETE CHANGES BELOW THIS LINE

... will be removed the next time CanIt updates this file.

Then run the following command as root:

  make -C /etc/mail

... and afterward, reload or restart sendmail:

  /etc/init.d/sendmail restart

Disabling as a server

When Sendmail answers an incoming connection, if TLS has been properly configured then Sendmail will advertise STARTTLS to the client.

To force Sendmail to avoid advertising TLS for certain clients (e.g. if there are handshake negotiation problems), follow these steps:

In /etc/mail/access, add a line using the connecting client's hostname:

  Srv_Features:example.server   S

NOTE: example.server will be the client's hostname, NOT the sender's domain name. As an example, an email from someone@thebigcheese.com may come from a client with hostname outbound.cheddar.com. Srv_Features:cheddar.com S will work for outbound.cheddar.com and any other hostname in the cheddar.com domain.

Make sure you do not put this in the section of the access file controlled by CanIt. When CanIt manages /etc/mail/access, it keeps its changes at the end. Anything following this line:

  # DO NOT EDIT BELOW THIS LINE: CANIT MAY DELETE CHANGES BELOW THIS LINE

... will be removed the next time CanIt updates this file.

Then run the following command as root:

  make -C /etc/mail

... and afterward, reload or restart sendmail:

  /etc/init.d/sendmail restart
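The client and server procedures above share the same three steps: put the entry in the part of /etc/mail/access that CanIt does not manage, rebuild the map, restart Sendmail. As an added example (not code from this page, from Sendmail or from CanIt), the POSIX shell helper below performs the first step safely: it inserts a Try_TLS or Srv_Features entry directly above CanIt's marker line (or appends it when there is no marker), leaves an entry that already exists alone, and refuses with a message when the entry sits in the CanIt-managed section where the next update would delete it. The function names, the tab separator and the constructed sample entries are assumptions; the access file path, the marker text and the make/restart commands are the page's own.

```shell
#!/bin/sh
# Added example for this page; not part of Sendmail or CanIt.
# Inserts access-map entries above CanIt's marker so they survive CanIt updates.

# Marker text quoted from the page; everything below it belongs to CanIt.
CANIT_MARKER='# DO NOT EDIT BELOW THIS LINE: CANIT MAY DELETE CHANGES BELOW THIS LINE'

# entry_position FILE KEY
#   Prints "above" if KEY has an entry above the marker, "below" if its entry
#   is in the CanIt-managed section, "absent" if the file has no entry for it.
#   A key matches only when followed by whitespace, so Try_TLS:a.example does
#   not match Try_TLS:a.example.net.
entry_position() {
    file=$1; key=$2
    awk -v marker="$CANIT_MARKER" -v key="$key" '
        $0 == marker { seen = 1 }
        index($0, key) == 1 && substr($0, length(key) + 1, 1) ~ /[ \t]/ {
            print (seen ? "below" : "above"); found = 1; exit
        }
        END { if (!found) print "absent" }
    ' "$file"
}

# add_access_entry FILE KEY VALUE
#   e.g. add_access_entry /etc/mail/access 'Try_TLS:luna.bagoona.com' NO
#        add_access_entry /etc/mail/access 'Srv_Features:outbound.cheddar.com' S
#   Returns 0 when the entry is present above the marker afterwards, 1 when an
#   existing entry is in the CanIt-managed section and must be moved by hand.
add_access_entry() {
    file=$1; key=$2; value=$3
    entry="$(printf '%s\t%s' "$key" "$value")"   # tab-separated, as makemap accepts

    case "$(entry_position "$file" "$key")" in
        above) return 0 ;;                      # already in place, nothing to do
        below)
            echo "$key: entry is below the CanIt marker and will be deleted; move it above" >&2
            return 1 ;;
    esac

    if awk -v marker="$CANIT_MARKER" '$0 == marker { f = 1 } END { exit !f }' "$file"; then
        # Marker present: emit the entry once, just before the first marker line.
        tmp="$file.tmp.$$"
        awk -v marker="$CANIT_MARKER" -v entry="$entry" '
            !done && $0 == marker { print entry; done = 1 }
            { print }
        ' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        # No CanIt marker: the whole file is ours, append at the end.
        printf '%s\n' "$entry" >> "$file"
    fi
}

# rebuild_and_restart
#   The page's remaining two steps, run as root after editing the access file.
rebuild_and_restart() {
    make -C /etc/mail && /etc/init.d/sendmail restart
}

# Typical use on a live system (run as root):
#   add_access_entry /etc/mail/access 'Try_TLS:luna.bagoona.com' NO && rebuild_and_restart
```

Keying the entry on the exact relay hostname from the log (luna.bagoona.com) rather than the parent domain keeps the cleartext exception limited to the one peer that actually fails the handshake; the domain-wide form from the page is available when several hosts in that domain share the problem.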

Further Reading

For more information, see:

  https://www.sendmail.org/~ca/email/doc8.12/cf/m4/starttls.html

... and/or ...

  http://etutorials.org/Server+Administration/Sendmail/Part+III+The+Configuration+File/Chapter+19.+The+S+Rule+Sets+Configuration+Command/srv_features/