TLS Enable

From Roaring Penguin
Latest revision as of 14:36, 7 December 2017

Installing Certificates

Most visitors to this page are probably aiming to get their CanIt server to offer STARTTLS. If that is the case, please visit this page:

Install_Certificate_in_CanIt

NOTE: After following the page above, you may still need to add the /etc/mail/tls/starttls.m4 include line to your /etc/mail/sendmail.mc file. Those steps are given below under "Enabling TLS in sendmail.mc" and are also included on the above page.

TLS settings for specific domains

To require TLS for mail exchanged with a specific domain, add that domain's TLS requirement to CanIt on every host: edit /etc/mail/access on all machines, run "make -C /etc/mail" to rebuild the binary database, and restart Sendmail. The requirement is expressed with Sendmail's TLS_Srv: and TLS_Clt: access-map keys, for example TLS_Srv:example.com ENCR:168 for outbound mail (CanIt is the client delivering to example.com) and TLS_Clt:example.com ENCR:168 for inbound mail (a host in example.com is the client connecting to CanIt), where the number is the minimum key length in bits. Check with example.com what key length it supports, because if Sendmail cannot negotiate a session that meets the requirement, mail to or from that domain bounces.

Enabling TLS in sendmail.mc

This is a Sendmail function. First, you need to make sure that STARTTLS is enabled on your server. You do that by putting this line:

   include(`/etc/mail/tls/starttls.m4')dnl

in /etc/mail/sendmail.mc somewhere before the MAILER(`local')dnl line.


NOTE: Look closely at the beginning: include(`. The character after the open parenthesis is a back-tick (the unshifted key next to ESC on most 105-key US keyboard layouts; Shift on that same key gives the tilde). This is important: m4 uses ` and ' as its opening and closing quote characters, so an ordinary single quote in that position is not parsed as intended. Also note that if you copy-paste from above, your copy-paste may convert the back-tick to a single quote. Watch out for this.

Then type:

   make -C /etc/mail && /etc/init.d/sendmail restart

You need to do this on all hosts. To make sure it's working, telnet to your machine on port 25 and type:

   EHLO test

If it is working, you should see "250-STARTTLS" in the server's response.

The details are here: http://www.sendmail.org/~ca/email/starttls.html
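As an added example (not code from the Roaring Penguin page or from CanIt), the shell script below checks the two things the steps above depend on: that sendmail.mc carries the starttls.m4 include line verbatim, with an ASCII back-tick and before the first MAILER(...) line, and that a captured EHLO reply advertises STARTTLS. The sample sendmail.mc files, the EHLO reply and the temporary paths are constructed here so it runs without a real Sendmail install; on a real host you would point check_starttls_include at /etc/mail/sendmail.mc.

```shell
#!/bin/sh
# Added example, not code from the Roaring Penguin page or from CanIt.
# Checks (1) that sendmail.mc carries the starttls.m4 include line verbatim,
# with an ASCII back-tick, before the first MAILER(...) line, and (2) that a
# captured EHLO reply advertises STARTTLS. All sample files and the reply
# below are constructed for the example.

# The line the page asks for. The back-tick is ASCII 0x60, not ' or a curly quote.
INCLUDE_LINE='include(`/etc/mail/tls/starttls.m4'"'"')dnl'

# Report the state of the include line in a sendmail.mc file:
#   ok | missing | mangled | after-mailer
check_starttls_include() {
    mc="$1"
    # -F -x: the whole line must equal INCLUDE_LINE byte for byte.
    good=$(grep -n -F -x "$INCLUDE_LINE" "$mc" | head -n 1 | cut -d: -f1)
    mailer=$(grep -n '^MAILER(' "$mc" | head -n 1 | cut -d: -f1)
    if [ -n "$good" ]; then
        if [ -n "$mailer" ] && [ "$good" -gt "$mailer" ]; then
            echo after-mailer     # present, but after MAILER(...): move it up
        else
            echo ok
        fi
    elif grep -q 'starttls\.m4' "$mc"; then
        # The path is there but the line is not verbatim; the usual cause is a
        # copy-paste that replaced the back-tick with a quote character.
        echo mangled
    else
        echo missing
    fi
}

# Succeed only if a captured EHLO reply advertises STARTTLS, either as
# "250-STARTTLS" inside the list or "250 STARTTLS" as its last line.
ehlo_advertises_starttls() {
    printf '%s\n' "$1" | grep -q '^250[- ]STARTTLS[[:space:]]*$'
}

# Constructed sendmail.mc samples: $1 = good|pasted|late|none, $2 = destination
write_sample_mc() {
    case "$1" in
        good)   printf '%s\n' 'divert(-1)' "$INCLUDE_LINE" 'MAILER(`local'"'"')dnl' ;;
        pasted) printf '%s\n' "include('/etc/mail/tls/starttls.m4')dnl" 'MAILER(`local'"'"')dnl' ;;
        late)   printf '%s\n' 'MAILER(`local'"'"')dnl' "$INCLUDE_LINE" ;;
        none)   printf '%s\n' 'divert(-1)' 'MAILER(`local'"'"')dnl' ;;
    esac > "$2"
}

# Demo over the constructed samples (real use: check_starttls_include /etc/mail/sendmail.mc)
dir=$(mktemp -d)
for kind in good pasted late none; do
    write_sample_mc "$kind" "$dir/$kind.mc"
    printf '%-7s %s\n' "$kind:" "$(check_starttls_include "$dir/$kind.mc")"
done
rm -r "$dir"

# Constructed EHLO reply, as seen after "telnet host 25" and "EHLO test".
reply=$(printf '250-mail.example.com Hello test\r\n250-STARTTLS\r\n250 HELP\r\n')
if ehlo_advertises_starttls "$reply"; then
    echo "EHLO reply: STARTTLS offered"
else
    echo "EHLO reply: STARTTLS missing - check sendmail.mc, rebuild and restart"
fi
```

A result of "mangled" or "after-mailer" means the line is present but Sendmail will not pick it up as intended; fix the line, then run the make and restart step from the page and repeat the EHLO test on every cluster host. Instead of telnet, `openssl s_client -starttls smtp -connect host:25` also performs the handshake itself, which additionally shows the certificate the server presents.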


Testing TLS in CanIt

If you see log lines similar to this:

  2014-05-26T00:00:00.588066-04:00 colo10 sm-mta[14920]:
  STARTTLS=server, relay=mail.example.com [192.168.1.1],
  version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA,
  bits=256/256

It means that an encrypted connection has been negotiated. STARTTLS=server means CanIt is acting as the server, i.e. mail.example.com connected to us. verify=NOT means that we did not ask the connecting host for a certificate. cipher=DHE-RSA-AES256-SHA is the cipher that was chosen, and bits=256/256 means that a 256-bit key was negotiated out of the 256 bits that cipher supports.

If you see something like this:

  2014-05-26T00:00:01.974059-04:00 colo10 sm-mta[14924]:
  STARTTLS=client, relay=mail.example.com.,
  version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128

STARTTLS=client means CanIt is acting as the client. This line says that we successfully negotiated a 128-bit encrypted connection to mail.example.com using the AES128-SHA cipher, but failed to validate its certificate. We still encrypt anyway; that is opportunistic encryption. It defeats passive eavesdropping, but since verify=FAIL is not treated as an error, an active attacker who intercepts the connection and presents any certificate would not be detected.

It should be safe to enable STARTTLS on all your cluster members.
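The following shell script is an added example that serves both the "TLS settings for specific domains" section and the log lines above; it is not code from the Roaring Penguin page or from CanIt. It parses Sendmail STARTTLS log lines of the shape quoted above into role, relay host, verify result and negotiated bits, uses them to judge whether an ENCR:<bits> requirement for a domain is safe to enforce (every session seen with that domain negotiated at least that many bits), and then appends the TLS_Srv:/TLS_Clt: entries to an access file once, idempotently. The log lines and host names are constructed, and the access file is a temporary stand-in for /etc/mail/access.

```shell
#!/bin/sh
# Added example for the per-domain TLS requirement and the STARTTLS log
# sections; not code from the Roaring Penguin page or from CanIt. The log
# lines, host names and the temporary access file are constructed here.

# Extract one key=value field from a Sendmail STARTTLS log line.
# Usage: field "$line" bits   -> prints e.g. 256/256 (nothing if absent)
field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\([^,]*\).*/\1/p"
}

# Bare host name of the relay: drop the " [ip]" part and any trailing dot.
relay_host() {
    printf '%s\n' "$1" | sed 's/ .*//; s/\.$//'
}

# Does host $1 belong to domain $2 (the domain itself or a host under it)?
in_domain() {
    case "$1" in
        "$2"|*."$2") return 0 ;;
        *)           return 1 ;;
    esac
}

# One line per STARTTLS session in a log file: <role> <host> <verify> <bits>
tls_summary() {
    while IFS= read -r line; do
        role=$(field "$line" STARTTLS)
        [ -n "$role" ] || continue            # not a STARTTLS= line, skip it
        host=$(relay_host "$(field "$line" relay)")
        verify=$(field "$line" verify)
        bits=$(field "$line" bits)
        printf '%s %s %s %s\n' "$role" "$host" "$verify" "${bits%%/*}"
    done < "$1"
}

# Would "ENCR:$2" for domain $1 be safe, judging from log file $3?
# Prints ok, unsafe or no-data. Only sessions that did negotiate TLS appear
# in STARTTLS= lines, so "ok" is necessary, not sufficient: a peer that never
# offers STARTTLS at all is invisible here and would bounce once enforced.
safe_to_require() {
    tmp=$(mktemp)
    tls_summary "$3" > "$tmp"
    seen=0; weak=0
    while read -r role host verify bits; do
        in_domain "$host" "$1" || continue
        seen=$((seen + 1))
        if [ -z "$bits" ] || [ "$bits" -lt "$2" ]; then weak=$((weak + 1)); fi
    done < "$tmp"
    rm -f "$tmp"
    if [ "$seen" -eq 0 ]; then echo no-data
    elif [ "$weak" -gt 0 ]; then echo unsafe
    else echo ok
    fi
}

# The two access-map entries. TLS_Srv: applies when we are the client
# delivering to the domain (outbound); TLS_Clt: when a host in the domain
# connects to us (inbound).
access_entries() {
    printf 'TLS_Srv:%s\tENCR:%s\nTLS_Clt:%s\tENCR:%s\n' "$1" "$2" "$1" "$2"
}

# Append the entries once (idempotent). $1 = domain, $2 = bits, $3 = access file
add_requirement() {
    if grep -q "^TLS_Srv:$1[[:space:]]" "$3" 2>/dev/null; then
        echo "already present: $1"
        return 0
    fi
    access_entries "$1" "$2" >> "$3"
    echo "added: $1 ENCR:$2 (now run: make -C /etc/mail && /etc/init.d/sendmail restart)"
}

# Constructed log in the format quoted above (not real traffic). $1 = destination
write_sample_log() {
    cat > "$1" <<'EOF'
2014-05-26T00:00:00.588066-04:00 colo10 sm-mta[14920]: STARTTLS=server, relay=mail.example.com [192.168.1.1], version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
2014-05-26T00:00:01.974059-04:00 colo10 sm-mta[14924]: STARTTLS=client, relay=mail.example.com., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128
2014-05-26T00:00:02.100000-04:00 colo10 sm-mta[14930]: STARTTLS=client, relay=mx.example.net., version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
2014-05-26T00:00:03.000000-04:00 colo10 sm-mta[14931]: s4Q400003 to=<user@example.org>, delay=00:00:01, mailer=esmtp, stat=Sent
EOF
}

# Demo
LOG=$(mktemp); write_sample_log "$LOG"
echo "role host verify bits"; tls_summary "$LOG"
for d in example.com example.net example.org; do
    printf '%s ENCR:168 -> %s\n' "$d" "$(safe_to_require "$d" 168 "$LOG")"
done
ACCESS=$(mktemp)                     # stand-in for /etc/mail/access
add_requirement example.net 168 "$ACCESS"
add_requirement example.net 168 "$ACCESS"   # second call is a no-op
cat "$ACCESS"
rm -f "$LOG" "$ACCESS"
```

With the constructed log, example.com comes out "unsafe" for ENCR:168 because one of its sessions only negotiated 128 bits, example.net comes out "ok", and example.org has no STARTTLS sessions at all, so the script reports "no-data" rather than guessing. Run the check against the real mail log on each cluster member before adding the entries, since a wrong requirement bounces every message to or from that domain.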