TLS Enable

From Roaring Penguin
Revision as of 10:36, 24 August 2017 by Admin (talk | contribs) (Remove extraneous material)


To enable TLS for communications to and from a domain you need to add the TLS info to CanIt for that domain. It requires editing /etc/mail/access on all machines and running "make -C /etc/mail" to update the binary database.

This is a Sendmail function. First, you need to make sure that STARTTLS is enabled on your server. You do that by putting this line:

   include(`/etc/mail/tls/starttls.m4')dnl

in /etc/mail/sendmail.mc somewhere before the MAILER(`local')dnl line.

Then type:

   make -C /etc/mail && /etc/init.d/sendmail restart

You need to do this on all hosts. To make sure it's working, telnet to your machine on port 25 and type:

   EHLO test

If it is working, you should see "250-STARTTLS" in the server's response.

The details are here: http://www.sendmail.org/~ca/email/starttls.html


Testing TLS in CanIt

If you see log lines similar to this:

  2014-05-26T00:00:00.588066-04:00 colo10 sm-mta[14920]:
  STARTTLS=server, relay=mail.example.com [192.168.1.1],
  version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA,
  bits=256/256

Note: STARTTLS=server means CanIt is acting as the server.

A line like this means that an encrypted connection has been negotiated. verify=NOT means that we did not ask the connecting server for a certificate. cipher=DHE-RSA-AES256-SHA is the cipher that was chosen, and bits=256/256 means that a 256-bit encryption key was negotiated out of the strongest possible 256 bits.

If you see something like this:

  2014-05-26T00:00:01.974059-04:00 colo10 sm-mta[14924]:
  STARTTLS=client, relay=mail.example.com.,
  version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128

STARTTLS=client means CanIt is acting as the client. It means that we successfully negotiated a 128-bit encrypted connection using the AES128-SHA cipher to mail.example.com, but we failed to validate its SSL certificate. (We still encrypt anyway; that's opportunistic encryption.)
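To check these fields across a whole mail log rather than by eye, here is an added example (not part of this wiki page or of CanIt) that parses sm-mta STARTTLS entries and flags the conditions described above: a client-side verify=FAIL and session keys that are short or below the cipher's maximum. The sample lines are constructed from the two entries quoted above, each written on a single line as sendmail actually logs them; the min_bits threshold is an assumption.

```python
import re

# Constructed sample, modelled on the two entries quoted on this page.
SAMPLE_LOG = "\n".join([
    "2014-05-26T00:00:00.588066-04:00 colo10 sm-mta[14920]: STARTTLS=server, "
    "relay=mail.example.com [192.168.1.1], version=TLSv1/SSLv3, verify=NOT, "
    "cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "2014-05-26T00:00:01.974059-04:00 colo10 sm-mta[14924]: STARTTLS=client, "
    "relay=mail.example.com., version=TLSv1/SSLv3, verify=FAIL, "
    "cipher=AES128-SHA, bits=128/128",
    # Unrelated delivery line, to show non-TLS entries are skipped.
    "2014-05-26T00:00:02.100000-04:00 colo10 sm-mta[14930]: x1: to=<u@example.com>, stat=Sent",
])

STARTTLS_RE = re.compile(
    r"sm-mta\[(?P<pid>\d+)\]: STARTTLS=(?P<role>server|client), "
    r"relay=(?P<relay>[^,]+), version=(?P<version>[^,]+), "
    r"verify=(?P<verify>[^,]+), cipher=(?P<cipher>[^,]+), "
    r"bits=(?P<used>\d+)/(?P<max>\d+)"
)

def parse_starttls(line):
    """Return the STARTTLS fields of one log line, or None if it is not a STARTTLS entry."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "used", "max"):
        rec[key] = int(rec[key])
    return rec

def assess(rec, min_bits=128):
    """List the conditions worth reviewing for one parsed entry (min_bits is an assumed policy)."""
    findings = []
    if rec["role"] == "client" and rec["verify"] == "FAIL":
        findings.append("peer certificate failed validation (opportunistic TLS only)")
    if rec["used"] < min_bits:
        findings.append("session key below policy: %d bits" % rec["used"])
    if rec["used"] < rec["max"]:
        findings.append("key strength below cipher maximum: %d/%d" % (rec["used"], rec["max"]))
    return findings

def audit(log_text):
    """Parse every STARTTLS entry and return (relay, role, findings) tuples."""
    results = []
    for line in log_text.splitlines():
        rec = parse_starttls(line)
        if rec is not None:
            # Sendmail appends a trailing dot to fully-qualified relay names.
            results.append((rec["relay"].rstrip("."), rec["role"], assess(rec)))
    return results

if __name__ == "__main__":
    for relay, role, findings in audit(SAMPLE_LOG):
        print(relay, role, findings or ["ok"])
```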

It should be safe to enable STARTTLS on all your cluster members.