TLS Enable

From Roaring Penguin
Revision as of 10:36, 24 August 2017 by Admin (talk | contribs) (Remove extraneous material)


To enable TLS for communications to and from a domain, you need to add the TLS information for that domain to CanIt. This requires editing /etc/mail/access on all machines and running "make -C /etc/mail" to rebuild the binary database.

This is a Sendmail function. First, you need to make sure that STARTTLS is enabled on your server. You do that by putting this line:


in /etc/mail/ somewhere before the MAILER(`local')dnl line.

Then type:

   make -C /etc/mail && /etc/init.d/sendmail restart

You need to do this on all hosts. To make sure it's working, telnet to your machine on port 25 and type:

   EHLO test

If it is working, you should see "250-STARTTLS" in the server's EHLO response (or "250 STARTTLS" if it happens to be the last extension listed). If it is missing, the server will reject a STARTTLS command and remote MTAs will simply deliver to it in clear text.
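The same check, scripted so it can be run against every cluster member instead of typing into telnet. This is an added example and not part of the CanIt page: it assumes a POSIX shell with nc(1) for the EHLO probe and openssl(1) for a real STARTTLS handshake, and the host names in the usage comment are placeholders. Besides "is STARTTLS advertised", it also reports whether the certificate the server presents verifies against the local CA store, which is what a remote MTA that does verify peers would see.

```shell
#!/bin/sh
# Added example, not from the original page: scriptable versions of the
# manual "telnet ... EHLO test" check.  Assumes POSIX sh plus nc(1) and
# openssl(1); host names in the usage section are placeholders.

# starttls_advertised: read an SMTP EHLO reply on stdin and succeed (exit 0)
# only if the server advertised STARTTLS.  Extension lines look like
# "250-STARTTLS"; the final line uses a space ("250 STARTTLS"), so accept both.
starttls_advertised() {
    tr -d '\r' | grep -Eiq '^250[- ]STARTTLS[[:space:]]*$'
}

# ehlo_reply HOST: print the server's greeting and EHLO reply.  This mirrors
# the manual telnet session; the QUIT keeps the server from logging a lost
# connection.
ehlo_reply() {
    printf 'EHLO test\r\nQUIT\r\n' | nc -w 5 "$1" 25
}

# s_client_verify_code: read `openssl s_client` output on stdin and print the
# numeric "Verify return code" (0 means the chain verified against the local
# CA store).  Prints nothing if the line is absent, i.e. no TLS handshake
# happened at all.
s_client_verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# tls_handshake HOST: perform a real STARTTLS handshake the way a sending
# MTA would and print the s_client transcript for s_client_verify_code.
tls_handshake() {
    openssl s_client -starttls smtp -connect "$1:25" -servername "$1" </dev/null 2>/dev/null
}

# check_mta HOST: run both checks and report.  Returns 0 only when STARTTLS
# is advertised.  Certificate problems are reported but not fatal, because a
# sendmail peer still encrypts opportunistically in that case (verify=FAIL
# in its log).
check_mta() {
    host=$1
    if ! ehlo_reply "$host" | starttls_advertised; then
        echo "$host: STARTTLS not advertised" >&2
        return 1
    fi
    code=$(tls_handshake "$host" | s_client_verify_code)
    case "$code" in
        0)  echo "$host: STARTTLS ok, certificate chain verifies" ;;
        "") echo "$host: STARTTLS advertised but TLS handshake failed" >&2 ;;
        *)  echo "$host: STARTTLS ok, but certificate did not verify (code $code)" ;;
    esac
    return 0
}

# Usage (placeholder host names for the cluster members):
#   for h in colo10.example.com colo11.example.com; do check_mta "$h"; done
```

A non-zero verify code is not a STARTTLS failure, but it is what you will get from any MTA that checks certificates (and from the remote side's verify=FAIL log line), so it is worth fixing before assuming your mail is authenticated as well as encrypted.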

The details are here:

Testing TLS in CanIt

If you see log lines similar to this:

  2014-05-26T00:00:00.588066-04:00 colo10 sm-mta[14920]:
  STARTTLS=server, [],
  version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA,

STARTTLS=server means CanIt is acting as the server, that is, a remote MTA connected to us. A line like this means that an encrypted connection has been negotiated. verify=NOT means that we did not ask the connecting client for a certificate, so the peer is encrypted to but not authenticated. cipher=DHE-RSA-AES256-SHA is the cipher suite that was chosen, and bits=256/256 (the field that follows the cipher in the full log line) indicates that a 256-bit encryption key was negotiated out of the 256 bits that suite supports.

If you see something like this:

  2014-05-26T00:00:01.974059-04:00 colo10 sm-mta[14924]:
  version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128

STARTTLS=client means CanIt is acting as the client, that is, we connected to a remote server to deliver mail. This line means that we successfully negotiated a 128-bit encrypted connection using the AES128-SHA cipher, but failed to validate the remote server's certificate (verify=FAIL). We still encrypt anyway: that is opportunistic encryption. It defeats passive eavesdropping, but it does not authenticate the peer, so a man-in-the-middle presenting its own certificate would be accepted exactly the same way.
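To see how much of your traffic is actually authenticated rather than just encrypted, the STARTTLS log lines above can be summarized instead of read one at a time. The script below is an added example, not from the CanIt page or product: it assumes POSIX sh and awk, the log path in the usage comment is an assumption, and the sample log embedded in it is constructed, with placeholder host names and addresses, in the key=value layout that sm-mta writes.

```shell
#!/bin/sh
# Added example (not from the CanIt page): summarize sendmail STARTTLS log
# lines.  Assumes POSIX sh and awk.  SAMPLE_LOG is constructed test data
# with placeholder hosts; the fourth line is a non-TLS record that must be
# ignored by the parser.
SAMPLE_LOG='2014-05-26T00:00:00.588066-04:00 colo10 sm-mta[14920]: STARTTLS=server, relay=mail.example.org [192.0.2.10], version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
2014-05-26T00:00:01.974059-04:00 colo10 sm-mta[14924]: STARTTLS=client, relay=mx.example.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128
2014-05-26T00:00:02.100000-04:00 colo10 sm-mta[14930]: STARTTLS=client, relay=mx2.example.net., version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
2014-05-26T00:00:03.000000-04:00 colo10 sm-mta[14931]: t4Q40000000001: from=<a@example.org>, size=1234, class=0, nrcpts=1, msgid=<x@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]'

# starttls_fields: read mail-log lines on stdin, keep only STARTTLS records,
# and print one tab-separated line per record:
#   role  relay  version  verify  cipher  bits
# Fields are located by key rather than position, so a missing or reordered
# field does not shift the others.
starttls_fields() {
    awk '
    /STARTTLS=(server|client),/ {
        split("", f)
        # everything after "sm-mta[pid]: " (or "sendmail[pid]: ") is the key=value list
        sub(/^.*(sm-mta|sendmail)\[[0-9]+\]: /, "")
        n = split($0, kv, /, /)
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq > 0) f[substr(kv[i], 1, eq - 1)] = substr(kv[i], eq + 1)
        }
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", f["STARTTLS"], f["relay"], f["version"], f["verify"], f["cipher"], f["bits"]
    }'
}

# unverified_outbound: print the relay of every session where CanIt was the
# client (we delivered outbound mail) and the peer certificate failed to
# verify.  These sessions were encrypted but not authenticated: a
# man-in-the-middle presenting any certificate would have logged the same.
unverified_outbound() {
    starttls_fields | awk -F '\t' '$1 == "client" && $4 == "FAIL" { print $2 }'
}

# starttls_summary: count sessions per (role, verify result, cipher) so the
# share of authenticated traffic and the negotiated suites are visible at a
# glance.
starttls_summary() {
    starttls_fields | awk -F '\t' '{ c[$1 " " $4 " " $5]++ }
        END { for (k in c) print c[k], k }' | sort
}

# Usage against a live log (path is an assumption; adjust for your system):
#   starttls_summary   < /var/log/mail.log
#   unverified_outbound < /var/log/mail.log | sort | uniq -c | sort -rn
# Or on the built-in sample:
#   printf '%s\n' "$SAMPLE_LOG" | starttls_summary
```

The hosts listed by unverified_outbound are the ones where opportunistic encryption is all you are getting; if a particular domain matters, that is where a per-domain TLS policy in /etc/mail/access earns its keep.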

Because the encryption is opportunistic (a peer that does not offer STARTTLS simply continues in clear text, as before), it should be safe to enable STARTTLS on all your cluster members.