TLS Enable

From Roaring Penguin
Revision as of 14:36, 7 December 2017 by JAudette (talk | contribs) (Update: back ticks are not shift-tilde. Tildes are shift-backticks. Clarified.)


Installing Certificates

Most visitors to this page are probably aiming to get their CanIt server to offer STARTTLS. If that is the case, please visit this page:


NOTE: After following the page above, you may still need to follow the steps to add the /etc/mail/tls/starttls.m4 include line to your /etc/mail/ file. (Those steps are on this page and are also included on the page above.)

TLS settings for specific domains

To enable TLS for communications to and from a domain you need to add the TLS info to CanIt for that domain. It requires editing /etc/mail/access on all machines and running "make -C /etc/mail" to update the binary database.

Enabling TLS in

This is a Sendmail function. First, you need to make sure that STARTTLS is enabled on your server. You do that by putting this line:

   include(`/etc/mail/tls/starttls.m4')dnl

in /etc/mail/ somewhere before the MAILER(`local')dnl line.

NOTE: Look closely at the beginning: include(`. Notice that the character after the opening parenthesis is a back-tick (the tilde key near ESC on most 105-key US keyboard layouts). This is important. Also note that if you copy and paste from above, your copy-paste may convert the back-tick to a single quote. Watch out for this.

Then type:

   make -C /etc/mail && /etc/init.d/sendmail restart

You need to do this on all hosts. To make sure it's working, telnet to your machine on port 25 and type:

   EHLO test

If it is working, you should see "250-STARTTLS" in the server's response.
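The same EHLO check, scripted so it can be run against every cluster member instead of typing into telnet. This is an added example, not code from the original page or from Roaring Penguin: the hostname, address and extension list in SAMPLE_EHLO_REPLY are constructed for the example, and check_live_host is an assumed helper name that needs network access to a real mail host.

```python
import smtplib
import ssl

# Constructed sample of the multi-line EHLO reply a Sendmail/CanIt host sends.
# The hostname, client address and extension list are made up for this example.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.invalid Hello [192.0.2.10], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(reply: str) -> set:
    """Return the SMTP extension keywords advertised in a raw EHLO reply.

    Continuation lines look like '250-KEYWORD [params]' and the final line
    like '250 KEYWORD'. The first line is the server greeting, not an
    extension, so it is skipped. Keywords are upper-cased because SMTP
    treats them case-insensitively.
    """
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    extensions = set()
    for ln in lines[1:]:
        if not ln.startswith("250"):
            continue
        body = ln[4:].strip()  # drop the '250-' or '250 ' prefix
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def advertises_starttls(reply: str) -> bool:
    """True when '250-STARTTLS' (or '250 STARTTLS') appears in the EHLO reply."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def check_live_host(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a mail host, send EHLO, and if STARTTLS is offered, finish
    the TLS handshake and report the negotiated protocol, cipher and key size
    (the facts Sendmail logs as version=, cipher= and bits=).

    Assumed helper; requires network access to a real host. The default SSL
    context validates the server certificate, so a certificate that cannot be
    verified raises ssl.SSLCertVerificationError, which is the condition the
    Sendmail log records as verify=FAIL.
    """
    result = {"starttls_offered": False, "tls_version": None,
              "cipher": None, "bits": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("tls-check.example.invalid")
        result["starttls_offered"] = smtp.has_extn("starttls")
        if result["starttls_offered"]:
            smtp.starttls(context=ssl.create_default_context())
            cipher_name, tls_version, bits = smtp.sock.cipher()
            result.update(tls_version=tls_version, cipher=cipher_name, bits=bits)
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed reply.
    print("STARTTLS advertised:", advertises_starttls(SAMPLE_EHLO_REPLY))
```

Run check_live_host("mail.example.invalid") against each host in the cluster after the make and restart; a result with starttls_offered set to False on one member means that member's /etc/mail/ file is missing the include line or Sendmail was not restarted there.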

The details are here:

Testing TLS in CanIt

If you see log lines similar to this:

  2014-05-26T00:00:00.588066-04:00 colo10 sm-mta[14920]:
  STARTTLS=server, [],
  version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA,

Note: STARTTLS=server means CanIt is acting as the server.

It means that an encrypted connection has been negotiated. The verify=NOT means that we didn't ask the connecting server for a certificate. The cipher=DHE-RSA-AES256-SHA indicates the chosen cipher, and the bits=256/256 indicates that an encryption key of 256 bits was negotiated out of the strongest possible 256 bits.

If you see something like this:

  2014-05-26T00:00:01.974059-04:00 colo10 sm-mta[14924]:
  version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128

STARTTLS=client means CanIt is acting as the client. It means that we successfully negotiated a 128-bit encrypted connection using the AES128-SHA cipher to, but we failed to validate its SSL certificate. (We still encrypt anyway... that's opportunistic encryption.)
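The log interpretation above, turned into a small parser that picks out the STARTTLS=, relay=, version=, verify=, cipher= and bits= fields and summarises which outbound peers were encrypted to without certificate validation. This is an added example, not code from the original page or from Roaring Penguin; the relay names and the third and fourth lines in SAMPLE_LOG are constructed, and TlsEvent, parse_starttls_line and summarize_tls_log are assumed names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape Sendmail writes. Timestamps, host and PIDs
# follow the lines quoted above; relay names and the last two lines are made up.
SAMPLE_LOG = """\
2014-05-26T00:00:00.588066-04:00 colo10 sm-mta[14920]: STARTTLS=server, relay=mx.example.invalid [192.0.2.25], version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
2014-05-26T00:00:01.974059-04:00 colo10 sm-mta[14924]: STARTTLS=client, relay=mail.partner.invalid., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128
2014-05-26T00:00:02.100000-04:00 colo10 sm-mta[14930]: STARTTLS=client, relay=mail.other.invalid., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
2014-05-26T00:00:03.000000-04:00 colo10 sm-mta[14931]: from=<user@example.invalid>, size=1234, class=0
"""

STARTTLS_RE = re.compile(r"STARTTLS=(?P<role>server|client),\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=([^,]*)")


@dataclass
class TlsEvent:
    role: str        # "server": CanIt accepted TLS; "client": CanIt initiated it
    relay: str       # the peer host as logged
    version: str     # e.g. TLSv1/SSLv3
    verify: str      # NOT = no cert requested, FAIL = cert not validated, OK = validated
    cipher: str      # negotiated cipher suite
    key_bits: int    # key size actually negotiated (left side of bits=)
    max_bits: int    # strongest the suite allows (right side of bits=)


def parse_starttls_line(line: str) -> Optional[TlsEvent]:
    """Parse one Sendmail STARTTLS log line; return None for unrelated lines."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    key_bits, max_bits = (int(x) for x in fields.get("bits", "0/0").split("/"))
    return TlsEvent(
        role=m.group("role"),
        relay=fields.get("relay", "").strip(),
        version=fields.get("version", "").strip(),
        verify=fields.get("verify", "").strip(),
        cipher=fields.get("cipher", "").strip(),
        key_bits=key_bits,
        max_bits=max_bits,
    )


def describe(event: TlsEvent) -> str:
    """One-line reading of an event in the terms the page uses."""
    who = "CanIt acting as server" if event.role == "server" else "CanIt acting as client"
    if event.verify == "NOT":
        cert = "no certificate was requested from the peer"
    elif event.verify == "FAIL":
        cert = "peer certificate could not be validated (opportunistic encryption)"
    else:
        cert = "peer certificate validated"
    return (f"{who}: {event.key_bits}-bit key out of {event.max_bits} possible "
            f"with {event.cipher} to {event.relay or '<relay not logged>'}; {cert}")


def summarize_tls_log(log_text: str) -> dict:
    """Count TLS sessions by role and list outbound peers whose cert failed validation."""
    events = [e for e in map(parse_starttls_line, log_text.splitlines()) if e]
    by_role = {"server": 0, "client": 0}
    unverified = []
    for e in events:
        by_role[e.role] += 1
        if e.role == "client" and e.verify == "FAIL":
            unverified.append(e.relay)
    return {"events": len(events), "by_role": by_role,
            "unverified_client_relays": unverified}


if __name__ == "__main__":
    for ln in SAMPLE_LOG.splitlines():
        ev = parse_starttls_line(ln)
        if ev:
            print(describe(ev))
    print(summarize_tls_log(SAMPLE_LOG))
```

Feed it the sm-mta lines from your mail log; a growing unverified_client_relays list is normal under opportunistic encryption, but it is the list to review if you later decide to require verified certificates for particular domains via /etc/mail/access.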

It should be safe to enable STARTTLS on all your cluster members.