Support for Running SMTP With TLS in Version 8.13 of sendmail
Communications between SMTP servers and clients are usually neither
controlled nor trusted on either end. Without protection, a third party
on the network path can monitor and even alter a communication between a
server and a client. SMTP in version 8.13 of sendmail can use Transport
Layer Security (TLS) to address this problem.
This extended service to SMTP servers and clients provides the following:
Private, authenticated communications over the Internet
Protection from eavesdroppers and attackers
Note - The implementation of TLS is based on the Secure Sockets
Layer (SSL) protocol.
STARTTLS is the SMTP keyword that initiates
a secure SMTP connection by using TLS. This secure connection might
be between two servers or between a server and a client. Once TLS has
been negotiated, the rest of the SMTP session on that hop is encrypted,
so a secure connection protects both of the following from observers on the wire:
The source email address and the destination address (the SMTP envelope).
The content of the email message.
When the client issues the STARTTLS command,
the server responds with one of the following:
220 Ready to start TLS
501 Syntax error (no parameters allowed)
454 TLS not available due to temporary reason
The 220 response requires the client to start
the TLS negotiation. The 501 response notes that
the client issued the STARTTLS command incorrectly:
STARTTLS takes no parameters. The 454 response requires the client to apply its rule set values
to determine whether to accept or maintain the (still unencrypted) connection.
Note that to maintain the Internet's SMTP infrastructure, publicly
used servers must not require a TLS negotiation. However, a server
that is used privately might require the client to perform a TLS negotiation.
In such instances, the server returns this response:
530 Must issue a STARTTLS command first
The 530 response instructs the client to
issue the STARTTLS command to establish a connection.
The server or client can refuse a connection if the level of
authentication and privacy is not satisfactory. Alternately, because
most SMTP connections are not secure, the server and client might
maintain an unsecure connection. Whether to maintain or refuse a connection
is determined by the configuration of the server and the client.
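The following is an added example, not code from sendmail or from this page: a toy model of both sides of the exchange described above, so that the four replies (220, 501, 454, 530) and the client's resulting decisions can be traced. The ToyServer class, the require_tls flag that stands in for the client's rule set values, and the command sequences are constructed for illustration.

```python
"""STARTTLS reply handling, modelled from both sides.

Added example, not code from sendmail or from the original page. The four
reply lines are the ones the page lists; ToyServer, the client policy flag
and the command sequences are constructed for illustration.
"""


class ToyServer:
    """Minimal model of an SMTP server's replies around STARTTLS."""

    def __init__(self, require_tls: bool, tls_available: bool = True):
        self.require_tls = require_tls        # private server: refuse mail until TLS is up
        self.tls_available = tls_available    # False models the temporary 454 condition
        self.tls_active = False

    def reply(self, command: str) -> str:
        verb, _, args = command.partition(" ")
        if verb.upper() == "STARTTLS":
            if args:                          # STARTTLS takes no parameters
                return "501 Syntax error (no parameters allowed)"
            if not self.tls_available:
                return "454 TLS not available due to temporary reason"
            self.tls_active = True            # the TLS handshake would follow here
            return "220 Ready to start TLS"
        if self.require_tls and not self.tls_active:
            return "530 Must issue a STARTTLS command first"
        return "250 OK"


def client_action(command: str, reply: str, require_tls: bool) -> str:
    """Decide what the client does with a reply, following the page's rules."""
    code = int(reply[:3])
    if command.upper().startswith("STARTTLS"):
        if code == 220:
            return "negotiate"                # start the TLS handshake
        if code == 501:
            return "client-bug"               # we sent STARTTLS with parameters
        if code == 454:
            # Temporary failure: the client's own policy (its rule set
            # values) decides between refusing and staying in cleartext.
            return "refuse" if require_tls else "continue-cleartext"
    if code == 530:
        return "send-starttls-first"          # private server: TLS is mandatory
    return "ok" if code < 400 else "error"


def run_session(server: ToyServer, require_tls: bool,
                commands: list[str]) -> list[tuple[str, str, str]]:
    """Exchange commands with the server and log (command, reply, client action)."""
    log = []
    for command in commands:
        reply = server.reply(command)
        action = client_action(command, reply, require_tls)
        log.append((command, reply, action))
        if action in ("refuse", "client-bug"):
            break                             # the client gives up on this connection
    return log


if __name__ == "__main__":
    # A private server answers MAIL FROM with 530 until STARTTLS has been issued.
    private = ToyServer(require_tls=True)
    for entry in run_session(private, True,
                             ["MAIL FROM:<a@example.com>", "STARTTLS",
                              "MAIL FROM:<a@example.com>"]):
        print(entry)
```

The 454 branch is where the page's "apply rule set values" step lives: a client that must have TLS (require_tls=True) drops the connection, whereas a client that is allowed to fall back keeps talking in cleartext, which is the default posture of most SMTP peers.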
Support for running SMTP with TLS is not enabled by default.
TLS is negotiated on a connection only when the SMTP client issues the STARTTLS command.
Before the SMTP client can issue this command, you must set up the
certificates that enable sendmail to use TLS. See How to Set SMTP to Use TLS. Note that this
procedure includes defining new configuration file options and rebuilding
your sendmail.cf file.
Configuration File Options for Running SMTP With TLS
The following table describes the configuration file options
that are used to run SMTP with TLS. If you declare any of these options,
use one of the following syntaxes:
O OptionName=argument # for the configuration file
-O OptionName=argument # for the command line
define(`m4Name',argument) # for m4 configuration
Table 3-11 Configuration File Options for Running SMTP With TLS

CACertFile
    m4 name: confCACERT
    Argument: filename
    Default value: undefined
    Identifies the file that contains one CA certificate.

CACertPath
    m4 name: confCACERT_PATH
    Argument: path
    Default value: undefined
    Identifies the path to the directory that contains certificates of CAs.

ClientCertFile
    m4 name: confCLIENT_CERT
    Argument: filename
    Default value: undefined
    Identifies the file that contains the certificate of the client.
    This certificate is used when sendmail acts as a client.

ClientKeyFile
    m4 name: confCLIENT_KEY
    Argument: filename
    Default value: undefined
    Identifies the file that contains the private key that belongs
    to the client certificate.

CRLFile
    m4 name: confCRL
    Argument: filename
    Default value: undefined
    Identifies the file that contains the certificate revocation list (CRL),
    which is consulted during X.509v3 certificate verification.

DHParameters
    m4 name: confDH_PARAMETERS
    Argument: filename
    Default value: undefined
    Identifies the file that contains the Diffie-Hellman (DH) parameters.

RandFile
    m4 name: confRAND_FILE
    Argument: file:filename or egd:UNIX socket
    Default value: undefined
    Uses the file: prefix to identify the file that contains random data,
    or the egd: prefix to identify the UNIX socket of an entropy gathering
    daemon. Because the Oracle Solaris OS provides the random number
    generator device, this option does not need to be specified.
    See the random(7D) man page.

ServerCertFile
    m4 name: confSERVER_CERT
    Argument: filename
    Default value: undefined
    Identifies the file that contains the server's certificate.
    This certificate is used when sendmail acts as a server.

Timeout.starttls
    m4 name: confTO_STARTTLS
    Argument: amount of time
    Default value: 1h
    Sets the amount of time the SMTP client waits for a response
    to the STARTTLS command.

TLSSrvOptions
    m4 name: confTLS_SRV_OPTIONS
    Argument: V
    Default value: undefined
    Determines whether the server asks for a certificate from the
    client. If this option is set to V, the server does not request a
    client certificate, so no client verification is performed.
For sendmail to support SMTP's use of TLS,
the following options must be defined:
CACertPath
CACertFile
ServerCertFile
ClientKeyFile
Other options are not required. Note that a certificate is only usable
together with its private key: when sendmail acts as a server, the key
for ServerCertFile is supplied with ServerKeyFile (m4 name confSERVER_KEY,
an option not listed in the table above), and when it acts as a client,
ClientKeyFile must belong to the certificate given in ClientCertFile.
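The following is an added example, not code from sendmail or from this page. It renders the options of Table 3-11 in the m4 and sendmail.cf syntaxes shown above, parses the O lines of a sendmail.cf excerpt, and reports which of the required options are missing and which file paths do not exist on the host. The option and m4 names are those of the table; ServerKeyFile/confSERVER_KEY is included as an assumption (the server's private key option, which the table omits). The paths and the sendmail.cf excerpt are constructed.

```python
"""Rendering and checking sendmail's TLS configuration options.

Added example, not code from sendmail or the original page. Option names,
m4 names and the required-option list come from Table 3-11;
ServerKeyFile/confSERVER_KEY is an assumption not in that table. File
paths and the sendmail.cf excerpt are constructed.
"""
import os
import re

# Option name -> m4 name, from Table 3-11 (plus the assumed ServerKeyFile).
OPTION_TO_M4 = {
    "CACertFile": "confCACERT",
    "CACertPath": "confCACERT_PATH",
    "ClientCertFile": "confCLIENT_CERT",
    "ClientKeyFile": "confCLIENT_KEY",
    "CRLFile": "confCRL",
    "DHParameters": "confDH_PARAMETERS",
    "RandFile": "confRAND_FILE",
    "ServerCertFile": "confSERVER_CERT",
    "ServerKeyFile": "confSERVER_KEY",        # assumption: not in the page's table
    "Timeout.starttls": "confTO_STARTTLS",
    "TLSSrvOptions": "confTLS_SRV_OPTIONS",
}

# Options the page says must be defined for STARTTLS support.
REQUIRED = ("CACertPath", "CACertFile", "ServerCertFile", "ClientKeyFile")

# Options whose argument is a path that must exist on the host.
FILE_OPTIONS = ("CACertFile", "CACertPath", "ClientCertFile", "ClientKeyFile",
                "CRLFile", "DHParameters", "ServerCertFile", "ServerKeyFile")


def m4_defines(options: dict[str, str]) -> list[str]:
    """Render options as define(`m4Name', `argument') lines for the m4 configuration."""
    lines = []
    for name, value in options.items():
        if name not in OPTION_TO_M4:
            raise KeyError(f"unknown TLS option: {name}")
        lines.append(f"define(`{OPTION_TO_M4[name]}', `{value}')")
    return lines


def cf_options(options: dict[str, str]) -> list[str]:
    """Render the same options in sendmail.cf syntax (O OptionName=argument)."""
    return [f"O {name}={value}" for name, value in options.items()]


_CF_OPTION = re.compile(r"^O\s+([A-Za-z.]+)\s*=\s*(\S+)")


def parse_cf_options(cf_text: str) -> dict[str, str]:
    """Collect the TLS-related O lines from a sendmail.cf excerpt."""
    found = {}
    for line in cf_text.splitlines():
        m = _CF_OPTION.match(line)
        if m and m.group(1) in OPTION_TO_M4:
            found[m.group(1)] = m.group(2)
    return found


def missing_required(options: dict[str, str]) -> list[str]:
    """Required options that are absent or have an empty argument."""
    return [name for name in REQUIRED if not options.get(name)]


def unreadable_files(options: dict[str, str]) -> list[str]:
    """File-valued options whose path does not exist on this host."""
    return [name for name in FILE_OPTIONS
            if name in options and not os.path.exists(options[name])]


# Constructed sendmail.cf excerpt: a server certificate is configured, but
# the CA file and the client key are missing, so STARTTLS is not usable.
SAMPLE_CF = """\
O CACertPath=/etc/mail/certs
O ServerCertFile=/etc/mail/certs/server.pem
O Timeout.starttls=1h
"""

if __name__ == "__main__":
    opts = parse_cf_options(SAMPLE_CF)
    print("missing required:", missing_required(opts))
    print("paths not found:", unreadable_files(opts))
    print("\n".join(m4_defines(opts)))
```

Running the check against a real sendmail.cf before restarting sendmail catches the two common mistakes: a required option that was never defined, and a path that is wrong on the host even though the option is present.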
Macros for Running SMTP With TLS
The following table describes the macros that are used by the STARTTLS command.
Table 3-12 Macros for Running SMTP With TLS

${cert_issuer}
    Holds the distinguished name (DN) of the certification authority
    (CA), which is the certificate issuer.

${cert_subject}
    Holds the DN of the certificate that is called the cert subject.

${cn_issuer}
    Holds the common name (CN) of the CA, which is the cert issuer.

${cn_subject}
    Holds the CN of the certificate that is called the cert subject.

${tls_version}
    Holds the version of TLS that is used for the connection.

${cipher}
    Holds the set of cryptographic algorithms (known as a cipher suite)
    that is used for the connection.

${cipher_bits}
    Holds, in bits, the key length of the symmetric encryption algorithm
    that is used for the connection.

${verify}
    Holds the result of the verification of the certificate that
    was presented. Possible values are as follows:
    OK – The verification succeeded.
    NO – No certificate was presented.
    NOT – No certificate was requested.
    FAIL – The certificate that was presented could not be verified.
    NONE – STARTTLS has not been performed.
    TEMP – Temporary error occurred.
    PROTOCOL – SMTP error occurred.
    SOFTWARE – STARTTLS handshake failed.

${server_name}
    Holds the name of the server with the current outgoing SMTP
    connection.

${server_addr}
    Holds the address of the server with the current outgoing SMTP
    connection.
Rule Sets for Running SMTP With TLS
The following table describes rule sets that determine whether
an SMTP connection that uses TLS should be accepted, continued, or
refused.
Table 3-13 Rule Sets for Running SMTP With TLS

tls_server
    Used when sendmail acts as a client, after the STARTTLS command has
    been (or should have been) issued to a server, to decide whether the
    connection to that server is acceptable.

tls_client
    Used when sendmail acts as a server, after a client has issued
    STARTTLS (or has sent EHLO without STARTTLS), to decide whether the
    connection from that client is acceptable.

tls_rcpt
    Requires verification of the recipient's MTA for the recipients it
    covers, so that their mail is handed only to an MTA whose certificate
    verifies. This recipient restriction defeats attacks such as DNS
    spoofing of the recipient's MX records.

TLS_connection
    Checks the requirement that is specified by the RHS of the access
    map against the actual parameters of the current TLS connection.

try_tls
    Used by sendmail to determine whether it is feasible to use
    STARTTLS when connecting to another MTA. If the MTA cannot properly
    implement STARTTLS, then STARTTLS is not used.
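The following is an added example, not sendmail's own TLS_connection rule set. It shows what the macros of Table 3-12 and the rule sets of Table 3-13 are used for: the ${verify} and ${cipher_bits} values of a connection are checked against a requirement taken from the RHS of the access map, and the result decides whether the connection is accepted. The RHS forms it understands (VERIFY, VERIFY:bits, ENCR:bits) follow sendmail's STARTTLS documentation, which this page does not quote, so treat them as an assumption; the access map keyed by plain host name and the connection records are constructed.

```python
"""TLS_connection-style policy check over the STARTTLS macros.

Added example, not sendmail's own rule set. The macro names and the
${verify} values are those in Table 3-12. The access-map RHS forms
(VERIFY, VERIFY:bits, ENCR:bits) are an assumption taken from sendmail's
STARTTLS documentation; the host-name-keyed access map and the connection
records are constructed.
"""

# ${verify} values from Table 3-12 that mean no usable TLS session exists.
NO_TLS = {"NONE", "TEMP", "PROTOCOL", "SOFTWARE"}


def check_tls_requirement(requirement: str, macros: dict[str, str]) -> tuple[bool, str]:
    """Return (accepted, reason) for one RHS requirement against a connection's macros."""
    verify = macros.get("verify", "NONE")
    bits = int(macros.get("cipher_bits") or 0)
    kind, _, arg = requirement.partition(":")
    kind = kind.upper()
    min_bits = int(arg) if arg else 0

    if kind not in ("VERIFY", "ENCR"):
        return False, f"unsupported requirement {requirement!r}"
    if verify in NO_TLS:
        return False, f"no TLS session (verify={verify})"
    if kind == "VERIFY" and verify != "OK":
        # NO: peer sent no certificate; NOT: we never asked for one;
        # FAIL: the chain did not verify against CACertFile/CACertPath.
        return False, f"peer certificate not verified (verify={verify})"
    if bits < min_bits:
        return False, f"encryption too weak ({bits} < {min_bits} bits)"
    return True, "ok"


def decide_for_peer(peer: str, access_map: dict[str, str],
                    macros: dict[str, str]) -> tuple[bool, str]:
    """Look the peer up in the constructed access map and apply its requirement.

    A peer without an entry has no TLS requirement and is accepted, which
    mirrors the default of keeping unsecured connections.
    """
    rhs = access_map.get(peer)
    if rhs is None:
        return True, "no requirement"
    return check_tls_requirement(rhs, macros)


# Constructed connection records; keys are macro names without ${...}.
CONNECTIONS = {
    "good": {"verify": "OK", "cipher_bits": "256", "tls_version": "TLSv1",
             "cipher": "AES256-SHA", "cn_subject": "mx.example.org"},
    "no-cert": {"verify": "NO", "cipher_bits": "256", "tls_version": "TLSv1"},
    "weak": {"verify": "OK", "cipher_bits": "56", "tls_version": "TLSv1"},
    "cleartext": {"verify": "NONE"},
}

# Constructed access map: peer host -> RHS requirement.
ACCESS_MAP = {
    "mx.example.org": "VERIFY:128",     # partner: verified cert and >=128-bit cipher
    "relay.example.net": "ENCR:128",    # encryption only, any certificate
}

if __name__ == "__main__":
    for name, macros in CONNECTIONS.items():
        print(name, decide_for_peer("mx.example.org", ACCESS_MAP, macros))
```

The two checks are deliberately separate: ENCR:bits only insists that the hop is encrypted strongly enough, while VERIFY additionally needs ${verify} to be OK, which is the only value that says the peer's certificate chained to a trusted CA. A ${verify} of NOT (no certificate requested, as with TLSSrvOptions=V) or NO therefore satisfies an ENCR requirement but never a VERIFY one.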
For more information, see http://www.sendmail.org/m4/starttls.html.
Security Considerations Related to Running SMTP With TLS
As a standard mail protocol that defines mailers that run over
the Internet, SMTP is not an end-to-end mechanism. Because of this
protocol limitation, TLS security through SMTP does not include mail
user agents. Mail user agents act as an interface between users and
a mail transfer agent such as sendmail.
Also, mail might be routed through multiple servers. TLS protects one
SMTP hop at a time, so for complete SMTP security the entire chain of
SMTP connections must have TLS support; a message is otherwise exposed
on any hop that falls back to cleartext.
Finally, the level of negotiated authentication and privacy between each pair of servers, or between a
client and server pair, must be considered: an encrypted hop whose peer certificate was not verified protects against eavesdropping but not against a peer that impersonates the intended server. For more information, see Chapter 1, Using Secure Shell (Tasks), in Managing Secure Shell Access in Oracle Solaris 11.2.