Configure Sendmail for SMTP over TLS
SMTP over TLS/SSL
We want Sendmail to transfer mail through SMTP
over TLS whenever possible for multiple
security reasons.
The obvious advantage is confidentiality.
The less obvious advantage for most people is
authentication, ideally mutual authentication.
You also get integrity, protection against
malicious modification of the data stream.
Yes, TLS and not SSL
We might use "SSL" as a generic term,
but the actual protocol we want to use is TLS
and not literally SSL.
Why the concern?
A series of vulnerability discoveries from 2011 through 2014,
BEAST, CRIME, and POODLE among them, showed that every version
of SSL has fundamental insecurities that cannot be fixed
by patching or configuring workarounds.
SSL 2.0 and 3.0 are now formally prohibited (RFC 6176 and RFC 7568),
and TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996),
so in practice "use TLS" means TLS 1.2 or 1.3.
Do not use SSL, use TLS.
I have quite a bit of background on my dedicated
SSL/TLS Security
page, have a look at that to find links to the research
papers and vulnerability announcements explaining all
this in detail.
SSL/TLS Background, Vulnerabilities and Updates
Using TLS With Sendmail
Above are the reasons for using TLS, and being
careful in precisely how you use it.
Now, as for using TLS with Sendmail...
Many of my web pages have started as my notes.
I like figuring out how to do things.
But I do not like having to do that a second time!
So, I have found web pages to be convenient ways of
organizing my how-to notes.
Great news:
There are now some fantastic how-to documents with far more
detail, and far more vetting by the community at large.
I no longer need to maintain this page as my notes on
how to generate key pairs, generate digital certificates
if appropriate, and modify the sendmail.mc
or sendmail.cf
configuration files.
See this page:
Sendmail-SMTP-AUTH-TLS Howto
That page describes building and installing
openssl
,
cyrus-sasl
,
and
sendmail
from source, with specific older versions explicitly coded
into the commands.
Use the packages included with your operating
system distribution.
Skip the compiling and installing steps,
jumping ahead to where it has you creating certificates
with the openssl
command.
Then configure sendmail
through the
sendmail.mc
macro file.
Enable it as a service; on a Linux distribution using systemd
that means systemctl rather than the manual creation of
symbolic links that page describes.
Then configure and enable saslauthd
,
the SASL authentication daemon.
Now, back to something I can contribute!
Testing Your Server
There are two ways to run SMTP over TLS, on different ports.
SMTPS, or implicit TLS, uses TCP port 465: the TLS handshake
happens first and SMTP runs inside it.
STARTTLS starts as plaintext SMTP on the usual TCP port 25
(or 587 for message submission from mail clients) and upgrades
the session to TLS with the STARTTLS command.
RFC 8314 recommends implicit TLS on 465 for submission.
TCP/465 and TCP/587 are ports you may need to open on one
or more firewalls.
The following is about to get into command-line testing
and analysis.
Maybe that's what you want!
But maybe you want an easy-to-use web page,
a testing dashboard.
Testing STARTTLS Support Within SMTP
This first test will very likely fail if you are
trying to test your work server from home.
Many Internet service providers block outbound TCP/25 traffic from
residential customers, because almost all of it would be spam
sent from infected Windows computers in people's homes
and small businesses.
But within your organization,
or on the server itself,
you could try using telnet
to connect
to TCP port 25 on the server.
Send over ehlo
, the "extended HELO",
and see if Authentication and STARTTLS are announced.
Look for something like the following,
where the lines I typed are the telnet command,
ehlo localhost, and quit.
This server supports STARTTLS but not AUTH over SMTP.
Be aware that Sendmail's confAUTH_OPTIONS setting with the
p flag withholds PLAIN and LOGIN until a security layer is active,
so a server may not offer AUTH until after STARTTLS;
repeat the ehlo after starting TLS before concluding
that authentication is off.
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 www.c.cromwell-intl.com ESMTP Sendmail 8.15.2/8.15.2; Wed, 22 Jan 2025 06:50:55 UTC
ehlo localhost
250-www.c.cromwell-intl.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 www.c.cromwell-intl.com closing connection
Connection closed by foreign host.
$
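Here is a small shell script, added as an example and not part of the original page or of Sendmail itself, that performs the same EHLO check from a script instead of by reading a telnet session by eye. The transcript it parses is the session above with the typed lines removed; the live probe assumes nc is installed, and probe.example.com stands in for your real client hostname.

```sh
#!/bin/sh
# Added example (not from the original page): script the EHLO check
# instead of reading a telnet session by eye.

# ehlo_extensions: read an SMTP transcript on stdin, print the keyword of
# every 250 line after the "Hello ..." greeting, one per line, uppercased.
ehlo_extensions() {
    tr -d '\r' | awk '
        /^250[- ]/ {
            if (!seen) { seen = 1; next }   # first 250 line is the greeting
            sub(/^250[- ]/, "")
            split($0, f, " ")
            print toupper(f[1])
        }'
}

# ehlo_has KEYWORD: exit 0 if the transcript on stdin advertises KEYWORD
# (for example STARTTLS, AUTH, PIPELINING).
ehlo_has() {
    ehlo_extensions | grep -qx "$1"
}

# ehlo_report: one-line summary of the two things this page cares about.
ehlo_report() {
    transcript=$(cat)
    starttls=no; auth=no
    printf '%s\n' "$transcript" | ehlo_has STARTTLS && starttls=yes
    printf '%s\n' "$transcript" | ehlo_has AUTH && auth=yes
    echo "starttls=$starttls auth=$auth"
}

# ehlo_probe HOST PORT: the live version, without telnet. Assumes nc(1).
# The pauses matter: Sendmail's greet_pause feature rejects clients that
# send a command before the 220 banner has arrived.
ehlo_probe() {
    {
        sleep 2
        printf 'EHLO probe.example.com\r\n'   # placeholder: use your client's real hostname
        sleep 2
        printf 'QUIT\r\n'
    } | nc -w 5 "$1" "$2"
}

# Constructed sample: the telnet session from this page, server lines only.
sample_transcript() {
cat <<'EOF'
220 www.c.cromwell-intl.com ESMTP Sendmail 8.15.2/8.15.2; Wed, 22 Jan 2025 06:50:55 UTC
250-www.c.cromwell-intl.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
221 2.0.0 www.c.cromwell-intl.com closing connection
EOF
}

# Constructed sample of a server that also offers SMTP AUTH, the extra
# line Sendmail prints once SASL is configured.
sample_transcript_auth() {
    sample_transcript | awk '{ print } /^250-STARTTLS$/ { print "250-AUTH LOGIN PLAIN" }'
}

sample_transcript | ehlo_report          # starttls=yes auth=no
sample_transcript_auth | ehlo_report     # starttls=yes auth=yes
# Live use:  ehlo_probe mail.example.com 25 | ehlo_report
```

Run it against your own server from inside the network, where TCP/25 is not filtered, and again on port 587 if you offer submission there.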
Testing SMTPS Connections To Your Server
You can use the openssl
command to connect
to your server with SMTP over TLS.
The following asks for a TLS v1.2 connection to port 465,
implicit TLS, on my ISP's outbound SMTP server.
Changing the final option to -tls1
or
-tls1_1
asks for TLS v1.0 or 1.1, respectively.
Both are deprecated (RFC 8996), so the result you want
from those two tests is a refused handshake:
$ openssl s_client -connect smtp.comcast.net:465 -tls1_2
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/postalCode=19103/ST=PA/L=Philadelphia/street=1 Comcast Center/O=Comcast Corporation/OU=Business Center/OU=Hosted by Comcast Corporation/OU=Unified Communications/CN=smtp.comcast.net
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[... base64 certificate body not shown ...]
-----END CERTIFICATE-----
subject=/C=US/postalCode=19103/ST=PA/L=Philadelphia/street=1 Comcast Center/O=Comcast Corporation/OU=Business Center/OU=Hosted by Comcast Corporation/OU=Unified Communications/CN=smtp.comcast.net
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5168 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: E58A1CD1AA5AE14A9BAE01579008EEF71198200AB8D0B717A99A1DC89CC8B3A5
Session-ID-ctx:
Master-Key: F2F20C79893EB486A01AC14A147F3E7DA3AEF93D67304EFCAD461CDF8C6FA6F4C41737125682DCFCD24E7E733A1FFC8F
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - fb 22 6b 8f f5 7c e2 c1-1c e6 83 a3 28 3e bb 51 ."k..|......(>.Q
0010 - d5 c3 5c 94 e6 99 ba bf-96 73 ef fb db 8c be 32 ..\......s.....2
0020 - 1c c5 96 b9 c7 cd 05 47-2a ec 9c 9b db 8b f3 4b .......G*......K
0030 - 4e 05 51 a3 eb 12 75 b2-ca 1a 5c f6 99 d4 ce 2b N.Q...u...\....+
0040 - 69 d1 39 df bc af e9 8c-88 4b 6c e6 be 54 55 cb i.9......Kl..TU.
0050 - 0f 9b 06 f7 da fb 99 b7-50 5a 11 09 6b d7 f5 6e ........PZ..k..n
0060 - af bd 5a 35 d5 11 6c 1f-47 cd 7c 45 bb 0f 5b af ..Z5..l.G.|E..[.
0070 - 71 7c ce 77 69 87 d4 30-79 0b 0c ee ad e6 b3 7e q|.wi..0y......~
0080 - ae fe e6 44 27 97 b2 45-6f 61 d0 c9 30 1c b9 b6 ...D'..Eoa..0...
0090 - 30 ac b4 4e ca 24 5f 49-eb 52 99 eb 2f f4 ce 75 0..N.$_I.R../..u
Start Time: 1530227522
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
220 resomta-ch2-07v.sys.comcast.net resomta-ch2-07v.sys.comcast.net ESMTP server ready
^D
DONE
$
We see that the connection used ECDHE-RSA-AES256-GCM-SHA384.
That is:
Key exchange uses
Elliptic Curve Diffie-Hellman Ephemeral,
so the session keys are not derived from the server's long-term key
and a later compromise of that key does not expose recorded sessions
(forward secrecy).
Authentication uses
RSA: the server proves its identity by signing the ephemeral
key exchange with the 2048-bit RSA key in its certificate.
Encryption uses
AES in Galois/Counter Mode with a 256-bit key.
GCM is an AEAD mode: each record carries the cipher's own
authentication tag, so message integrity comes from GCM itself
and there is no separate HMAC on the data.
SHA-384 at the end of the suite name is the hash for the
handshake's pseudo-random function, used to derive the keys
and to compute the Finished messages, not a MAC on the records.
Only in the older CBC suites whose names end in -SHA or -SHA256
does that final hash name the HMAC applied to each record.
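As an added example (not from the original page), the following shell functions reduce s_client output to a one-line verdict and run the handshake against either style of port. The two transcripts it parses are constructed: one trimmed from the session above, one invented to show what a neglected server looks like. The host names in the usage comments are placeholders.

```sh
#!/bin/sh
# Added example (not from the original page): turn openssl s_client output
# into a one-line verdict, and drive s_client for both TLS styles.

# tls_summary: read s_client output on stdin and print
#   protocol=... cipher=... verify=... pfs=yes|no aead=yes|no protocol_ok=yes|no
# or "handshake failed" (exit 1) when no cipher was negotiated.
tls_summary() {
    out=$(cat)
    proto=$(printf '%s\n' "$out"  | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *//p' | head -n 1)
    case "$cipher" in
        ""|0000) echo "handshake failed"; return 1 ;;   # s_client prints 0000 on failure
    esac
    pfs=no; aead=no; pok=no
    case "$cipher" in
        ECDHE-*|DHE-*|TLS_*) pfs=yes ;;   # ephemeral key exchange; TLS 1.3 suites (TLS_...) always are
    esac
    case "$cipher" in
        *GCM*|*CHACHA20*|*CCM*) aead=yes ;;   # AEAD: integrity comes from the cipher's own tag
    esac
    case "$proto" in
        TLSv1.2|TLSv1.3) pok=yes ;;   # anything older is deprecated (RFC 7568, RFC 8996)
    esac
    echo "protocol=$proto cipher=$cipher verify=$verify pfs=$pfs aead=$aead protocol_ok=$pok"
}

# smtp_tls_probe HOST PORT [extra s_client options]
# Port 465 is implicit TLS. Ports 25 and 587 start in plaintext, so s_client
# must send EHLO and STARTTLS itself (-starttls smtp). </dev/null makes it
# exit after the handshake instead of waiting for typed SMTP commands, which
# is what the ^D above did by hand. -servername sends SNI so a server
# hosting several names presents the right certificate.
smtp_tls_probe() {
    host=$1; port=$2; shift 2
    case "$port" in
        465) mode="" ;;
        *)   mode="-starttls smtp" ;;
    esac
    # $mode is intentionally unquoted so it splits into two arguments
    openssl s_client -connect "$host:$port" -servername "$host" $mode "$@" \
        </dev/null 2>/dev/null | tls_summary
}

# Constructed sample, trimmed from the s_client session on this page.
sample_good() {
cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
EOF
}

# Constructed sample of what a neglected server might return: old protocol,
# static RSA key exchange (no forward secrecy), CBC with HMAC, and a
# certificate the client could not chain to a trusted CA.
sample_bad() {
cat <<'EOF'
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

sample_good | tls_summary
sample_bad | tls_summary
# Live use, e.g.:
#   smtp_tls_probe smtp.example.com 465
#   smtp_tls_probe smtp.example.com 587
#   smtp_tls_probe smtp.example.com 587 -tls1    # a well-run server gives "handshake failed"
```

Note that "Verify return code: 0 (ok)" only says the chain verified against this client's trust store; s_client does not, by itself, check that the name in the certificate matches the host you connected to.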
Interpreting The Server's Certificate
Save the output in a file and then ask openssl
to decode and display the certificate details.
The x509 command reads only the first PEM block in the file,
which is the server's own certificate, not the intermediate
or root certificates that s_client listed in the chain.
For this example, we see that the mail server has a 2048-bit
RSA key, wrapped in a digital certificate signed by Comodo
with SHA-2-256 and RSA.
The Not After date is when the whole thing stops working;
that is the field to keep monitoring.
$ openssl s_client -connect smtp.comcast.net:465 -tls1_2 > /tmp/smtps
$ openssl x509 -in /tmp/smtps -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f0:99:d7:8d:58:cd:d1:39:e7:4f:5d:3a:3b:4d:d5:37
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA
Validity
Not Before: Oct 10 00:00:00 2016 GMT
Not After : Oct 10 23:59:59 2018 GMT
Subject: C=US/postalCode=19103, ST=PA, L=Philadelphia/street=1 Comcast Center, O=Comcast Corporation, OU=Business Center, OU=Hosted by Comcast Corporation, OU=Unified Communications, CN=smtp.comcast.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a0:b9:20:29:05:2a:c3:83:32:94:23:9b:c3:0c:
d3:c8:59:08:a0:c3:7f:35:13:65:e8:46:34:cd:2f:
ac:8e:56:0c:14:fa:65:49:42:dd:7e:ab:35:b4:47:
16:66:10:ac:fa:ed:44:90:93:7d:fb:f8:ee:0a:dc:
de:67:d7:3b:df:2c:7c:9d:3a:61:d3:f2:99:e6:b8:
bd:b7:9e:72:bb:9c:61:b6:e0:ef:d9:6b:0c:26:6a:
9c:4c:e1:cf:5d:14:99:b7:b6:9b:a6:cb:cd:7f:10:
9b:e8:81:b6:61:d3:eb:04:da:8f:c9:93:c4:27:a8:
e7:87:70:98:de:a0:5b:b2:b7:8b:e2:24:7e:50:41:
ae:9d:22:40:83:69:91:5c:78:71:d3:f6:98:37:70:
93:51:eb:4e:71:20:73:23:0a:05:5c:f9:25:a6:d5:
82:72:6e:55:92:72:be:05:6a:85:b4:a9:72:b7:a9:
c7:5b:fa:36:a8:ae:f8:9c:b0:e0:28:d5:20:c5:1f:
69:1b:f0:70:e3:c6:44:47:57:a6:1a:c3:65:37:64:
55:c8:e0:6d:a0:00:06:d7:9c:78:bc:3d:a2:14:15:
44:7b:d0:34:ab:d1:ce:25:cf:5b:19:23:5b:eb:3b:
94:e1:9a:42:6f:e4:69:36:ad:e4:92:a2:42:a5:2e:
9a:27
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:9A:F3:2B:DA:CF:AD:4F:B6:2F:BB:2A:48:48:2A:12:B7:1B:42:C1:24
X509v3 Subject Key Identifier:
7C:F4:9C:65:23:A8:9D:2B:83:43:90:17:3F:E1:2E:42:79:F3:53:95
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.2
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name:
DNS:smtp.comcast.net, DNS:smtp.xfinity.com
Signature Algorithm: sha256WithRSAEncryption
16:04:97:96:ce:c4:3c:34:24:57:c9:78:23:65:7f:53:ee:cd:
09:77:aa:85:0c:9a:5f:31:3d:73:03:3d:f8:b9:db:99:77:ba:
00:17:e9:c8:da:cc:75:53:49:19:0d:98:db:85:2a:a4:61:b1:
e7:aa:2e:57:fa:69:8b:c6:56:c8:bb:39:0b:a1:e5:5e:9f:c9:
f0:c6:4e:6f:04:9d:01:3e:a4:bb:7c:de:3a:29:02:ea:c7:a1:
9b:ba:00:da:d6:90:be:02:53:1e:bc:34:ed:ea:35:d7:2e:2c:
24:19:e1:d1:91:cb:eb:a7:cb:f3:b0:9d:41:83:52:10:45:8a:
2e:60:c0:01:b5:f6:a4:89:fb:5d:0f:cf:95:e0:49:5f:79:1c:
79:b5:b2:65:be:22:26:a5:d0:7e:27:54:e4:c2:2c:8a:3b:6c:
75:19:93:d0:1d:e6:1e:8e:47:68:f5:0c:bd:d3:37:c2:5e:b7:
13:4c:e9:5e:b2:9a:e2:29:5d:7f:14:bc:cc:86:58:4b:50:64:
0b:34:ba:f9:14:d1:20:90:4b:6e:1c:db:8d:91:14:7d:04:ed:
f9:94:c9:8b:34:a6:90:5d:71:96:43:ce:99:22:ca:e0:9c:bc:
f5:10:56:5a:a3:0c:f4:61:37:e1:fa:d7:83:f3:8f:d4:42:25:
27:23:20:a7
-----BEGIN CERTIFICATE-----
[... base64 certificate body not shown ...]
-----END CERTIFICATE-----
And yes, you could do that as a single command pipeline:
$ openssl s_client -connect smtp.comcast.net:465 -tls1_2 |
openssl x509 -in /dev/stdin -text
[... duplicate output not shown ...]
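As an added example (not from the original page), the following extracts the fields worth checking from openssl x509 -text output and tests whether a hostname is covered by the certificate's Subject Alternative Name list, which is the check s_client does not do for you. The decoded certificate it parses is the one above, trimmed to the lines used; mail.example.com and the wildcard names are placeholders.

```sh
#!/bin/sh
# Added example (not from the original page): pull the facts that matter
# out of "openssl x509 -text" output and check name and expiry.

# cert_field LABEL: first value after "LABEL :" in x509 -text output on stdin.
cert_field() {
    sed -n "s/^ *$1 *: *//p" | head -n 1
}

# cert_sans: DNS names from the Subject Alternative Name extension, one per
# line. The names are on the line following the extension header.
cert_sans() {
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}

# cert_summary: one line with signature algorithm, key size, expiry and SANs.
cert_summary() {
    text=$(cat)
    sigalg=$(printf '%s\n' "$text" | cert_field 'Signature Algorithm')
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    notafter=$(printf '%s\n' "$text" | cert_field 'Not After')
    sans=$(printf '%s\n' "$text" | cert_sans | tr '\n' ',' | sed 's/,$//')
    echo "sigalg=$sigalg key_bits=$bits not_after=$notafter sans=$sans"
}

# san_matches HOST: read SAN names on stdin, exit 0 if one covers HOST.
# A wildcard covers exactly one label (RFC 6125 section 6.4.3), so
# *.example.com matches mail.example.com but not a.b.example.com.
san_matches() {
    host=$1
    while IFS= read -r san; do
        case "$san" in
            "$host") return 0 ;;
            \*.*)
                if [ "${host#*.}" = "${san#\*.}" ] && [ "${host%%.*}" != "$host" ]; then
                    return 0
                fi ;;
        esac
    done
    return 1
}

# fetch_cert_text HOST PORT: the live version. -noout stops x509 from echoing
# the PEM block again after the decoded text. x509 reads only the first PEM
# block it sees, which is the server's own certificate.
fetch_cert_text() {
    case "$2" in 465) mode="" ;; *) mode="-starttls smtp" ;; esac
    openssl s_client -connect "$1:$2" -servername "$1" $mode </dev/null 2>/dev/null \
        | openssl x509 -noout -text
}

# cert_expiring_within DAYS: with a PEM certificate on stdin, exit 0 if it
# expires within DAYS days. -checkend exits non-zero when it will, so invert.
cert_expiring_within() {
    ! openssl x509 -noout -checkend $(( $1 * 86400 ))
}

# Constructed sample: the decoded certificate from this page, trimmed.
sample_x509() {
cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA
        Validity
            Not Before: Oct 10 00:00:00 2016 GMT
            Not After : Oct 10 23:59:59 2018 GMT
        Subject: C=US, ST=PA, L=Philadelphia, O=Comcast Corporation, CN=smtp.comcast.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:smtp.comcast.net, DNS:smtp.xfinity.com
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

sample_x509 | cert_summary
sample_x509 | cert_sans | san_matches smtp.xfinity.com && echo "smtp.xfinity.com: name matches"
# Live use, e.g.:
#   fetch_cert_text mail.example.com 587 | cert_summary
#   openssl s_client -connect mail.example.com:465 </dev/null 2>/dev/null \
#       | cert_expiring_within 30 && echo "renew soon"
```

The expiry check is the one to put in cron: a certificate that silently lapses turns every STARTTLS peer that verifies certificates into a delivery failure.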