
Configure Sendmail for SMTP over TLS


We want Sendmail to transfer mail through SMTP over TLS whenever possible for multiple security reasons. The obvious advantage is confidentiality.

The less obvious advantage for most people is authentication, ideally mutual authentication.

You also get integrity, protection against malicious modification of the data stream.

Yes, TLS and not SSL

We might use "SSL" as a generic term, but the actual protocol we want to use is TLS and not literally SSL.

Why the concern? A series of vulnerability discoveries from 2011 through 2014 clearly showed that all versions of SSL have fundamental insecurities that cannot be fixed by patching or configuring workarounds.

Do not use SSL, use TLS.

I have quite a bit of background on my dedicated SSL/TLS Security page. Have a look at it to find links to the research papers and vulnerability announcements explaining all this in detail.

SSL/TLS Background, Vulnerabilities and Updates

Using TLS With Sendmail

Above are the reasons for using TLS, and being careful in precisely how you use it. Now, as for using TLS with Sendmail...

Many of my web pages have started as my notes. I like figuring out how to do things. But I do not like having to do that a second time! So, I have found web pages to be convenient ways of organizing my how-to notes.

Great news: There are now some fantastic how-to documents with far more detail, and far more vetting by the community at large. I no longer need to maintain this page as my notes on how to generate key pairs, generate digital certificates if appropriate, and modify the or configuration files. See this page:

Sendmail-SMTP-AUTH-TLS Howto

That page describes building and installing openssl, cyrus-sasl, and sendmail from source, with specific older versions explicitly coded into the commands.

Use the packages included with your operating system distribution. Skip the compiling and installing steps, jumping ahead to where it has you creating certificates with the openssl command.

Then configure sendmail through the macro file.

Enable it as a service. For the past several years on Linux that has meant using systemctl, rather than the manual creation of symbolic links that page describes.

Then configure and enable saslauthd, the SASL authentication daemon.

Now, back to something I can contribute!

Testing Your Server

SMTP/S or SMTP over TLS uses TCP port 465, rather than SMTP's port 25. TCP/465 is another port you may need to open on one or more firewalls.

The following gets into command-line testing and analysis. Maybe that's what you want! But maybe you want an easy-to-use web page, a testing dashboard.

Testing STARTTLS Support Within SMTP

This first test will very likely fail if you are trying to test your work server from home. Many Internet service providers block TCP/25 traffic from customers, because almost all of that would be spam sent from infected Windows computers in people's homes and small businesses.

But within your organization, or on the server itself, you could try using telnet to connect to TCP port 25 on the server. Send over ehlo, the "extended HELO", and see if Authentication and STARTTLS are announced. Look for something like the following, where my typing is in bold. This server supports STARTTLS but not AUTH over SMTP.
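What to look for in the EHLO reply, as an added example that is not part of the original page: parse_ehlo() reads the multi-line reply the way you would read it in the telnet session, and probe() is a hypothetical helper that repeats the check live and upgrades with STARTTLS. The sample reply and the example.com names are constructed.

```python
import smtplib
import ssl
import sys

# Constructed sample of a multi-line EHLO reply (not captured from a real server).
SAMPLE_EHLO_REPLY = """\
250-mail.example.com Hello client.example.com, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 36700160
250-STARTTLS
250 HELP
"""


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for the extensions listed in an EHLO reply."""
    extensions = {}
    for i, line in enumerate(ln for ln in reply.splitlines() if ln.strip()):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " ", ""):
            raise ValueError(f"unexpected reply line: {line!r}")
        words = rest.split()
        if i > 0 and words:  # line 0 is the greeting, not an extension
            extensions[words[0].upper()] = words[1:]
        if sep != "-":  # "250 " (space, not hyphen) marks the final line
            break
    return extensions


def probe(host, port=25, timeout=10):
    """Live check (hypothetical helper): EHLO, upgrade with STARTTLS, report the result."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result = {"starttls": smtp.has_extn("starttls")}
        if result["starttls"]:
            # The default context verifies the certificate chain and host name,
            # so a self-signed or mismatched certificate raises ssl.SSLError here.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # extensions must be re-read after the TLS upgrade
            result["tls_version"] = smtp.sock.version()
            result["cipher"] = smtp.sock.cipher()[0]
        result["auth"] = smtp.esmtp_features.get("auth", "").split()
        return result


if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_ehlo(SAMPLE_EHLO_REPLY))
```

Run it with no argument to parse the constructed sample, or with a host name to probe a server you administer on TCP port 25.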

Testing SMTPS Connections To Your Server

You can use the openssl command to connect to your server with SMTP over TLS. The following asks for a TLS v1.2 connection to my ISP's outbound SMTP server. Change the final option to -tls1 or -tls1_1 to test connection with TLS v1.0 or 1.1, respectively:

We see that the connection used ECDHE-RSA-AES256-GCM-SHA384. That is:

Key exchange uses Elliptic Curve Diffie-Hellman Ephemeral.

Authentication uses RSA.

Encryption uses AES in Galois Counter Mode with a 256-bit key.

MAC or Message Authentication Code (for sender authentication plus message integrity) uses SHA-2-384.

Interpreting The Server's Certificate

Save the output in a file and then ask openssl to decode and display the certificate details.

For this example, we see that the mail server has a 2048-bit RSA key, wrapped in a digital certificate signed by Comodo with SHA-2-256 and RSA.

And yes, you could do that as a single command pipeline:

# mail.example.com:465 is a placeholder; substitute your own server and port
$ openssl s_client -connect mail.example.com:465 -tls1_2 |
	openssl x509 -in /dev/stdin -text
[... duplicate output not shown ...]

STARTTLS Everywhere

Check out the STARTTLS Everywhere project using Let's Encrypt free TLS digital certificates.

STARTTLS Everywhere Let's Encrypt

Going Deeper

Opportunistic TLS is an extension to plaintext protocols including SMTP, IMAP, and POP3. It's defined by RFC 3207. Other RFCs define TLS v1.1, TLS v1.2, and TLS v1.3.

Opportunistic TLS
RFC 3207: SMTP Service Extension for Secure SMTP over TLS
RFC 4346: TLS version 1.1
RFC 5246: TLS version 1.2
TLS version 1.3
