Recipe 8.8 Requiring Inbound Encryption

Problem

You have been asked to configure sendmail to require that the connection is satisfactorily encrypted before accepting mail from specified hosts.

Solution

All configurations require OpenSSL, as described in the Introduction. If your system does not have a basic setup, begin there.

Specify the level of encryption required for inbound connections using a TLS_Clt: entry in the access database. The key field of each entry is the tag TLS_Clt: followed by the domain name or IP address of the remote TLS client that will initiate the connection. The return value should contain the keyword ENCR: followed by the number of bits of encryption required before accepting a connection from the specified remote host.

Add the STARTTLS defines and the access_db feature to the sendmail configuration. Here are sample additions to the configuration:

 dnl Point to the CA certificate directory
 define(`confCACERT_PATH', `/etc/mail/certs')
 dnl Point to the root CA's certificate
 define(`confCACERT', `/etc/mail/certs/cacert.pem')
 dnl Point to the certificate used for inbound connections
 define(`confSERVER_CERT', `/etc/mail/certs/cert.pem')
 dnl Point to the private key used for inbound connections
 define(`confSERVER_KEY', `/etc/mail/certs/key.pem')
 dnl Point to the certificate used for outbound connections
 define(`confCLIENT_CERT', `/etc/mail/certs/cert.pem')
 dnl Point to the private key used for outbound connections
 define(`confCLIENT_KEY', `/etc/mail/certs/key.pem')
 dnl Enable the access database
 FEATURE(`access_db')

Follow the example in Recipe 1.8 to build the new sendmail.cf file, install it, and restart sendmail.

Discussion

The TLS_Clt: access database entry uses the same format as the TLS_Srv: entry covered in the Discussion of Recipe 8.7. All of the fields described for the TLS_Srv: entry (name, requirement, TEMP+, and PERM+) are used in exactly the same way for the TLS_Clt: entry. The difference is that the TLS_Clt: entry is used by the server to check for any special requirements before accepting mail from the client. The name field of the TLS_Clt: entry defines the domain name or IP address of the remote TLS client. When the name or address of a client matches a TLS_Clt: entry, the requirement field of the entry defines the conditions imposed on the client before mail is accepted. A sample TLS_Clt: entry is:

 TLS_Clt:rodent.wrotethebook.com     ENCR:168 

This entry tells sendmail that a connection from rodent.wrotethebook.com must be encrypted with at least 168-bit encryption. If it isn't, mail from the client is rejected, as this test from the client rodent shows:

 # sendmail -Am -v -t
 To: craig@chef.wrotethebook.com
 From: craig@rodent.wrotethebook.com
 Subject: Test the TLS_Clt: entry
 Ctrl-D
 craig@chef.wrotethebook.com... Connecting to chef.wrotethebook.com. via esmtp...
 220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
 >>> EHLO rodent.wrotethebook.com
 250-chef.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-EXPN
 250-VERB
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH DIGEST-MD5 CRAM-MD5
 250-STARTTLS
 250-DELIVERBY
 250 HELP
 >>> STARTTLS
 220 2.0.0 Ready to start TLS
 >>> EHLO rodent.wrotethebook.com
 250-chef.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-EXPN
 250-VERB
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH DIGEST-MD5 CRAM-MD5
 250-DELIVERBY
 250 HELP
 >>> MAIL From:<craig@rodent.wrotethebook.com>
 403 4.7.0 encryption too weak 56 less than 168
 craig@chef.wrotethebook.com... Deferred: 403 4.7.0 encryption too weak 56 less than 168
 Closing connection to chef.wrotethebook.com.
 >>> QUIT
 221 2.0.0 chef.wrotethebook.com closing connection

In this test, the error message "encryption too weak" is the response to the client's MAIL From: command. The server checks the access database TLS_Clt: entries in the tls_client ruleset. That ruleset is called at two different points in the SMTP protocol exchange: first when the STARTTLS command is received, and again when the MAIL From: command is received. Each time it is called, the tls_client ruleset is passed the value of the ${verify} macro, the literal $|, and the keyword STARTTLS or MAIL, depending on which command triggered the call.

The tls_client ruleset is very similar to the tls_server ruleset described in Recipe 8.7. tls_client first uses ruleset D to look for a TLS_Clt: entry that matches the value found in ${client_name}. If no match is found, it uses ruleset A to look for a TLS_Clt: entry that matches the address in the ${client_addr} macro. If there is still no match, tls_client looks for a TLS_Clt: entry with a blank name field. For a connection from a client named foo.bar.example.com with the IP address 192.168.23.45, tls_client would perform the following lookups, in this order, until a match was found:

 TLS_Clt:foo.bar.example.com
 TLS_Clt:bar.example.com
 TLS_Clt:example.com
 TLS_Clt:com
 TLS_Clt:192.168.23.45
 TLS_Clt:192.168.23
 TLS_Clt:192.168
 TLS_Clt:192
 TLS_Clt:

tls_client then calls TLS_connection and passes it whatever it obtained from the access database. The TLS_connection ruleset checks whether the connection meets the requirements defined by the matching TLS_Clt: record.
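The lookup order listed above and the ENCR: check that produced the "encryption too weak" deferral in the test session are easy to misjudge when writing access entries (a broad entry such as TLS_Clt:192.168 is only consulted after every domain-name form has missed). The following Python model, added here as an illustration and not part of the book or of sendmail's own rulesets, reproduces both steps: it parses a constructed access file in the TLS_Clt: format shown in the recipe, generates the sequence of keys tls_client would try for a given client name and address, and applies an ENCR:<bits> requirement the way TLS_connection does. It assumes the negotiated cipher strength is supplied as an integer (the value sendmail would take from ${cipher_bits}) and models only the ENCR: keyword, not VERIFY: or the TEMP+/PERM+ fields.

```python
"""Model of sendmail's tls_client lookup order and ENCR: check.

Added example; this is not sendmail's own code. The access map is taken
from constructed /etc/mail/access text and the cipher strength is passed
in as an integer standing in for ${cipher_bits}.
"""
import re

# Constructed sample access file, in the TLS_Clt: format used in this recipe.
SAMPLE_ACCESS = """\
# constructed example entries (not a real site's access file)
TLS_Clt:rodent.wrotethebook.com     ENCR:168
TLS_Clt:example.com                 ENCR:128
TLS_Clt:192.168                     ENCR:56
"""


def parse_access(text):
    """Parse 'key <whitespace> value' lines into a dict, skipping comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0].lower()          # access map keys are matched case-insensitively
        value = parts[1] if len(parts) > 1 else ""
        entries[key] = value
    return entries


def lookup_keys(client_name, client_addr):
    """Keys tried in order: the client name and each parent domain (ruleset D),
    then the address and each shorter dotted prefix (ruleset A), then the
    blank-name entry."""
    keys = []
    labels = client_name.lower().split(".")
    for i in range(len(labels)):
        keys.append("tls_clt:" + ".".join(labels[i:]))
    octets = client_addr.split(".")
    for i in range(len(octets), 0, -1):
        keys.append("tls_clt:" + ".".join(octets[:i]))
    keys.append("tls_clt:")
    return keys


def find_requirement(access_map, client_name, client_addr):
    """Return (matching key, requirement) for the first key that exists,
    or (None, None) when no TLS_Clt: entry applies to this client."""
    for key in lookup_keys(client_name, client_addr):
        if key in access_map:
            return key, access_map[key]
    return None, None


def check_encryption(requirement, cipher_bits):
    """Apply an ENCR:<bits> requirement as TLS_connection would.

    Returns None when the connection is acceptable, otherwise the text of
    the 403 reply sendmail sends in response to MAIL From:.
    """
    if requirement is None:
        return None                     # no entry: no special requirement
    m = re.fullmatch(r"ENCR:(\d+)", requirement.strip())
    if not m:
        raise ValueError("only ENCR:<bits> is modelled here: " + requirement)
    required = int(m.group(1))
    if cipher_bits < required:
        return "403 4.7.0 encryption too weak %d less than %d" % (cipher_bits, required)
    return None


if __name__ == "__main__":
    access = parse_access(SAMPLE_ACCESS)
    # The session in the recipe: rodent connects with a 56-bit cipher.
    key, req = find_requirement(access, "rodent.wrotethebook.com", "192.168.0.3")
    print("matched", key, "->", req)
    print(check_encryption(req, 56) or "accepted")
    for k in lookup_keys("foo.bar.example.com", "192.168.23.45"):
        print(k)
```

Running it against the recipe's client reproduces the deferral text from the test session; the printed key list is the same nine lookups shown above. Because the domain-name walk runs before the address walk, a host whose reverse lookup yields a name matching a broader domain entry gets that entry's requirement even when a more specific address entry exists.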

The m4 macro LOCAL_TLS_CLIENT provides a hook into the tls_client ruleset. Use the macro to add custom sendmail.cf rewrite rules to the beginning of the tls_client process.

See Also

Recipe 8.7 and Recipe 8.9 cover related access database entries. In particular, VERIFY: is an alternative action keyword that can be used to implement this recipe; see Recipe 8.9 for details on the VERIFY: keyword. Recipe 8.5 and Recipe 8.6 also describe how the access database is used with STARTTLS. The STARTTLS recipe upon which this recipe is built is covered in Recipe 8.4. The sendmail book covers the use of the access database with STARTTLS in Section 10.10.8.



sendmail Cookbook, by Craig Hunt. ISBN: 0596004710. Year: 2005. Pages: 178.
