Recipe 8.11 Refusing STARTTLS Service

Problem

By default, a sendmail system configured to run STARTTLS issues the STARTTLS command to any remote host that advertises STARTTLS in its response to the EHLO command. You have been asked to prevent sendmail from using the STARTTLS protocol extension when communicating with selected remote hosts.

Solution

Make sure your system meets the basic OpenSSL and STARTTLS configuration requirements described in this chapter's Introduction and in Chapter 1.

Add Try_TLS: entries to the access database to identify the remote sites for which STARTTLS should be disabled. The format of the Try_TLS: record is:

 Try_TLS:   name   NO

Try_TLS: is the required tag value. name is the hostname, domain name, or IP address of the remote site. NO is the required return value.

Add the access_db feature and the STARTTLS defines to the sendmail configuration:

 dnl Point to the CA certificate directory
 define(`confCACERT_PATH', `/etc/mail/certs')
 dnl Point to the root CA's certificate
 define(`confCACERT', `/etc/mail/certs/cacert.pem')
 dnl Point to the certificate used for inbound connections
 define(`confSERVER_CERT', `/etc/mail/certs/cert.pem')
 dnl Point to the private key used for inbound connections
 define(`confSERVER_KEY', `/etc/mail/certs/key.pem')
 dnl Point to the certificate used for outbound connections
 define(`confCLIENT_CERT', `/etc/mail/certs/cert.pem')
 dnl Point to the private key used for outbound connections
 define(`confCLIENT_KEY', `/etc/mail/certs/key.pem')
 dnl Enable the access database
 FEATURE(`access_db')

Using the guidance in Recipe 1.8, rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail , and restart sendmail.

Discussion

Here are sample Try_TLS: entries that prevent STARTTLS from being used with two different remote hosts:

 Try_TLS:example.com                 NO
 Try_TLS:server.wrotethebook.org     NO

Given these Try_TLS: entries, TLS is not used when connecting to the TLS server server.wrotethebook.org or when connecting to any STARTTLS server in the example.com domain.

Try_TLS: records are processed by the try_tls ruleset, which the client calls just before it would issue the STARTTLS command. try_tls first uses ruleset D to look for a Try_TLS: record that matches the hostname or the domain name returned by ${server_name}. If no match is found, it uses ruleset A to look for a Try_TLS: record that matches the IP address returned by ${server_addr}. If still no match is found, the STARTTLS command is issued. If a match is found that returns the value NO, the ruleset returns an error result and the client skips the STARTTLS command for that session: the message is still delivered, but over the unencrypted SMTP connection rather than being rejected. Treat a Try_TLS: NO entry as a deliberate downgrade for that destination, and use it only for peers whose STARTTLS implementation is known to be broken; because the lookup is keyed on the peer's name or address, it silently disables encryption for everything sent to that peer until the record is removed.
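The Solution's steps and the Discussion's lookup behaviour, carried through as an added shell example. This is not code from the sendmail Cookbook: it builds the Try_TLS: records, installs them into a scratch copy of the access file, rebuilds the hash map with makemap when that program is present, and shows how to ask sendmail's -bt address test mode what try_tls decides for a peer after the new access.db and sendmail.cf are in place. The host names and the 192.0.2.10 address are assumptions, the map type is assumed to be the default hash map, and the .D{macro}value syntax for setting ${server_name} and ${server_addr} in -bt mode is taken from sendmail's own documentation of address test mode.

```shell
#!/bin/sh
# Added example, not from the sendmail Cookbook: manage Try_TLS: records in
# the access database and check the resulting try_tls decision.
# Host names, addresses and paths below are assumptions for the demonstration.

# Emit one Try_TLS: record per host name, domain name or IP address given.
# Key and value are tab-separated, which is the layout makemap expects.
try_tls_entries() {
    for peer in "$@"; do
        printf 'Try_TLS:%s\tNO\n' "$peer"
    done
}

# Validate one access-file line as a Try_TLS: record: tag Try_TLS:, a
# non-empty key, and the value NO (the only value this record accepts).
check_try_tls_line() {
    case "$1" in
        Try_TLS:*) ;;
        *) return 1 ;;
    esac
    ttl_key=$(printf '%s' "$1" | sed 's/^Try_TLS:\([^[:space:]]*\).*/\1/')
    ttl_val=$(printf '%s' "$1" | sed 's/^Try_TLS:[^[:space:]]*[[:space:]]*//')
    [ -n "$ttl_key" ] && [ "$ttl_val" = "NO" ]
}

# Append Try_TLS: records for each peer to the access file named in $1,
# skipping peers that already have one, then rebuild the hash map when
# makemap is installed (makemap writes $1.db, the file sendmail reads).
disable_starttls_for() {
    access_file="$1"; shift
    for peer in "$@"; do
        # Dots in $peer match any character here; harmless for a duplicate check.
        if grep -q "^Try_TLS:$peer[[:space:]]" "$access_file" 2>/dev/null; then
            continue
        fi
        try_tls_entries "$peer" >> "$access_file"
    done
    if command -v makemap >/dev/null 2>&1; then
        makemap hash "$access_file" < "$access_file"
    fi
}

# Count Try_TLS: records in an access file; prints 0 when there are none.
count_try_tls() {
    grep -c '^Try_TLS:' "$1" || true
}

# With the new access.db and sendmail.cf installed, ask address test mode
# what try_tls decides for a peer. The .D lines set the {server_name} and
# {server_addr} macros the ruleset reads. An "error" result in the output
# means STARTTLS will be skipped for that peer; "OK" means it will be tried.
show_try_tls_decision() {
    printf '.D{server_name}%s\n.D{server_addr}%s\ntry_tls %s\n' "$1" "$2" "$1" \
        | sendmail -bt
}

# Demonstration on a scratch copy of the access file (constructed input).
demo_dir=$(mktemp -d)
demo_access="$demo_dir/access"
printf 'Connect:127.0.0.1\tRELAY\n' > "$demo_access"   # unrelated existing record
disable_starttls_for "$demo_access" example.com server.wrotethebook.org
disable_starttls_for "$demo_access" example.com        # second run adds nothing
cat "$demo_access"
echo "Try_TLS records: $(count_try_tls "$demo_access")" # 2
while IFS= read -r line; do
    case "$line" in
        Try_TLS:*) check_try_tls_line "$line" || echo "malformed: $line" ;;
    esac
done < "$demo_access"
# Only meaningful on the mail host itself, after the copy to /etc/mail:
if [ "${RUN_SENDMAIL_CHECK:-0}" = 1 ]; then
    show_try_tls_decision server.wrotethebook.org 192.0.2.10
fi
rm -rf "$demo_dir"
```

Run it as is to see the records it would add; on the mail host, point disable_starttls_for at /etc/mail/access and set RUN_SENDMAIL_CHECK=1 to confirm that try_tls now returns an error for the peer you meant to exclude and OK for everyone else. Re-run that check whenever the access file changes, since a stale access.db is the usual reason a new entry appears not to work.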

The LOCAL_TRY_TLS macro provides a hook into the try_tls ruleset for your own custom rewrite rules.

Try_TLS: entries apply only to outbound connections, which are a client function. See Recipe 8.12 for an example of using the SRV_Features: entry to control the TLS server functions offered on inbound connections.

See Also

Recipe 8.4 explains the STARTTLS defines used in this configuration. Recipe 8.5 to Recipe 8.10 show examples of using the access database with STARTTLS. The sendmail book covers ${server_addr} in Section 21.9.83, ${server_name} in Section 21.9.84, and Try_TLS: records in Section 10.10.8.4.



sendmail Cookbook
ISBN: 0596004710
Year: 2005
Authors: Craig Hunt