Problem

By default, a sendmail system configured to run STARTTLS issues the STARTTLS command to any remote host that advertises STARTTLS in its response to the EHLO command. You have been asked to prevent sendmail from using the STARTTLS protocol extension when communicating with selected remote hosts.

Solution

Make sure your system meets the basic OpenSSL and STARTTLS configuration requirements described in this chapter's Introduction and in Chapter 1.

Add Try_TLS: entries to the access database to identify the remote sites for which STARTTLS should be disabled. The format of the Try_TLS: record is:

    Try_TLS:name    NO

Try_TLS: is the required tag value. name is the hostname, domain name, or IP address of the remote site. NO is the required return value.

Add the access_db feature and the STARTTLS defines to the sendmail configuration:

    dnl Point to the CA certificate directory
    define(`confCACERT_PATH', `/etc/mail/certs')
    dnl Point to the root CA's certificate
    define(`confCACERT', `/etc/mail/certs/cacert.pem')
    dnl Point to the certificate used for inbound connections
    define(`confSERVER_CERT', `/etc/mail/certs/cert.pem')
    dnl Point to the private key used for inbound connections
    define(`confSERVER_KEY', `/etc/mail/certs/key.pem')
    dnl Point to the certificate used for outbound connections
    define(`confCLIENT_CERT', `/etc/mail/certs/cert.pem')
    dnl Point to the private key used for outbound connections
    define(`confCLIENT_KEY', `/etc/mail/certs/key.pem')
    dnl Enable the access database
    FEATURE(`access_db')

Using the guidance in Recipe 1.8, rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail, and restart sendmail.

Discussion

Here are sample Try_TLS: entries that prevent STARTTLS from being used with two different remote hosts:

    Try_TLS:example.com               NO
    Try_TLS:server.wrotethebook.org   NO

Given these Try_TLS: entries, TLS is not used when connecting to the TLS server server.wrotethebook.org or when connecting to any STARTTLS server in the example.com domain.

Try_TLS: records are processed by the try_tls ruleset, which the client calls just before it issues the STARTTLS command. try_tls first uses ruleset D to look for a Try_TLS: record that matches the hostname or domain name returned by ${server_name}. If no match is found, it uses ruleset A to look for a Try_TLS: record that matches the IP address returned by ${server_addr}. If still no match is found, the STARTTLS command is issued. If a match is found that returns the value NO, the connection is terminated with a permanent failure. The LOCAL_TRY_TLS macro provides a hook into the try_tls ruleset for your own custom rewrite rules.

Try_TLS: entries apply only to outbound connections, which are a client function. See Recipe 8.12 for an example of using the SRV_Features: entry to control the TLS server functions offered on inbound connections.

See Also

Recipe 8.4 explains the STARTTLS defines used in this configuration. Recipe 8.5 to Recipe 8.10 show examples of using the access database with STARTTLS. The sendmail book covers ${server_addr} in Section 21.9.83, ${server_name} in Section 21.9.84, and Try_TLS: records in Section 10.10.8.4.
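To make the lookup order described in the Discussion concrete, here is an added Python model (not code from the sendmail Cookbook or from sendmail itself) of how try_tls consults Try_TLS: entries: the hostname and then each of its parent domains (ruleset D), and only if those miss, the IP address and then its shorter leading-octet prefixes (ruleset A). The access-file contents, including the extra 192.168.1 entry, are constructed for the example, and IPv4 addresses are assumed.

```python
# Added example: a Python model of the try_tls lookup order, not sendmail code.
TAG = "try_tls"   # access-map keys are compared case-insensitively

# Constructed access-file contents: the two entries from the recipe plus an
# IP-prefix entry (192.168.1) added for illustration.
ACCESS_FILE = """\
# key<TAB>value, the form fed to makemap
Try_TLS:example.com\tNO
Try_TLS:server.wrotethebook.org\tNO
Try_TLS:192.168.1\tNO
"""

def parse_access(text):
    """Return {key: value} for the non-comment lines of an access file."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        db[key.lower()] = value.strip()
    return db

def lookup_domain(db, server_name):
    """Ruleset D: try the full hostname, then each parent domain."""
    labels = server_name.lower().split(".")
    for i in range(len(labels)):
        value = db.get(f"{TAG}:{'.'.join(labels[i:])}")
        if value is not None:
            return value
    return None

def lookup_address(db, server_addr):
    """Ruleset A: try the full IPv4 address, then strip trailing octets."""
    octets = server_addr.split(".")
    for n in range(len(octets), 0, -1):
        value = db.get(f"{TAG}:{'.'.join(octets[:n])}")
        if value is not None:
            return value
    return None

def try_tls(db, server_name, server_addr):
    """True when the client should issue STARTTLS; False when a NO entry matches."""
    value = lookup_domain(db, server_name)
    if value is None:                      # no name match: fall back to the IP
        value = lookup_address(db, server_addr)
    return value is None or value.upper() != "NO"

if __name__ == "__main__":
    db = parse_access(ACCESS_FILE)
    for name, addr in [("server.wrotethebook.org", "10.0.0.1"),
                       ("mail.example.com", "10.0.0.2"),
                       ("mx.other.net", "192.168.1.25")]:
        print(name, addr, "STARTTLS" if try_tls(db, name, addr) else "no TLS")
```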