Recipe 8.12 Selectively Advertising STARTTLS

Problem

You have configured STARTTLS but do not want to encrypt the link for every remote host that is also configured for STARTTLS. You want to configure sendmail to offer STARTTLS only to selected hosts.

Solution

Make sure the system meets the basic OpenSSL and STARTTLS configuration requirements described in the Introduction and in Chapter 1.

Create Srv_Features: access database entries for all hosts to which STARTTLS should be advertised. The key field of each entry begins with the tag Srv_Features:, which is followed by the domain name, hostname, or IP address that identifies the connecting host. The return value of each entry is the letter s.

Add the access_db feature to the STARTTLS sendmail configuration. Here is the required FEATURE macro and sample defines:

    dnl Point to the CA certificate directory
    define(`confCACERT_PATH', `/etc/mail/certs')
    dnl Point to the root CA's certificate
    define(`confCACERT', `/etc/mail/certs/cacert.pem')
    dnl Point to the certificate used for inbound connections
    define(`confSERVER_CERT', `/etc/mail/certs/cert.pem')
    dnl Point to the private key used for inbound connections
    define(`confSERVER_KEY', `/etc/mail/certs/key.pem')
    dnl Point to the certificate used for outbound connections
    define(`confCLIENT_CERT', `/etc/mail/certs/cert.pem')
    dnl Point to the private key used for outbound connections
    define(`confCLIENT_KEY', `/etc/mail/certs/key.pem')
    dnl Enable the access database
    FEATURE(`access_db')

Following the instructions in Recipe 1.8, rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail, and restart sendmail.

Discussion

Use the Srv_Features: access database entry to control the extended SMTP features offered to connecting hosts. The return value of a Srv_Features: entry is one or more single-character flags, some of which indicate whether an extended service should be advertised. (When more than one flag is used, the individual flags are separated by whitespace.) Lowercase flags enable SMTP extensions and uppercase flags disable extensions. The s flag selectively advertises STARTTLS, and the S flag selectively blocks advertising STARTTLS. These are the flags of particular interest for this recipe. [5]

[5] All of the flags are described in Table 7-2, which is shown in the Discussion section of Recipe 7.9.

Assume that you want to limit advertising STARTTLS to only those hosts in the wrotethebook.com domain. You could do that by adding the following two entries to the access database:

    Srv_Features:wrotethebook.com             s
    Srv_Features:                             S

In this case, STARTTLS is advertised to the hosts in the wrotethebook.com domain as directed by the s flag. The S flag in the second entry prevents STARTTLS from being advertised to any other host. A blank name field in a Srv_Features: entry indicates that the entry applies to every host for which there is not a more specific Srv_Features: entry. In effect, the second entry creates a default policy for advertising STARTTLS. This second entry is necessary because the normal default is for sendmail to advertise STARTTLS whenever STARTTLS is configured. In the absence of an applicable Srv_Features: entry, the default sendmail behavior applies.

Alternatives

Changing the default sendmail behavior with a DAEMON_OPTIONS macro is an alternative to using the second Srv_Features: entry described above. You could add a DAEMON_OPTIONS macro that specifies the M=S modifier to the sendmail configuration. For example, adding the following lines to the configuration prevents sendmail from advertising STARTTLS to any connecting host:

    dnl Do not advertise STARTTLS
    DAEMON_OPTIONS(`Name=MTA, M=S')

After changing the default, you could then override the default for the hosts in the wrotethebook.com domain using a single Srv_Features: entry:

    Srv_Features:wrotethebook.com             s

This alternative approach works, but I prefer the first approach of putting both policies in the access database. I think that putting both policies in one place makes it easier for others to understand exactly what the configuration is doing.

The examples in this section assume that you want to limit advertising to selected hosts. The opposite may be true. You may wish to advertise STARTTLS to most hosts and only block advertising to specific hosts with which you are having trouble. In that case, the specific Srv_Features: entries would use the S flag. No default Srv_Features: entry would be required because the normal sendmail default is to advertise STARTTLS.
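The interaction between a specific Srv_Features: entry, the blank default entry, and the M=S daemon default is easiest to see by running a lookup by hand. The following is an added example, not code from this book or from sendmail: it models the order in which sendmail consults the access map for the Srv_Features: tag (the client hostname and each of its parent domains, the client IPv4 address and each shorter octet prefix, then the blank default entry) and reports whether STARTTLS would be advertised. The sample access file embeds the recipe's two entries plus two extra entries (legacy.wrotethebook.com and 192.168.10) that are assumed for illustration; the connecting hostnames and addresses are constructed. A daemon_default of False stands for the DAEMON_OPTIONS M=S alternative, and a table with only S entries and no default covers the inverse policy described in the last paragraph.

```python
"""Model of sendmail's Srv_Features: access-map lookup for STARTTLS.

Added example: not code from the sendmail Cookbook or from sendmail itself.
It reproduces the lookup order sendmail uses for the Srv_Features: tag so
the effect of a set of access entries can be checked offline.
"""
import ipaddress

TAG = "Srv_Features:"

# Constructed sample access file. The first and last entries are the
# recipe's own; the other two are assumed extra entries for illustration.
SAMPLE_ACCESS = """\
# access database (constructed sample)
Srv_Features:wrotethebook.com             s
Srv_Features:legacy.wrotethebook.com      S
Srv_Features:192.168.10                   s
Srv_Features:                             S
"""


def parse_srv_features(text):
    """Return {key: flags} for every Srv_Features: line in an access file.

    The key is the text after the tag, lowercased (makemap folds keys to
    lowercase by default); a bare "Srv_Features:" line yields the empty
    key, which is the default entry. The whitespace-separated flags of
    the return value are joined into one string.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key, value = fields[0], (fields[1] if len(fields) > 1 else "")
        if not key.startswith(TAG):
            continue
        table[key[len(TAG):].lower()] = "".join(value.split())
    return table


def lookup_candidates(client_name=None, client_addr=None):
    """Yield map keys in the order sendmail tries them for this tag.

    1. the client's hostname, then each parent domain (mail.a.com, a.com, com)
    2. the client's IPv4 address, then each shorter octet prefix
    3. the empty key, i.e. the default Srv_Features: entry
    """
    if client_name:
        labels = client_name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            yield ".".join(labels[i:])
    if client_addr:
        addr = ipaddress.ip_address(client_addr)
        if addr.version == 4:  # IPv6 prefix matching is out of scope here
            octets = str(addr).split(".")
            for n in range(len(octets), 0, -1):
                yield ".".join(octets[:n])
        else:
            yield str(addr)
    yield ""


def advertises_starttls(table, client_name=None, client_addr=None,
                        daemon_default=True):
    """Decide whether STARTTLS is advertised to this client.

    Returns (advertised, matched_key); matched_key is None when no entry
    applied. daemon_default is True for an ordinary STARTTLS setup and
    False when the daemon runs with DAEMON_OPTIONS(`Name=MTA, M=S').
    Only the first matching entry is consulted: a specific entry that
    carries no s or S flag does not fall through to the blank default.
    """
    for key in lookup_candidates(client_name, client_addr):
        if key in table:
            flags = table[key]
            if "s" in flags:
                return True, key
            if "S" in flags:
                return False, key
            return daemon_default, key
    return daemon_default, None


if __name__ == "__main__":
    policy = parse_srv_features(SAMPLE_ACCESS)
    for name, addr in [("mail.wrotethebook.com", "10.0.0.5"),
                       ("legacy.wrotethebook.com", "10.0.0.6"),
                       ("smtp.example.net", "192.168.10.7"),
                       ("smtp.example.net", "203.0.113.9")]:
        offered, key = advertises_starttls(policy, name, addr)
        verdict = "yes" if offered else "no"
        print(f"{name:26} {addr:14} STARTTLS={verdict:3} via {key!r}")
```

Run stand-alone, the script prints one verdict per constructed client: the wrotethebook.com host is offered STARTTLS through the domain entry, the legacy host is refused by its more specific entry, the 192.168.10 client is offered it through the address prefix, and the last client falls to the blank default and is refused. On the real system the same keys can be checked against the compiled map from sendmail's address test mode (sendmail -bt) with the /map command, for example /map access Srv_Features:wrotethebook.com, after the access file has been rebuilt with makemap.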

See Also

Recipe 8.4 describes the basic STARTTLS configuration that needs to be done before this recipe is implemented. Recipe 7.9 and Recipe 8.13 provide other examples of using the Srv_Features: record. Recipe 8.5 through Recipe 8.13 show how the access database is used with STARTTLS. The sendmail book covers the Srv_Features: entry in Section 19.9.4.



sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt