
Wednesday, March 27, 2013

Turning off opportunistic client TLS in sendmail

It appears that sendmail, during mail delivery, tries TLS if the receiving server offers it. Fair enough, I can perhaps send over an encrypted channel, so I am going to try. Sounds harmless, right? Wrong.

See the following SMTP dialog:

... Connecting to mail.snafu.com. via esmtp...
220 mhnicosi-unix.fubar.it ESMTP
>>> EHLO mx1.example.it
250-mhnicosi-unix.fubar.it
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME

>>> STARTTLS
220 2.0.0 Ready to start TLS
EHLO mx1.example.it
... Deferred: Connection reset by mail.snafu.com.
Closing connection to mail.snafu.com.

See the problem here? The receiving server shuts down the connection, possibly because it is not prepared to negotiate TLS with our server; sendmail queues the message and, on the next delivery attempt, goes through the same motions in perpetuum.

I got the solution from this post by Mike Berggren. Basically, put either

  • Try_TLS: No

(global) or

  • Try_TLS:[host designation] NO

(per host) into /etc/mail/access.

Mike points out that adding the M=S flag to the CLIENT_OPTIONS macro in sendmail.mc has the same (global) effect:

  • CLIENT_OPTIONS(`Family=inet, M=S, Addr=1.2.3.4')dnl

I did not try that, though, as the first solution works well enough, and my sendmail.mc does not use the CLIENT_OPTIONS macro anyway.
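To see which peers actually exhibit this failure before touching the access map, here is an added Python example (not from the post or from sendmail) that scans a sendmail -v style transcript for a STARTTLS that is accepted and then followed by a connection reset, and emits the matching per-host Try_TLS entries. The transcript is a constructed sample built from the dialog quoted above, with one invented peer (mail.fine.example) that completes the handshake.

```python
import re

# Constructed sample transcript in sendmail -v style, modelled on the dialog
# quoted in the post; mail.fine.example is an invented peer that completes
# the TLS handshake, so it must not be flagged.
SAMPLE_LOG = """\
... Connecting to mail.snafu.com. via esmtp...
220 mhnicosi-unix.fubar.it ESMTP
>>> EHLO mx1.example.it
250 STARTTLS
>>> STARTTLS
220 2.0.0 Ready to start TLS
... Deferred: Connection reset by mail.snafu.com.
Closing connection to mail.snafu.com.
... Connecting to mail.fine.example. via esmtp...
220 mail.fine.example ESMTP
>>> EHLO mx1.example.it
250 STARTTLS
>>> STARTTLS
220 2.0.0 Ready to start TLS
>>> EHLO mx1.example.it
250 mail.fine.example
"""

CONNECT_RE = re.compile(r"^\.\.\. Connecting to ([\w.-]+?)\.? via ")
RESET_RE = re.compile(r"^\.\.\. Deferred: Connection reset by ")

def find_starttls_resets(transcript):
    """Return the peers that dropped the connection after accepting STARTTLS
    but before the post-handshake EHLO, i.e. the failure the post describes."""
    broken = set()
    host, in_handshake = None, False
    for line in transcript.splitlines():
        m = CONNECT_RE.match(line)
        if m:                               # new delivery attempt
            host, in_handshake = m.group(1), False
        elif line.startswith(">>> STARTTLS"):
            in_handshake = True
        elif line.startswith(">>> EHLO") and in_handshake:
            in_handshake = False            # EHLO over TLS: handshake succeeded
        elif in_handshake and host and RESET_RE.match(line):
            broken.add(host)
    return broken

def access_entries(hosts):
    """Per-host Try_TLS lines for /etc/mail/access; the global 'Try_TLS: No'
    would turn client TLS off for every peer, so prefer these."""
    return [f"Try_TLS:{h} NO" for h in sorted(hosts)]
```

After appending the entries to /etc/mail/access, rebuild the map with makemap hash /etc/mail/access < /etc/mail/access so sendmail picks them up.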
