Bug 101174 - enable starttls in config
Summary: enable starttls in config
Alias: None
Product: Red Hat Linux Beta
Classification: Retired
Component: sendmail
Version: beta1
Hardware: i386 Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: David Lawrence
Depends On:
Blocks: CambridgeTarget
Reported: 2003-07-29 19:55 UTC by Christopher McCrory
Modified: 2005-10-31 22:00 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-06-14 12:42:21 UTC


Description Christopher McCrory 2003-07-29 19:55:17 UTC
Description of problem:

sendmail has starttls crypto support, yea!
not enabled, nay!

Version-Release number of selected component (if applicable):

How reproducible:
anytime sendmail talks to another tls enabled mail server

Steps to Reproduce:
1. install sendmail
2. send mail to tls enabled mail server
Actual results:
 echo test| /usr/sbin/sendmail teststarttl@clemson.edu

Jul 29 12:49:18 morticia sendmail[23793]: h6TJnHbS023793:
to=teststarttl@clemson.edu, ctladdr=chrismcc (500/500), delay=00:00:01,
xdelay=00:00:01, mailer=relay, pri=30005, relay=[] [],
dsn=2.0.0, stat=Sent (h6TJnHsd023794
Message accepted for delivery)
Jul 29 12:49:19 morticia sendmail[23796]: STARTTLS=client,
relay=mail.clemson.edu., version=TLSv1/SSLv3, verify=FAIL,
cipher=DHE-RSA-AES256-SHA, bits=256/256

Expected results:

[chrismcc@morticia mail]$ diff sendmail.mc.redhat sendmail.mc -u
--- sendmail.mc.redhat  2003-07-29 12:50:10.000000000 -0700
+++ sendmail.mc 2003-07-29 12:50:23.000000000 -0700
@@ -46,8 +46,8 @@
 dnl # Rudimentary information on creating certificates for sendmail TLS:
 dnl #     make -C /usr/share/ssl/certs usage
 dnl #
-dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
-dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
 dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
 dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
 dnl #
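Review bot: the hunk header "@@ -46,8 +46,8 @@" says both sides are eight lines long, but only the two "-dnl define(...)" lines are shown with no "+" counterparts, so as displayed the patch deletes the confCACERT_PATH and confCACERT defines instead of uncommenting them; the two "+define(...)" lines (same content without the leading "dnl", which is the m4 comment marker) need to be present for the change to be reviewed as intended. Worth noting in the mc comment above the defines that they only supply the CA bundle sendmail uses to validate the peer's chain, which is what turns the logged "verify=FAIL" into "verify=OK"; as the reporter's Additional info says, sendmail always attempts TLS and the verify result is informational, so this change does not make delivery depend on a verified certificate.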

[chrismcc@morticia mail]$ sudo make sendmail.cf

[chrismcc@morticia mail]$ sudo /sbin/service sendmail restart

echo test| /usr/sbin/sendmail teststarttl@clemson.edu

Jul 29 12:51:48 morticia sendmail[23896]: STARTTLS=client,
relay=mail.clemson.edu., version=TLSv1/SSLv3, verify=OK,
cipher=DHE-RSA-AES256-SHA, bits=256/256

Additional info:

note the 'verify=OK'

sendmail will _always_ try tls if the other server supports it. it will try to
verify the cert, but it has no CA data to use (ca-bundle.crt) so it will always

make sense?

Same for Taroon; should I make another bug?

Comment 1 Chris Ricker 2003-07-31 20:47:06 UTC
I'm as eager as anyone to see STARTTLS adopted universally, but I'm not sure
enabling this by default is a good idea yet. There are a lot of broken ESMTP
servers out there, and this does cause problems with some of them....

For example, MS Exchange 5.5 (still widely used, unfortunately) out of the box
as a server advertises STARTTLS support, even when TLS is not configured /
enabled. When the sendmail client connects, it will naturally try to negotiate,
fail, and go boom.

I enable STARTTLS both client-side and server-side on all my SMTP servers, but I
know to monitor the logs and to whitelist (or blacklist, depending on your point
of view ;-) the servers which advertise STARTTLS even though they don't actually
support it. I don't know that it's reasonable to expect everyone using RH to
have to do the same, or even to know to do the same....
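Comment 1 recommends watching the logs for relays that advertise STARTTLS but cannot complete it, and the report above shows what sendmail's STARTTLS= lines look like with and without CA data. The following is an added example, not code from the bug report or the sendmail package: a small Python parser that rejoins wrapped syslog lines, extracts the verify= and bits= fields, and summarizes outcomes per relay. The sample log is constructed from the report's two sessions plus an invented mx.example.test relay with an export-grade cipher.

```python
import re
from collections import defaultdict

# Constructed sample: the two client sessions from the bug report plus one
# extra relay (mx.example.test, invented) negotiating an export-grade cipher.
SAMPLE_LOG = """\
Jul 29 12:49:19 morticia sendmail[23796]: STARTTLS=client,
relay=mail.clemson.edu., version=TLSv1/SSLv3, verify=FAIL,
cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 29 12:51:48 morticia sendmail[23896]: STARTTLS=client,
relay=mail.clemson.edu., version=TLSv1/SSLv3, verify=OK,
cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 29 13:02:07 morticia sendmail[23990]: STARTTLS=client, relay=mx.example.test., version=TLSv1/SSLv3, verify=NO, cipher=EXP-RC4-MD5, bits=40/128
"""

# A line that does not begin with a syslog timestamp continues the record above.
TS = r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d "
STARTTLS_RE = re.compile(r"STARTTLS=(client|server), (.*)$")


def parse_starttls_entries(log_text):
    """Return one dict per STARTTLS= entry; wrapped syslog lines are rejoined."""
    joined = re.sub(r"\n(?!" + TS + ")", " ", log_text)
    results = []
    for entry in joined.splitlines():
        m = STARTTLS_RE.search(entry)
        if m:
            fields = {"role": m.group(1)}
            for kv in m.group(2).split(", "):      # "key=value" pairs
                key, _, val = kv.partition("=")
                fields[key.strip()] = val.strip()
            results.append(fields)
    return results


def summarize_by_relay(entries, min_bits=128):
    """Per outbound relay: verify=OK/FAIL counts and sessions below min_bits."""
    summary = defaultdict(lambda: {"OK": 0, "FAIL": 0, "other": 0, "weak": 0})
    for e in entries:
        if e.get("role") != "client":             # only sessions where we verify the peer
            continue
        rec = summary[e.get("relay", "?").rstrip(".")]
        verify = e.get("verify", "")
        rec[verify if verify in ("OK", "FAIL") else "other"] += 1
        bits = e.get("bits", "0/0").split("/")[0]  # "40/128" -> effective key bits
        if bits.isdigit() and int(bits) < min_bits:
            rec["weak"] += 1
    return dict(summary)


def relays_to_review(summary):
    """Relays that ever failed verification or used a weak cipher."""
    return sorted(r for r, c in summary.items() if c["FAIL"] or c["weak"])
```

Run it over /var/log/maillog to see which peers need a closer look before deciding whether to keep attempting TLS to them.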

Comment 2 Aleksey Nogin 2003-07-31 20:53:44 UTC
Is it possible to have sendmail just be tolerant of such broken servers? E.g.
give up on TLS when things go wrong, but not give up on transmission?

Comment 3 Christopher McCrory 2003-07-31 21:15:41 UTC
Chris, can you supply an example of a broken Exchange server (off bugzilla if
need be)? The only problems I've seen are FAIL with fallback to non-TLS.

Comment 4 Florian La Roche 2003-12-11 14:04:09 UTC
We need a better infrastructure to set up certs within Red Hat.
Newest rpm at http://people.redhat.com/laroche/sendmail* has some
script, but we need more of this.


Florian La Roche

Comment 6 Thomas Woerner 2004-06-14 12:42:21 UTC
Fixed since 8.12.10-3.
