[plug] disabling STARTTLS in sendmail for port 25 only

Craig Ringer craig at postnewspapers.com.au
Wed Dec 3 20:57:14 WST 2003


Just in case anybody runs into this later, here's some archive food.

I've spent quite a bit of time just now looking for a way to get 
sendmail to offer STARTTLS and require AUTH on a special mail-submission 
only port, but not offer STARTTLS at all on port 25 (smtp). In other 
words, suppress STARTTLS for normal delivery, while allowing it for 
special clients on a different port.

The reason for this is that the CA certificate is self-signed, and won't 
be accepted by other MTAs or by SMTP-capable MUAs unless there is user 
intervention. As a result, we don't want them to even see TLS 
capability. OTOH, our external users _must_ be able to use TLS and 
authenticate - these users will have our CA cert installed, so they'll 
be happy with it.

The trick was simple in the end, but took a bit of finding. The usual 
commands to enable SSL in general (all in sendmail.mc):

define(`confCACERT_PATH',`')
define(`confCACERT',`/ca/cert/path/cacert.pem')
define(`confSERVER_CERT',`/cert/path/cert.pem')
define(`confSERVER_KEY', `/key/path/key.pem')

Then we allow auth methods that'll work here (LDAP auth via PAM, so 
DIGEST-MD5 is out):

TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl

Now this was the bit that took a bit of looking. We need to set a few 
options on the main smtp listener, most importantly the "S" flag:

DAEMON_OPTIONS(`Port=smtp, Name=MTA, M=ES')dnl

(E = disable ETRN, S = don't offer / disable STARTTLS)

and then run another listener:

DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

that requires authentication (a).
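As an added check that is not part of Craig's post: the script below verifies the two-listener setup from the client side by reading each listener's EHLO reply, which is where sendmail advertises STARTTLS and AUTH. The MTA listener (M=S) must not list STARTTLS; the MSA listener (M=a) must list both STARTTLS and AUTH. The EHLO transcripts embedded here are constructed samples, the hostname and port numbers are assumptions, and the live probe assumes a reachable server. One caveat the check also covers: with confAUTH_MECHANISMS set to LOGIN PLAIN, sendmail will accept those mechanisms over a cleartext connection unless confAUTH_OPTIONS includes the `p' flag, which hides them from the AUTH line until TLS is active, so the script flags plaintext mechanisms that are advertised before STARTTLS has been issued.

```python
"""Check an SMTP listener's EHLO reply against the MTA/MSA split policy:
port 25 must not advertise STARTTLS; the submission port must advertise
STARTTLS and AUTH, and should not offer PLAIN/LOGIN over cleartext.

Added example, not code from the original post.  The transcripts below are
constructed; the live probe assumes a reachable host (an assumption)."""
import smtplib

# Constructed EHLO replies, modelled on sendmail's output format.
MTA_EHLO = """250-mail.example.invalid Hello client [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-DELIVERBY
250 HELP
"""

# Constructed: an MTA listener that is missing the S flag (wrong).
MTA_BAD_EHLO = MTA_EHLO.replace("250-DELIVERBY", "250-STARTTLS\n250-DELIVERBY")

MSA_EHLO = """250-mail.example.invalid Hello client [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(response: str) -> dict:
    """Turn a multi-line EHLO reply ("250-KEYWORD args" ... "250 LAST")
    into {KEYWORD: "args"}.  The first line is the greeting and is skipped."""
    exts = {}
    lines = [ln.strip() for ln in response.splitlines() if ln.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            continue                      # not part of the EHLO reply
        body = line[4:].strip()           # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, args = body.partition(" ")
        exts[keyword.upper()] = args.strip()
    return exts


def check_policy(port: int, exts: dict, tls_active: bool = False) -> list:
    """Return a list of findings (empty means the listener matches policy).
    `exts` is the parsed EHLO reply; `tls_active` says whether STARTTLS has
    already been negotiated on this connection."""
    findings = []
    if port == 25:
        if "STARTTLS" in exts:
            findings.append("port 25 advertises STARTTLS; MTA listener lacks M=S")
        return findings

    # Any other port is treated as the submission (MSA) listener.
    if "STARTTLS" not in exts and not tls_active:
        findings.append("submission port does not advertise STARTTLS")
    if "AUTH" not in exts:
        findings.append("submission port does not advertise AUTH")
    else:
        offered = set(exts["AUTH"].upper().split())
        weak = sorted(offered & PLAINTEXT_MECHS)
        if weak and not tls_active:
            findings.append(
                "plaintext mechanisms %s offered before TLS; "
                "consider the `p' flag in confAUTH_OPTIONS" % " ".join(weak))
    return findings


def probe(host: str, port: int, timeout: float = 10.0) -> dict:
    """Live probe: EHLO the server and return its extensions, upper-cased.
    Uses smtplib's own parsing of the reply (esmtp_features)."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return {k.upper(): v.strip() for k, v in conn.esmtp_features.items()}


if __name__ == "__main__":
    for port, text in ((25, MTA_EHLO), (25, MTA_BAD_EHLO), (587, MSA_EHLO)):
        print(port, check_policy(port, parse_ehlo(text)) or ["OK"])
```

Run against a real host with probe("mail.example.invalid", 25) and probe(..., 587) in place of the constructed transcripts; the policy check is the same either way.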

It took _far_ too long to find that little 'M=S', so I thought I'd post 
here in the hopes of improving google's future results. I ended up 
finding it somewhere in the sendmail.cf docs. Of course, now somebody 
will pop up with a link to the "sendmail made easy - somehow" HOWTO...

Anyway, now my little external mail & http access system is complete. 
HTTPS (client cert required), IMAP (TLS w client cert + 
username/password required), SMTP (TLS w username/password required). If 
only it hadn't taken me /quite/ so long.

Craig Ringer
