[plug] disabling STARTTLS in sendmail for port 25 only

Craig Ringer craig at postnewspapers.com.au
Thu Dec 4 00:04:18 WST 2003


>> The reason for this is that the CA certificate is self-signed, and 
>> won't be accepted by other MTAs or by SMTP-capable MUAs unless there 
>> is user intervention.
> 
> Not in my experience.
> 
> Other MTAs (seem to) don't care about the authenticity of the server 
> they are connected to, the certificate/key exchange is used in STARTTLS 
> as a basis to encrypt the body of the email.

Urk. I must admit, that was a bit of an assumption (I'd observed the 
problem with one MTA, a bit of an odd one, and assumed it was the norm - 
I wasn't going to leave the server running "broken" to check).

Unfortunately, that doesn't solve the MUA problem. Some MUAs (Eudora, in 
particular) do check for STARTTLS and try to use it if present, then 
fail (instead of falling back to no TLS) if the cert isn't recognised. 
This behaviour is probably correct, as it makes man-in-the-middle 
attacks harder, but can be a bit irritating in situations like that on 
the POST LAN.

Mozilla doesn't seem to work like this - it appears to want explicit 
instructions to use TLS, and seems to ignore advertised STARTTLS. As we 
have Eudora clients on the LAN, TLS must still be disabled for normal 
mail delivery, even if it won't cause issues with Mozilla (the other 
main client in use).

Also, I couldn't find a way to make sendmail use one cert for 
connections on one ip/port, and another cert for another ip/port pair. 
This was required to let it function as both an internal mail server 
(with one hostname) and a remote-access secure mail server (with an 
entirely different name and IP). At least some programs do check that 
the hostname on the cert matches, and this would've caused problems.

> This could be wrong/non-standard but this is the observed behaviour on 1 
> medium and 1 small volume exim 3/4 servers with TLS support enabled with 
> self-signed certificates.

Interesting. I like the way that makes the use of self-signed certs for 
mail servers practical, but it also opens up the way to 
man-in-the-middle attacks (/suuuure/, I'm bob.somewhere.com - just look 
at my shiny new certificate!).

Craig Ringer
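A probe in the spirit of the behaviour discussed in this thread, added here as an example and not part of the original post: it connects to an SMTP server as each of the two kinds of client described (an opportunistic MTA-style client that encrypts but never checks the certificate, and a verifying MUA-style client that aborts on a self-signed or mismatched certificate) and reports what happens. The function and helper names are assumptions, and running it against a real server needs network access to that host.

```python
import smtplib
import ssl
import sys


def opportunistic_context() -> ssl.SSLContext:
    """MTA-style: encrypt the session, but trust any certificate at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context() -> ssl.SSLContext:
    """MUA-style: system trust store plus hostname check. A self-signed cert
    fails here unless it has been explicitly imported as trusted."""
    return ssl.create_default_context()


def probe_starttls(host: str, port: int = 25, verify: bool = True,
                   timeout: float = 10.0) -> dict:
    """EHLO, then STARTTLS with the chosen policy. Expected failures are
    reported in the returned dict instead of raised."""
    result = {"host": host, "port": port, "verify": verify, "advertised": False,
              "tls_ok": False, "subject": None, "error": None}
    ctx = verifying_context() if verify else opportunistic_context()
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        result["advertised"] = smtp.has_extn("starttls")
        if result["advertised"]:
            smtp.starttls(context=ctx)
            result["tls_ok"] = True
            # getpeercert() only returns the parsed cert when it was verified,
            # so under the opportunistic policy this stays None.
            cert = smtp.sock.getpeercert()
            result["subject"] = cert.get("subject") if cert else None
    except ssl.SSLCertVerificationError as e:
        # The Eudora-style outcome: STARTTLS offered, cert rejected, no fallback.
        result["error"] = f"certificate rejected: {e.verify_message}"
    except (smtplib.SMTPException, OSError) as e:
        result["error"] = f"{type(e).__name__}: {e}"
    finally:
        if smtp is not None:
            smtp.close()  # close the socket without sending QUIT
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for verify in (False, True):
        print(probe_starttls(target, verify=verify))
```

Run it with the server's hostname as the first argument; if the verifying pass reports "certificate rejected" while the opportunistic pass succeeds, that server will be accepted by other MTAs but refused by clients that verify.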