How To Disable Opportunistic TLS For Outbound SendMail Connections
Update (1/5/2011): Since writing this article, I found an alternate method. It’s detailed below.
This issue nearly drove me crazy today so I figured I’d at least document it and make it easier for the next guy. There appears to be virtually no mention of it online or in any of the SendMail documentation.
By default, SendMail servers will always check for TLS support when sending an outbound message. Normally this is a good thing — I mean, if the recipient MTA on the other side supports additional security, why not? There's just one small problem: if SendMail tries to use TLS and something goes wrong with the initial TLS handshake, it does not fall back to unencrypted delivery. Instead, SendMail treats the entire delivery attempt as a 4xx-class (temporary) failure and defers the message for another try later. Since every retry runs into the same handshake problem, the message stays stuck in the queue.
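Before disabling TLS anywhere, it is worth confirming that the deferred messages really are the ones that failed a client-side STARTTLS handshake. The following shell helper is an added example and not part of the original post: it correlates sendmail's "STARTTLS=client, error: ..." log line with the "stat=Deferred" line logged by the same process and prints the affected queue ID and relay. The log lines embedded in SAMPLE_LOG are constructed samples modelled on sendmail's maillog format (hostnames, queue IDs and addresses are made up); real logs will vary in detail.

```shell
#!/bin/sh
# Added example (not from the original post): find queue IDs that were deferred
# right after a client-side STARTTLS failure in a sendmail maillog.

# CONSTRUCTED sample maillog lines, modelled on sendmail's logging format.
SAMPLE_LOG='Jan  5 09:12:01 mx1 sendmail[2211]: p05E2A1q002211: from=<alice@example.org>, size=1234, class=0, nrcpts=1, msgid=<a@example.org>, proto=ESMTP, relay=localhost
Jan  5 09:12:02 mx1 sendmail[2212]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1, relay=mx.example.com.
Jan  5 09:12:02 mx1 sendmail[2212]: p05E2A1q002211: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31234, relay=mx.example.com. [192.0.2.25], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.
Jan  5 09:13:10 mx1 sendmail[2230]: p05E3Aa002230: to=<carol@example.net>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30500, relay=mx.example.net. [198.51.100.9], dsn=2.0.0, stat=Sent (OK queued)
Jan  5 09:14:00 mx1 sendmail[2245]: p05E4Ab002245: to=<dave@example.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30600, relay=mx.example.com. [192.0.2.25], dsn=4.0.0, stat=Deferred: Connection refused by mx.example.com.'

# Reads maillog lines on stdin; prints "<queue-id> <relay>" for each delivery
# that was deferred by the same sendmail process that just logged a STARTTLS
# client error. A plain "Connection refused" deferral is NOT reported, so this
# separates TLS trouble from ordinary connectivity problems.
tls_deferred() {
  awk '
    # Field 5 is "sendmail[<pid>]:"; strip it down to the pid.
    { pid = $5; sub(/^sendmail\[/, "", pid); sub(/\]:$/, "", pid) }
    # Remember which process just failed a client-side TLS handshake.
    /STARTTLS=client, error:/ { tlsfail[pid] = 1; next }
    # A successful delivery by that process clears the flag.
    /stat=Sent/ && (pid in tlsfail) { delete tlsfail[pid]; next }
    # Deferral by a flagged process: report queue ID (field 6) and relay.
    /stat=Deferred/ && (pid in tlsfail) {
      qid = $6; sub(/:$/, "", qid)
      relay = ""
      if (match($0, /relay=[^ ,]+/)) relay = substr($0, RSTART + 6, RLENGTH - 6)
      print qid, relay
      delete tlsfail[pid]
    }
  '
}

# Demo on the constructed sample: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | tls_deferred
fi
```

On a live system, feed the real log instead (`tls_deferred < /var/log/maillog`); the queue IDs it prints are the ones to look for in `mailq` output. Because the correlation is by process ID, it is meant for a contiguous stretch of log, not for lines cherry-picked from different days.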
Now, if this is a one-off situation with a specific mail server or domain, administrators can add the following to /etc/mail/access
Try_TLS:<partial or full destination hostname / mx record> NO
That’s fine and dandy for a single domain, but what if this is happening for a larger subset of messages? Or what if there’s a sender-side issue interfering with TLS and an admin needs to (temporarily) disable opportunistic TLS for all outbound messages?
Solution #1: Add a bare Try_TLS: NO entry (no hostname after the colon) to /etc/mail/access. Simple enough.
Solution #2: Add an advanced client options parameter to the sendmail.mc file.
(This is the part of the blog post where I warn readers to proceed with caution. If you’re not comfortable making changes or don’t have a roll-back plan, check with an IT professional first. Your mileage may vary. Yadda yadda yadda).
1) Open your respective sendmail.mc file (probably under /etc/mail/ depending on your Linux distribution)
2) Locate the CLIENT_OPTIONS line. It probably looks something like:
CLIENT_OPTIONS(`Family=inet, Addr=1.2.3.4')dnl
3) Add M=S as an option. In keeping with the example above, the line would now look like:
CLIENT_OPTIONS(`Family=inet, M=S, Addr=1.2.3.4')dnl
4) Save changes and exit to the shell.
5) Restart sendmail services.
All done. The M=S option forces the SendMail client (used for outbound connections) to NOT use TLS regardless of whether or not the recipient MTA advertises support for it.
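Both fixes above (the Try_TLS entry in the access map and M=S in CLIENT_OPTIONS) are one-line edits that are easy to get subtly wrong under pressure, so here are shell helpers that make them idempotently. This is an added example and not code from the original post: the functions take whatever file path you hand them, so they can be dry-run on scratch copies before being pointed at the real /etc/mail files. The address 1.2.3.4 is the post's sample value; mx.example.com and the scratch paths are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the two ways of
# switching off opportunistic TLS on outbound SendMail connections.

# Solution #1: add a Try_TLS entry to the access map source file.
#   no hostname   -> the bare "Try_TLS: NO" entry (every destination)
#   with hostname -> "Try_TLS:<host> NO" (only that destination / MX record)
# Try_TLS lookups need FEATURE(`access_db') in sendmail.mc, and the map has
# to be rebuilt afterwards (makemap hash /etc/mail/access.db < /etc/mail/access).
add_try_tls_no() {
  access_file=$1
  host=${2:-}
  if [ -n "$host" ]; then
    entry="Try_TLS:$host NO"
  else
    entry="Try_TLS: NO"
  fi
  # Idempotent: append only if that exact line is not already present.
  if ! grep -qxF "$entry" "$access_file" 2>/dev/null; then
    printf '%s\n' "$entry" >> "$access_file"
  fi
}

# Check: does the CLIENT_OPTIONS line carry M=S?
client_tls_disabled() {
  grep -q '^CLIENT_OPTIONS(.*M=S' "$1"
}

# Solution #2: put M=S into the CLIENT_OPTIONS line of sendmail.mc.
# Option order inside CLIENT_OPTIONS does not matter, so M=S is inserted right
# after the opening quote; that works whether or not Family= is present.
add_client_m_s() {
  mc_file=$1
  if ! grep -q '^CLIENT_OPTIONS(' "$mc_file"; then
    echo "no CLIENT_OPTIONS line in $mc_file; add one before the MAILER() lines" >&2
    return 1
  fi
  # Already disabled? Leave the file untouched.
  if client_tls_disabled "$mc_file"; then
    return 0
  fi
  # Portable in-place edit (BSD and GNU sed disagree on -i).
  sed 's/^CLIENT_OPTIONS(`/CLIENT_OPTIONS(`M=S, /' "$mc_file" > "$mc_file.tmp" \
    && mv "$mc_file.tmp" "$mc_file"
}

# Writes the CLIENT_OPTIONS line exactly as the post shows it, for a dry run
# on a scratch copy rather than the live sendmail.mc.
write_sample_mc() {
  printf "CLIENT_OPTIONS(\`Family=inet, Addr=1.2.3.4')dnl\n" > "$1"
}

# Dry run on scratch files: sh this_script.sh --dry-run
if [ "${1:-}" = "--dry-run" ]; then
  tmp=$(mktemp -d)
  write_sample_mc "$tmp/sendmail.mc"
  add_client_m_s "$tmp/sendmail.mc"
  add_try_tls_no "$tmp/access"
  add_try_tls_no "$tmp/access" mx.example.com
  cat "$tmp/sendmail.mc" "$tmp/access"
  rm -rf "$tmp"
fi
```

Editing sendmail.mc changes nothing on its own: sendmail reads sendmail.cf, which has to be regenerated from the .mc file (`m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf`, or `make -C /etc/mail` on distributions that ship a Makefile there; some init scripts do this for you on restart) before step 5's restart takes effect. A quick check after the rebuild is that the `ClientPortOptions=` line in sendmail.cf now contains M=S, and that the Try_TLS route was followed by a `makemap` run so the .db file is current.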
To reiterate, there are only a few rare scenarios where you might even want to consider doing this (and even then, it would/should be for temporary purposes). But at least now you know.
“And knowing is half the battle.”
mikeberggren posted this