
TLS ENCR between 2 domains


krn
Jan 4, 2012, 1:12:31 AM
Hi,

I need to set up TLS between mail servers of a.com and b.com domain.
b.com is the client.

These are the directives that I will be adding in access.map file:

TLS_Srv:b.com ENCR:112
TLS_Clt:b.com ENCR:112
TLS_Rcpt:b.com ENCR:112

Can I set the ENCR bits to 256 or more for stronger encryption?
Can I set the cipher that I want from the list that openssl supports
instead of what server and client negotiate during TLS session
negotiation?

Thanks

Claus Aßmann
Jan 23, 2012, 10:05:28 AM
krn wrote:

> I need to set up TLS between mail servers of a.com and b.com domain.
> b.com is the client.

> These are the directives that I will be adding in access.map file:

> TLS_Srv:b.com ENCR:112
> TLS_Clt:b.com ENCR:112
> TLS_Rcpt:b.com ENCR:112

> Can I set the ENCR bits to 256 or more for stronger encryption?

256. Check your logs and the output of
openssl ciphers -v

> Can I set the cipher that I want from the list that openssl supports
> instead of what server and client negotiate during TLS session
> negotiation?

Why? Isn't a cipher with a 256-bit key length for the symmetric encryption
strong enough?

BTW: see the source code, look for _FFR_TLS_1 and CipherList.


Anyway, you have to use VERIFY instead of ENCR if you actually
want to make sure your mail isn't read by someone else; see
the docs about the difference between the two.
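The two points in the reply above (read the key length off `openssl ciphers -v`, and prefer VERIFY over ENCR), worked through as an added example. This is shell written for this page, not code from the thread or from sendmail. The cipher lines are a constructed sample in the format `openssl ciphers -v` prints, the domain b.com and the path /etc/mail/access are placeholders, and the function names are my own. The tag meanings are sendmail's: TLS_Srv is consulted when this host connects out to the named domain, TLS_Clt when that domain connects in, TLS_Rcpt for mail addressed to it.

```shell
#!/bin/sh
# Added example, not code from the thread or from sendmail: relate the
# bits value in ENCR:bits / VERIFY:bits to the Enc=...(N) column of
# `openssl ciphers -v`, and emit the three access-map lines for a peer domain.

# Constructed sample of `openssl ciphers -v` output (OpenSSL 1.0.x style;
# not captured from the poster's system). The number in Enc=...(N) is the
# symmetric key length, which is what sendmail compares against ENCR:N.
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=MD5
NULL-SHA                    SSLv3   Kx=RSA  Au=RSA Enc=None        Mac=SHA1'

# ciphers_at_least MIN: read `openssl ciphers -v` lines on stdin and print
# the names of those whose Enc=(N) key length is at least MIN. Note that
# 3DES reports 168 and RC4 128, so ENCR:112 is satisfied by both of them;
# only ENCR:256 narrows things to the AES-256 suites in this sample.
ciphers_at_least() {
    awk -v min="$1" '
        {
            bits = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /^Enc=/ && match($i, /\([0-9]+\)/))
                    bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
            if (bits >= min) print $1
        }'
}

# sample_ciphers_at_least MIN: the same check over the constructed sample,
# result collapsed to one space-separated line.
sample_ciphers_at_least() {
    printf '%s\n' "$SAMPLE_CIPHERS" | ciphers_at_least "$1" | tr '\n' ' ' | sed 's/ $//'
}

# tls_access_entries DOMAIN MODE BITS: print the access-map lines for one
# peer domain. MODE is ENCR (any certificate is accepted, only the cipher
# strength is checked, so an active attacker presenting his own certificate
# still reads the mail) or VERIFY (the peer certificate must additionally
# verify against the CA set sendmail is configured with). Which line is
# consulted: TLS_Srv when this host connects out to DOMAIN, TLS_Clt when
# DOMAIN connects in to this host, TLS_Rcpt for mail addressed to DOMAIN.
tls_access_entries() {
    domain=$1 mode=$2 bits=$3
    case $mode in
        ENCR|VERIFY) ;;
        *) echo "mode must be ENCR or VERIFY, got '$mode'" >&2; return 1 ;;
    esac
    case $bits in
        ''|*[!0-9]*) echo "bits must be a number, got '$bits'" >&2; return 1 ;;
    esac
    printf 'TLS_Srv:%s\t%s:%s\n'  "$domain" "$mode" "$bits"
    printf 'TLS_Clt:%s\t%s:%s\n'  "$domain" "$mode" "$bits"
    printf 'TLS_Rcpt:%s\t%s:%s\n' "$domain" "$mode" "$bits"
}

# Usage from a real shell: pipe the live list in, then generate the map lines
# (the makemap step is the usual one for a hash access map, not run here).
#   openssl ciphers -v | ciphers_at_least 256
#   tls_access_entries b.com VERIFY 256 >> /etc/mail/access
#   makemap hash /etc/mail/access < /etc/mail/access
```

Two things to keep in mind when reading the output: the bits value is the cipher's own reported key length, so ENCR:112 still admits 3DES and RC4, and neither ENCR setting says anything about who is on the other end of the connection. Only VERIFY ties the session to a certificate that chains to a CA you trust, which is what the reply above means by making sure nobody else reads the mail.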

krn
Jan 30, 2012, 4:27:57 AM
On Jan 23, 8:05 pm, Claus Aßmann wrote:
Hi,

Thanks for the reply.

I searched for _FFR_TLS_1 and Cipher and did not find them in the source
code, which means the running sendmail does not support the _FFR_TLS_1
feature.

I did openssl ciphers -v and found many ciphers with max cipher
strength of 256.

krn
Feb 7, 2012, 11:34:56 PM
Can SASL be used to secure the mail connection between 2 different domains,
or is it only used to secure email communication between all users of one
domain who are local or mobile?

krn
Feb 16, 2012, 12:39:52 AM

When I issue the command sendmail -bt -d0.8 I see STARTTLS listed in the
"Compiled with:" section, but when I issue telnet hostname 25 I do not
see 250 STARTTLS.

[root@mail]# sendmail -bt -d0.8
Version 8.14.4
 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
                MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
                NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
                TCPWRAPPERS USERDB USE_LDAP_INIT

#telnet mail 25
ehlo mail

220 mail ESMTP Sendmail 8.14.4/8.14.4; Thu, 1 Feb 2012 10:31:12 +0530
ehlo mail
250-mail.xyz.com Hello [219.90.106.146], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.xyz.com closing connection

Isn't STARTTLS enabled on my mail server?

Claus Aßmann
Feb 16, 2012, 9:58:26 AM
krn wrote:

> When I issue command sendmail -bt -d0.8 i see STARTTLS listed in
> compiled with: section but when I issue telnet hostname 25 I do not
> see 250 STARTTLS

Please see the instructions (e.g., doc/op/op.*) about setting up
certs. Certs are required for server side TLS, client side will
work without them (just send mail to a server that offers STARTTLS
and check your log).

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
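The check behind the last two posts (does the server advertise STARTTLS, and what does the server side need before it will), as an added example in shell. This is not code from the thread or from sendmail. The EHLO replies are constructed to look like the telnet session above, with placeholder host name and address; the m4 macro names are sendmail's own (documented in cf/README under STARTTLS) but the certificate paths are assumptions; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from sendmail: check an EHLO
# reply for a STARTTLS offer, and show the sendmail.mc certificate settings
# a server needs before it advertises one.

# Constructed EHLO reply modelled on the telnet session in the thread (no
# STARTTLS line); host name and address are placeholders, not a live capture.
EHLO_NO_TLS='250-mail.example.com Hello [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250 HELP'

# The same reply once the server has a usable certificate and key (constructed).
EHLO_TLS='250-mail.example.com Hello [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-STARTTLS
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250 HELP'

# advertises_starttls: read an EHLO reply on stdin and succeed only if a
# "250-STARTTLS" (or final "250 STARTTLS") line is present. Anchoring on the
# reply code keeps a banner that merely mentions TLS from matching; the
# trailing [[:space:]]* tolerates the CR of a real CRLF-terminated reply.
advertises_starttls() {
    grep -q -E '^250[- ]STARTTLS[[:space:]]*$'
}

# starttls_status REPLY: "offered" or "not offered" for a reply held in a string.
starttls_status() {
    if printf '%s\n' "$1" | advertises_starttls; then
        echo offered
    else
        echo "not offered"
    fi
}

# live_starttls_check HOST: the same question against a real server. openssl
# does the EHLO/STARTTLS exchange itself and fails if STARTTLS is not offered;
# on success the negotiated cipher and the certificate verify result are
# printed. Not run here (needs the network).
live_starttls_check() {
    openssl s_client -connect "$1:25" -starttls smtp </dev/null 2>/dev/null |
        grep -E '^ *(Cipher|Verify return code)'
}

# sendmail_mc_tls_fragment: m4 lines for sendmail.mc. The macro names are
# sendmail's (cf/README, STARTTLS section); the paths are assumptions. The
# server side needs SERVER_CERT/SERVER_KEY to advertise STARTTLS at all, and
# CACERT/CACERT_PATH to verify peer certificates; the client side needs only
# CACERT/CACERT_PATH for VERIFY, plus a CLIENT_CERT/KEY if peers are to verify
# us. sendmail logs the reason when it rejects a cert or key file (for
# instance a key readable by others), so the mail log is the place to look.
sendmail_mc_tls_fragment() {
    cat <<'EOF'
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/CA.crt')dnl
define(`confSERVER_CERT', `/etc/mail/certs/mail.crt')dnl
define(`confSERVER_KEY', `/etc/mail/certs/mail.key')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/mail.crt')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/mail.key')dnl
EOF
}
```

After adding the fragment, rebuilding sendmail.cf and restarting, the EHLO reply should gain the 250-STARTTLS line; if it does not, the STARTTLS= entries in the mail log say which file sendmail refused and why. The live check with openssl s_client is the quickest way to see both the cipher that was actually negotiated (compare it with the ENCR:bits you asked for) and whether the peer certificate verified, which is what a VERIFY entry will depend on.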