Set Up TLS-Enabled SMTP

Protect your users’ in-transit email from eavesdroppers.

If you have set up encrypted POP and IMAP services [Hack #47] , your users’ incoming email is protected from others once it reaches your servers, but what about their outgoing email? You can protect outgoing email quickly and easily by setting up your MTA to use Transport Layer Security (TLS) encryption. Virtually all modern email clients support TLS—enable it by simply checking a box in the email account preferences.

If you’re using Sendmail, you can check to see if it has TLS support compiled-in by running this command:

$ sendmail -bt -d0.1

This will print out the options that your sendmail binary was compiled with. If you see a line that says STARTTLS, then all you need to do is supply some additional configuration information to get TLS support working. However, if you don’t see this line, you’ll need to recompile sendmail.

Before recompiling sendmail, you will need to go into the directory containing sendmail’s source code and add the following lines to devtools/Site/site.config.m4:

APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS') 
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')

If this file doesn’t exist, simply create it. The build process will automatically include the file once you create it. The first line in the example will cause TLS support to be compiled into the sendmail binary, and the second line will link the binary with libssl.so and libcrypto.so.

After adding these lines, you can recompile ...

Get Network Security Hacks now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.