How do I disable TLS?

on 29.12.2004 02:31:16 by Takahiro Horie

Hello,

I can't figure out how to disable TLS for sendmail. In my log files, I
am getting error messages like the following:

Dec 28 16:59:46 inc_wall sm-mta[18968]: ruleset=try_tls,
arg1=[172.17.5.4], relay=[172.17.5.4], reject=550 5.7.1
... do not try TLS with [172.17.5.4] [172.17.5.4]

There are no lines that contain STARTTLS in the same /etc/maillog
file, and no other kinds of reject messages.

I am using sendmail as a firewall-mail-relay for the internal
protected mail server which is at 172.17.5.4.

How can I fix this problem? How do I stop sendmail from attempting to
establish a secure connection with my internal mail server?

Thanks,
Tak

Re: How do I disable TLS?

on 29.12.2004 03:06:13 by ca+sendmail(-no-copies-please)

Takahiro Horie wrote:

> I can't figure out how to disable TLS for sendmail. In my log files, I

Why do you want to do that?

> am getting error messages like the following:

> Dec 28 16:59:46 inc_wall sm-mta[18968]: ruleset=try_tls,
> arg1=[172.17.5.4], relay=[172.17.5.4], reject=550 5.7.1
> ... do not try TLS with [172.17.5.4] [172.17.5.4]

That means you disabled STARTTLS for that host.

See cf/README.

--
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Re: How do I disable TLS?

on 29.12.2004 17:38:37 by Takahiro Horie

On Wed, 29 Dec 2004 02:06:13 +0000 (UTC), Claus Aßmann
wrote:

>Takahiro Horie wrote:
>
>> I can't figure out how to disable TLS for sendmail. In my log files, I
>
>Why do you want to do that?

I want to do that because my internal mail server at 172.17.5.4 is
unable to do TLS.

>
>> am getting error messages like the following:
>
>> Dec 28 16:59:46 inc_wall sm-mta[18968]: ruleset=try_tls,
>> arg1=[172.17.5.4], relay=[172.17.5.4], reject=550 5.7.1
>> ... do not try TLS with [172.17.5.4] [172.17.5.4]
>
>That means you disabled STARTTLS for that host.

I assume you mean for the host running sendmail since 172.17.5.4 is
running a different mail server.

>
>See cf/README.

According to the cf/README, the steps to disabling TLS are modifying
the access map with:

Try_TLS:172.17.5.4 NO

Unfortunately, this doesn't seem to have any effect as I am still
getting hundreds of those error messages as above.

Why does it continue to try TLS and how can I stop it from doing so?

Re: How do I disable TLS?

on 29.12.2004 18:24:59 by ca+sendmail(-no-copies-please)

Takahiro Horie wrote:
> On Wed, 29 Dec 2004 02:06:13 +0000 (UTC), Claus Aßmann

> >Takahiro Horie wrote:

> >> I can't figure out how to disable TLS for sendmail. In my log files, I

> >Why do you want to do that?

> I want to do that because my internal mail server at 172.17.5.4 is
> unable to do TLS.

If it isn't offered by the server, then it isn't used.
There's nothing you need to configure.

> >> am getting error messages like the following:

It's not an error message.

> >> Dec 28 16:59:46 inc_wall sm-mta[18968]: ruleset=try_tls,
> >> arg1=[172.17.5.4], relay=[172.17.5.4], reject=550 5.7.1
> >> ... do not try TLS with [172.17.5.4] [172.17.5.4]

> >That means you disabled STARTTLS for that host.

> I assume you mean for the host running sendmail since 172.17.5.4 is
> running a different mail server.


> >See cf/README.

> According to the cf/README, the steps to disabling TLS are modifying
> the access map with:

> Try_TLS:172.17.5.4 NO

As cf/README clearly states:

! By default STARTTLS is used whenever possible. However, there are
! some broken MTAs that don't properly implement STARTTLS. To be able
! to send to (or receive from) those MTAs, the ruleset try_tls
! (srv_features) can be used that work together with the access map.

Hence you need this only if an MTA has a broken STARTTLS
implementation, not if it doesn't have STARTTLS at all.

> Unfortunately, this doesn't seem to have any effect as I am still
> getting hundreds of those error messages as above.

Those are just the result of the ruleset. You can
- ignore it
- remove the access entry and let the default behavior occur.

The latter is usually the best...

> Why does it continue to try TLS and how can I stop it from doing so?

It does NOT try TLS. That's what the message says...

--
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
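
Added example, not part of any post in this thread: a small Python audit that counts `ruleset=try_tls` log entries per relay and checks whether a `Try_TLS:... NO` access entry accounts for them, which is the reading of the log line given in the reply above. The sample log and access text are constructed from the lines quoted in the thread, and `audit_try_tls` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample data, modeled on the log line and access entry quoted
# in the thread; example.com and 192.0.2.7 are placeholders.
SAMPLE_LOG = """\
Dec 28 16:59:46 inc_wall sm-mta[18968]: ruleset=try_tls, arg1=[172.17.5.4], relay=[172.17.5.4], reject=550 5.7.1 ... do not try TLS with [172.17.5.4] [172.17.5.4]
Dec 28 17:00:02 inc_wall sm-mta[18971]: ruleset=try_tls, arg1=[172.17.5.4], relay=[172.17.5.4], reject=550 5.7.1 ... do not try TLS with [172.17.5.4] [172.17.5.4]
Dec 28 17:00:09 inc_wall sm-mta[18975]: ruleset=check_rcpt, arg1=<a@example.com>, relay=[192.0.2.7], reject=550 5.7.1 <a@example.com>... Relaying denied
"""
SAMPLE_ACCESS = """\
# constructed access map source
Try_TLS:172.17.5.4    NO
Connect:192.0.2.7     REJECT
"""

# Only try_tls results are of interest; the relay address is the bracketed part.
LOG_RE = re.compile(r"ruleset=try_tls,.*?\brelay=(?:[^\s\[,]+ )?\[([^\]]+)\]")
ACCESS_RE = re.compile(r"^Try_TLS:(\S+)\s+(\S+)", re.MULTILINE | re.IGNORECASE)


def audit_try_tls(log_text, access_text):
    """Map each relay with try_tls log entries to a count and its cause."""
    # Exact-match lookup only (a simplification of real access map matching).
    suppressed = {key for key, value in ACCESS_RE.findall(access_text)
                  if value.upper() == "NO"}
    hits = Counter(m.group(1) for line in log_text.splitlines()
                   if (m := LOG_RE.search(line)))
    report = {}
    for relay, count in hits.items():
        by_entry = relay in suppressed
        report[relay] = {
            "events": count,
            "access_entry": by_entry,
            "meaning": ("STARTTLS not attempted: Try_TLS entry says NO"
                        if by_entry else
                        "no matching Try_TLS entry in this access source"),
        }
    return report


if __name__ == "__main__":
    for relay, info in audit_try_tls(SAMPLE_LOG, SAMPLE_ACCESS).items():
        print(relay, info)
```
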

Re: How do I disable TLS?

on 05.01.2005 17:59:16 by Takahiro Horie

On Wed, 29 Dec 2004 17:24:59 +0000 (UTC), Claus Aßmann
wrote:

>Takahiro Horie wrote:
>> On Wed, 29 Dec 2004 02:06:13 +0000 (UTC), Claus Aßmann
>
>> >Takahiro Horie wrote:
>
>> >> I can't figure out how to disable TLS for sendmail. In my log files, I
>
>> >Why do you want to do that?
>
>> I want to do that because my internal mail server at 172.17.5.4 is
>> unable to do TLS.
>
>If it isn't offered by the server, then it isn't used.
>There's nothing you need to configure.

Which server are you talking about? The sendmail server or the
internal mail server? I don't want either of them to deal with any
kind of TLS-related activity.

>
>> >> am getting error messages like the following:
>
>It's not an error message.
>
>> >> Dec 28 16:59:46 inc_wall sm-mta[18968]: ruleset=try_tls,
>> >> arg1=[172.17.5.4], relay=[172.17.5.4], reject=550 5.7.1
>> >> ... do not try TLS with [172.17.5.4] [172.17.5.4]
>
>> >That means you disabled STARTTLS for that host.
>
>> I assume you mean for the host running sendmail since 172.17.5.4 is
>> running a different mail server.
>
>
>> >See cf/README.
>
>> According to the cf/README, the steps to disabling TLS are modifying
>> the access map with:
>
>> Try_TLS:172.17.5.4 NO
>
>As cf/README clearly states:
>
>! By default STARTTLS is used whenever possible. However, there are
>! some broken MTAs that don't properly implement STARTTLS. To be able
>! to send to (or receive from) those MTAs, the ruleset try_tls
>! (srv_features) can be used that work together with the access map.
>
>Hence you need this only if an MTA has a broken STARTTLS
>implementation, not if it doesn't have STARTTLS at all.

So what do I need to do to disable TLS for the sendmail server?

>
>> Unfortunately, this doesn't seem to have any effect as I am still
>> getting hundreds of those error messages as above.
>
>Those are just the result of the ruleset. You can
>- ignore it
>- remove the access entry and let the default behavior occur.
>
>The latter is usually the best...
>
>> Why does it continue to try TLS and how can I stop it from doing so?
>
>It does NOT try TLS. That's what the message says...

I don't understand what the message is saying. Is it warning me? Is it
an error? Why is it reporting what it is reporting? Should TLS
normally work, and it is indicating that it is not? Is it just
indicating that TLS won't work, so it's falling back to a normal
connection?

Please assist.
Thanks,
Tak

Re: How do I disable TLS?

on 12.01.2005 16:48:06 by ca+sendmail(-no-copies-please)

Takahiro Horie wrote:

Sorry, I give up. Obviously you don't understand what I'm trying
to say, it seems my explanation skills in English aren't good
enough...

Maybe someone else can help? (or you could re-read my postings and
the documentation)

--
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?