Enabling Transport Layer Security encryption for sendmemo

The sendmemo component is responsible for submitting emails from the InfoPrint Manager server, either as Email Notifications or through an Email actual destination. If you want to enable encrypted communication between the InfoPrint Manager server and your email server, you must configure the sendmemo SSL/TLS configuration file. Like the smtp-server-port and smtp-server-host server attributes, the configuration file is configured per server. Therefore, the configuration file is located in the server working directory, /var/pd/<your-server-name>, where <your-server-name> is the name of the server whose communication with your email server you want to encrypt.

    Note:
  • Your email server must also have SSL/TLS configured and functional. You can choose between STARTTLS and SMTPS. By default, STARTTLS is used with port 25/tcp (smtp) and 587/tcp (submission), and SMTPS is used with port 465/tcp (smtps). However, you can use any other TCP port as long as your email server is configured accordingly.
  • Authentication over STARTTLS or SMTPS is not supported.

By default, sendmemo uses TLS to encrypt the connection to the email server and negotiates the strongest cipher it shares with the email server. SSLv3 is disabled by default. If your email server is very old and requires Secure Sockets Layer (SSL) version 3 for encrypted connections, you can set the environment variable IPM_ENABLE_SSL_V3 to a non-empty value. Because SSLv3 has known weaknesses, enable it only for such a server and only for as long as it is needed.

Important: SSLv2 is disabled and cannot be enabled.

If the certificate and key files are in the same directory as the configuration file, you can specify just the file name; otherwise, you must specify the full path.

To enable TLS encryption for sendmemo, you must follow these steps:

  1. Copy the provided sample configuration file sendmemo-ssl.cfg from the /usr/lpp/pd/cfg-samples/ssl/sendmemo directory into the working directory of the server.
  2. If you are using your own CA, copy the CA certificate file (the public part) to the InfoPrint Manager server.
  3. If you have a Certificate Revocation List (CRL), copy the CRL file to the InfoPrint Manager server.
  4. Edit the sendmemo-ssl.cfg file using a text editor. Uncomment and change the following keyword values (where available):
    1. Uncomment the EnableTLS keyword and set the desired value as follows:
      • 0: SMTP session encryption disabled
      • 1: use STARTTLS
      • 2: use SMTPS
        Note: The correct SMTP port number must be set using the specific InfoPrint Manager server attribute smtp-server-port.
    2. Optional: uncomment the CAFile keyword and specify the file name for the CA certificate if you are using a custom CA.
    3. Optional: uncomment the CrlFile keyword and specify the file name for the CRL file if you have one available.
    4. Optional: uncomment the Hostname keyword and specify the host name that sendmemo uses to identify itself (EHLO) to the email server. This is useful when you are behind NAT and sendmemo needs to send email to SMTP servers outside your LAN, or when autodetection fails. Some email servers might ignore an invalid host name passed to EHLO; others might not.

      The format must be one of the following (RFC 2821):
        • FQDN host name, for example: host.example.com
        • IPv4 address enclosed in brackets, for example: [1.2.3.4]
        • IPv6 address enclosed in brackets, for example: [IPv6:fc00::1]

The last two optional keywords are commonly used if errors occur during the TLS handshake:

  • CertValidationIgnoreHostName can help if the server host name obtained from DNS differs from the name in the certificate presented by the server during the TLS handshake (the Subject field and the X509v3 Subject Alternative Name (SAN) field). Setting this keyword to 1 disables host name validation, so sendmemo no longer checks that the certificate was issued for the server it is talking to; where possible, prefer correcting the certificate or the DNS name. The following table shows how validation is performed when the Subject or SAN field contains a wildcard:

    Host name                    Certificate Subject or Subject Alternative Name   Validation
    host.example.com             host.example.com                                  OK
    host.example.com             *.example.com                                     OK
    host.subdomain.example.com   *.subdomain.example.com                           OK
    host.example.com             host.another-example.com                          FAIL
    host.subdomain.example.com   host.another-subdomain.example.com                FAIL
    host.example.com             host*.example.com                                 FAIL
    host.example.com             *host.example.com                                 FAIL
    host.subdomain.example.com   host*.subdomain.example.com                       FAIL
    host.subdomain.example.com   *host.subdomain.example.com                       FAIL

    Note: To be valid, a host name in the certificate must contain at least 2 (two) dots, and a wildcard is accepted only when it is the entire leftmost label.
  • IgnoreCertificateErrors ignores any error related to the server certificate (an invalid value in the certificate Subject or SAN fields, an expired certificate, and so on). With this keyword set to 1, the connection is still encrypted but the email server is no longer authenticated, and CertValidationIgnoreHostName is ignored.
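The wildcard rules from the table above, implemented as an added example that is not sendmemo's own code: valid_cert_name, hostname_matches and validate_server_name are names chosen here, and the rule that a wildcard covers exactly one label is an assumption the page does not state.

```python
def valid_cert_name(name):
    """A certificate name needs at least two dots and may only use '*' as
    the entire leftmost label, so 'host*.example.com' is rejected outright."""
    labels = name.split(".")
    if name.count(".") < 2 or "" in labels:
        return False
    return all("*" not in lab or (i == 0 and lab == "*")
               for i, lab in enumerate(labels))

def hostname_matches(hostname, cert_name):
    """True if cert_name (Subject CN or one SAN entry) covers hostname."""
    hostname, cert_name = hostname.lower().rstrip("."), cert_name.lower().rstrip(".")
    if not valid_cert_name(cert_name):
        return False
    if hostname == cert_name:
        return True
    cl, hl = cert_name.split("."), hostname.split(".")
    # Assumption (not stated on the page): the wildcard stands for exactly one
    # label, so '*.example.com' covers host.example.com but not a.b.example.com.
    return cl[0] == "*" and len(hl) == len(cl) and hl[1:] == cl[1:]

def validate_server_name(hostname, cert_names):
    """The check that CertValidationIgnoreHostName = 1 switches off: any one
    of the certificate's names (CN plus SAN entries) must cover the host name."""
    return any(hostname_matches(hostname, n) for n in cert_names)

# The rows of the page's table, as (host name, certificate name, expected verdict).
TABLE = [
    ("host.example.com", "host.example.com", "OK"),
    ("host.example.com", "*.example.com", "OK"),
    ("host.subdomain.example.com", "*.subdomain.example.com", "OK"),
    ("host.example.com", "host.another-example.com", "FAIL"),
    ("host.subdomain.example.com", "host.another-subdomain.example.com", "FAIL"),
    ("host.example.com", "host*.example.com", "FAIL"),
    ("host.example.com", "*host.example.com", "FAIL"),
    ("host.subdomain.example.com", "host*.subdomain.example.com", "FAIL"),
    ("host.subdomain.example.com", "*host.subdomain.example.com", "FAIL"),
]

def verdicts():
    """Run every table row through hostname_matches; returns the computed verdicts."""
    return [("OK" if hostname_matches(h, c) else "FAIL") for h, c, _ in TABLE]

if __name__ == "__main__":
    for (h, c, expected), got in zip(TABLE, verdicts()):
        print(f"{h:27} {c:36} {got:4} (table says {expected})")
```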

Sample sendmemo-ssl.cfg configuration file:

#
# sendmemo SSL/TLS configuration file
#

#############################################################################
#
# Empty lines and whitespace-only lines are ignored, as are lines whose
# first non-whitespace character is a semicolon (;) or a hash (#). This
# file uses hashes to denote commentary and semicolons for options you
# might want to configure.
# Every comment applies to the following section or option. The defaults
# refer to IPM's built-in values, not anything set in this file.
#
# Uncomment the lines where you want to do a change and enter the desired
# value. Option names are case-sensitive.
#
# If a full path is required, but only a file name is provided (i.e., no
# '/' or '\' in file name), the lookup for the file is done only in the
# directory where this configuration file is located. Apply to: CAFile,
# CrlFile, CertFile, KeyFile.
#
#############################################################################

#
# Enable/disable SMTP session encryption. Available options:
#   0: SMTP session encryption disabled
#   1: use STARTTLS
#   2: use smtps
# Note that the correct SMTP port number must be set using the specific
# IPM server attribute (smtp-server-port).
#
# Default: 0
#
;EnableTLS = 0

#
# Path to a file containing one or more Certificate Authority (CA).
# Required if _server_ certificate is not signed by a globally known CA.
# Default: <empty>
#
;CAFile =

#
# Path to a file containing one or more Certificate Revocation List (CRL).
# Default: <empty> 
#
;CrlFile =

#
# When enabled, it prevents comparing _server_ name with the name in
# certificate subject. It also applies to Subject Alternative Name (SAN).
# Ignored if IgnoreCertificateErrors is enabled.
# (0 = disabled, 1 = enabled).
# Default: 0
#
;CertValidationIgnoreHostName = 0

#
# Ignore any errors related to certificate validation (0 = disabled, 1 =
# enabled).
# Default: 0
#
;IgnoreCertificateErrors = 0

#
# Specify the hostname that sendmemo uses to identify itself (EHLO).
# The format must be one of the following (RFC 2821):
#    * FQDN hostname:
#        host.example.com
#    * Brackets enclosed IPv4 address:
#        [1.2.3.4]
#    * Brackets enclosed IPv6 address:
#        [IPv6:fc00::1]
# Anything else is invalid. Some email servers might ignore an invalid
# hostname passed to EHLO, others will not.
#
# Useful when you are behind NAT and sendmemo needs to send email to SMTP
# servers that are outside of your LAN or when autodetect fails.
# Default: sendmemo will autodetect hostname.
;Hostname =
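An added example, not part of InfoPrint Manager, that parses a file in the format the comment header above describes and reports the settings a reviewer would check before enabling TLS on a server; parse_cfg, resolve_path, check_cfg, the findings text and the /var/pd/YOUR-SERVER-NAME placeholder directory are this example's own.

```python
import re

PATH_OPTIONS = ("CAFile", "CrlFile", "CertFile", "KeyFile")
# The three EHLO forms the page lists (RFC 2821): FQDN, [IPv4], [IPv6:...]
EHLO_RE = re.compile(r"^(?:[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
                     r"|\[\d{1,3}(?:\.\d{1,3}){3}\]|\[IPv6:[0-9A-Fa-f:]+\])$")

def parse_cfg(text):
    """Return {option: value} for active lines; ';' and '#' lines are ignored."""
    opts = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in ";#":
            continue
        key, _, value = s.partition("=")
        opts[key.strip()] = value.strip()  # option names are case-sensitive
    return opts

def resolve_path(value, cfg_dir):
    """A bare file name (no '/' or '\\') is looked up next to the config file."""
    if "/" in value or "\\" in value:
        return value
    return cfg_dir.rstrip("/") + "/" + value

def check_cfg(text, cfg_dir="/var/pd/YOUR-SERVER-NAME"):  # placeholder directory
    """Findings a reviewer would want to see before enabling TLS on a server."""
    opts = parse_cfg(text)
    out = []
    if opts.get("EnableTLS", "0") not in ("0", "1", "2"):
        out.append("EnableTLS must be 0, 1 or 2")
    for name in PATH_OPTIONS:
        if opts.get(name):
            out.append(f"{name} resolves to {resolve_path(opts[name], cfg_dir)}")
    if opts.get("IgnoreCertificateErrors") == "1":
        out.append("IgnoreCertificateErrors=1: server certificate is not verified at all")
    elif opts.get("CertValidationIgnoreHostName") == "1":
        out.append("CertValidationIgnoreHostName=1: host name is not checked against the certificate")
    host = opts.get("Hostname")
    if host and not EHLO_RE.match(host):
        out.append(f"Hostname {host!r} is not an FQDN, [IPv4] or [IPv6:...] form")
    return out

# Constructed sample: STARTTLS on, custom CA given as a bare file name,
# certificate checks switched off, and an EHLO name that is not an FQDN.
SAMPLE = """# sendmemo SSL/TLS configuration file
;EnableTLS = 0
EnableTLS = 1
CAFile = corp-ca.pem
IgnoreCertificateErrors = 1
Hostname = mailhost
"""
```

Running check_cfg(SAMPLE) reports the resolved CA path, the disabled certificate verification and the invalid EHLO name, while a file containing only EnableTLS = 2 produces no findings.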