Enabling Transport Layer Security encryption for sendmemo

The sendmemo component is responsible for submitting emails from the InfoPrint Manager server, either as Email Notifications or through an Email actual destination. If you want to enable encrypted communication between the InfoPrint Manager server and your email server, you must configure the sendmemo SSL/TLS configuration file. Like the smtp-server-port and smtp-server-host server attributes, the configuration file is configured per server. Therefore, the configuration file is located in the server working directory, /var/pd/<your-server-name>, where <your-server-name> is the name of the server whose communication with your email server you want to encrypt.

  • Your email server must also have SSL/TLS configured and functional. You can choose between STARTTLS or SMTPS. By default, STARTTLS can be used with port 25/tcp (smtp) and 587/tcp (submission). By default, SMTPS can be used with port 465/tcp (smtps). However, you can use any other TCP port as long as your email server is configured as such.
  • Authentication over STARTTLS or SMTPS is not supported.

By default, sendmemo uses TLS to encrypt the connection to the email server. It negotiates the highest available cipher shared with the email server. By default, SSLv3 encryption is disabled. If your server is very old and needs Secure Sockets Layer (SSL) version 3 for encrypted connections to it, you can set the environment variable IPM_ENABLE_SSL_V3 to a non-empty value.

Important: SSLv2 is disabled and cannot be enabled.

If the certificate files and keys are found in the same directory as the configuration file, the full path is optional. Otherwise, the full path should be specified.

To enable TLS encryption for sendmemo, you must follow these steps:

  1. Copy the provided sample configuration file sendmemo-ssl.cfg from /usr/lpp/pd/cfg-samples/ssl/sendmemo directory into the working directory of the server.
  2. If you are using your own CA, copy the CA certificate file (the public part) to the InfoPrint Manager server.
  3. If you have Certificate Revocation List (CRL), copy the CRL file to the InfoPrint Manager server.
  4. Edit the sendmemo-ssl.cfg file using a text editor. Uncomment and change the values of the following keywords (where available):
    1. Uncomment the EnableTLS keyword and set the desired value as follows:
      • 0: SMTP session encryption disabled
      • 1: use STARTTLS
      • 2: use SMTPS
        Note: The correct SMTP port number must be set using the specific InfoPrint Manager server attribute smtp-server-port.
    2. Optional: uncomment the CAFile keyword and specify the file name for the CA certificate if you are using a custom CA.
    3. Optional: uncomment the CrlFile keyword and specify the file name of the CRL if you have one available.
    4. Optional: uncomment the Hostname keyword and specify the host name that sendmemo uses to identify itself (EHLO) to the email server. This is useful when you are behind NAT and sendmemo needs to send email to the SMTP servers that are outside of your LAN or when autodetect fails. Some email servers might ignore an invalid host name passed to EHLO, others might not.

      The format must be one of the following (RFC 2821):

      • FQDN host name, for example: host.example.com
      • IPv4 address enclosed in brackets, for example: []
      • IPv6 address enclosed in brackets, for example: [IPv6:fc00::1]
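      As an added illustration (not code from InfoPrint Manager or the sendmemo component), the following Python maps the keywords above onto a standard TLS client: it validates the EHLO name against the three RFC 2821 forms and builds the server-verification policy that EnableTLS, CAFile, CrlFile and CertValidationIgnoreHostName describe. The dict keys, the numeric values for CertValidationIgnoreHostName, the rule that a single bare label is not an FQDN, and the PEM format of the CRL are assumptions made here.

```python
import ipaddress
import re
import smtplib
import ssl

# RFC 2821 domain label: letters, digits and hyphens, no leading/trailing "-".
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def valid_ehlo_name(name):
    """True if name is an FQDN, a [IPv4] literal or a [IPv6:...] literal."""
    if name.startswith("[") and name.endswith("]"):
        literal = name[1:-1]
        try:
            if literal.startswith("IPv6:"):
                ipaddress.IPv6Address(literal[5:])
            else:
                ipaddress.IPv4Address(literal)
            return True
        except ValueError:
            return False
    labels = name.split(".")
    # Assumption: a single bare label such as "localhost" is not an FQDN.
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def tls_context_from_cfg(cfg):
    """Client TLS policy implied by the keywords; None when EnableTLS is 0.
    SSLv2/SSLv3 stay disabled (the default context never offers them)."""
    if int(cfg.get("EnableTLS", 0)) == 0:
        return None
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if cfg.get("CAFile"):                       # trust a custom CA
        ctx.load_verify_locations(cafile=cfg["CAFile"])
    if cfg.get("CrlFile"):                      # PEM CRL (assumed), checked for the leaf
        ctx.load_verify_locations(cafile=cfg["CrlFile"])
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if int(cfg.get("CertValidationIgnoreHostName", 0)):
        ctx.check_hostname = False  # chain still verified, only the name check is skipped
    return ctx

def open_secure_smtp(host, port, cfg, ehlo_name=None):
    """Connect as EnableTLS selects: 1 = STARTTLS, 2 = SMTPS (TLS from byte one)."""
    ctx = tls_context_from_cfg(cfg)
    if int(cfg.get("EnableTLS", 0)) == 2:
        return smtplib.SMTP_SSL(host, port, local_hostname=ehlo_name, context=ctx)
    conn = smtplib.SMTP(host, port, local_hostname=ehlo_name)
    if ctx is not None:
        conn.starttls(context=ctx)  # SMTPNotSupportedError if the server lacks STARTTLS
        conn.ehlo()                 # re-EHLO inside the tunnel, as RFC 3207 requires
    return conn
```

      The port passed to open_secure_smtp corresponds to the smtp-server-port server attribute, so it must match the mode (for example 587 for STARTTLS, 465 for SMTPS).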

The last two optional keywords are commonly used if errors occur during TLS handshake:

  • CertValidationIgnoreHostName can help if the server host name from the DNS is different from the value set in the certificate presented by the server during TLS handshake (Subjec