Enabling Transport Layer Security encryption for sendmemo

The sendmemo component is responsible for submitting emails from the InfoPrint Manager server, either as Email Notifications or through an EMail actual destination. If you want to enable encrypted communication between the InfoPrint Manager server and your email server, you must configure the sendmemo SSL/TLS configuration file. The configuration file, like the smtp-server-port and smtp-server-host server attributes, is configured per server. Because of this, the location of the configuration file is the server working directory: /var/pd/<your-server-name>, where <your-server-name> is the name of the server whose communication with your email server you want to encrypt.

    Note:
  • Your email server must also have SSL/TLS configured and functional. You can choose between STARTTLS or SMTPS. By default, STARTTLS can be used with port 25/tcp (smtp) and 587/tcp (submission). By default, SMTPS can be used with port 465/tcp (smtps). However, you can use any other TCP port as long as your email server is configured for it.
  • Authentication over STARTTLS or SMTPS is not supported.

By default, sendmemo uses TLS to encrypt the connection to the email server. It negotiates the highest available cipher shared with the email server. By default, SSLv3 encryption is disabled. If your email server is very old and needs Secure Sockets Layer (SSL) version 3 for encrypted connections, you can set the environment variable IPM_ENABLE_SSL_V3 to a non-empty value. SSLv3 is an obsolete protocol with known weaknesses, so treat this as a temporary measure for a legacy server and remove the variable once the server supports TLS.

Important: SSLv2 is disabled and cannot be enabled.

If the certificate files and keys are found in the same directory as the configuration file, the full path is optional. Otherwise, the full path should be specified.

To enable TLS encryption for sendmemo, you must complete these steps:

  1. Copy the provided sample configuration file sendmemo-ssl.cfg from the /usr/lpp/pd/cfg-samples/ssl/sendmemo directory into the working directory of the server.
  2. If you are using your own CA, copy the CA certificate file (the public part) to the InfoPrint Manager server.
  3. If you have a Certificate Revocation List (CRL), copy the CRL file to the InfoPrint Manager server.
  4. Edit the sendmemo-ssl.cfg file using a text editor. Uncomment and change the following keyword values (where applicable):
    1. Uncomment the EnableTLS keyword and set the desired value as follows:
      • 0: SMTP session encryption disabled
      • 1: use STARTTLS
      • 2: use SMTPS
        Note: The correct SMTP port number must be set using the specific InfoPrint Manager server attribute (smtp-server-port).
    2. Optional: uncomment the CAFile keyword and specify the filename of the CA certificate if you are using a custom CA.
    3. Optional: uncomment the CrlFile keyword and specify the filename of the CRL file if you have one available.
    4. Optional: uncomment the Hostname keyword and specify the hostname that sendmemo uses to identify itself (EHLO) to the email server. This is useful when you are behind NAT and sendmemo needs to send email to SMTP servers outside of your LAN, or when autodetection fails. Some email servers ignore an invalid host name passed to EHLO, others reject the session.

      The format must be one of these (RFC 2821):

      • FQDN host name, for example: host.example.com
      • IPv4 address enclosed in brackets, for example: [1.2.3.4]
      • IPv6 address enclosed in brackets, for example: [IPv6:fc00::1]
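The steps above only change what sendmemo sends; whether the mail server actually accepts that mode is easiest to confirm before you commit the configuration. The following pre-flight probe is an added example and not part of InfoPrint Manager or sendmemo: it maps the sendmemo-ssl.cfg keywords (EnableTLS, CAFile, CrlFile, Hostname, and CertValidationIgnoreHostName described further on) onto Python's ssl and smtplib API so you can run the same STARTTLS or SMTPS exchange from the InfoPrint Manager host. All function and variable names, the TLS 1.2 floor, and the sample invocation are this example's own assumptions; the page does not say which TLS library sendmemo uses or which protocol versions it offers beyond the SSLv2/SSLv3 statements.

```python
"""Pre-flight check for a sendmemo TLS configuration (added example)."""
import smtplib
import ssl

# EnableTLS values as documented for sendmemo-ssl.cfg.
TLS_DISABLED, TLS_STARTTLS, TLS_SMTPS = 0, 1, 2

# Conventional ports per mode; smtp-server-port may override them.
DEFAULT_PORTS = {TLS_DISABLED: 25, TLS_STARTTLS: 587, TLS_SMTPS: 465}


def build_context(ca_file=None, crl_file=None, ignore_hostname=False):
    """Build an SSL context mirroring the sendmemo keywords.

    CAFile  -> load_verify_locations(cafile=...) (None = system trust store)
    CrlFile -> the CRL PEM is loaded the same way, plus VERIFY_CRL_CHECK_LEAF
    CertValidationIgnoreHostName=1 -> check_hostname=False
    SSLv2/SSLv3 are never offered: create_default_context() forbids them and
    the floor is pinned to TLS 1.2 here (this example's own choice).
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    # The chain is still verified against the CA; only the name check is
    # skipped, which is exactly what CertValidationIgnoreHostName=1 gives up.
    ctx.check_hostname = not ignore_hostname
    return ctx


def port_for(enable_tls, smtp_server_port=None):
    """Port to use: the smtp-server-port attribute if set, else the default."""
    if enable_tls not in DEFAULT_PORTS:
        raise ValueError(f"EnableTLS must be 0, 1 or 2, got {enable_tls!r}")
    return smtp_server_port or DEFAULT_PORTS[enable_tls]


def probe(host, enable_tls, ctx, ehlo_hostname=None,
          smtp_server_port=None, timeout=10):
    """Open the session the way sendmemo would and return the negotiated
    (cipher, protocol, bits) tuple, or None when EnableTLS=0.
    No AUTH is attempted, matching the note that authentication over TLS
    is not supported. ehlo_hostname corresponds to the Hostname keyword;
    smtplib derives an FQDN or [address] form itself when it is None.
    """
    port = port_for(enable_tls, smtp_server_port)
    if enable_tls == TLS_SMTPS:
        # SMTPS: TLS handshake first, SMTP inside the tunnel.
        client = smtplib.SMTP_SSL(host, port, local_hostname=ehlo_hostname,
                                  timeout=timeout, context=ctx)
    else:
        client = smtplib.SMTP(host, port, local_hostname=ehlo_hostname,
                              timeout=timeout)
    try:
        client.ehlo()
        if enable_tls == TLS_STARTTLS:
            if not client.has_extn("starttls"):
                raise RuntimeError("server does not offer STARTTLS on this port")
            client.starttls(context=ctx)
            client.ehlo()  # RFC 3207: repeat EHLO after the upgrade
        if enable_tls == TLS_DISABLED:
            return None
        return client.sock.cipher()
    finally:
        client.quit()


if __name__ == "__main__":
    import sys
    # Assumed usage: python3 probe.py mail.example.com 1 [ca.pem]
    host, mode = sys.argv[1], int(sys.argv[2])
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe(host, mode, build_context(ca_file=ca)))
```

If the probe fails with a certificate error while the same server works with ignore_hostname=True, the problem is the name in the certificate, which is the case the CertValidationIgnoreHostName keyword addresses; if it fails regardless, the CA file or CRL is the place to look.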

The last two optional keywords are usually needed only if errors occur during the TLS handshake:

  • CertValidationIgnoreHostName can help if the server host name from DNS differs from the name in the certificate presented by the server during the TLS handshake (the Subject field and the X509v3 Subject Alternative Name (SAN) field). Setting this keyword to 1 disables host name validation. The certificate chain is still checked against the CA, but any certificate issued by a trusted CA is then accepted for this server, so fix the certificate or DNS name where you can and use this setting only as a workaround. This table shows how validation is done when the certificate Subject or SAN contains a wildcard:
    Host name          Certificate Subject or Subject Alternative Name    Validation
    host.example.com   host.example.com                                    OK
    host.example.com   *.example.com
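To see how the wildcard rows of that table generalize, the following matcher is an added example (not sendmemo's own code; the page does not say which TLS library sendmemo uses, so its handling of unusual wildcard forms may differ). It implements the conservative RFC 6125 rules that mainstream TLS stacks follow: a wildcard is accepted only as the entire leftmost label, it matches exactly one label, and when the certificate carries DNS entries in its SAN those are used and the Subject CN is ignored. The certificate dictionaries are constructed inline in the shape ssl.getpeercert() returns; the names in them are made up for the example.

```python
"""Host name validation against a certificate's Subject/SAN (added example)."""


def hostname_matches(hostname, pattern):
    """Return True if DNS name `hostname` matches certificate name `pattern`.

    Rules (RFC 6125 section 6.4.3, conservative reading):
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard must be the whole leftmost label ("*.example.com")
    - it matches exactly one label: host.example.com, not a.host.example.com
      and not the bare example.com
    - a wildcard needs at least two labels after it, so "*.com" is rejected
    """
    hostname = hostname.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if "*" not in pattern:
        return hostname == pattern
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_names(cert):
    """Extract the DNS names a certificate claims, in the order a validator
    considers them: SAN DNS entries if any exist, otherwise the Subject CN."""
    san = [value for kind, value in cert.get("subjectAltName", ())
           if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def validate(hostname, cert, ignore_hostname=False):
    """Mirror of the CertValidationIgnoreHostName decision: with the keyword
    set (ignore_hostname=True) the name check is skipped entirely."""
    if ignore_hostname:
        return True
    return any(hostname_matches(hostname, name) for name in certificate_names(cert))


# Constructed sample certificates (not real ones).
CERT_EXACT = {"subject": ((("commonName", "host.example.com"),),)}
CERT_WILDCARD_SAN = {
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


if __name__ == "__main__":
    for host, cert in [("host.example.com", CERT_EXACT),
                       ("host.example.com", CERT_WILDCARD_SAN),
                       ("a.host.example.com", CERT_WILDCARD_SAN),
                       ("example.com", CERT_WILDCARD_SAN)]:
        print(f"{host:22} {certificate_names(cert)[0]:18} "
              f"{'OK' if validate(host, cert) else 'FAIL'}")
```

Note that with a SAN present the CN ignored.example.net plays no part; a server certificate whose SAN lists only the wrong name fails validation even if its CN happens to match the DNS name, which is a common cause of the handshake errors this keyword is meant to work around.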