Enabling Transport Layer Security encryption for sendmemo
The sendmemo component is responsible for submitting emails from the InfoPrint Manager server, either as Email Notifications or through an EMail actual destination. If you want to enable encrypted communication between the InfoPrint Manager server and your email server, you must configure the sendmemo SSL/TLS configuration file. Like the smtp-server-port and smtp-server-host server attributes, the configuration file is configured per server. Because of this, the location of the configuration file is the server working directory, /var/pd/<your-server-name>, where <your-server-name> is the name of the server that you want to communicate with your email server over an encrypted connection.
- Note:
- Your email server must also have SSL/TLS configured and functional. You can choose between STARTTLS or SMTPS. By default, STARTTLS can be used with port 25/tcp (smtp) and 587/tcp (submission). By default, SMTPS can be used with port 465/tcp (smtps). However, you can use any other TCP port as long as your email server is configured as such.
- Authentication over STARTTLS or SMTPS is not supported. Because sendmemo cannot present credentials, the email server must accept mail from the InfoPrint Manager server without SMTP authentication (for example, by relaying for that server's address).
By default, sendmemo uses TLS to encrypt the connection to the email server. It negotiates the strongest cipher that it shares with the email server. By default, SSLv3 encryption is disabled. If your email server is very old and needs Secure Sockets Layer (SSL) version 3 for encrypted connections to it, you can set the environment variable IPM_ENABLE_SSL_V3 to a non-empty value. SSLv3 is obsolete and vulnerable to known attacks (for example POODLE), so enable it only for a legacy server that cannot be upgraded, and unset the variable as soon as that server supports TLS.
If the certificate files and keys are found in the same directory as the configuration file, the full path is optional. Otherwise, the full path should be specified.
To enable TLS encryption for sendmemo, you must complete these steps:
- Copy the provided sample configuration file sendmemo-ssl.cfg from the /usr/lpp/pd/cfg-samples/ssl/sendmemo directory into the working directory of the server.
- If you are using your own CA, copy the CA certificate file (the public part) to the InfoPrint Manager server.
- If you have a Certificate Revocation List (CRL), copy the CRL file to the InfoPrint Manager server.
- Edit the sendmemo-ssl.cfg file using a text editor. Uncomment and change the values of the following keywords (where applicable):
  - Uncomment the EnableTLS keyword and set the desired value as follows:
    - 0: SMTP session encryption disabled
    - 1: use STARTTLS
    - 2: use SMTPS
    Note: The correct SMTP port number must be set using the specific InfoPrint Manager server attribute (smtp-server-port). The port must match the mode: STARTTLS is normally used on 25/tcp or 587/tcp, SMTPS on 465/tcp.
  - Optional: uncomment the CAFile keyword and specify the filename of the CA certificate if you are using a custom CA.
  - Optional: uncomment the CrlFile keyword and specify the filename of the CRL if you have one available.
  - Optional: uncomment the Hostname keyword and specify the host name that sendmemo uses to identify itself (EHLO) to the email server. This is useful when you are behind NAT and sendmemo needs to send email to SMTP servers outside your LAN, or when autodetection fails. Some email servers ignore an invalid host name passed to EHLO; others do not. The format must be one of these (RFC 2821):
    - FQDN host name, for example: host.example.com
    - IPv4 address enclosed in brackets, for example: [1.2.3.4]
    - IPv6 address enclosed in brackets, for example: [IPv6:fc00::1]
  - Optional: the last two keywords are usually needed only if errors occur during the TLS handshake. CertValidationIgnoreHostName can help if the server host name from DNS is different from the value set in the certificate presented by the server during the TLS handshake (Subject field and X509v3 Subject Alternative Name (SAN) field). Setting this keyword to 1 disables validation of the host name. With host name validation off, sendmemo accepts any certificate that chains to a trusted CA regardless of which host it was issued to, so prefer fixing the server certificate (add the DNS name to the SAN) or setting smtp-server-host to a name the certificate already covers. This table shows how validation is made in case the Subject field from the certif
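The edits above are easy to get slightly wrong (EnableTLS left commented out, a CAFile or CrlFile name that does not resolve against the working directory, an EHLO name in the wrong form, an smtp-server-port that does not match the chosen mode, or CertValidationIgnoreHostName left at 1 after debugging). The following checker, an added example that is not part of InfoPrint Manager or its sample file, reads an edited sendmemo-ssl.cfg and reports those problems before you restart the server. It assumes the file holds one keyword and value per line with # comments, which is an assumption about the sample file's layout; the sample contents, server name and certificate file names are constructed.

```python
"""Offline sanity check of a sendmemo-ssl.cfg (added example, not IPM code).

Assumed, not stated on the page: one "Keyword value" or "Keyword=value" pair
per line, '#' starts a comment, and a commented-out keyword is inactive.
"""
import ipaddress
import os
import re

# Constructed sample of an edited sendmemo-ssl.cfg (file names are made up).
SAMPLE_CFG = """\
# sendmemo SSL/TLS configuration (constructed example)
EnableTLS 1
CAFile corp-ca.pem
CrlFile corp-ca.crl
Hostname ipm.example.com
#CertValidationIgnoreHostName 1
"""

KNOWN_KEYWORDS = {"EnableTLS", "CAFile", "CrlFile", "Hostname",
                  "CertValidationIgnoreHostName"}

# EnableTLS value -> (mode name, default ports the page lists for that mode)
TLS_MODES = {"0": ("disabled", ()), "1": ("STARTTLS", (25, 587)),
             "2": ("SMTPS", (465,))}

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
BRACKET_RE = re.compile(r"^\[(IPv6:)?([0-9A-Fa-f:.]+)\]$")


def parse_cfg(text):
    """Return {keyword: value} for the active (uncommented) lines."""
    active = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        active[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return active


def ehlo_name_ok(name):
    """Accept only the RFC 2821 forms the page lists for Hostname."""
    m = BRACKET_RE.match(name)
    if m:
        tagged_v6, literal = bool(m.group(1)), m.group(2)
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            return False
        # [1.2.3.4] for IPv4; an IPv6 literal must carry the IPv6: tag
        return (addr.version == 6) == tagged_v6
    if name.rsplit(".", 1)[-1].isdigit():
        return False  # bare IP address: RFC 2821 requires the bracketed form
    return bool(FQDN_RE.match(name))


def check_cfg(text, workdir, smtp_server_port=None, exists=os.path.isfile):
    """Return (errors, warnings). smtp_server_port is the server attribute value;
    `exists` is injectable so the check can run without the real filesystem."""
    cfg = parse_cfg(text)
    errors, warnings = [], []
    for key in cfg:
        if key not in KNOWN_KEYWORDS:
            warnings.append(f"unknown keyword {key!r}: a misspelled keyword is ignored")
    mode = cfg.get("EnableTLS")
    if mode not in TLS_MODES:
        errors.append("EnableTLS must be uncommented and set to 0, 1 or 2")
    else:
        mode_name, default_ports = TLS_MODES[mode]
        if mode == "0":
            warnings.append("EnableTLS=0: the SMTP session is sent in clear text")
        elif smtp_server_port is not None and int(smtp_server_port) not in default_ports:
            warnings.append(f"smtp-server-port {smtp_server_port} is not a default "
                            f"{mode_name} port {default_ports}; confirm the mail "
                            f"server speaks {mode_name} there")
    for key in ("CAFile", "CrlFile"):  # relative names resolve against workdir
        path = cfg.get(key)
        if path is not None:
            full = path if os.path.isabs(path) else os.path.join(workdir, path)
            if not exists(full):
                errors.append(f"{key}: {full} not found")
    host = cfg.get("Hostname")
    if host is not None and not ehlo_name_ok(host):
        errors.append(f"Hostname {host!r} is not an FQDN, [IPv4] or [IPv6:...] literal")
    if cfg.get("CertValidationIgnoreHostName") == "1":
        warnings.append("CertValidationIgnoreHostName=1: any certificate chaining to a "
                        "trusted CA is accepted for this host (MITM risk); fix the "
                        "server certificate SAN instead")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_cfg(SAMPLE_CFG, "/var/pd/myserver", smtp_server_port=587)
    for line in errs + warns:
        print(line)
    print("OK" if not errs else "fix the errors before restarting the server")
```

Run it against the real file with the server's working directory and the value you set for smtp-server-port; an empty error list means the keywords are consistent, while the warnings flag settings (clear text, a non-default port, host name validation disabled) that are legal but deserve a second look.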