How do lovers use tech to connect?

Posted on February 8, 2013 by Barry Shurtz

Today, Sendmail released a cool infographic entitled, “Communicating Love in the Modern Era.”

Based on a survey of more than 200 people, the infographic shows how spouses, romantic partners and love interests prefer to communicate across a wide range of technologies, including the phone, email, social media, and texting.

It turns out, despite all the new avenues available to check in and hook up, people still prefer hooking up and checking in the “old fashioned” way, with the telephone, texting and email in a virtual tie for first place. Facebook factors in somewhat at 11%, but the biggest surprise was in instant messaging and video chat. Despite the real-time, conversational flow of IM and the face time made possible by video, only 5% of respondents chose either of these as the tool of choice for romantic connections. Meanwhile, Instagram, Google+ and Twitter proved to be romantic wastelands, attracting 1% or less of the vote.

Respondents demonstrated overwhelming concern around privacy, with 75% saying they’re worried about prying eyes at least some of the time. This would explain why only 3% turn to corporate email vs. personal email to discuss matters of the heart.

While allowing loved ones to connect, technology also proves to be a bit of a mischief maker, with 16% admitting they accidentally sent an intimate message to the wrong contact. Texting and email were the biggest culprits at 68% and 15%, respectively.

When comparing the responses of men and women, we found both genders shared the same preferences all across the board. People also for the most part felt the same regardless of age, though we observed an interesting relationship between age and the use of email and video chat: younger people tend to prefer video chat over email while the opposite tends to ring true for the older set.

What do you think of the findings? How do your preferences compare?

Posted in Email Fun Fact | Leave a comment

Is Email Dying?

Posted on February 5, 2013 by Glen D. Vondrick

The articles continue to pile up; all suggesting that e-mail is either dying or dead.

It reminds me of a bit comedian Bill Cosby used to do: I keep overhearing my teen daughters telling my wife: ‘Mother, it’s my life. Your life is over.’ The first time I heard that, I went upstairs and packed. I don’t want to live with no woman whose life is over.”

And packing is exactly what some companies like the LAC Group and Atos are doing. Both have launched very public missions to completely rid their organizations of e-mail. No sense in living with a tool that’s doomed for failure.

Except, it’s not.

When it comes to getting the job done, Facebook, Twitter, Salesforce Chatter, and Yammer—just to name a few—certainly play an important role. But so does the 140 year-old telephone. Sure, today’s phones have evolved to meet modern day needs just as e-mail has and will continue to evolve. Social networks aren’t replacing the telephone, IM, texting, e-mail or in-person conversations. They’re growing alongside these communication methods.

In fact, as the use of social media and other technologies—particularly mobile—grow, e-mail too will grow. The Radicati Group expects the number of worldwide e-mail accounts to jump from 3.3 billion in 2012 to 4.3 billion in 2016. And for all the talk of Twitter, Facebook, and Google+ replacing e-mail, they all include e-mail-like messaging capabilities.

What happens when the phones go down for a day? Business lives on. Take away social media, business continues on. But what about when we can’t send or receive e-mails? Business grinds to a halt. Departments are paralyzed. The entire enterprise stops, because e-mail is more than spam and a bunch of water cooler missives. Take it away, and not only are you impeding person-to-person communication, you’re completely shutting down system-to-system and system-to-person communication. E-mail is even used to control both government and commercial satellite repositioning. You can’t replace this with Twitter.

Of course, e-mail isn’t without its faults. Reduction of clutter, for one, is a good thing. Not just in terms of spam and frivolous e-mail, but on all platforms. Social media platforms also generate a lot of noise, and there is a fatigue associated with its post-to-all mentality. Keeping up with all the ideas—some good, some not so good—takes time. And enterprise tools such as Salesforce Chatter are commonly experiencing drop-off as a result.

As Altimeter Group analyst Charlene Li wrote in a recent report, “Some organizations have deployed social networking features with an initial enthusiastic reception, only to see these early efforts wither to just a few stalwart participants.”

E-mail isn’t dying. It’s bigger than ever. Does e-mail—rather, the 25-year-old infrastructure most organizations rely on to handle it—need to be modernized? Yes. Fortunately, this is already happening within the largest organizations, and other businesses are sure to follow—not out of some noble desire to save it, but because in reality business’ reliance on it is growing, not shrinking.

Posted in Glen D. Vondrick | Leave a comment

2013: Year of the Hybrid Cloud?

Posted on January 22, 2013 by Barry Shurtz

Last month, Network World predicted 2013 would be the year of the hybrid cloud. I think they’re right on.

We talked about the hybrid cloud at last year’s Sendmail EMEA User Symposium, and at our User Summit in Washington DC, where major financial, telco and other organizations presented their case for combining hybrid cloud architecture with our Sentrion platform for on-premises and in-cloud email management.

But while 2013 may be the year of the hybrid cloud, not everyone seems to have caught on. While 83% of organizations expect to move email to the cloud by 2014, only 22% plan to adopt the hybrid approach that Gartner Research, other analysts, and even the cloud providers themselves say is today’s simple reality. Only 22%.

Emails do a lot more than people think. More than half of them are now generated by machines—not people. They’re sent by airlines to confirm flights. They’re sent by copiers when low on toner. They even position satellites.

Managing this so-called machine-generated email in the cloud simply can’t be done without compromising security, compliance, system functionality, or even the entire messaging infrastructure. Heavily regulated organizations are at particular risk, because they have so many systems generating sensitive information.

To make it even easier for these organizations to adopt hybrid-cloud email, we partnered with Mimecast to provide a one-stop shop for hybrid-cloud email management solutions.

In fact, in looking back, I have to say Network World was not exactly right. The year of the hybrid cloud—for Sendmail, at least—started in 2012!

But don’t worry; we agree that it will explode in 2013, especially for email. And that 22% number–we expect that to increase significantly as enterprises begin to realize that a hybrid email architecture is the only viable way to reap the benefits of the cloud.

What are your cloud email migration plans?

Posted in Cloud, Glen D. Vondrick | Leave a comment

Sendmail and Mimecast Join Forces

Posted on December 3, 2012 by Barry Shurtz

This morning Sendmail announced a new strategic partnership with Mimecast that we think our customers will be really excited about as they consider different options for moving certain email functions to the cloud.

After discussions with many of our customers at our various User Summit’s and in our regular on-going interactions, we set out to find the best cloud email application provider that we felt could stand up to the complex email requirements of large businesses like theirs.

After much due diligence Sendmail chose to enter into a strategic partnership with Mimecast.

Why Mimecast?

Because we know large global businesses with complex messaging environments all have different needs, different ideas, and will make different choices about how they’ll deploy email and email management applications in the future–some of them will choose to move mailboxes to the cloud, some of them will not.  Some will move AV/AS hygiene, archiving, or other email applications to the cloud while others of them will leave them on-premises.

What is clear is that it is unlikely going to be one or the other for most large companies. They know that Sendmail Sentrion’s are needed on-premises to manage and route email generated by on-premises applications and machines and to handle policy enforcement, among the many other things they rely on Sentrion to handle.

This means that you need a cloud application provider that can integrate and work hand-in-hand with Sentrion, and that is why we chose Mimecast as our cloud email application partner.  Mimecast takes the same approach to email as Sentrion. Mimecast was built from the ground up, as a cloud platform with API’s to make integration with on-premises Sentrion’s seamless and secure.

We believe it made perfect sense to partner with Mimecast–Sendmail can now provide enterprises a full spectrum of in-cloud and on-premises email applications and the flexible choices required to meet their unique hybrid email architecture requirements.

Sentrion Cloud Apps Powered by Mimecast

Email Security

Sentrion Email Security Powered by Mimecast provides the most comprehensive, cloud-based email risk mitigation available in the market today and they have been critically acclaimed by Gartner and named CRN Security Vendor of the Year.

Email Archiving

Sentrion Email Archiving Powered by Mimecast cuts the cost and complexity of secure, accessible email archiving. It gives your users instant access to every email they’ve ever sent or received and it gives you central control of email retention policies. As much storage as you need, whenever you need it. No more email backups. The Sentrion Email Archiving Powered by Mimecast cloud-based platform stores all your email—internal and external— in a highly secure and resilient archive, giving you as much space as you need.

Email Continuity

Sentrion Email Continuity Powered by Mimecast delivers always-on, seamless email availability through automatic service failover and failback in near real-time during an email outage. It integrates so seamlessly with Microsoft Outlook that your employees will just continue using email safely and securely — whether the email outage is planned or not.

Learn more about Sentrion Cloud Apps Powered by Mimecast here on Sendmail.com and read the press release here.

Posted in Barry Shurtz, Cloud, Email Backbone, Email Security, Sentrion Cloud Apps Powered by Mimecast | Leave a comment

Recap of Sendmail’s Annual Messaging Infrastructure Summit

Posted on November 19, 2012 by Barry Shurtz

To all Sendmail customers who could not attend this year–we’re sorry that you missed this year’s annual International Messaging Infrastructure Summit held in Washington DC on election week.  You missed out on some excellent discussions ranging from cloud email to managing machine-generated mail with the new Sentrion REAC product.

I wanted to recap some of the great material that was presented and to also encourage Sendmail customers to contact your local Sendmail Sales Manager or Systems Engineer to have them give you your own “guided tour” of the presentations. For Sendmail propsective customers, send us an email at info(AT)sendmail.com and request a tour of the presentations.

Sentrion Rogue Email Application Control (REAC)

All conference participants were automatically eligible to become part of the early adopter program for the new Sentrion REAC product that was announced and discussed in detail at the Summit:

“It’s become a matter of man vs. machine as enterprises begin contending with the growing security and compliance risks presented by the uncontrolled high volume of email messages being generated by applications inside enterprise walls,” said Sendmail President & CEO Glen D. Vondrick. “Left unchecked, these machine-generated emails can result in the complete shut-down of IT networks at any time, though the potential for mayhem is at its highest during email-to-cloud migrations.”

Sentrion REAC product manager, Christiaan van Woudenberg, spent a lot of time introducing the new Sentrion REAC product to the audience and also gave an in-depth demonstration on how the product works.

Contact your Sendmail Sales Manager today to learn more about Sentrion REAC and the early adopter program and read the full news release here.

Customer Spotlight Presentation – EMC

Cathal O’Mahony, Director of Global Messaging with EMC gave a fantastic case study presentation of their history of relying on Sendmail technology and expertise.  EMC started with Sendmail back in 2007 and evolved from open source, Sendmail software, Sentrion hard appliances (MP), Sentrion virtual appliances (MPV) to now using a Sentrion-based private cloud solution.

Cathal was also presented this year’s Sentrion Innovation Award.  Congratulations to Cathal and his entire messaging team at EMC!

Sendmail Presentation on Sentrion in the Cloud

Sendmail’s VP of Cloud Enablement and CTO, Greg Shapiro, spent some time telling the audience about some exciting upcoming Sentrion Cloud offerings.

This is another don’t miss presentation–contact your sales team to learn more.

Customer and Partner Presentations

We also had an excellent presentation from Sentrion customer Rakuten (the “Amazon.com” of Japan), as well as a presentation from Sendmail private cloud partner CSC.

Industry Presentation:

Michael Osterman, of Osterman Research, did an excellent presentation recapping an extensive survey they conducted on moving email to the cloud.  A couple of key points from this presentation:

“Large and heavily regulated organizations will likely never adopt cloud email to the same extent as smaller and less regulated ones”

“Email-generating applications and systems serve as something of an “anchor” that restricts migration to the cloud

Customer Panel

We ended the regular session on the first day with a very lively panel discussion lead by Michael Osterman.  The group then adjourned for the Partner Fair and a fun dinner at a nearby Cuban Restaurant and Rum Bar.

Thanks to our Partner Fair Sponsors: Commtouch, Cloudmark, CSC, Hitachi, Rpost, and Trustsphere.

Finally on Friday there were in-depth presentations on Sentrion REAC as well as an extensive presentation of the Sentrion product roadmap – Past, Present and Future.

I encourage you to contact your local sales team to bring the Sendmail International Messaging Infrastructure Summit directly to you.  They have access to all the presentations and material and would be happy to walk through them with you.

We hope to see you at next year’s event.

P.S. Our EMEA team is offering a special EMEA focused User Summit coming this April 25 and 26 in Dusseldorf Germany.  Stay tuned for more information.

Posted in Uncategorized | Leave a comment

We’ve been warning you about it. And now ReadWriteWeb wrote about it.

Posted on August 16, 2012 by Barry Shurtz

In a post entitled, “Automated Emails: Are You Launching a Denial of Service Attack on Your Own Company,” tech reporter Brian Proffitt addresses the issue organizations are beginning to encounter as they attempt to migrate email to the cloud without considering the hundreds, if not thousands, of undetected systems and apps that pass automated emails back and forth within and beyond corporate walls.

Quoting Sendmail’s very own CEO Glen Vondrick, the post acknowledges that “applications can generate hundreds of messages per second,” and “if something goes wrong, a mail storm can create a denial-of-service-like attack on the company’s own servers.”

Talk about bringing down the business from the inside.

The post goes on to say that properly managing traffic on corporate networks can ultimately save big organizations from big headaches, but that you “have to know where to look.”

One large financial institution recently discovered through Sendmail that they had as many as 10,000 of these email-generating apps and systems. If they had tried moving email to the cloud without addressing their systems dependence on email, many aspects of their business would’ve come to a halt. Other organizations haven’t been so lucky.

But, Proffitt agrees that “out-of-sync timestamps and simple network topology changes can also throw off these apps’ messages,” meaning chaos may not just be a matter of cloud migration.

For you and your organization, it may just be a matter of time.

Posted in Barry Shurtz, Cloud | Leave a comment

Sentrion 4.3.0

Posted on July 30, 2012 by stevem

Hello Sendmail customers-my name is Steve Martensen and I am in Product Management at Sendmail. I’m relatively new to Sendmail, but I’ve been in the email industry for decades and am thrilled to be working at a company with the history and successes that Sendmail has experienced. The most recent contribution to that being the release of Sentrion 4.3.0. This release includes but is not limited to:

• Upgrade of Sendmail Messaging Directory: Utilizes version 2.4.31 of OpenLDAP and its associated improvements; allows for full as well as incremental replication

• Policy Engine (Mailstream Manager) Updates: Increased performance; updated default attachment scanning settings for today’s increased file sizes; support for additional file types and handling of ‘unscannable’ files; AS/AV updates

• Improvements for Administrative Tasks: Broader field validation; improved installation and upgrade experience; access to more files for “expert” administrators

• Support for VMware VSphere / ESXi 5: The latest from VMware and all the benefits that entails for your infrastructure

• Updates to a number of third-party components and various security, performance, and stability-related improvements

Access to this release as well as installation instructions, for existing customers, may be found on your support page. If you are not currently a Sendmail Sentrion customer, please don’t hesitate to visit our website for more information regarding our platform and sales contact. Additional information regarding the impact of this release on the End of Life/End of Support status on prior releases is available on your support page as well.

From the “Murphy strikes again” front, we were notified of a security issue with embedded software shortly after Release to Manufacturing so be sure to check out the Hotfix information as well.

I look forward to keeping you all informed of product enhancements and releases in the coming months.

Posted in Steve Martensen | Leave a comment

Did you catch it?

Posted on June 21, 2012 by Barry Shurtz

This week we announced 300% sales growth over the past three years in Japan, where smartphones surpassed feature phones as the most acquired device last February.

But we can’t give all the credit to Japan. Our Country Manager Nobuhiro Suemasa has been meeting every opportunity to provide enterprises and ISPs with the capabilities and support they need to feed user demand for critical smartphone messaging features. Thanks to Nobuhiro Suemasa’s tireless leadership and the hard work put in by his team, Sendmail is now used by more than 600 Japanese organizations, including 9 of the country’s largest email service providers and mobile operators.

That translates into roughly 50 million mailboxes for Sendmail, and a well-deserved VP promotion for Nobuhiro Suemasa.

We’ve come a long way. But with smart phone usage and machine-based email for core business operations continuing to grow rapidly in Japan and all over the world,  I’d say we’re still just getting started.

Posted in Barry Shurtz | Leave a comment

Easy use of Sendmail Premium Reporting

Posted on May 31, 2012 by Christophe Wolfhugel

The other day I needed to get some statistics while visiting a customer about how many accounts could eventually have compromised passwords. The first thing I needed to consider is how to determine if an account has been compromised. Our best practice is to consider that one which is being used from many different IP addresses for authenticated SMTP connections is likely compromised and used by spamming bots, so the exercise is simple: count how many different IP addresses are being used by all the customers.

Surprisingly getting this is also very simple. Thanks to the Sendmail Premium Reporting application powered by Splunk, what I thought would be a 20 lines Perl script needing to parse historical log files ended up being a simple one liner (split on the blog onto 3 lines for ease of reading):

# splunk search 'AUTH=server earliest=-2d |
    stats distinct_count(relay) as relays by authid |
    sort 3 relays desc'

authid                     relays
-------------------------- ------
user1@domain.nothere       20
user4@an.other.domain      17
user8@i.was.here           15

This request will extract all “AUTH=server” lines logged by the MTA (i.e. each time an incoming SMTP connection is authenticated we have this line) and simply display a table showing the authenticated user name (“authid”) and the number of different IP addresses (“relays”) being used.

Another funny and again very simple statistic I decided to determine using similar rules: I wanted to get an idea  how long it took to deliver messages to the local mail store for about the last 7 days.  As you can see this is another very simple search:

splunk search 'relay="store.my.domain. *" dsn=2.0.0
    earliest=-7d | top 20 delay' 

 delay   count   percent
-------- ------ ---------
00:00:01 140318 63.515300
00:00:02  30515 13.812692
00:00:00  22909 10.369817
00:00:03   7359  3.331070
00:00:04   3519  1.592884
00:00:05   2148  0.972298
00:00:06   1808  0.818396
00:00:07   1162  0.525982
00:00:08    780  0.353069
00:00:11    698  0.315951
00:00:09    684  0.309614
00:00:10    564  0.255296
00:00:12    500  0.226326
00:00:13    395  0.178798
00:00:14    355  0.160692
00:00:15    338  0.152997
00:00:17    303  0.137154
00:00:18    266  0.120406
00:00:23    259  0.117237
00:00:22    247  0.111805

Now it’s up to you to share your simple tricks with Sendmail Premium Reporting!

Posted in Christophe Wolfhugel | Leave a comment

Improving STARTTLS authentication in the Sendmail MTA

Posted on May 24, 2012 by Christophe Wolfhugel

After having worked on what I think is the right way to setup X.509 certificates for use in SMTP STARTTLS transactions (see my previous blog entry here), I am continuing my work on how we can improve the way the Sendmail MTA handles STARTTLS authentication. This article explains how the Sendmail MTA handles this and what the limitations are. We will  finally make some suggestions on how we could improve our implementation, and of course your comments to this article are not only welcome, but they will be particularly useful.

Opportunistic TLS or mandatory TLS?

In most cases, mail platforms use opportunistic TLS, sometimes even without the mail administrator knowing this. For example a default setup of the Sendmail Opensource MTA is likely to use opportunistic TLS as a client (when sending mail), and you don’t need to do anything for this. Opportunistic TLS brings encryption of your communication up to the next hop. It does not provide any form of authentication: you may still be sending your mail to the wrong server, just that the communication will be encrypted!

On the other hand, mandatory TLS is when you need to ensure you’re speaking to the right server, and this works both ways: inbound and outbound. Policy configuration will ensure that you speak to the right server, i.e. when the MTA has decided to send a message to, say, the host relay.wolfhugel.eu, you want to make sure that this host shows a X.509 certificate which is adequate and which you trust.

Mandatory TLS makes sense from the moment you need to be sure who you’re talking to, or who is connecting to your mail server. This policy enforcement can be partial: most real life situations use standard Internet mail routing (MX records), eventually opportunistic TLS, and mandatory TLS to/from just a few remote sites.

Current implementation in the Sendmail MTA

Thanks to the use of rulesets to handle TLS enforcement, site administrators have a vast choice of what they can do with respect to validating a TLS connection. The only limitations are:

  • The information coming from the certificate and provided by the MTA to the ruleset engine
  • The ability of the rulesets to do things (and this is quite a large set of things).

Most users will even not use these rules and prefer the existing methods which are part of the MTA package, mostly by ways of using entries in the “access_db” file.

The TLS_Srv and TLS_Clt tags are used respectivement when the Sendmail MTA sends (TLS_Srv) or receives (TLS_Clt) mail and it allows defining one or several actions. These filters apply when selecting the actual name of the server we’re talking to (or the domain of it), this means whatever appears in the MX. For fining control based on the recipient’s address there is a TLS_Rcpt keyword which is applied per recipient, regardless of the server we’re talking to. There is no such rule, sender address based, for incoming mail.

A few examples:

TLS_Srv:wolfhugel.eu      VERIFY:128+CN
TLS_Rcpt:wolfhugel.eu     VERIFY:128+CN++CI:/C=GB/.../O=MyCA

The first line means that when talking to any server called “wolfhugel.eu” or within this domain (mail.wolfhugel.eu, relay.wolfhugel.eu, …), we want the TLS connection to be shown with a certificate whose Certification Authority is trusted by our system, with at least a 128 bit encryption algorithm and in addition we will check the CN of the presented certificate to ensure it corresponds to the one we’re actually talking to. So if our MX record is “relay.wolfhugel.eu” and we send a mail to this server, we want the certificate to be trusted and to have “relay.wolfhugel.eu” in its CN field.

The second line applies to any mail going to someone within the wolfhugel.eu domain, regardless of the mail server we’re actually sending the mail to. We do all verifications described above and in addition we want that the Certificate Issuer (this can be an intermediate certification authority) has a Subject line of “/C=GB/…/O=MyCA”, i.e. we indicate clearly which CA we trust for this domain.

Full documentation is provided in the Opensource Sendmail MTA package in the cf/README file.

Another use of TLS authentication is to permit, or not, relaying, i.e. the goal is to say that if you show a given certificate you may use this SMTP server to send mail anywhere (typically you would use the MSA submission port, 587/tcp). I do use this when I’m roaming: regardless of the IP address I show, my home MTA with allow me to send messages to anyone if I can prove, by ways of the adequate certificate, it’s me.

The verification is again done in two steps by using the “access_db” map: first we check if the certificate issuer is authorized, and then eventually we check the certificate itself, like in following example:

CertIssuer:/C=GB/.../O=MyCA        RELAY
CertIssuer:/C=GB/.../O=AnotherCA   SUBJECT
CertSubject:/C=GB/.../CN=CWOLF     RELAY

The first line means that we will trust anyone showing a certificate issued by the certification authority “/C=GB/…/O=MyCA” (which again can be an intermediate authority). The second line says that if a certificate is presented signed by “/C=GB/…/O=AnotherCA” then we’ll check the Subject of the certificate itself, and we will authorize any listed entry with the adequate “CertSubject” entry.

Anything else? Just write your own rules, and this article won’t go into this. You can write any rules using the “sendmail.cf” language and the values provided for certificates. Following macros are available (taken from the documentation):

  • ${cert_issuer} holds the DN of the CA (the cert issuer).
  • ${cert_subject} holds the DN of the cert (called the cert subject).
  • ${cn_issuer} holds the CN of the CA (the cert issuer).
  • ${cn_subject} holds the CN of the cert (called the cert subject).
  • ${tls_version} the TLS/SSL version used for the connection, e.g., TLSv1, TLSv1/SSLv3, SSLv3, SSLv2.
  • ${cipher} the cipher used for the connection, e.g., EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC-SHA, DES-CBC-MD5, DES-CBC3-SHA.
  • ${cipher_bits} the keylength (in bits) of the symmetric encryption algorithm used for the connection.
  • ${verify} holds the result of the verification of the presented cert.
    Possible values are:

    OK verification succeeded.
    NO no cert presented.
    NOT no cert requested.
    FAIL cert presented but could not be verified,
    e.g., the cert of the signing CA is missing.
    NONE STARTTLS has not been performed.
    TEMP temporary error occurred.
    PROTOCOL protocol error occurred (SMTP level).
    SOFTWARE STARTTLS handshake failed.
  • ${server_name} the name of the server of the current outgoing SMTP connection.
  • ${server_addr} the address of the server of the current outgoing SMTP connection.

Limitations in the current implementation

The provided primitives already allow a lot of flexibility, but I feel there are a few limitations which are worth being discussed and which could lead to improvements.

An important limitation I came across when setting up TLS recently is that the Sendmail MTA does not handle the X509v3 “Subject Alternative Name” extension which allows specifying more than one host name in a certificate: my certificate could have a CN=tea.wolfhugel.eu and the extension would list this and all other names I do use the certificate for (“DNS:mail.wolfhugel.eu”, “DNS:relay.wolfhugel.eu”, …). Also one could argue that when doing name matching in certificate validation the current rules do not support the use of wildcard certificates (i.e. “CN=*.wolfhugel.eu”, “DNS:*.wolfhugel.eu”).

It seems like the Sendmail MTA it is somewhat difficult to define rules with intermediary certification authorities when trusting or accepting certificates.

Some proposals to improve the current handling in Sendmail MTA

Here are a few proposals to hopefully improve the way the Sendmail MTA uses certificates in STARTTLS connections and how to decide about giving, or not, authorization to connect or to relay. Comments on this are more than welcome, as users’ feedback is essential for improving the product!

Implement X509v3 Subject Alternative Names

This is a significant change and it requires source code changes in the MTA, but I feel it is probably the most needed extension: the Sendmail MTA would extract the DNS Subject Alternative Names from the presented certificates and expose them to the configuration file in macros $&{altname_subject} and $&{altname_issuer}. These macros can later be used in any rule where they are available for deciding to give, or not, access to the SMTP service.

Create new rules to use the Subject Alternative Names

The two new macros defined with the new names extracted from the certificates can be used to extend the current way the MTA gives authorization. Here is a proposal to extend the current rules.

For the TLS_Srv/TLS_Rcpt entries in the access DB we would add a new attribute called “CA” (as Cert Altnames) who behaves identically to the “CN” attribute but would mean match the CN or any alternative name, and the example given in the beginning of this article would become:

TLS_Srv:wolfhugel.eu      VERIFY:128+CA
TLS_Rcpt:wolfhugel.eu     VERIFY:128+CA++CI:/C=GB/.../O=MyCA

This would mean the the host we’re connecting to must be found either in the CN of the certificate or in any DNS value of the alternative names for the verification to be successful.

Similarly when authorizing a remote party to relay, with the CertIssuer/CertSubject tags, we would add a new value to the access database: “ALTNAMES:xxx” would create an indirection telling to search for a key called “SubjAltName:xxx:value” in the access map which in turn would authorize or prevent access as shown in this example:

CertIssuer:/C=GB/.../O=MyCA         ALTNAMES:SMI
SubjAltName:SMI:cwolf@sendmail.com  RELAY

The meaning of the above would be that whenever a connection is made with a certificate issues by “/C=GB/…/O=MyCA” we will be checking the alternative names and our key for the lookup is “SMI”. If any of the alternative names is “cwolf@sendmail.com” relaying will be authorized, and yes here we do allow Email addresses as alternative names.

Implement the wildcard certificates

Another point which has not been implemented in supporting wildcard certificates, i.e. a certificate whose CN or alternative name contains a star, like “*.wolfhugel.eu” meaning this certificate covers any host within the “wolfhugel.eu” domain name. This implementation would be transparent, i.e. no changes in the access map would be required.

Conclusion & next steps

As you can see there is some room for a few improvements. While some of these changes already exist in a development lab environment, they have not been finalized.

Your input on this is valuable, please don’t hesitate to comment with your thoughts and suggestions on this topic. How would you like the Sendmail MTA to handle STARTTLS enforcement?

Posted in Christophe Wolfhugel, Email Security, Open source | Tagged , , | 2 Comments