Disabling TLS sending for certain domains
Newer versions of NetManager will try to send all mail over secure channels using TLS if the receiving server supports it. However, it is not uncommon for the receiver to have a broken TLS implementation, which can cause delivery problems because sendmail on NetManager will not try sending insecurely if the remote end advertises that it supports secure transport.
It is possible to specify a list of mail servers that NetManager should not try to use TLS with. Mail to the servers on this list is sent without encryption. Currently there is no webadmin GUI for this, so this page documents the manual procedure for editing the list.
Step 1: determine the mail servers for the domain
Use the host command to look up the mail servers (N.B. Precedence doesn't have broken mail servers, I'm just using our domain as an example!):
netmanager 1# host -t MX precedence.co.uk
precedence.co.uk mail is handled by 10 mail.ptlnet.com.
precedence.co.uk mail is handled by 20 mx1.ptlnet.com.
Here we see that there are 2 mail servers.
Step 2: edit the access file to mark those servers as broken
Run joe /etc/mail/access to edit the configuration file. For each mail server add a line in the following format:
Try_TLS and NO are case-sensitive. You can use spaces or tabs to separate out the two columns; using tabs will make it a little easier to read as the two columns will then be aligned.
So in our example, this would be:
Try_TLS:mail.ptlnet.com	NO
Try_TLS:mx1.ptlnet.com	NO
Once you have finished, save the file with Ctrl-K followed by X. Further information on using the joe editor can be found here.
Step 3: rebuild the access database
Run the following command:
makemap hash /etc/mail/access < /etc/mail/access
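The three steps above can be scripted so that host names are not retyped by hand. The following is an added example, not part of NetManager or of the original page; the function names mx_hosts and add_no_tls are hypothetical, and it assumes awk and mktemp are available. It parses the Step 1 output, writes the Step 2 entries without creating duplicates, and leaves the Step 3 rebuild to the command shown above.

```shell
#!/bin/sh
# Added example (not NetManager's own tooling): build Try_TLS entries from
# `host -t MX` output. Function names are hypothetical.

# Print one MX host per line from `host -t MX` output on stdin,
# dropping the trailing dot of the fully qualified name.
# Lines such as "has no MX record" are ignored.
mx_hosts() {
    awk '/ mail is handled by / { h = $NF; sub(/\.$/, "", h); print h }'
}

# Append "Try_TLS:<host><TAB>NO" to access file $1 for each host on stdin,
# skipping hosts whose Try_TLS key is already present (exact, case-sensitive
# match on the first column, so a re-run does not duplicate entries).
add_no_tls() {
    access_file=$1
    while read -r mx; do
        [ -n "$mx" ] || continue
        if [ -f "$access_file" ] &&
           awk -v k="Try_TLS:$mx" '$1 == k { f = 1 } END { exit !f }' "$access_file"
        then
            continue
        fi
        printf 'Try_TLS:%s\tNO\n' "$mx" >> "$access_file"
    done
}

# Demo on a scratch file, using the Step 1 output from this page as input.
sample='precedence.co.uk mail is handled by 10 mail.ptlnet.com.
precedence.co.uk mail is handled by 20 mx1.ptlnet.com.'
scratch=$(mktemp)
printf '%s\n' "$sample" | mx_hosts | add_no_tls "$scratch"
printf '%s\n' "$sample" | mx_hosts | add_no_tls "$scratch"   # second run adds nothing
cat "$scratch"
rm -f "$scratch"

# On the real system the same pipeline would be:
#   host -t MX precedence.co.uk | mx_hosts | add_no_tls /etc/mail/access
# followed by the Step 3 makemap command to rebuild the database.
```

Review the resulting lines in /etc/mail/access before rebuilding, since every host listed there will receive mail without TLS.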