IBM Support

Configuring SSL Between IBM i and Remote Mail Router WITHOUT Authentication

Question & Answer


Question

How can I configure SMTP on the IBM i to connect to a mail router using SSL without requiring authentication?

Answer

Pre-requisite:
The following PTF must be applied to allow the STARTTLS command to be executed when the Forwarding Mailhub Server SMTP Attribute is resolved via a DNS MX record.

IBM i 7.3: 5770TC1 - SI69785
IBM i 7.2: 5770TC1 - SI69942

If this PTF is not applied, then you will need to set the 'Forwarding Mailhub Server' to either the direct IP address of the mail router, or an alias that is resolved in CFGTCP opt. 10 (for example SMTPRELAY) and you will need to use the QIBM_SMTP_RLY_TLS_FIRST=YES environment variable value.

To get the IBM i SMTP client to negotiate an SSL connection to the remote mail router without needing to provide authentication credentials, you will need to do the following:

1) Verify your IBM i SMTP Email Directory Type is *SMTP.

Check your current Email Directory Type by prompting the CHGSMTPA command with F4.  If your current email directory type value is *SDD, please refer to the IBM Technical Document, How To Migrate SMTP on IBM i from *SDD to *SMTP/*SMTPMSF, for detailed information on how to migrate to the *SMTP email directory type.  You MUST be using the *SMTP email directory type in order to configure SSL/TLS with SMTP without credential authentication.

2) Add the QIBM_SMTP_RLY_TLS_FIRST environment variable at the *SYS level with the appropriate value.

If the pre-requisite PTF is applied:
ADDENVVAR ENVVAR(QIBM_SMTP_RLY_TLS_FIRST) VALUE(YES_STARTTLS) LEVEL(*SYS)

If the pre-requisite PTF is NOT applied:
ADDENVVAR ENVVAR(QIBM_SMTP_RLY_TLS_FIRST) VALUE(YES) LEVEL(*SYS)

NOTE:
If the pre-requisite PTF is not applied, the 'Forwarding Mailhub Server' must be set to either the direct IP address of the mail router or an alias that is resolved in CFGTCP opt. 10 (for example SMTPRELAY), and the QIBM_SMTP_RLY_TLS_FIRST=YES value must be used, as described in the pre-requisite above.

3) Obtain the Certificate Authority (CA) certificates used by the SMTP Relay server you are connecting to.

Because the SSL/TLS handshake with the SMTP Relay Server succeeds only if the IBM i trusts the certificate chain the relay presents, you will need to obtain the Certificate Authority (CA) certificates used by your SMTP Relay Server for SSL/TLS connections. You can either obtain these manually from your SMTP Relay Server administrator or use the QMGTOOLS GETSSL utility if you know the TCP/IP Host Name or IP address of the SMTP Relay Server and the SSL/TLS port it listens on. For instructions on how to use the QMGTOOLS GETSSL utility, please refer to the following document.

QMGTOOLS GETSSL Utility

Example:

QMGTOOLS/GETSSL IP(MYDOMAIN.OUTLOOK.COM) PORT(587) STRTLS(Y)

The SSL/TLS certificates will be placed in the /tmp directory with the nomenclature, <user>_sslchainXX.cer, where XX is the order number of the certificate. This is important since it helps you identify which CA certificate should be imported first, second, etc. into DCM.

For example: /tmp/QSECOFR-sslchain01.cer

4)  Import your SMTP Relay CA certificates into DCM.

A) In a web browser, execute the following URL to access the Digital Certificate Manager (DCM) application:

http://systemname:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

(Replace systemname with the TCP/IP Host Name or IP address of your IBM i server)

B) Click on the "Select a Certificate Store" button.

C) Select the radio button next to the *SYSTEM certificate store and click the Continue button.

If you don't see the *SYSTEM certificate store, then you will need to refer to the document, How to Create the *SYSTEM Store in DCM, to create the *SYSTEM certificate store first.

D) Enter the *SYSTEM certificate store password and click the Continue button.

If you cannot remember the password to the *SYSTEM certificate store, you can click on the Reset Password button to change the password. After changing the password, enter the new password and click the Continue button to sign into the *SYSTEM certificate store. If you cannot successfully reset the password, please open a Service Request (PMR) with IBM or call 1-800-IBM-SERV.

E) After authenticating to the *SYSTEM certificate store successfully, the page should refresh and display the Current Certificate Store information as shown below.

F) On the left-hand, vertical menu, click on Fast Path and then click on Work with CA Certificates.

G) Scroll to the bottom of the Work with CA Certificates page and click the Import button.

H) Input the IFS path to the CA certificate you would like to import in the Import file field and press the Continue button.

I) Specify a certificate label name to uniquely identify the certificate in the *SYSTEM certificate store.

The certificate label name must be unique and cannot already be used by another certificate in the certificate store. IBM recommends the certificate label be set to the Common Name of the certificate.

J) If the CA certificate imports successfully, the screen will be refreshed with a message highlighted in green stating, "The certificate has been imported", as seen below.

K) Repeat steps 4F - 4J for any additional CA certificates in the SSL/TLS certificate chain.

5) End and Restart SMTP:

ENDTCPSVR SERVER(*SMTP)

STRTCPSVR SERVER(*SMTP)

After performing the steps listed above, you should now be able to connect from the IBM i to your remote mail router via SSL.
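The CL program below gathers steps 2, 3 and 5 of this procedure into one compiled object; it is an added example, not IBM's own code. The relay host name, the 'Y'/'N' PTF flag, the 30-second delay before restarting SMTP and the use of REPLACE(*YES) on ADDENVVAR are assumptions, and the DCM import in step 4 remains a manual step.

```cl
/* SMTPTLS - added example, not IBM-supplied code.                     */
/* Performs steps 2, 3 and 5 of the procedure above. Step 4 (importing */
/* the chain into the *SYSTEM store in DCM) is still done by hand.     */
/* Parameters (assumed): &RELAY  = relay host name or IP address       */
/*                       &PTFAPPL = 'Y' if SI69785/SI69942 is applied  */
PGM        PARM(&RELAY &PTFAPPL)
DCL        VAR(&RELAY)   TYPE(*CHAR) LEN(255)
DCL        VAR(&PTFAPPL) TYPE(*CHAR) LEN(1)
DCL        VAR(&TLSVAL)  TYPE(*CHAR) LEN(12)

/* Step 2: choose the environment variable value from the PTF status. */
/* YES_STARTTLS allows STARTTLS when the mailhub is resolved via MX;   */
/* YES is the value required when the PTF is not applied.             */
IF         COND(&PTFAPPL *EQ 'Y') +
             THEN(CHGVAR VAR(&TLSVAL) VALUE('YES_STARTTLS'))
ELSE       CMD(CHGVAR VAR(&TLSVAL) VALUE('YES'))

/* REPLACE(*YES) overwrites a value left by an earlier attempt instead */
/* of failing because the variable already exists at the *SYS level.  */
ADDENVVAR  ENVVAR(QIBM_SMTP_RLY_TLS_FIRST) VALUE(&TLSVAL) +
             LEVEL(*SYS) REPLACE(*YES)

/* Step 3: capture the relay's certificate chain into /tmp so the      */
/* <user>_sslchainXX.cer files can be imported into DCM (step 4).      */
/* Port 587 with STRTLS(Y) matches the page's GETSSL example.          */
QMGTOOLS/GETSSL IP(&RELAY) PORT(587) STRTLS(Y)
MONMSG     MSGID(CPF0000) EXEC(DO)
  SNDPGMMSG MSG('GETSSL failed; obtain the CA certificates from the +
                 relay administrator before restarting SMTP')
  RETURN
ENDDO

/* Step 5: end and restart SMTP so the client reads the new variable.  */
ENDTCPSVR  SERVER(*SMTP)
MONMSG     MSGID(CPF0000 TCP0000)  /* server may already be ended */
DLYJOB     DLY(30)                 /* assumed: let server jobs end */
STRTCPSVR  SERVER(*SMTP)
ENDPGM
```

Compile with CRTCLPGM and call it as CALL SMTPTLS PARM('relay.example.com' 'Y'), where the host name is a placeholder for your own mail router.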


Document Information

Modified date:
18 December 2019

UID

nas8N1020864