IBM Support

IBM AIX: How to check if STARTTLS is enabled for sendmail in AIX 7.2 TL 4 and higher.

How To


Summary

This technote describes how to determine if STARTTLS is enabled on the AIX mail server.

Objective

Beginning with AIX 7200-04, sendmail is preconfigured with TLS support. When sending an email from AIX to your relay server, if the relay server also supports TLS, it will respond with the message:
250-STARTTLS
This response confirms that the mail server is capable of TLS encryption. In response, the AIX sender will also confirm its support for TLS by issuing the command:
>>> STARTTLS
Once this point is reached, the email transmission should proceed in TLS mode.
Below are the steps on how to determine if STARTTLS is enabled on the mailserver.

Environment

AIX 7.2 TL 4 and higher.

Steps

1) Open a terminal and execute the following command:
nslookup

This will redirect you to a prompt that begins with:

>
2) Enter the following command at the prompt:
> set type=mx
Assuming you want to send an email to "us.ibm.com," we need to check its mail servers before proceeding with the test.
3) Still at the prompt, run the following command:
> us.ibm.com

You should receive a response similar to this:

> us.ibm.com
Server:         9.3.4.200
Address:        9.3.4.200#53
Non-authoritative answer:
us.ibm.com      mail exchanger = 10 smtpav06.wdc07v.mail.ibm.com.
us.ibm.com      mail exchanger = 10 smtpav04.dal12v.mail.ibm.com.
us.ibm.com      mail exchanger = 10 smtpav06.dal12v.mail.ibm.com.
us.ibm.com      mail exchanger = 10 smtpav05.dal12v.mail.ibm.com.
us.ibm.com      mail exchanger = 10 smtpav01.wdc07v.mail.ibm.com.
us.ibm.com      mail exchanger = 10 smtpav03.dal12v.mail.ibm.com.
us.ibm.com      mail exchanger = 10 smtpav04.wdc07v.mail.ibm.com.
us.ibm.com      mail exchanger = 10 smtpav03.wdc07v.mail.ibm.com.
us.ibm.com      mail exchanger = 10 smtpav02.wdc07v.mail.ibm.com.
us.ibm.com      mail exchanger = 10 smtpav01.dal12v.mail.ibm.com.
us.ibm.com      mail exchanger = 10 smtpav02.dal12v.mail.ibm.com.
us.ibm.com      mail exchanger = 10 smtpav05.wdc07v.mail.ibm.com.
Authoritative answers can be found from:
smtpav06.dal12v.mail.ibm.com    internet address = 9.208.128.130
smtpav03.dal12v.mail.ibm.com    internet address = 9.208.128.129
smtpav06.wdc07v.mail.ibm.com    internet address = 9.208.128.115
smtpav02.wdc07v.mail.ibm.com    internet address = 9.208.128.114
4) Exit the prompt by running this:
> exit
In the output from step 3, the number after "mail exchanger =" is the priority of each server, indicating which server will be used first. Here, all the servers have equal priority.
5) To establish a connection, use the following command to telnet to the chosen mail server:
# tn smtpav02.dal12v.mail.ibm.com 25
Trying...
Connected to smtpav02.dal12v.mail.ibm.com.
Escape character is '^T'.
220 ESMTP IMSVA
6) Run the following command: 
ehlo truth
You will then see something like this:
 
250-smtpav02.dal12v.mail.ibm.com
250-PIPELINING
250-SIZE 105906176
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Notice the 250-STARTTLS line in the output. It confirms that the connected mail server supports STARTTLS. If the mail server does not respond with STARTTLS, the client will not attempt to establish a TLS connection.
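The same checks can be run over saved output instead of being read by eye. The script below is an added example, not part of the IBM technote: it lists the MX hosts from saved nslookup output in priority order and tests whether a saved EHLO reply advertises STARTTLS. The function names and the example.test sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code). Function names and sample data are constructed.

# mx_hosts: read nslookup "set type=mx" output on stdin and print
# "<priority> <host>" lines, sorted numerically by priority.
mx_hosts() {
    awk '/mail exchanger =/ {
        host = $NF
        sub(/\.$/, "", host)          # drop the trailing root dot
        print $(NF - 1), host
    }' | sort -n
}

# starttls_offered: read a captured SMTP session on stdin; return 0 only if
# the EHLO reply lists STARTTLS as an extension keyword.
starttls_offered() {
    tr -d '\r' | awk '
        /^250[- ]/ {
            if (seen++ == 0) next     # first 250 line is the greeting, not an extension
            kw = toupper(substr($0, 5))
            sub(/[ \t].*$/, "", kw)   # keep the keyword, drop any parameters
            if (kw == "STARTTLS") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed samples in the same layout as the output shown in the steps.
SAMPLE_MX='example.test      mail exchanger = 20 mx-b.example.test.
example.test      mail exchanger = 10 mx-a.example.test.'

SAMPLE_EHLO='220 ESMTP ready
250-mx-a.example.test
250-PIPELINING
250-SIZE 105906176
250-STARTTLS
250 DSN'

printf '%s\n' "$SAMPLE_MX" | mx_hosts
if printf '%s\n' "$SAMPLE_EHLO" | starttls_offered; then
    echo "STARTTLS advertised"
else
    echo "STARTTLS not advertised"
fi
```

To use it on real data, save the nslookup output and the telnet session to files and redirect each file into the matching function.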
Another way to check is the following:

To start, please run the following command:
# ls -l /usr/sbin/sendmail*
You should get this output:
-r-xr-s--x    3 root     smmsp       1683083 Aug 03 2023  /usr/sbin/sendmail
-r--r--r--    1 root     bin             725 Mar 02 2023  /usr/sbin/sendmail_load
-r-xr-s--x    1 root     smmsp       1583729 Aug 03 2023  /usr/sbin/sendmail_nonssl
lrwxrwxrwx    1 root     system           18 Jan 10 12:59 /usr/sbin/sendmail_ssl -> /usr/sbin/sendmail
Notice this line:
lrwxrwxrwx    1 root     system           18 Jan 10 12:59 /usr/sbin/sendmail_ssl -> /usr/sbin/sendmail
This means that the current sendmail version on the server supports SSL, which indicates that STARTTLS should be enabled by default.

Additional Information

SUPPORT:

If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a case for software under warranty or with an active and valid support contract.  The technical support specialist assigned to your case will confirm that you have completed these steps.

a.  Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred

b.  Capture any logs or data relevant to the situation.

c.  Contact IBM to open a case:

   -For electronic support, please visit the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, please visit the web page:
      https://www.ibm.com/planetwide/

d.  Provide a good description of your issue and reference this technote

e.  Upload all of the details and data to your case

   -You can attach files to your case in the IBM Support Community
   -Or Upload data to IBM testcase server analysis:

    http://www.ibm.com/support/docview.wss?uid=ibm10733581


Document Location

Worldwide


Document Information

Modified date:
15 July 2024

UID

ibm17150723