
Last updated: 2026-05-15

Sendmail TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for Sendmail to encrypt SMTP connections using STARTTLS. Encrypting mail traffic protects message content and authentication credentials in transit.

Prerequisites

  • Sendmail 8.15 or later (compiled with STARTTLS support)
  • OpenSSL 1.1.1 or later
  • SSL certificates (server certificate, private key, and CA certificate)

Verify that your Sendmail binary was compiled with STARTTLS support:

sendmail -d0.1 -bv root 2>&1 | grep STARTTLS

The output should include STARTTLS.

Certificate Setup

Place your certificates in a dedicated directory:

mkdir -p /etc/mail/ssl
chmod 750 /etc/mail/ssl

cp server.crt /etc/mail/ssl/server-cert.pem
cp server.key /etc/mail/ssl/server-key.pem
cp ca.crt /etc/mail/ssl/ca.pem

chown root:root /etc/mail/ssl /etc/mail/ssl/*.pem
chmod 644 /etc/mail/ssl/server-cert.pem /etc/mail/ssl/ca.pem
chmod 600 /etc/mail/ssl/server-key.pem
openssl rehash /etc/mail/ssl

The private key must be readable only by the user the daemon runs as (root, by default). Sendmail checks the key file's permissions at startup and, if the key is group- or world-readable, logs a message such as "STARTTLS=server: file /etc/mail/ssl/server-key.pem unsafe: Group readable file" and runs without STARTTLS rather than start insecurely, unless DontBlameSendmail includes GroupReadableKeyFile. The certificates are public and can stay 644. The openssl rehash step creates the hash-named symlinks that confCACERT_PATH needs in order to find CA certificates when verifying a peer; without them VERIFY requirements in the access map fail even though the CA file is present.

RHEL/CentOS: The default certificate paths are /etc/pki/tls/certs/ and /etc/pki/tls/private/.
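The installation steps above, as an added example that is not part of the original guide: a POSIX shell script that copies the three PEM files into place with the permissions Sendmail accepts, hashes the directory for confCACERT_PATH, and refuses to install a key that does not belong to the certificate. It assumes the OpenSSL command line (1.1.0 or later, for openssl rehash) is present and that the daemon runs as root; the demo_install function generates a throwaway self-signed certificate so the script can be exercised without real certificates.

```shell
#!/bin/sh
# Added example, not part of the guide: install a server certificate, key and
# CA bundle into the directory the guide uses, with the permissions Sendmail
# accepts, hash the directory for confCACERT_PATH, and confirm the key really
# belongs to the certificate before it goes live.
# Assumptions: the OpenSSL CLI (1.1.0+ for "openssl rehash") is installed and
# the daemon runs as root, so the key ends up root:root mode 0600. Sendmail
# refuses a group- or world-readable key unless
# DontBlameSendmail=GroupReadableKeyFile is set, and disables STARTTLS instead.
set -eu

# cert_matches_key CERT KEY -> 0 if the public key in CERT equals the public
# key derived from KEY (catches a renewed cert paired with the old key).
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# install_mail_tls CERT KEY CA DESTDIR
install_mail_tls() {
    cert=$1; key=$2; ca=$3; dest=$4
    cert_matches_key "$cert" "$key" || { echo "$key does not match $cert" >&2; return 1; }
    mkdir -p "$dest"
    cp "$cert" "$dest/server-cert.pem"
    cp "$ca"   "$dest/ca.pem"
    # Copy the key under a restrictive umask so it is never briefly world-readable.
    ( umask 077; cp "$key" "$dest/server-key.pem" )
    chmod 750 "$dest"
    chmod 644 "$dest/server-cert.pem" "$dest/ca.pem"
    chmod 600 "$dest/server-key.pem"
    # chown needs root; the daemon runs as root, so root:root is the target.
    [ "$(id -u)" -ne 0 ] || chown root:root "$dest" "$dest"/*.pem
    # confCACERT_PATH lookups need <subject-hash>.N symlinks. rehash warns about
    # the key file (not a certificate) and skips it, so verify the links exist.
    openssl rehash "$dest" 2>/dev/null || true
    ls "$dest" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$' \
        || { echo "no CA hash links created in $dest" >&2; return 1; }
}

# mode FILE -> symbolic permission string, e.g. -rw-------
mode() { ls -ld "$1" | cut -c1-10; }

# demo_install WORKDIR -> generates a throwaway self-signed certificate (standing
# in for server.crt, server.key and ca.crt) and installs it under WORKDIR/ssl.
# The certificate is constructed here purely to exercise the functions above.
demo_install() {
    work=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=mx.example.test \
        -keyout "$work/server.key" -out "$work/server.crt" 2>/dev/null
    install_mail_tls "$work/server.crt" "$work/server.key" "$work/server.crt" "$work/ssl"
}
```

For a real deployment call install_mail_tls with the files from your CA and /etc/mail/ssl as the destination; the key/certificate match check is the step most worth keeping, since a mismatched pair is only discovered when the daemon logs an error at the next restart.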

Server Configuration

Sendmail is configured through m4 macros in the .mc file, which is compiled into sendmail.cf. Add TLS settings to your .mc file (typically /etc/mail/sendmail.mc).

Certificate Files

define(`confCACERT_PATH', `/etc/mail/ssl')dnl
define(`confCACERT', `/etc/mail/ssl/ca.pem')dnl
define(`confSERVER_CERT', `/etc/mail/ssl/server-cert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/ssl/server-key.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/ssl/server-cert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/ssl/server-key.pem')dnl

Protocol Versions

Restrict connections to TLS 1.2 and later, and to AEAD cipher suites with forward-secret (ECDHE) key exchange:

LOCAL_CONFIG
O CipherList=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1

CipherList only governs TLS 1.2 and earlier. TLS 1.3 suites (TLS_AES_256_GCM_SHA384 and the other TLS_* names) come from a separate OpenSSL list, which Sendmail 8.16 and later expose as the CipherSuites option (confCIPHER_SUITES); on 8.15 the OpenSSL default TLS 1.3 list applies, which is already AEAD-only. Keep in mind that MX-to-MX STARTTLS is opportunistic: a remote MTA that cannot meet this policy does not fail loudly, it either defers or falls back to plaintext according to its own rules, so review the STARTTLS= lines in the log (see Verification) for legacy peers before tightening further.

Using m4 Macros

The equivalent m4 macro configuration:

define(`confCIPHER_LIST', `ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305')dnl
define(`confSERVER_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1 +SSL_OP_CIPHER_SERVER_PREFERENCE')dnl
define(`confCLIENT_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1')dnl

Require TLS for Authentication

Ensure that SMTP AUTH credentials are only sent over encrypted connections:

define(`confAUTH_OPTIONS', `A p')dnl

The p flag refuses mechanisms that are vulnerable to a simple passive attack (PLAIN and LOGIN, which carry the password in the clear or merely base64-encoded) unless a security layer, in practice STARTTLS, is active. AUTH is still advertised on a plaintext connection, but only with mechanisms that do not expose the password; after the client issues STARTTLS, PLAIN and LOGIN become available. The A flag adds the AUTH= parameter to MAIL FROM only when authentication actually succeeded. Add y as well to refuse mechanisms that allow anonymous login.

Require TLS for Specific Domains

Use the access database (this requires FEATURE(`access_db')) to control STARTTLS on outbound connections. The three keys are looked up differently. Try_TLS is keyed by the name or address of the server being connected to and exists mainly to turn STARTTLS off (NO) for a peer whose TLS is broken; YES is the default. TLS_Srv is also keyed by the name of the server being connected to. TLS_Rcpt is keyed by the recipient address or domain, which is what you want when the requirement is "mail for example.com must be encrypted" regardless of which MX host answers:

Try_TLS:broken-mta.example.net   NO
TLS_Rcpt:example.com             VERIFY:256
TLS_Srv:mx.example.com           VERIFY:256

VERIFY:bits requires that the peer certificate chain to a CA reachable through confCACERT and confCACERT_PATH and that the negotiated cipher use at least that many key bits; ENCR:bits requires only encryption of that strength without certificate verification. Note that with the cipher list above VERIFY:256 rules out the AES-128 suites, so a peer that selects one of them causes the message to be deferred; VERIFY:128 is enough to insist on a verified chain with any suite in the list. Sendmail's VERIFY checks the chain only; it does not compare the certificate name with the MX hostname. A recipient whose requirement cannot be met is deferred (temporary failure), not delivered in plaintext. Rebuild the map after editing:

makemap hash /etc/mail/access < /etc/mail/access

There is no single option that forces TLS for all outbound mail, and confTLS_SRV_OPTIONS does not do it: TLSSrvOptions apply when Sendmail is the server, and its V flag means "do not request a client certificate", which weakens verification rather than requiring anything. Express the requirement per domain with TLS_Rcpt entries, limited to domains whose MX hosts are known to support TLS.

Complete Configuration

Add the following to your sendmail.mc:

dnl # TLS Certificate Configuration
define(`confCACERT_PATH', `/etc/mail/ssl')dnl
define(`confCACERT', `/etc/mail/ssl/ca.pem')dnl
define(`confSERVER_CERT', `/etc/mail/ssl/server-cert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/ssl/server-key.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/ssl/server-cert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/ssl/server-key.pem')dnl

dnl # TLS Cipher and Protocol Settings
define(`confCIPHER_LIST', `ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305')dnl
define(`confSERVER_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1 +SSL_OP_CIPHER_SERVER_PREFERENCE')dnl
define(`confCLIENT_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1')dnl

dnl # Require TLS for AUTH
define(`confAUTH_OPTIONS', `A p')dnl

After editing, rebuild sendmail.cf, check it, and restart the daemon:

cd /etc/mail
cp -p sendmail.cf sendmail.cf.bak
m4 sendmail.mc > sendmail.cf
sendmail -bt -d0.1 < /dev/null
systemctl restart sendmail

This form assumes sendmail.mc itself includes the cf.m4 macro library (distribution-supplied .mc files start with an include(`.../cf.m4') line; if yours does not, pass the path to cf.m4 as the first argument to m4). The sendmail -bt -d0.1 run parses the new file before the restart and reports configuration errors Sendmail treats as fatal; its "Compiled with:" line also shows whether the binary has STARTTLS and SASL support.

RHEL/CentOS: You can also use make -C /etc/mail if the Makefile is present.
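The rebuild procedure above, as an added example that is not part of the original guide: a POSIX shell script that compiles sendmail.mc, checks that the generated sendmail.cf actually carries the TLS options this guide sets (the confXXX macros expand to "O OptionName=" lines in the .cf), runs Sendmail's own parser over the candidate file, and only then installs it and restarts the daemon. It assumes sendmail.mc includes cf.m4 itself and that the sendmail and systemctl commands exist on the host; the sample_cf excerpt is constructed for the self-check, not copied from a real system.

```shell
#!/bin/sh
# Added example, not part of the guide: build sendmail.cf from sendmail.mc and
# only install it and restart the daemon once the generated file provably
# carries the TLS options from this guide and passes sendmail's own parser.
# Assumptions: sendmail.mc includes the cf.m4 macro library itself (the
# include(`.../cf.m4') line distributions ship at the top of the file), and
# sendmail plus systemd are on the host. The .cf excerpt used by the self-check
# is constructed for this example.
set -eu

# The .cf option names the m4 confXXX defines in this guide expand to.
REQUIRED_CF_OPTIONS="ServerCertFile ServerKeyFile CACertFile CACertPath \
CipherList ServerSSLOptions ClientSSLOptions AuthOptions"

# cf_has_tls_options CF -> 0 when every option is present, 1 otherwise
cf_has_tls_options() {
    rc=0
    for opt in $REQUIRED_CF_OPTIONS; do
        grep -q "^O $opt=" "$1" || { echo "missing O $opt= in $1" >&2; rc=1; }
    done
    return $rc
}

# cf_auth_requires_tls CF -> 0 when AuthOptions carries the p flag
cf_auth_requires_tls() { grep -Eq '^O AuthOptions=.*p' "$1"; }

# cf_legacy_tls_disabled CF -> 0 when both SSL option lines reject TLS 1.0/1.1
cf_legacy_tls_disabled() {
    grep -Eq '^O ServerSSLOptions=.*SSL_OP_NO_TLSv1_1' "$1" &&
    grep -Eq '^O ClientSSLOptions=.*SSL_OP_NO_TLSv1_1' "$1"
}

# mc_includes_cf_m4 MC -> 0 when MC pulls in cf.m4 itself
mc_includes_cf_m4() { grep -Eq '^include\(.*cf\.m4' "$1"; }

# build_and_install MC CF -> compiles MC, gates on the checks above, installs
build_and_install() {
    mc=$1; cf=$2; new="$cf.new.$$"
    mc_includes_cf_m4 "$mc" || { echo "$mc must include cf.m4" >&2; return 1; }
    m4 "$mc" > "$new"
    cf_has_tls_options "$new" && cf_auth_requires_tls "$new" && cf_legacy_tls_disabled "$new" \
        || { rm -f "$new"; return 1; }
    # Let sendmail parse the candidate before the live file is touched.
    sendmail -C "$new" -bt -d0.1 < /dev/null > /dev/null || { rm -f "$new"; return 1; }
    cp -p "$cf" "$cf.bak.$(date +%Y%m%d%H%M%S)"
    mv "$new" "$cf"
    systemctl restart sendmail
}

# sample_cf -> constructed excerpt of a compiled sendmail.cf for the self-check
sample_cf() {
    cat <<'EOF'
O ServerCertFile=/etc/mail/ssl/server-cert.pem
O ServerKeyFile=/etc/mail/ssl/server-key.pem
O CACertFile=/etc/mail/ssl/ca.pem
O CACertPath=/etc/mail/ssl
O CipherList=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
O ServerSSLOptions=+SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1
O AuthOptions=A p
EOF
}
```

On a live host the call is build_and_install /etc/mail/sendmail.mc /etc/mail/sendmail.cf as root. The option checks exist because a typo in a define(...) name produces no m4 error at all: the macro is simply never expanded and the daemon starts without that setting.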

Client Configuration

Outbound STARTTLS

Sendmail attempts STARTTLS on outbound connections whenever the remote server advertises it; with the client certificate and CA settings above in place no additional client configuration is needed. This is opportunistic: if the remote MX does not offer STARTTLS, or the handshake fails, the message is not protected unless an access-map TLS_Rcpt entry requires encryption for that destination.

Testing with openssl

Test inbound STARTTLS:

openssl s_client -connect mail.example.com:25 -starttls smtp

Security Notes

The cipher suite and protocol configuration in this guide addresses the following known TLS vulnerabilities:

  • POODLE (CVE-2014-3566, 2014): SSL 3.0 is disabled. TLS_FALLBACK_SCSV support was added in OpenSSL 1.0.1j (October 2014); SSL 3.0 has been disabled by default since OpenSSL 1.1.0 (August 2016).
  • BEAST (CVE-2011-3389, 2011): Mitigated by requiring TLS 1.2 as the minimum; the AEAD-only cipher list leaves no CBC suites to attack.
  • CRIME (CVE-2012-4929, 2012): TLS compression is off by default in OpenSSL 1.1.0+; do not enable it.
  • Lucky13 (CVE-2013-0169, 2013): The AEAD-only cipher list eliminates CBC padding timing side channels entirely.
  • FREAK (CVE-2015-0204, 2015): EXPORT-grade ciphers are excluded from the cipher string; OpenSSL removed them in 1.1.0 (August 2016).
  • LOGJAM (CVE-2015-4000, 2015): Finite-field DHE, whose security depends on the server's group size, is excluded; only ECDHE key exchange is offered.
  • Sweet32 (CVE-2016-2183, 2016): 3DES is excluded from the cipher string; OpenSSL disabled it by default starting with 1.1.0 (August 2016).
  • ROBOT (2017; tracked under vendor-specific CVEs such as CVE-2017-13099): A Bleichenbacher padding oracle against RSA key exchange. OpenSSL itself was not among the affected implementations, and excluding static RSA key exchange (ECDHE only) removes the attack surface whatever the library.
  • Downgrade attacks: The server refuses anything below TLS 1.2 outright, so there is no version to roll back to on the TLS layer; TLS_FALLBACK_SCSV only matters for clients that retry with a lower version on failure, and TLS 1.3 adds its own downgrade sentinel in the ServerHello random. The downgrade that matters most for SMTP happens before TLS starts: an active attacker can strip 250-STARTTLS from the EHLO response and the session simply continues in plaintext. Nothing in this section prevents that; it takes per-destination enforcement (TLS_Rcpt in the access map), DANE (RFC 7672, supported by recent Sendmail releases) or MTA-STS (RFC 8461) published by the receiving domain.
  • Renegotiation injection (CVE-2009-3555, 2009): Secure renegotiation (RFC 5746) is enforced by default in OpenSSL 0.9.8m+; TLS 1.3 removes renegotiation entirely.

The following are not addressable through TLS configuration alone:

  • Heartbleed (CVE-2014-0160, 2014): A memory disclosure bug in OpenSSL 1.0.1 through 1.0.1f. Fixed in OpenSSL 1.0.1g (April 7, 2014). Addressed by patching OpenSSL, not by TLS configuration.
  • BREACH (CVE-2013-3587, 2013): Not applicable. BREACH targets HTTP-level response compression; SMTP does not involve HTTP.
  • DROWN (CVE-2016-0800, 2016): Requires SSLv2 to be enabled on any server sharing the same private key. Ensure SSLv2 is disabled on all services that use the same certificate and key pair.

Verification

Verify STARTTLS is advertised in the EHLO response:

telnet mail.example.com 25
EHLO test.example.com

The response should include 250-STARTTLS.

Test the TLS handshake:

openssl s_client -connect mail.example.com:25 -starttls smtp
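The s_client probe shown here and under "Testing with openssl", as an added example that is not part of the original guide: a POSIX shell wrapper that runs the same command and reduces its output to the facts worth checking, namely the negotiated protocol and cipher, the chain verification result, and whether the server still completes a TLS 1.1 handshake (it must not, with the ServerSSLOptions above). mail.example.com is the guide's placeholder; the s_client excerpt in sample_s_client_output is constructed for the self-check, not a captured session.

```shell
#!/bin/sh
# Added example, not part of the guide: wrap the openssl s_client probe so the
# result can be checked mechanically: protocol and cipher negotiated, whether
# the chain verified, and whether the server still accepts TLS 1.1.
# Host mail.example.com is the guide's placeholder; sample_s_client_output is
# a constructed excerpt, not a capture.
set -eu

# starttls_probe HOST PORT [extra s_client args] -> raw s_client output
starttls_probe() {
    host=$1; port=$2; shift 2
    openssl s_client -connect "$host:$port" -starttls smtp "$@" < /dev/null 2>&1
}

# tls_summary < s_client-output -> one line: proto=... cipher=... verify=...
# Picks the fields out of the SSL-Session block s_client prints after the handshake.
tls_summary() {
    awk -F: '
        /^ *Protocol *:/       { gsub(/ /, "", $2); proto = $2 }
        /^ *Cipher *:/         { gsub(/ /, "", $2); cipher = $2 }
        /^Verify return code:/ { sub(/^ */, "", $2); verify = $2 }
        END { printf "proto=%s cipher=%s verify=%s\n", proto, cipher, verify }'
}

# tls_policy_ok < summary -> 0 when TLS 1.2+ was negotiated and the chain verified
tls_policy_ok() { grep -Eq '^proto=TLSv1\.[23] .* verify=0 \(ok\)$'; }

# legacy_tls_rejected HOST PORT -> 0 when a TLS 1.1 handshake does not complete.
# SECLEVEL=0 makes this *client* willing to offer TLS 1.1 on OpenSSL 3, so a
# failure is attributable to the server (or to a local OpenSSL built without
# TLS 1.1 at all, which "openssl s_client -help" will show).
legacy_tls_rejected() {
    ! starttls_probe "$1" "$2" -tls1_1 -cipher 'DEFAULT:@SECLEVEL=0' \
        | tls_summary | grep -q '^proto=TLSv1\.1 '
}

# sample_s_client_output -> constructed excerpt of a successful TLS 1.3 session
sample_s_client_output() {
    cat <<'EOF'
SSL handshake has read 2641 bytes and written 395 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
---
250 HELP
EOF
}
```

Against a live server: starttls_probe mail.example.com 25 | tls_summary | tls_policy_ok && echo policy ok, and legacy_tls_rejected mail.example.com 25 && echo "TLS 1.1 refused". Add -CAfile or -CApath to the probe when the MX certificate is issued by a private CA, otherwise the verify field reports a failure that has nothing to do with the server.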

Check the Sendmail logs for TLS information:

grep -i tls /var/log/maillog
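The log check above, as an added example that is not part of the original guide: a POSIX shell audit of Sendmail's STARTTLS= log lines. It summarises which TLS versions inbound (STARTTLS=server) and outbound (STARTTLS=client) sessions negotiated, and lists sessions that fell below TLS 1.2, failed peer verification, or failed the handshake outright; each of those is a peer to look at before tightening policy, since tightening turns such peers into deferred or plaintext mail. The log lines in sample_maillog are constructed in Sendmail's log format for this example, not taken from a real server.

```shell
#!/bin/sh
# Added example, not part of the guide: audit the STARTTLS= lines that Sendmail
# writes to the mail log. Summarise negotiated versions per direction and pull
# out the sessions worth investigating. sample_maillog is constructed data in
# Sendmail's log format, not a real capture.
set -eu

# tls_version_summary < maillog -> "inbound|outbound VERSION COUNT" per combination
tls_version_summary() {
    awk '
        /: STARTTLS=(server|client), relay=/ && /version=/ {
            role = ($0 ~ /STARTTLS=server/) ? "inbound" : "outbound"
            match($0, /version=[^,]+/)
            ver = substr($0, RSTART + 8, RLENGTH - 8)   # strip "version="
            n[role " " ver]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# weak_tls_sessions < maillog -> sessions negotiated below TLS 1.2
# (older OpenSSL logs TLS 1.0 as "TLSv1/SSLv3", newer as "TLSv1")
weak_tls_sessions() {
    grep -E 'STARTTLS=(server|client),.*version=(SSLv3|TLSv1(/SSLv3)?|TLSv1\.1),' || true
}

# verify_failures < maillog -> sessions where the peer certificate failed verification
verify_failures() {
    grep -E 'STARTTLS=(server|client),.*verify=FAIL' || true
}

# handshake_failures < maillog -> STARTTLS attempts that never produced a session
handshake_failures() {
    grep -E 'STARTTLS=(server|client), error:' || true
}

# count < stream -> number of lines as a bare integer
count() { awk 'END { print NR }'; }

# sample_maillog -> constructed log lines covering the cases above
sample_maillog() {
    cat <<'EOF'
May 15 10:12:01 mx1 sendmail[2811]: STARTTLS=server, relay=mail.example.net [192.0.2.10], version=TLSv1.3, verify=NO, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
May 15 10:12:33 mx1 sendmail[2820]: STARTTLS=client, relay=mx.partner.example., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
May 15 10:13:05 mx1 sendmail[2833]: STARTTLS=server, relay=old.example.org [198.51.100.7], version=TLSv1, verify=NO, cipher=AES256-SHA, bits=256/256
May 15 10:13:40 mx1 sendmail[2840]: STARTTLS=client, relay=mx2.partner.example., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
May 15 10:14:02 mx1 sendmail[2851]: STARTTLS=server, error: accept failed=-1, reason=no shared cipher, SSL_error=1, errno=0, retry=-1
EOF
}
```

On a real host run tls_version_summary < /var/log/maillog and weak_tls_sessions < /var/log/maillog. Note what the audit cannot see: a peer that never issued STARTTLS leaves no STARTTLS= line at all, so plaintext inbound sessions are only visible as from= entries without a corresponding TLS line, and "no shared cipher" failures like the last sample line are exactly what an over-tight CipherList produces for legacy senders.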

Verify the TLS version and cipher in the mail headers. A Received: header written by Sendmail carries a parenthesised TLS summary such as:

(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO)

verify=NO means the sending MTA presented no client certificate, which is normal for MX-to-MX traffic; verify=FAIL means it presented one that did not verify. A message that arrived in plaintext has no such block at all, which is the thing to look for when hunting legacy peers.

Test your MX server's TLS configuration externally with the Mr.DNS SSL/TLS Certificate Check (port 25 for STARTTLS, 465 for implicit TLS).

Verify SPF, DKIM, and DMARC alignment for the sending domain with the Mr.DNS Email Authentication Health Check.

