Last updated: 2026-02-13
Sendmail TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for Sendmail to encrypt SMTP connections using STARTTLS. Encrypting mail traffic protects message content and authentication credentials in transit.
Prerequisites
- Sendmail 8.15 or later (compiled with STARTTLS support)
- OpenSSL 1.1.1 or later
- SSL certificates (server certificate, private key, and CA certificate)
Verify that your Sendmail binary was compiled with STARTTLS support:
sendmail -d0.1 -bv root 2>&1 | grep STARTTLS
The output should include STARTTLS.
Certificate Setup
Place your certificates in a dedicated directory:
mkdir -p /etc/mail/ssl
chmod 750 /etc/mail/ssl
cp server.crt /etc/mail/ssl/server-cert.pem
cp server.key /etc/mail/ssl/server-key.pem
cp ca.crt /etc/mail/ssl/ca.pem
chmod 640 /etc/mail/ssl/*.pem
chown root:smmsp /etc/mail/ssl/*.pem
RHEL/CentOS: The default certificate paths are /etc/pki/tls/certs/ and /etc/pki/tls/private/.
Server Configuration
Sendmail is configured through m4 macros in the .mc file, which is compiled into sendmail.cf. Add TLS settings to your .mc file (typically /etc/mail/sendmail.mc).
Certificate Files
define(`confCACERT_PATH', `/etc/mail/ssl')dnl
define(`confCACERT', `/etc/mail/ssl/ca.pem')dnl
define(`confSERVER_CERT', `/etc/mail/ssl/server-cert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/ssl/server-key.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/ssl/server-cert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/ssl/server-key.pem')dnl
Protocol Versions
Restrict connections to TLS 1.2 and later:
LOCAL_CONFIG
O CipherList=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1
Using m4 Macros
The equivalent m4 macro configuration:
define(`confCIPHER_LIST', `ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305')dnl
define(`confSERVER_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1 +SSL_OP_CIPHER_SERVER_PREFERENCE')dnl
define(`confCLIENT_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1')dnl
Require TLS for Authentication
Ensure that SMTP AUTH credentials are only sent over encrypted connections:
define(`confAUTH_OPTIONS', `A p')dnl
The p option prevents AUTH from being offered on unencrypted connections.
Require TLS for Specific Domains
Use the access database to require TLS when sending to specific domains:
Try_TLS:example.com YES
TLS_Srv:example.com VERIFY:256
To require TLS for all outbound mail (not recommended unless all recipients support it):
define(`confTLS_SRV_OPTIONS', `V')dnl
Complete Configuration
Add the following to your sendmail.mc:
dnl # TLS Certificate Configuration
define(`confCACERT_PATH', `/etc/mail/ssl')dnl
define(`confCACERT', `/etc/mail/ssl/ca.pem')dnl
define(`confSERVER_CERT', `/etc/mail/ssl/server-cert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/ssl/server-key.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/ssl/server-cert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/ssl/server-key.pem')dnl
dnl # TLS Cipher and Protocol Settings
define(`confCIPHER_LIST', `ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305')dnl
define(`confSERVER_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1 +SSL_OP_CIPHER_SERVER_PREFERENCE')dnl
define(`confCLIENT_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1')dnl
dnl # Require TLS for AUTH
define(`confAUTH_OPTIONS', `A p')dnl
After editing, rebuild sendmail.cf:
cd /etc/mail
m4 sendmail.mc > sendmail.cf
systemctl restart sendmail
RHEL/CentOS: You can also use
make -C /etc/mail
if the Makefile is present.
Client Configuration
Outbound STARTTLS
Sendmail automatically attempts STARTTLS for outbound connections when certificates are configured. No additional client configuration is needed.
Testing with openssl
Test inbound STARTTLS:
openssl s_client -connect mail.example.com:25 -starttls smtp
Verification
Verify STARTTLS is advertised in the EHLO response:
telnet mail.example.com 25
EHLO test.example.com
The response should include 250-STARTTLS.
Test the TLS handshake:
openssl s_client -connect mail.example.com:25 -starttls smtp
Check the Sendmail logs for TLS information:
grep -i tls /var/log/maillog
Verify the TLS version and cipher in the mail headers. A Received: header should contain:
(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384)
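To turn the log grep and the Received: header check above into a repeatable audit, here is an added Python example (not from this guide or the Sendmail project). It parses the version= and cipher= fields that Sendmail writes to STARTTLS lines in maillog and to the Received: header clause, and flags sessions negotiated below TLS 1.2 or with a cipher outside the CipherList configured above. The log lines are constructed samples; the TLS 1.3 suite names are assumed to be the OpenSSL 1.1.1 defaults, which are negotiated independently of CipherList.

```python
import re

# Policy from this guide: TLS 1.2 or later, and only the ECDHE AEAD suites from
# confCIPHER_LIST. TLS 1.3 suites are added because OpenSSL 1.1.1 selects them
# separately from CipherList (assumption: default TLS 1.3 suites are enabled).
ALLOWED_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
}
MIN_VERSION = (1, 2)

# Matches "version=TLSv1.2", "cipher=...", "verify=..." and "bits=..." both in a
# maillog STARTTLS line and in the "(version=... cipher=...)" Received: clause.
_FIELD = re.compile(r"\b(version|cipher|verify|bits)=([^,\s)]+)")

def parse_tls_fields(line):
    """Return {field: value} for the TLS fields present in a line (empty if none)."""
    return dict(_FIELD.findall(line))

def version_tuple(v):
    """Map 'TLSv1.2' -> (1, 2), 'TLSv1' -> (1, 0), 'SSLv3' -> (0, 3); None if unknown."""
    m = re.fullmatch(r"(TLS|SSL)v(\d+)(?:\.(\d+))?", v)
    if not m:
        return None
    major, minor = int(m.group(2)), int(m.group(3) or 0)
    return (major, minor) if m.group(1) == "TLS" else (0, major)

def check_session(line):
    """Return the list of policy violations for one line; [] means compliant or not a TLS record."""
    f = parse_tls_fields(line)
    if "version" not in f:
        return []
    problems = []
    ver = version_tuple(f["version"])
    if ver is None or ver < MIN_VERSION:
        problems.append(f"version {f['version']} below TLS 1.2")
    if f.get("cipher") not in ALLOWED_CIPHERS:
        problems.append(f"cipher {f.get('cipher')} not in configured CipherList")
    return problems

def audit(lines):
    """Return (line, violations) for every non-compliant TLS session in the input."""
    return [(l, check_session(l)) for l in lines if check_session(l)]

# Constructed sample input: three maillog STARTTLS lines and one Received: header clause.
SAMPLE_LOG = [
    "Feb 13 10:01:02 mx sendmail[2231]: STARTTLS=server, relay=[203.0.113.5], version=TLSv1.3, verify=NO, cipher=TLS_AES_256_GCM_SHA384, bits=256/256",
    "Feb 13 10:02:17 mx sendmail[2240]: STARTTLS=client, relay=mail.example.net., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256",
    "Feb 13 10:03:44 mx sendmail[2252]: STARTTLS=server, relay=[198.51.100.9], version=TLSv1, verify=NO, cipher=AES256-SHA, bits=256/256",
    "(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO)",
]

if __name__ == "__main__":
    for line, problems in audit(SAMPLE_LOG):
        print("NON-COMPLIANT:", "; ".join(problems), "<-", line)
```

Run it against the real file with `audit(open("/var/log/maillog"))` to list every session that fell outside the policy, which is the quickest way to spot a peer still negotiating TLS 1.0 or a legacy cipher after the configuration change.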