Steps for using Transport Layer Security for CSSMTP

You can enable the SMTP server and client to use Transport Layer Security (TLS) to provide private, authenticated communication over the Internet.

Procedure

Perform the following steps to use Transport Layer Security (TLS) for CSSMTP:

  1. Set up secure mail using the YES option on the Secure parameter of the TargetServer statement, the STARTTLS command in the JES batch job, or both. Table 1 shows whether TLS is required between CSSMTP and a target server based on various JES batch job and CSSMTP configuration combinations.
    Table 1. JES batch job and CSSMTP configuration combinations for secure mail

    STARTTLS command in JES batch job?   Secure parameter value   TLS required?
    Yes                                  YES                      Yes
    No                                   YES                      Yes
    Yes                                  NO                       Yes
    No                                   NO                       No

    If secure communication is required according to Table 1 and no available target servers support TLS (as indicated by server capabilities in response to the EHLO command), the mail message fails and is not delivered.

    For information about the TargetServer statement, see z/OS Communications Server: IP Configuration Reference. For information about the STARTTLS command, see z/OS Communications Server: IP User's Guide and Commands.

  2. See the following simple example to get started with TLS. For more information about TLS, see Application Transparent Transport Layer Security data protection.

    In this example, assume the following characteristics:

    • The mail contains sensitive data, and you want CSSMTP to communicate with only TLS protocols.
    • CSSMTP is using port 25 to communicate with a target server on another platform.
    • There is only one TCP/IP stack over which mail is delivered, referred to as the client stack.

    To set up TLS for this sample environment, take the following actions:

    1. Create the key ring.

      The client key ring needs the root certificate that was used to sign the server certificates. For a TLS/SSL primer and some step-by-step examples, see TLS/SSL security. For more information about managing key rings and certificates with RACF® and the RACDCERT command, see z/OS Security Server RACF Security Administrator's Guide. For more information about managing key rings and certificates with gskkyman, see z/OS Cryptographic Services System SSL Programming.

    2. Configure CSSMTP to require secure communication. Configure the TargetServer statement with the Secure parameter set to YES, which specifies that TLS protocols are always required. For information about the TargetServer statement, see z/OS Communications Server: IP Configuration Reference.
    3. Configure the client system to use TLS with AT-TLS policies as follows:
      1. Specify TTLS on the TCPCONFIG statement in the TCP/IP profile for the client stack. For information about the TCPCONFIG statement, see z/OS Communications Server: IP Configuration Reference.
      2. Block the ability of applications to open a socket before AT-TLS policy is loaded into the TCP/IP stack by setting up EZB.INITSTACK.sysname.tcpname for the client stack.
      3. Create a main Policy Agent configuration file containing a TcpImage statement for the client stack, and create a TcpImage policy file for the client stack. For more information about AT-TLS policy statements, see z/OS Communications Server: IP Configuration Reference.
      4. Add a TTLSConfig statement to each TcpImage policy file to identify the TTLSConfig policy file location:
        TTLSConfig  clientPath
      5. Add the AT-TLS policy statements to the clientPath file:
        # Rule: match outbound connections from the client stack to remote port 25
        # (the target server port in this example) and apply the actions below.
        TTLSRule                         CSSMTPRule
        {
           RemotePortRange               25
           Direction                     Outbound
           TTLSGroupActionRef            CSSMTPGroup
           TTLSEnvironmentActionRef      CSSMTPEnvironment
        }
        # Group action: enable AT-TLS for connections that match the rule.
        TTLSGroupAction                  CSSMTPGroup
        {
           TTLSEnabled                   On
        }
        # Environment action: CSSMTP acts as the TLS client, and the key ring
        # holds the root certificate used to validate the target server's
        # certificate. ApplicationControlled On lets CSSMTP start the TLS
        # handshake itself after the STARTTLS exchange instead of having
        # AT-TLS negotiate at connect time.
        TTLSEnvironmentAction            CSSMTPEnvironment
        {
           HandshakeRole                 Client
           TTLSKeyRingParms
           {
              Keyring                    client_key_ring
           }
           TTLSEnvironmentAdvancedParms
           {
              ApplicationControlled      On
           }
        }
      Tip: You can use the IBM® Configuration Assistant for z/OS® Communications Server to generate the AT-TLS Policy Agent files. For information about the configuration assistant, see Option 1: Use the IBM Configuration Assistant for z/OS Communications Server.
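
The following Python program is an added example and is not z/OS Communications Server code. It applies the Table 1 decision from step 1 (STARTTLS command in the JES batch job, Secure parameter on the TargetServer statement) and the EHLO capability check to a set of target servers, so you can see which combinations cause a message to fail when no server advertises STARTTLS. The EHLO replies and host names are constructed samples, and the function names are the example's own.

```python
"""Added example (not z/OS Communications Server code): apply Table 1 and
the EHLO capability check from step 1 to decide which target servers can
receive a mail message.  Server replies below are constructed samples."""

import re
from typing import Dict, List


def tls_required(starttls_command: bool, secure_parameter: str) -> bool:
    """Table 1: TLS is required unless the JES batch job has no STARTTLS
    command AND the TargetServer Secure parameter is NO."""
    secure = secure_parameter.strip().upper()
    if secure not in ("YES", "NO"):
        raise ValueError("Secure parameter must be YES or NO, got %r" % secure_parameter)
    return starttls_command or secure == "YES"


# An EHLO reply is a sequence of "250-<text>" lines ending with one "250 <text>"
# line (RFC 5321).  The first line carries the server name; each later line
# carries one extension keyword, optionally followed by parameters.
_REPLY_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo_capabilities(reply: str) -> List[str]:
    """Return the upper-cased extension keywords advertised in an EHLO reply."""
    keywords: List[str] = []
    terminated = False
    for index, raw in enumerate(reply.splitlines()):
        match = _REPLY_LINE.match(raw)
        if match is None:
            raise ValueError("unexpected EHLO reply line: %r" % raw)
        separator, text = match.groups()
        if index > 0 and text.split():
            keywords.append(text.split()[0].upper())
        if separator == " ":
            terminated = True
            break
    if not terminated:
        raise ValueError("EHLO reply has no final '250 ' line")
    return keywords


def usable_target_servers(starttls_command: bool, secure_parameter: str,
                          ehlo_replies: Dict[str, str]) -> List[str]:
    """Servers that may receive the message.  When TLS is required, only
    servers advertising STARTTLS qualify; an empty result means the message
    fails and is not delivered, as the text describes."""
    required = tls_required(starttls_command, secure_parameter)
    return [
        name for name, reply in ehlo_replies.items()
        if not required or "STARTTLS" in parse_ehlo_capabilities(reply)
    ]


# Constructed sample EHLO replies; host names are placeholders.
EHLO_WITH_STARTTLS = (
    "250-mx1.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx2.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)
TARGET_SERVERS = {"mx1": EHLO_WITH_STARTTLS, "mx2": EHLO_WITHOUT_STARTTLS}


if __name__ == "__main__":
    # Walk the four Table 1 combinations against the two sample servers.
    for starttls_cmd, secure in [(True, "YES"), (False, "YES"), (True, "NO"), (False, "NO")]:
        servers = usable_target_servers(starttls_cmd, secure, TARGET_SERVERS)
        print("STARTTLS command=%-5s Secure=%-3s TLS required=%-5s usable=%s"
              % (starttls_cmd, secure, tls_required(starttls_cmd, secure),
                 servers or "none (mail fails)"))
```

Only the (no STARTTLS command, Secure NO) row allows delivery to mx2, which does not advertise STARTTLS; in every other row mx2 is excluded, and if it were the only available target server the message would fail.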

Results

You know you are done when CSSMTP can successfully deliver mail to a target server using secure connections. If SECURE YES is configured and CSSMTP is able to successfully negotiate and establish a TLS session, the following message is displayed:
EZD1821I  csproc ABLE TO USE TARGET SERVER  ipAddress

Restriction: To use the STARTTLS command with a target server, the target server must have a certificate that can be validated by the AT-TLS component of z/OS Communications Server as configured by Policy Agent. This certificate can be a self-signed certificate or a certificate that can be validated by a known certificate authority. If the certificate of the server cannot be validated, secure communication with the server fails and mail that requires security cannot be delivered to that server.