IBM Support

Configuring TLS Between IBM i and Remote Mail Router WITHOUT Authentication

Question & Answer


Question

How can I configure SMTP on the IBM i to connect to a mail router using TLS without requiring authentication?

Answer

Prerequisite:
The following PTF must be applied to allow the STARTTLS command to be executed when the Forwarding Mailhub Server SMTP Attribute is resolved via a DNS MX record.

IBM i 7.5 & 7.4: Included in GA
IBM i 7.3: 5770TC1 - SI69785


If this PTF is not applied, then you will need to set the 'Forwarding Mailhub Server' to either the direct IP address of the mail router, or an alias that is resolved in CFGTCP opt. 10 (for example SMTPRELAY) and you will need to use the QIBM_SMTP_RLY_TLS_FIRST=YES environment variable value.



To get the IBM i SMTP client to negotiate a TLS connection to the remote mail router without needing to provide authentication credentials, you will need to do the following:

1) Verify your IBM i SMTP email directory type is *SMTP.

Check your current email directory type by prompting the CHGSMTPA command with F4.  If your current email directory type value is *SDD, please refer to the IBM Technical Document, How To Migrate SMTP on IBM i from *SDD to *SMTP/*SMTPMSF, for detailed information on how to migrate to the *SMTP email directory type.  You must be using the *SMTP email directory type in order to configure TLS with SMTP without credential authentication.

2) Add the QIBM_SMTP_RLY_TLS_FIRST environment variable at the *SYS level with the appropriate value.

If the prerequisite PTF is applied:
ADDENVVAR ENVVAR(QIBM_SMTP_RLY_TLS_FIRST) VALUE(YES_STARTTLS) LEVEL(*SYS)


If the prerequisite PTF is NOT applied:
ADDENVVAR ENVVAR(QIBM_SMTP_RLY_TLS_FIRST) VALUE(YES) LEVEL(*SYS)


3) Obtain the certificate authority (CA) certificates used by the SMTP Relay server you are connecting to.

Because the IBM i SMTP client must be able to validate the certificate the SMTP Relay Server presents during the TLS handshake, you will need to obtain the certificate authority (CA) certificates used by your SMTP Relay Server for TLS connections. You can either obtain these manually from your SMTP Relay Server administrator or use the QMGTOOLS GETSSL utility if you know the TCP/IP hostname or IP address of the SMTP Relay Server and the TLS port it listens on. For instructions on how to use the QMGTOOLS GETSSL utility, please refer to the following document.

QMGTOOLS GETSSL Utility

Example (replace MAILROUTER with the CHGSMTPA 'Forwarding Mailhub Server' address, and password with the DCM *SYSTEM store password):

QMGTOOLS/GETSSL IP(MAILROUTER) PORT(587) STRTLS(Y) AUTOIMP(Y) STOREPWD(password)

The Auto Import function will attempt to automatically add the CA certificates it retrieves on the connection to the *SYSTEM store. If the command is not able to retrieve the certificates, they will need to be imported manually using the following steps (the CA certificates will need to be obtained from the remote server side):

Import your SMTP Relay CA certificates into DCM.

In a web browser, execute the following URL to access the Digital Certificate Manager (DCM) application:

http://systemname:2001/dcm

or

https://systemname:2010/dcm

(Replace systemname with the TCP/IP hostname or IP address of your IBM i server)

Then follow the steps in the following document to manually import the CA certificates into the *SYSTEM store:

https://www.ibm.com/docs/en/i/7.5?topic=dcm-importing-certificate

4) End and restart SMTP:

ENDTCPSVR SERVER(*SMTP)

STRTCPSVR SERVER(*SMTP)

After performing the steps listed above, you should now be able to connect from the IBM i to your remote mail router via TLS.
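As an added pre-flight check (not part of this IBM document or the QMGTOOLS utility), the following Python script, run from a workstation, confirms that the mail router advertises STARTTLS on port 587 and that its certificate chain validates against the CA bundle you plan to import into the *SYSTEM store; the relay hostname, port and PEM bundle path are assumptions, and the EHLO reply embedded below is a constructed sample.

```python
"""Pre-flight check for an IBM i SMTP relay: does the mail router advertise
STARTTLS, and does its certificate chain validate against the CA bundle?"""
import smtplib
import ssl
from typing import Optional, Set

# Constructed sample of a multi-line EHLO reply in the form smtplib returns
# it: bytes, one keyword per line, first line is the server's greeting.
SAMPLE_EHLO = b"mailrouter.example.test\nSIZE 52428800\nSTARTTLS\nAUTH PLAIN LOGIN\n8BITMIME"


def ehlo_keywords(ehlo_message: bytes) -> Set[str]:
    """Return the upper-cased ESMTP keywords from an EHLO reply, skipping the greeting line."""
    lines = ehlo_message.decode("ascii", "replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def starttls_offered(ehlo_message: bytes) -> bool:
    """True when the relay lists STARTTLS, which IBM i needs for YES_STARTTLS."""
    return "STARTTLS" in ehlo_keywords(ehlo_message)


def check_relay(host: str, port: int = 587, cafile: Optional[str] = None) -> dict:
    """Connect, EHLO, STARTTLS and validate the relay's chain.

    cafile is the PEM bundle of the relay's CA certificates (assumed path);
    None falls back to the workstation's OS trust store. Hostname verification
    is on, so connect by the name on the certificate, not a bare IP address.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {msg!r}")
        if not starttls_offered(msg):
            raise RuntimeError("relay does not advertise STARTTLS on this port")
        # Raises ssl.SSLCertVerificationError if the chain or hostname does not validate,
        # i.e. the same trust problem IBM i would hit with an incomplete *SYSTEM store.
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
        return {
            "tls_version": smtp.sock.version(),
            "issuer": dict(rdn[0] for rdn in cert["issuer"]),
            "subject": dict(rdn[0] for rdn in cert["subject"]),
        }


if __name__ == "__main__":
    import sys
    # Usage: python check_relay.py mailrouter.example.test 587 relay-ca-bundle.pem
    print(check_relay(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 587,
                      sys.argv[3] if len(sys.argv) > 3 else None))
```

The issuer printed on success is the CA whose certificate must be present in the *SYSTEM store; if the script raises a certificate verification error, the bundle is incomplete and GETSSL or the relay administrator should supply the missing CA certificate.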


Document Information

Modified date:
23 August 2024

UID

nas8N1020864