Everyone,
Looks like the new version of openssl has broken my sendmail's use of TLS. Has anyone else had this problem or seen a fix?
Greg Ennis
On Sat, 2015-07-04 at 08:07 -0500, Gregory P. Ennis wrote:
Everyone,
Looks like the new version of openssl has broken my sendmail's use of TLS. Has anyone else had this problem or seen a fix?
Greg Ennis
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
I should have had a note with a few more details. Sorry!
The OS is CentOS 5.11 with the latest update of openssl causing the problem. I will use the name "one.domain.com".
Jul 03 04:19:14 Updated: openssl-0.9.8e-36.el5_11.i686
It is interesting that this CentOS 5.11 machine (one.domain.com) transfers its mail to our internal mail server that runs CentOS 7.1.1503 (two.domain.com), and when the new openssl was updated June 16th on two.domain.com I had a similar problem. At that time, when two.domain.com accepted TLS from one.domain.com, it failed until I entered "Try_TLS:one.domain.com NO" in the /etc/mail/access file of two.domain.com.
My sendmail switches in one.domain.com include the following:
define(`confAUTH_OPTIONS', `A p y')dnl
dnl # TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl # define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl
I would like to be able to continue using TLS on one.domain.com, but am ready to turn it off until this can be debugged. Has this problem affected anyone else?
Greg Ennis
On 04.07.2015 at 15:34, Gregory P. Ennis <PoMec@PoMec.Net> wrote:
Are there any ciphers configured (server-side C7, client-side C5)? One change addresses some weak DH parameters ... https://rhn.redhat.com/errata/RHSA-2015-1197.html
-- LF
On Sat, 2015-07-04 at 16:35 +0200, Leon Fauster wrote:
Leon,
Thanks for your help.
That ended up being the problem for sure. I found a fix on:
http://serverfault.com/questions/700655/sendmail-rejecting-some-connections-with-handshake-failure-ssl-alert-number-40
To make this easier for all those using CentOS 5, the above fix requires the following two steps:
#1. Create a new key:

openssl dhparam -out /etc/pki/tls/certs/dhparams.pem 1024
#2. Then add the following to /etc/mail/sendmail.mc:
LOCAL_CONFIG
O CipherList=HIGH:!ADH
O DHParameters=/etc/pki/tls/certs/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
Greg
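A small checker, added here and not part of the thread or of sendmail, for the dhparams.pem file the fix above generates: it parses the PEM "DH PARAMETERS" body (PKCS#3 DER, a SEQUENCE of INTEGER p and INTEGER g) and reports the prime's bit length, so you can confirm the group is at least the 1024 bits the thread generates before the updated OpenSSL rejects the handshake (current practice is 2048 bits or more). The encoder only exists to build the constructed sample files; their numbers are the right size but are not real primes.

```python
import base64

def _der_len(n):
    """DER length octets for content length n (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):
    """DER INTEGER for a non-negative int; a leading 0x00 keeps it positive."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def encode_dh_params(p, g):
    """PEM 'DH PARAMETERS' (PKCS#3): SEQUENCE { INTEGER p, INTEGER g }."""
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                      # long form: next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem):
    """Return (bit length of p, generator g) from a PEM DH PARAMETERS file."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag_p, p_bytes, nxt = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, nxt)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and INTEGER g")
    return int.from_bytes(p_bytes, "big").bit_length(), int.from_bytes(g_bytes, "big")

# Constructed samples: odd numbers of the right size, not real safe primes;
# they only exercise the encoder/parser and must never be used as live DH groups.
SAMPLE_1024 = encode_dh_params((1 << 1023) | 0x1234567, 2)
SAMPLE_512 = encode_dh_params((1 << 511) | 0x1234567, 2)
```

On a real file, call dh_prime_bits(open("/etc/pki/tls/certs/dhparams.pem").read()) and treat anything under 1024 bits as the failing configuration.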