[CentOS] sendmail tls and openssl

Sat Jul 4 14:35:54 UTC 2015
Leon Fauster <leonfauster at googlemail.com>

On 04.07.2015 at 15:34, Gregory P. Ennis <PoMec at PoMec.Net> wrote:
> On Sat, 2015-07-04 at 08:07 -0500, Gregory P. Ennis wrote:
>> Everyone,
>> 
>> Looks like the new version of openssl has broken my sendmail's use of
>> tls.   Has anyone else had this problem or seen a fix?
>> 
>> Greg Ennis
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
> 
> I should have had a note with a few more details.  Sorry!
> 
> The OS is CentOS 5.11 with the latest update of openssl causing the
> problem. I will use the name "one.domain.com"
> 
> Jul 03 04:19:14 Updated: openssl-0.9.8e-36.el5_11.i686
> 
> It is interesting that this CentOS 5.11 machine (one.domain.com)
> transfers its mail to our internal mail server that runs CentOS
> 7.1.1503 (two.domain.com), and when the new openssl was updated June
> 16th on two.domain.com I had a similar problem.  At that time when
> two.domain.com accepted tls from one.domain.com it failed until I entered
> "Try_TLS:one.domain.com      NO" in the /etc/mail/access file of
> two.domain.com.
> 
> My sendmail switches in one.domain.com include the following:
> 
> define(`confAUTH_OPTIONS', `A p y')dnl
> dnl #
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> dnl #
> define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
> define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
> define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
> define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
> define(`confCLIENT_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
> define(`confCLIENT_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl
> 
> 
> I would like to be able to continue using tls on one.domain.com, but am
> ready to turn it off until this can be debugged.  Has this problem
> affected anyone else?


Are there any ciphers configured (server-side C7, client-side C5)? One change 
addresses some weak DH parameters ... https://rhn.redhat.com/errata/RHSA-2015-1197.html

--
LF
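A small diagnostic script, added here as an example and not part of the thread, that probes a peer's SMTP STARTTLS handshake with `openssl s_client` and flags an ephemeral DH exchange below a configurable size. It assumes the `Server Temp Key:` line that newer `openssl s_client` builds print (older builds omit it, in which case only the handshake outcome is judged), and the 1024-bit threshold is an assumed local policy value, not a figure from the post.

```shell
#!/bin/sh
# Probe an SMTP server's STARTTLS handshake and judge the negotiated session.
# MIN_DH_BITS is an assumed policy threshold (constructed for this example).
MIN_DH_BITS=${MIN_DH_BITS:-1024}

# probe_starttls HOST [PORT]: print the raw openssl s_client transcript.
probe_starttls() {
    openssl s_client -starttls smtp -connect "$1:${2:-25}" </dev/null 2>&1
}

# assess_tls: read an s_client transcript on stdin and print a verdict.
# Exit 0 = session negotiated and DH (if any) strong enough,
#      1 = no TLS session negotiated, 2 = DH smaller than MIN_DH_BITS.
assess_tls() {
    out=$(cat)
    # "    Cipher    : NAME" is the negotiated suite; "0000" means none.
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    # "Server Temp Key: DH, N bits" is printed only by newer openssl builds.
    dh_bits=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits.*/\1/p' | head -n 1)
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ] \
       || printf '%s\n' "$out" | grep -q 'handshake failure'; then
        echo "FAIL: no TLS session negotiated"
        return 1
    fi
    if [ -n "$dh_bits" ] && [ "$dh_bits" -lt "$MIN_DH_BITS" ]; then
        echo "WEAK: $cipher uses ${dh_bits}-bit DH (below $MIN_DH_BITS)"
        return 2
    fi
    echo "OK: $cipher${dh_bits:+ with ${dh_bits}-bit DH}"
    return 0
}

# Usage from either side of the link, e.g. on one.domain.com:
#   probe_starttls two.domain.com | assess_tls
```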