On 04.07.2015 at 15:34, Gregory P. Ennis <PoMec at PoMec.Net> wrote:
> On Sat, 2015-07-04 at 08:07 -0500, Gregory P. Ennis wrote:
>> Everyone,
>>
>> Looks like the new version of openssl has broken my sendmail's use of
>> tls. Has anyone else had this problem or seen a fix?
>>
>> Greg Ennis
>
> I should have had a note with a few more details. Sorry!
>
> The os is Centos 5.11 with the latest update of openssl causing the
> problem. I will use the name "one.domain.com"
>
> Jul 03 04:19:14 Updated: openssl-0.9.8e-36.el5_11.i686
>
> It is interesting that this Centos 5.11 machine (one.domain.com)
> transfers its mail to our internal mail server that runs Centos
> 7.1.1503 (two.domain.com), and when the new openssl was updated June
> 16th on two.domain.com I had a similar problem. At that time when
> two.domain.com accepted tls from one.domain.com it failed until I entered
> "Try_TLS:one.domain.com NO" in the /etc/mail/access file of
> two.domain.com.
>
> My sendmail switches in one.domain.com include the following:
>
> define(`confAUTH_OPTIONS', `A p y')dnl
> dnl #
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> dnl #
> define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
> define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
> define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
> define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
> define(`confCLIENT_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
> define(`confCLIENT_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl
>
> I would like to be able to continue using tls on one.domain.com, but am
> ready to turn it off until this can be debugged. Has this problem
> affected anyone else?
Are there (server- C7, client-side C5) any ciphers configured? One change
addresses some weak DH parameters ...

https://rhn.redhat.com/errata/RHSA-2015-1197.html

--
LF
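One way to answer the "any ciphers configured?" question for the sendmail.mc fragment quoted above; this is an added example, not code from either poster. It assumes that `confDH_PARAMETERS` and `confCIPHER_LIST` are the m4 names to look for (neither appears in the thread, and whether a given sendmail build accepts them has to be checked against its own documentation).

```python
import re

# sendmail.mc fragment as posted in the thread (mail line wrap left in place).
POSTED_MC = """\
define(`confAUTH_OPTIONS', `A p y')dnl
dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN PLAIN')dnl
dnl #
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl
"""

# Assumption: m4 names to look for; neither appears in the thread.
DH_CIPHER_KEYS = ("confDH_PARAMETERS", "confCIPHER_LIST")
DEFINE_RE = re.compile(r"define\(\s*`([^']+)'\s*,\s*`([^']*)'\s*\)")


def parse_defines(mc_text):
    """Return {name: value} for active define() calls; text after dnl is dropped."""
    active = [re.split(r"\bdnl\b", line, maxsplit=1)[0] for line in mc_text.splitlines()]
    found = DEFINE_RE.findall(" ".join(active))
    return {name: " ".join(value.split()) for name, value in found}


def tls_report(defines):
    """Summarise which TLS material is set and which DH/cipher knobs are absent."""
    prefixes = ("confCACERT", "confSERVER_", "confCLIENT_")
    return {
        "cert_settings": sorted(k for k in defines if k.startswith(prefixes)),
        "explicit": {k: defines[k] for k in DH_CIPHER_KEYS if k in defines},
        "left_at_default": [k for k in DH_CIPHER_KEYS if k not in defines],
    }


if __name__ == "__main__":
    report = tls_report(parse_defines(POSTED_MC))
    print("TLS certificate settings:", ", ".join(report["cert_settings"]))
    for key in report["left_at_default"]:
        print(key, "is not set; sendmail falls back to its built-in default")
    for key, value in report["explicit"].items():
        print(key, "=", value)
```

Run against the posted fragment, it reports the certificate and key settings and shows that neither a DH parameter file nor a cipher list is set explicitly.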