On Sat, 2015-07-04 at 16:35 +0200, Leon Fauster wrote:
> Am 04.07.2015 um 15:34 schrieb Gregory P. Ennis <PoMec at PoMec.Net>:
> > On Sat, 2015-07-04 at 08:07 -0500, Gregory P. Ennis wrote:
> > > Everyone,
> > >
> > > Looks like the new version of openssl has broken my sendmail's use of
> > > TLS. Has anyone else had this problem or seen a fix?
> > >
> > > Greg Ennis
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS at centos.org
> > > http://lists.centos.org/mailman/listinfo/centos
> >
> > I should have had a note with a few more details. Sorry!
> >
> > The OS is CentOS 5.11 with the latest update of openssl causing the
> > problem. I will use the name "one.domain.com".
> >
> > Jul 03 04:19:14 Updated: openssl-0.9.8e-36.el5_11.i686
> >
> > It is interesting that this CentOS 5.11 machine (one.domain.com)
> > transfers its mail to our internal mail server that runs CentOS
> > 7.1.1503 (two.domain.com), and when the new openssl was updated June
> > 16th on two.domain.com I had a similar problem. At that time when
> > two.domain.com accepted TLS from one.domain.com it failed until I
> > entered "Try_TLS:one.domain.com NO" in the /etc/mail/access file of
> > two.domain.com.
> >
> > My sendmail switches in one.domain.com include the following:
> >
> > define(`confAUTH_OPTIONS', `A p y')dnl
> > dnl #
> > TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> > define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> > dnl #
> > define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
> > define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
> > define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
> > define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
> > define(`confCLIENT_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
> > define(`confCLIENT_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl
> >
> > I would like to be able to continue using TLS on one.domain.com, but am
> > ready to turn it off until this can be debugged. Has this problem
> > affected anyone else?
>
> Are there (server-side C7, client-side C5) any ciphers configured? One
> change addresses some weak DH parameters ...
> https://rhn.redhat.com/errata/RHSA-2015-1197.html
>
> --
> LF

Leon,

Thanks for your help. That ended up being the problem for sure. I found a fix on:

http://serverfault.com/questions/700655/sendmail-rejecting-some-connections-with-handshake-failure-ssl-alert-number-40

To make this easier for all those using CentOS 5, the above fix requires the following two steps:

#1. Create a new key

openssl dhparam -out /etc/pki/tls/certs/dhparams.pem 1024

#2. Then add the following to /etc/mail/sendmail.mc:

LOCAL_CONFIG
O CipherList=HIGH:!ADH
O DHParameters=/etc/pki/tls/certs/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Greg
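A quick lint for the sendmail.mc fragment in the fix above, added here as an example and not part of the thread or of sendmail itself: it checks that a sendmail.mc excludes anonymous DH from CipherList, sets DHParameters to a file, and disables SSLv2 and SSLv3 on both the server and client side, and runs that check against a hardened and a deliberately weak sample (both files are constructed in a temp directory; opt_has and check_tls_options are names chosen for this example).

```shell
#!/bin/sh
# Lint a sendmail.mc for the TLS options in the fix above. Example code added
# to this thread, not Greg's or sendmail's own; both .mc files are constructed.

# opt_has FILE OPTION TOKEN: true if an "O OPTION=..." line in FILE contains TOKEN.
opt_has() { grep -E "^O $2=" "$1" | grep -Fq -- "$3"; }

# check_tls_options FILE: 0 when every hardening option is present, 1 on the
# first missing one (reason goes to stderr).
check_tls_options() {
  f="$1"
  opt_has "$f" CipherList '!ADH' \
    || { echo "$f: CipherList must exclude anonymous DH (!ADH)" >&2; return 1; }
  opt_has "$f" DHParameters '/' \
    || { echo "$f: DHParameters must point at a dhparams file" >&2; return 1; }
  for side in Server Client; do
    for v in SSLv2 SSLv3; do
      opt_has "$f" "${side}SSLOptions" "+SSL_OP_NO_$v" \
        || { echo "$f: ${side}SSLOptions must carry +SSL_OP_NO_$v" >&2; return 1; }
    done
  done
  return 0
}

TMP=$(mktemp -d)
GOOD_MC="$TMP/hardened.mc"   # the LOCAL_CONFIG block from the thread
WEAK_MC="$TMP/weak.mc"       # same idea, but anonymous DH allowed and SSLv3 left on

cat > "$GOOD_MC" <<'EOF'
LOCAL_CONFIG
O CipherList=HIGH:!ADH
O DHParameters=/etc/pki/tls/certs/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
EOF

cat > "$WEAK_MC" <<'EOF'
LOCAL_CONFIG
O CipherList=HIGH
O DHParameters=/etc/pki/tls/certs/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2
O ClientSSLOptions=+SSL_OP_NO_SSLv2
EOF

for mc in "$GOOD_MC" "$WEAK_MC"; do
  if check_tls_options "$mc"; then echo "$mc: ok"; fi
done
```

Point check_tls_options at the real /etc/mail/sendmail.mc after editing it; a non-zero exit names the first option still missing.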