[CentOS] sendmail tls and openssl - Solution

Sat Jul 4 15:02:15 UTC 2015
Gregory P. Ennis <PoMec at PoMec.Net>

On Sat, 2015-07-04 at 16:35 +0200, Leon Fauster wrote:
> Am 04.07.2015 um 15:34 schrieb Gregory P. Ennis <PoMec at PoMec.Net>:
> > On Sat, 2015-07-04 at 08:07 -0500, Gregory P. Ennis wrote:
> > > Everyone,
> > > 
> > > Looks like the new version of openssl has broken my sendmail's use of
> > > tls.   Has anyone else had this problem or seen a fix?
> > > 
> > > Greg Ennis
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS at centos.org
> > > http://lists.centos.org/mailman/listinfo/centos
> > 
> > I should have had a note with a few more details.  Sorry!
> > 
> > The os is Centos 5.11 with the latest update of openssl causing the
> > problem. I will use the name "one.domain.com"
> > 
> > Jul 03 04:19:14 Updated: openssl-0.9.8e-36.el5_11.i686
> > 
> > It is interesting that this Centos 5.11 machine (one.domain.com)
> > transfers its mail to our internal mail server that runs Centos
> > 7.1.1503 (two.domain.com), and when the new openssl was updated June
> > 16th on two.domain.com I had a similar problem.  At that time when
> > two.domain.com accepted tls from one.domain.com it failed until I enter
> > "Try_TLS:one.domain.com      NO" in the /etc/mail/access file of
> > two.domain.com.  
> > 
> > My sendmail switches in one.domain.com include the following :
> > 
> > define(`confAUTH_OPTIONS', `A p y')dnl
> > dnl #
> > TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> > define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> > dnl #
> > define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
> > define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
> > define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
> > define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
> > define(`confCLIENT_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
> > define(`confCLIENT_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl
> > 
> > 
> > I would like to be able to continue using tls on one.domain.com, but am
> > ready to turn it off until this can be debugged.  Has this problem
> > affected anyone else?
> 
> 
> are there (server- C7, client-side C5) any ciphers configured? One change
> addresses some weak DH parameters ... 
> https://rhn.redhat.com/errata/RHSA-2015-1197.html
> 
> --
> LF
> 

Leon,

Thanks for your help.

That ended up being the problem for sure.   I found a fix on :

http://serverfault.com/questions/700655/sendmail-rejecting-some-connections-with-handshake-failure-ssl-alert-number-40

To make this easier for all those using Centos 5 the above fix requires
the following two steps :

#1. Create a new key
openssl dhparam -out /etc/pki/tls/certs/dhparams.pem 1024


then add the following to /etc/mail/sendmail.mc :

LOCAL_CONFIG
O CipherList=HIGH:!ADH
O DHParameters=/etc/pki/tls/certs/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3


Greg
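As an added example (not part of the thread above, and not sendmail's or CentOS's own tooling), the following script checks the outcome of the two-step fix: it parses the `O ...` option lines that the `LOCAL_CONFIG` block ends up producing in sendmail.cf, confirms the SSLv2/SSLv3 opt-outs and the `!ADH` exclusion are present on both the server and client side, and reads the DH parameter file to report the size of the prime. The DH parameter PEM parser is a minimal DER reader for the `SEQUENCE { INTEGER p, INTEGER g }` structure that `openssl dhparam` writes. The sample sendmail.cf text and the sample parameter files are constructed inline so the script runs offline; the 2048-bit minimum is this example's own choice, since the 1024-bit file generated in the post is what the update flagged as borderline territory.

```python
"""Audit the TLS options in a sendmail.cf and the size of its DH parameters."""
import base64
import re

# 1024-bit MODP prime from RFC 2409 (Oakley group 2), used only to build a realistic sample file.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(v):
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def dhparams_pem(p, g=2):
    """Build a 'DH PARAMETERS' PEM the way openssl dhparam does (constructed sample data)."""
    der = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(der)) + der
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n" + body + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, off):
    """Read one DER tag/length/value at buf[off]; return (tag, value, next offset)."""
    tag = buf[off]
    n = buf[off + 1]
    off += 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    return tag, buf[off:off + n], off + n


def dh_prime_bits(pem):
    """Bit length of the prime p in a DH PARAMETERS PEM (SEQUENCE { INTEGER p, INTEGER g })."""
    lines = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    der = base64.b64decode("".join(lines))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DH parameter SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()


def audit_sendmail_cf(cf_text, dh_files, min_dh_bits=2048):
    """Return findings for the TLS-related 'O' options in sendmail.cf text.

    dh_files maps a DHParameters path to that file's PEM text, so the check runs offline;
    in production, read the path from disk instead.  min_dh_bits is this example's policy.
    """
    opts = dict(re.findall(r"^O (\w+)=(.*)$", cf_text, re.M))
    findings = []
    dh = opts.get("DHParameters")
    if not dh:
        findings.append("DHParameters not set")
    elif dh not in dh_files:
        findings.append("DHParameters file missing: " + dh)
    else:
        bits = dh_prime_bits(dh_files[dh])
        if bits < min_dh_bits:
            findings.append("DH prime is %d bits, below %d" % (bits, min_dh_bits))
    for side in ("ServerSSLOptions", "ClientSSLOptions"):
        flags = opts.get(side, "").split()
        for want in ("+SSL_OP_NO_SSLv2", "+SSL_OP_NO_SSLv3"):
            if want not in flags:
                findings.append(side + " lacks " + want)
    if "!ADH" not in opts.get("CipherList", "").split(":"):
        findings.append("CipherList does not exclude anonymous DH (!ADH)")
    return findings


# Constructed sample: the option lines the post's LOCAL_CONFIG block yields in sendmail.cf.
SAMPLE_CF = """\
O CipherList=HIGH:!ADH
O DHParameters=/etc/pki/tls/certs/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
"""
# Constructed sample of a sendmail.cf that never got the fix.
WEAK_CF = "O CipherList=DEFAULT\n"

if __name__ == "__main__":
    files = {"/etc/pki/tls/certs/dhparams.pem": dhparams_pem(RFC2409_GROUP2_P)}
    for f in audit_sendmail_cf(SAMPLE_CF, files) or ["no findings"]:
        print(f)
```

With the 1024-bit file from the post the only finding is the DH size; regenerate with `openssl dhparam -out /etc/pki/tls/certs/dhparams.pem 2048` and the audit comes back clean. The 2048-bit value used in the test below is a non-prime placeholder of the right size, there only to exercise the length check.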