[BlueOnyx:17774] Re: Sendmail TLS Error

Michael Stauber mstauber at blueonyx.it
Fri Jun 12 19:53:54 -05 2015


Hi Dan,

> ... We don't define a DH key size in BX and as far as I can tell the
> default for Sendmail is 512bits for STARTTLS client which explains this
> all away.

I kinda hate to do such fundamental changes with a hot needle and in
such a rush. But I just did it anyway for 5207R, 5208R and 5209R:

http://devel.blueonyx.it/trac/changeset/2145

This is also published to the YUM repositories as of this moment.

What it does:

It creates a 2048 bit DH file. Then sendmail.mc is amended with the
following provisions (if not already present):

define(`confDH_PARAMETERS',`/usr/share/ssl/certs/sendmail-2048.dh')
LOCAL_CONFIG
O CipherList=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

The above will look weird in this email due to the odd line wraps. But
what it does is this:

1.) Adds the provisions for the 2048 bit Diffie-Hellman file.
2.) Enforces a pretty solid cipher list and disables weak ciphers.
3.) Disables SSLv2 and SSLv3 for server connections
4.) Disables SSLv2 and SSLv3 for client connections

Just to avoid confusion: The "CipherList" has +SSLv3 in it. That's
unrelated to the SSLv3 *protocol*. There are some ciphers under the
SSLv3 shortcut which we want. They are independent from the SSLv3
*protocol*. Which we turn off separately elsewhere.

As I said in the other message: A bit of this is redundant. So far I had
avoided giving Sendmail the bat in regards to ciphers and protocols, but
this time around I feel we need it. I've seen too many error messages in
regards to the SSLv3 protocol on my own mailservers and I feel that most
of that is related to some forms of attempted abuse.

I will also roll this up for 5106R, 5107R and 5108R. But not sure if I
can manage that today. If not it'll hit the YUM repositories on Saturday.

-- 
With best regards

Michael Stauber
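The following is an added example, not the BlueOnyx changeset linked above and not code from this message: a POSIX shell script that does the three things the message lists (creates the 2048-bit DH file with openssl, then appends the confDH_PARAMETERS define, the LOCAL_CONFIG block and the three O lines to sendmail.mc only if they are not already present, line for line). The function names, the APPLY_SENDMAIL_TLS guard and the check_no_sslv3 helper are this example's own; the file paths and option values are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: idempotently apply the Sendmail TLS hardening described in
# the message (DH file, cipher list, no SSLv2/SSLv3). Not BlueOnyx code.

# Paths and values as quoted in the message; MC_FILE is an assumption.
MC_FILE="${MC_FILE:-/etc/mail/sendmail.mc}"
DH_FILE="${DH_FILE:-/usr/share/ssl/certs/sendmail-2048.dh}"
CIPHERLIST='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

# Generate the DH parameter file only when it is missing or empty;
# "openssl dhparam 2048" can take a minute or more, so never redo it.
# Afterwards verify that the file actually parses as DH parameters.
make_dh_file() {
    dh="$1"
    if [ ! -s "$dh" ]; then
        openssl dhparam -out "$dh" 2048 || return 1
        chmod 0644 "$dh"
    fi
    openssl dhparam -in "$dh" -noout -check >/dev/null 2>&1
}

# Append one line to the mc file unless an identical line (exact,
# whole-line, fixed-string match) is already there. Running the
# script twice therefore never duplicates a provision.
add_line_once() {
    mc="$1"; line="$2"
    if ! grep -qxF -- "$line" "$mc"; then
        printf '%s\n' "$line" >> "$mc"
    fi
}

# The five provisions from the message, appended in the order given there.
# In a double-quoted shell string "\`" yields the literal m4 opening quote.
amend_sendmail_mc() {
    mc="$1"; dh="$2"
    add_line_once "$mc" "define(\`confDH_PARAMETERS',\`$dh')"
    add_line_once "$mc" "LOCAL_CONFIG"
    add_line_once "$mc" "O CipherList=$CIPHERLIST"
    add_line_once "$mc" "O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE"
    add_line_once "$mc" "O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3"
}

# After sendmail.cf has been rebuilt and sendmail restarted, this returns
# success only if the server refuses an SSLv3 STARTTLS handshake. It needs
# an openssl binary with SSLv3 support compiled in (true for OpenSSL 1.0.1
# of that era; newer builds may reject -ssl3 outright, which also counts
# as "not negotiable" here). Network check, not exercised by the test.
check_no_sslv3() {
    host="${1:-localhost}"
    if printf 'QUIT\r\n' | openssl s_client -connect "$host:25" -starttls smtp -ssl3 >/dev/null 2>&1; then
        echo "FAIL: $host still negotiates SSLv3" >&2
        return 1
    fi
    echo "OK: $host refuses SSLv3"
}

# Only touch the live system when explicitly asked:
#   APPLY_SENDMAIL_TLS=yes sh sendmail-tls.sh
if [ "${APPLY_SENDMAIL_TLS:-no}" = yes ]; then
    make_dh_file "$DH_FILE" \
        && amend_sendmail_mc "$MC_FILE" "$DH_FILE" \
        && echo "sendmail.mc amended; rebuild sendmail.cf (m4) and restart sendmail"
fi
```

Because every line is matched as an exact fixed string, a provision that is already present in a different form (a differently quoted define, or a CipherList with one cipher changed) is not recognised and a second copy is appended; whichever O line comes last in the generated sendmail.cf wins, so inspect sendmail.mc once after the first run.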
