[BlueOnyx:23839] Re: Question about sendmail TLS in 5210R

Michael Stauber mstauber at blueonyx.it
Thu May 14 14:24:53 -05 2020

Hi Dirk,

> one of our customers is using a 5210R Server also very intensively for his
> emails.
> Therefore the question (which I don't need to discuss in principle): Is
> it possible to let sendmail speak TLSv1.1 under 5210R (CentOS8) or is it
> not possible?
> Simply adding +SSL_OP_ALLOW_TLSv1_1 to the ServerSSLOptions and
> ClientSSLOptions line is not enough. Then sendmail will fail to start
> with a "sm-client.service: Job sm-client.service/start failed with
> result 'dependency'".
> If there is the possibility, what do I have to do to make it work?

I just checked. The sendmail.mc on 5210R has the following SSL/TLS settings:

sendmail.mc / sendmail.cf:

O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

As you can see, this only disables SSLv2 and SSLv3, as I reasoned that
for email we might offer a bit more leeway than for web.

However: Even though I did *not* disable TLSv1.0 or TLSv1.1 in Sendmail,
we can see that on 5210R neither of them seems to work. Only TLSv1.2 and
TLSv1.3 work.

You can use OpenSSL from the command line to test which TLS versions
work against Sendmail on 5210R:

#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1

#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1_1

#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1_2

#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1_3

This shows us then that only TLSv1.2 and TLSv1.3 actually do work.
Anything else produces errors like this in /var/log/maillog:

May 14 12:06:35 5210r sendmail[16724]: STARTTLS=server, error: accept
failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1

Even commenting out the SSL options in Sendmail and restarting it makes
no difference. Hence we can assume that the stock Sendmail on CentOS 8
no longer supports anything but TLSv1.2 and TLSv1.3 out of the box and
the usual Sendmail mechanisms we know don't allow us to enable it.

The Sendmail %changelog doesn't show any indication as to why this might
be the case.

However, there is a CentOS bugticket that holds the answers:


So here is the fix/work-around:

On 5210R run this as root:

#> update-crypto-policies --set LEGACY
#> systemctl restart sendmail

The "update-crypto-policies" recommends a reboot, but I leave that up to
you. The Sendmail restart fixed the issue for me and TLSv1.0 and TLSv1.1
started to work.

If you ever need or want to go back, you can run this:

#> update-crypto-policies --set DEFAULT
#> systemctl restart sendmail

With best regards

Michael Stauber
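Added example, not code from Michael's post or from BlueOnyx: a Python script that runs the same per-version STARTTLS probe as the four openssl s_client commands above in one go, and tallies the "STARTTLS=server, error: ... reason=..." failures Sendmail writes to /var/log/maillog, so a change of crypto policy can be checked both from the client side and from the server's own log. The host name and all log lines except the one quoted in the post are constructed placeholders.

```python
"""Added example, not BlueOnyx code: probe which TLS versions an SMTP
server will negotiate over STARTTLS (one pinned handshake per version,
like the openssl s_client -tls1_x commands) and tally the STARTTLS
failures Sendmail writes to /var/log/maillog.  The host name and the
constructed log lines below are samples, not real data."""
import re
import smtplib
import ssl
import sys
from collections import Counter

# Versions to try, oldest first.  The local OpenSSL (and its own crypto
# policy) may refuse to offer TLSv1.0/TLSv1.1 on a DEFAULT-policy client.
TLS_VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_starttls(host, version, port=25, timeout=10):
    """Return True if the server completes a STARTTLS handshake pinned to
    exactly `version`.  Certificate verification is off on purpose: the
    question here is protocol support, not certificate validity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return False  # the local OpenSSL build does not know this version
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False
            smtp.starttls(context=ctx)
            return True
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return False


def probe_all(host, port=25):
    """Map version name -> negotiated?, e.g. {'TLSv1.2': True, ...}."""
    return {name: probe_starttls(host, ver, port) for name, ver in TLS_VERSIONS}


# Shape of the failure Sendmail logs when a peer offers a version it
# cannot accept (see the maillog line quoted in the post).
STARTTLS_ERR = re.compile(
    r"sendmail\[\d+\]: STARTTLS=(?P<side>server|client), error: "
    r"(?P<op>accept|connect) failed=(?P<rc>-?\d+), reason=(?P<reason>[^,]+)"
)


def tally_starttls_failures(lines):
    """Count STARTTLS failures per 'side:reason' across maillog lines."""
    counts = Counter()
    for line in lines:
        m = STARTTLS_ERR.search(line)
        if m:
            counts[f"{m['side']}:{m['reason']}"] += 1
    return dict(counts)


# Constructed sample: the first line is the one from the post, the other
# two are made up to show that successful/unrelated entries are ignored.
SAMPLE_MAILLOG = [
    "May 14 12:06:35 5210r sendmail[16724]: STARTTLS=server, error: accept "
    "failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1",
    "May 14 12:06:51 5210r sendmail[16731]: STARTTLS=server, error: accept "
    "failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1",
    "May 14 12:07:02 5210r sendmail[16738]: STARTTLS=server, relay=mx.example.net "
    "[192.0.2.10], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384",
]


if __name__ == "__main__":
    # Placeholder host name; pass the real 5210R host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "5210r.example.invalid"
    for name, ok in probe_all(target).items():
        print(f"{name}: {'negotiated' if ok else 'refused'}")
    print(tally_starttls_failures(SAMPLE_MAILLOG))
```

Run it as `python3 probe.py 5210r.smd.net` before and after `update-crypto-policies --set LEGACY`; on a DEFAULT-policy client the TLSv1.0/TLSv1.1 rows may read "refused" because the client's own OpenSSL will not offer them, so a refusal is only conclusive about the server when the probe is run from a host that can still speak those versions. The tally of `server:unsupported protocol` is the thing to watch in the server's maillog: it shows how many peers are still arriving with versions the current policy rejects, which is the number to weigh before deciding whether LEGACY is worth keeping.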