[BlueOnyx:23843] Re: Question about sendmail TLS in 5210R
dirk.estenfeld at blackpoint.de
Fri May 15 01:51:30 -05 2020
Thank you very much for the research and for reporting the result.
This was very helpful. Sendmail is now accepting TLSv1 and v1.1 connections.
I did not find the bug ticket during my research yesterday...
blackpoint GmbH Friedberger Straße 106b 61118 Bad Vilbel
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On behalf of Michael
Sent: Thursday, 14 May 2020 21:25
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:23839] Re: Question about sendmail TLS in 5210R
> One of our customers also uses a 5210R server very intensively for
> his emails.
> Therefore the question (which I don't need to discuss in principle):
> Is it possible to let sendmail speak TLSv1.1 under 5210R (CentOS8) or
> is it not possible?
> Simply adding +SSL_OP_ALLOW_TLSv1_1 to the ServerSSLOptions and
> ClientSSLOptions line is not enough. Then sendmail will fail to start
> with a "sm-client.service: Job sm-client.service/start failed with
> result 'dependency'".
> If there is a possibility, what do I have to do to make it work?
I just checked. The sendmail.mc on 5210R has the following SSL/TLS settings:
sendmail.mc / sendmail.cf:
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
As you can see, this only disables SSLv2 and SSLv3, as I reasoned that for
email we might offer a bit more leeway than for web.
However: Even though I did *not* disable TLSv1.0 or TLSv1.1 in Sendmail, we
can see that on 5210R neither of them seem to work. Only TLSv1.2 and
You can use OpenSSL from the command line to test which TLS versions work
against Sendmail on 5210R:
#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1
#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1_1
#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1_2
#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1_3
This shows us then that only TLSv1.2 and TLSv1.3 actually do work.
Anything else produces errors like this in /var/log/maillog:
May 14 12:06:35 5210r sendmail: STARTTLS=server, error: accept
failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1
Even commenting out the SSL options in Sendmail and restarting it makes no
difference. Hence we can assume that the stock Sendmail on CentOS 8 no
longer supports anything but TLSv1.2 and TLSv1.3 out of the box and the
usual Sendmail mechanisms we know don't allow us to enable it.
The Sendmail %changelog doesn't show any indication as of why this might be
However, there is a CentOS bug ticket that holds the answers:
So here is the fix/work-around:
On 5210R run this as root:
#> update-crypto-policies --set LEGACY
#> systemctl restart sendmail
The "update-crypto-policies" command recommends a reboot, but I leave that up to
you. The Sendmail restart fixed the issue for me and TLSv1.0 and TLSv1.1
started to work.
If you ever need or want to go back, you can run this:
#> update-crypto-policies --set DEFAULT
#> systemctl restart sendmail
With best regards
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
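The four openssl s_client probes in Michael's reply, folded into a script that runs one pinned STARTTLS handshake per TLS version and classifies each transcript, as an added example (this is not code from either post in this thread). It assumes `openssl` and `timeout` are on PATH; the host name mail.example.net, the sample transcripts and the "MinProtocol = ..." line format of the crypto-policies back-end file are assumptions for illustration, not taken from the posts.

```shell
#!/bin/sh
# Probe which TLS versions an SMTP server will negotiate after STARTTLS,
# one pinned handshake per version, and classify each outcome.
# Added example; not code from the BlueOnyx posts. Assumes `openssl`
# (1.1.x or 3.x) and `timeout` are on PATH. "mail.example.net" in the
# usage line is a placeholder, not a real server.

# Classify one `openssl s_client` transcript read from stdin. Prints one line:
#   accepted <protocol> <cipher>   handshake completed
#   rejected-by-server             peer answered with a "protocol version" alert
#   rejected-by-client             local openssl refused to offer that version
#                                  (the CentOS 8 DEFAULT crypto policy does this
#                                  for -tls1 and -tls1_1 on the probing host)
#   failed                         anything else (no connection, no STARTTLS...)
classify_handshake() {
    out=$(cat)
    # A completed session prints "Protocol  : TLSv1.x" and "Cipher    : NAME";
    # a failed handshake prints the same block with "Cipher    : 0000".
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(TLSv1[.0-9]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1)
    if [ -n "$proto" ] && [ -n "$cipher" ] && [ "$cipher" != "0000" ]; then
        printf 'accepted %s %s\n' "$proto" "$cipher"
    elif printf '%s\n' "$out" | grep -qiE 'alert protocol version|unsupported protocol'; then
        printf 'rejected-by-server\n'
    elif printf '%s\n' "$out" | grep -qi 'no protocols available'; then
        printf 'rejected-by-client\n'
    else
        printf 'failed\n'
    fi
}

# One STARTTLS handshake pinned to a single version flag
# ($3 is -tls1, -tls1_1, -tls1_2 or -tls1_3). QUIT on stdin makes
# s_client exit as soon as the handshake result is known.
probe_one() {
    printf 'QUIT\r\n' | timeout 15 openssl s_client -connect "$1:$2" \
        -starttls smtp "$3" 2>&1 | classify_handshake
}

# Probe all four versions against host ($1) and port ($2, default 25).
probe_smtp_tls() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_one "$1" "${2:-25}" "$flag")"
    done
}

# Lowest version the local openssl will offer as a client, read from the
# system-wide crypto-policies back-end file on CentOS/RHEL 8. The
# "MinProtocol = ..." line format is an assumption; prints "unknown" if absent.
local_openssl_min_protocol() {
    f=${1:-/etc/crypto-policies/back-ends/opensslcnf.config}
    [ -r "$f" ] || { printf 'unknown\n'; return; }
    v=$(sed -n 's/^ *MinProtocol *= *\([A-Za-z0-9.]*\).*/\1/p' "$f" | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

# Constructed transcripts (not captured from any real host) so the
# classifier can be exercised offline.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
250 OK'
SAMPLE_SERVER_REJECT='CONNECTED(00000003)
140234:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'
SAMPLE_CLIENT_REJECT='140234:error:141640B5:SSL routines:tls_construct_client_hello:no protocols available:ssl/statem/statem_lib.c:117:'

# Usage: sh probe_tls.sh mail.example.net 25
if [ $# -ge 1 ]; then
    printf 'local openssl MinProtocol: %s\n' "$(local_openssl_min_protocol)"
    probe_smtp_tls "$@"
fi
```

Run it from a host other than the server under test, or read the MinProtocol line first: with the DEFAULT policy on CentOS 8 the client-side openssl will not even offer TLSv1.0/1.1, so -tls1 and -tls1_1 come back as rejected-by-client regardless of what Sendmail would accept. Keep in mind that `update-crypto-policies --set LEGACY` changes that floor for every OpenSSL, GnuTLS and NSS consumer on the box, not just Sendmail.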