[BlueOnyx:23843] Re: Question about sendmail TLS in 5210R

Dirk Estenfeld dirk.estenfeld at blackpoint.de
Fri May 15 01:51:30 -05 2020


Hello Michael,

thank you very much for the research and reporting the result.
This was very helpful. Sendmail is now accepting TLSv1 and v1.1 connections.
I did not find the bug ticket during my research yesterday...

Best regards,
Dirk
 

 
blackpoint GmbH – Friedberger Straße 106b – 61118 Bad Vilbel 

 
-----Ursprüngliche Nachricht-----
Von: Blueonyx <blueonyx-bounces at mail.blueonyx.it> Im Auftrag von Michael
Stauber
Gesendet: Donnerstag, 14. Mai 2020 21:25
An: blueonyx at mail.blueonyx.it
Betreff: [BlueOnyx:23839] Re: Question about sendmail TLS in 5210R

Hi Dirk,

> one of our customer is using a 5210R Server also very intensive for 
> his emails.
>
> Therefore the question (which I don't need to discuss in principle): 
> Is it possible to let sendmail speak TLSv1.1 under 5210R (CentOS8) or 
> is it not possible?
> 
> Simply adding +SSL_OP_ALLOW_TLSv1_1 to the ServerSSLOptions and 
> ClientSSLOptions line is not enough. Then sendmail will fail to start 
> with a "sm-client.service: Job sm-client.service/start failed with 
> result 'dependency'".
> 
> If there is the possibility. What do I have to do to make it work?

I just checked. The sendmail.mc on 5210R has the following SSL/TLS settings:

sendmail.mc / sendmail.cf::

O
CipherList=HIGH:MEDIUM:LOW:!aNULL:!eNULL:!3DES:!EXP:!PSK:!DSS:!SEED:!DES:!ID
EA
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
+SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

As you can see, this only disables SSLv2 and SSLv3, as I reasoned that for
email we might offer a bit more leeway than for web.

However: Even though I did *not* disable TLSv1.0 or TLSv1.1 in Sendmail, we
can see that on 5210R neither of them seem to work. Only TLSv1.2 and
TLSv1.3 work.

You can use OpenSSL from the command line to test which TLS versions work
against Sendmail on 5210R:

#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1

#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1_1

#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1_2

#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1_3

This shows us then that only TLSv1.2 and TLSv1.3 actually do work.
Anything else produces errors like this in /var/log/maillog:

May 14 12:06:35 5210r sendmail[16724]: STARTTLS=server, error: accept
failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1

Even commenting out the SSL options in Sendmail and restarting it makes no
difference. Hence we can assume that the stock Sendmail on CentOS 8 no
longer supports anything but TLSv1.2 and TLSv1.3 out of the box and the
usual Sendmail mechanisms we know don't allow us to enable it.

The Sendmail %changelog doesn't show any indication as of why this might be
the case.

However, there is a CentOS bugticket that holds the answers:

https://bugs.centos.org/view.php?id=16484

So here is the fix/work-around:


On 5210R run this as root:
===========================

#> update-crypto-policies --set LEGACY
#> systemctl restart sendmail

The "update-crypto-policies" recommends a reboot, but I leave that up to
you. The Sendmail restart fixed the issue for me and TLSv1.0 and TLSv1.1
started to work.

If you ever need or want to go back, you can run this:

#> update-crypto-policies --set DEFAULT
#> systemctl restart sendmail


--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5506 bytes
Desc: not available
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20200515/ea8cb974/attachment-0001.p7s>


More information about the Blueonyx mailing list