Sendmail has done it again – proved just how powerful it is, as long as you know what you’re doing.<\/p>\n
While investigating the configuration of the ciphers to used by Apache ( The “standard” encryption related options (enabled with the There are some other useful options available when the <\/p>\n Note:\u00a0You can determine the compile settings used for your version of Sendmail by running:<\/p>\n <\/p>\n These four options do not appear to be documented properly anywhere – even the Sendmail source code is pretty light on their configuration syntax and use. The These four options are configured in the <\/p>\n The options described:<\/p>\nSSLCipherSuite<\/code>) and the associated SSLHonorCipherOrder<\/code> option (to ensure the server’s cipher preference order is used), I realised that although I enable TLS on my Sendmail instances I don’t configure the cipher options. Given I’d spent some time coming up with my preferred cipher order for Apache (unfortunately RC4-SHA is fairly high on the list) I decided I may as well put it in place for other daemons which perform OpenSSL based encryption (Sendmail and IMAP for instance). Given the available Sendmail documentation is light on this subject I had to go digging.<\/p>\nSTARTTLS<\/code> define at compilation time) for Sendmail are pretty well documented<\/a> and understood:
\nServerCertFile
\nServerKeyFile
\nClientCertFile
\nClientKeyFile
\nCACertFile
\nCACertPath
\nDHParameters
\nTLSSrvOptions
\nRandFile
\nCRLFile<\/code><\/p>\nSTARTTLS<\/code> define is combined with the _FFR_TLS_1<\/code> define at compile time.
\nDHParameters512
\nCipherList
\nServerSSLOptions
\nClientSSLOptions<\/code><\/p>\nsendmail -d0.14 -bt < \/dev\/null<\/code><\/p>\nCipherList<\/code> option is mentioned as an available option on a page titled “Tips and Tricks for Sendmail Hackers<\/a>“, dated 2006-03-31. There are a few other web pages and blog posts which mention or show one how to use the CipherList<\/code> option. No mention is made of the remaining three.<\/p>\nLOCAL_CONFIG<\/code> section of your sendmail.mc<\/code> file. The following is an example (which may or may not be suitable for you) of such a section:<\/p>\nLOCAL_CONFIG
\nO CipherList=HIGH:RC4-SHA:RC4-MD5
\nO\u00a0ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE
\n<\/code><\/p>\nCipherList<\/code><\/strong> : This option configures the available cipher list for encrypted connections. Your cipher list can be tuned by using the openssl ciphers -v<\/code><\/a> command. Stronger ciphers are obviously better. Excluding weak ciphers may mean that very old clients will be unable to connect. Note that with SSLv3 and TLS1.x the client, by default, will select its preferred cipher from the server’s list.<\/p>\nServerSSLOptions<\/code><\/strong> : This option configures the OpenSSL connection flags<\/a>\u00a0used for the SSL\/TLS connections into Sendmail. By default Sendmail, and most other applications using the OpenSSL library, uses the SSL_OP_ALL<\/code> composite flag for its connections. This option allows these flags to be altered. The first option to consider using is\u00a0SSL_OP_CIPHER_SERVER_PREFERENCE<\/code>. This option causes the server, rather than the client, to choose the cipher based on its preference order. The next option to consider is SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS<\/code>. This option disables a countermeasure against a SSLv3\/TLSv1 protocol vulnerability. This flag disables the countermeasure and is set by default when SSL_OP_ALL<\/code> is used. Thus, if one wishes to have the vulnerability countermeasure enabled, this flag needs to be disabled. Depending on the clients and servers of your Sendmail instance you may wish to consider the use of SSL_OP_NO_SSLv2<\/code>, SSL_OP_NO_SSLv3<\/code> and SSL_OP_NO_TLSv1<\/code>. Note that the current version of Sendmail does not have support for OpenSSL’s SSL_OP_NO_TLS_v1_1<\/code> nor for SSL_OP_NO_TLSv1_2<\/code>. These two could be quite useful and I have submitted a patch to Sendmail for these to be included. The value of this parameter is used to manipulate the bits passed to OpenSSL. Note that Sendmail starts with a value of SSL_OP_ALL<\/code> and this option modifies that value – it does not reset it from scratch. You manipulate the value using [+]SSL_OP_XXX<\/code> to SET the bits and using -SSL_OP_XXX<\/code> to CLEAR the bits. Thus a value of +SSL_OP_ALL<\/code> would have no effect (since those bits are already set. A value of -SSL_OP_ALL<\/code> would result in no bits being set. A useful value might be +SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE<\/code>.<\/p>\n