(2019-12-05)
Sendmail TLS configuration
This should be moderately best-practice as of the above date. Check the internet for updates.
Add this to your sendmail.mc:
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-intermediate.bundle')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-cert.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-key-decrypt.key')dnl
...naturally replacing the paths and names with the correct values for your host.
Change the corresponding DAEMON_OPTIONS lines to look like this:
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
Add this at the end of your sendmail.mc:
LOCAL_CONFIG
O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
O DHParameters=/etc/pki/tls/certs/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1
Generate the dhparams.pem file (the path given for DHParameters above):
# openssl dhparam -out dhparams.pem 2048
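The CipherList above is long enough that it is easy to lose track of what it actually admits. The following script is an added example, not part of the original page: it splits an OpenSSL cipher string into its positive entries and its "!" exclusions, and flags positive entries that still allow 3DES, non-AEAD CBC suites, or have no explicit ephemeral key-exchange prefix. The pattern names and categories are this example's own choice, not OpenSSL's; the optional expansion step calls `openssl ciphers -v`, which is a real OpenSSL subcommand.

```sh
#!/bin/sh
# Added example: audit a sendmail CipherList string offline.
# PAGE_CIPHERLIST is the list from the sendmail.mc fragment above.
PAGE_CIPHERLIST='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'

# cipherlist_positive: one positive entry (suite name or alias) per line.
cipherlist_positive() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!'
}

# cipherlist_excluded: the "!" exclusions, with the "!" stripped.
cipherlist_excluded() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's/^!//p'
}

# cipherlist_3des: positive entries that name a 3DES suite.
cipherlist_3des() {
    cipherlist_positive "$1" | grep 'DES-CBC3'
}

# cipherlist_cbc: positive entries that are CBC (non-AEAD) suites: no GCM,
# not an alias built with "+", and ending in the HMAC suffix.
cipherlist_cbc() {
    cipherlist_positive "$1" | grep -v 'GCM' | grep -v '+' | grep -E -- '-SHA(256|384)?$'
}

# cipherlist_no_pfs_prefix: positive entries with no ECDHE-/DHE-/kEDH prefix.
# Plain suite names here use RSA key exchange (no forward secrecy); aliases
# such as AES or CAMELLIA expand to both ephemeral and static variants, so
# they are listed for review rather than condemned outright.
cipherlist_no_pfs_prefix() {
    cipherlist_positive "$1" | grep -v -E '^(ECDHE-|DHE-|kEDH)'
}

# cipherlist_expand: what the local OpenSSL actually makes of the string
# (only meaningful on the host running sendmail; not run during self-test).
cipherlist_expand() {
    openssl ciphers -v "$1"
}

# Usage: sh audit.sh [expand]  (the "expand" argument is this example's own)
if [ "$#" -ge 1 ] && [ "$1" = "expand" ]; then
    cipherlist_expand "$PAGE_CIPHERLIST"
elif [ "$#" -ge 1 ]; then
    echo "3DES entries:";            cipherlist_3des "$PAGE_CIPHERLIST"
    echo "CBC (non-AEAD) entries:";  cipherlist_cbc "$PAGE_CIPHERLIST"
    echo "No ephemeral prefix:";     cipherlist_no_pfs_prefix "$PAGE_CIPHERLIST"
    echo "Excluded:";                cipherlist_excluded "$PAGE_CIPHERLIST"
fi
```

Run it with any argument to get the summary, or with `expand` on the mail host to see the list as that host's OpenSSL resolves it, which is the number that matters in practice: an alias that expands to nothing on an older build silently shortens the list.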
Restart sendmail and you should be good to go.
Test:
# openssl s_client -connect vsp1.example.local:25 -starttls smtp
Testing for specific versions of TLS (to prove that it won't do older, insecure versions):
# openssl s_client -starttls smtp -connect outbox.domain.com:25 -tls1
# openssl s_client -starttls smtp -connect outbox.domain.com:25 -tls1_1
# openssl s_client -starttls smtp -connect outbox.domain.com:25 -tls1_2
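Reading three s_client transcripts by eye is error-prone, and on a failed handshake s_client still prints a "Protocol" line naming the version you asked for. The script below is an added example, not part of the original page: it wraps the per-version tests above in a loop and classifies each result from the "New, ..." line, which carries a real protocol and cipher only when the handshake completed (a refused version prints "New, (NONE), Cipher is (NONE)"). The host and port are placeholders, the `-tls1_3` probe is an extension beyond the page's three commands (it needs OpenSSL 1.1.1 or later), and the two sample transcripts are constructed and trimmed so the classifier can be exercised without network access.

```sh
#!/bin/sh
# Added example: probe an SMTP server's STARTTLS support one TLS version at a
# time and classify each openssl s_client result. With the ServerSSLOptions
# above, the expected outcome is TLSv1 and TLSv1.1 refused, TLSv1.2 accepted.

# classify_handshake: read s_client output on stdin, print
# "accepted <protocol> <cipher>" or "refused", keyed on the "New, ..." line.
classify_handshake() {
    line=$(sed -n 's/^New, //p' | head -n 1)
    case "$line" in
        "(NONE),"*|"")
            echo refused ;;
        *)
            proto=${line%%,*}
            cipher=${line##*Cipher is }
            echo "accepted $proto $cipher" ;;
    esac
}

# probe_version: run the page's test for one version flag (-tls1, -tls1_1,
# -tls1_2, -tls1_3). </dev/null closes stdin so s_client does not sit waiting
# for a QUIT; stderr is merged so error output is part of what we classify.
probe_version() {
    host=$1; port=$2; flag=$3
    openssl s_client -starttls smtp -connect "$host:$port" "$flag" </dev/null 2>&1 \
        | classify_handshake
}

# Constructed sample transcripts (trimmed) for offline testing of the classifier.
SAMPLE_REFUSED='CONNECTED(00000003)
<pid>:error:<code>:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:<file>:<line>:SSL alert number 70
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

SAMPLE_ACCEPTED='CONNECTED(00000003)
depth=2 C = XX, O = Example Root CA
verify return:1
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)'

# Usage: sh probe.sh mail.example.com 25   (host and port are placeholders)
if [ "$#" -eq 2 ]; then
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
fi
```

If a probe for a version you expect to be refused comes back "accepted", the ClientSSLOptions/ServerSSLOptions change has not taken effect on that daemon (check that sendmail was restarted and that the mc file was regenerated into sendmail.cf); a probe that reports "refused" for -tls1_2 usually means the local OpenSSL build lacks that flag rather than a server problem, so look at the raw s_client output before blaming the server.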
Sources:
Update 2020-08-10
- change CipherList to WeakDH.org recommendations
- add how to create dhparams.pem
Update 2021-11-08
- add disabling of TLSv1 and TLSv1.1