
tls

Created by dave. Last edited by dave, one year and 319 days ago. Viewed 4,222 times. #8
(2019-12-05)

Sendmail TLS configuration

This should be moderately best-practice as of the above date. Check the internet for updates.

Add this to your sendmail.mc:

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-intermediate.bundle')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-cert.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-key-decrypt.key')dnl

...naturally replacing the paths and names with the correct values for your host.

Change the corresponding DAEMON_OPTIONS lines to look like this:

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

Add this at the end of your sendmail.mc (the ClientSSLOptions line applies the same minimum version to outbound connections, so this host will not negotiate TLS with peers that only speak TLS 1.0 or 1.1):

LOCAL_CONFIG
O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
O DHParameters=/etc/pki/tls/certs/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1

Generate the dhparams.pem file referenced by DHParameters (write it to, or move it to, the path given there):

# openssl dhparam -out dhparams.pem 2048
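Before restarting, it is worth confirming that the files named in the defines above actually agree with each other: a key that does not match the certificate, a chain that does not verify, or an unsafe key file mode each stop sendmail from bringing up STARTTLS. The script below is an added pre-flight check, not part of the original page. It parses the define and DHParameters lines out of sendmail.mc (the default path /etc/mail/sendmail.mc is an assumption) and runs openssl against the files; MC_SAMPLE is a constructed copy of the lines shown above, used only for a dry run of the parser.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original page: before restarting
# sendmail, confirm that the certificate, key, intermediate bundle, CA path
# and DH parameters named in sendmail.mc exist and agree with each other.
# The sendmail.mc path defaults to /etc/mail/sendmail.mc (an assumption).

# Print the value of define(`NAME', `VALUE')dnl from the .mc text on stdin.
mc_define() {
  sed -n "s/^define(\`$1', \`\([^']*\)')dnl.*/\1/p" | head -n 1
}

# Print the path from an "O DHParameters=/path" line in the .mc text on stdin.
mc_dhparams() {
  sed -n 's/^O DHParameters=\(.*\)$/\1/p' | head -n 1
}

# Constructed sample: the TLS-related lines from this page, used for a dry run.
MC_SAMPLE=$(cat <<'EOF'
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-intermediate.bundle')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-cert.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/wiki.xdroop.com/wiki.xdroop.com-key-decrypt.key')dnl
LOCAL_CONFIG
O DHParameters=/etc/pki/tls/certs/dhparams.pem
EOF
)

# Run the openssl checks against the files named in an .mc file.
# Returns 0 when everything agrees, 1 otherwise.
check_tls_files() {
  mc=${1:-/etc/mail/sendmail.mc}
  cert=$(mc_define confSERVER_CERT < "$mc")
  key=$(mc_define confSERVER_KEY < "$mc")
  bundle=$(mc_define confCACERT < "$mc")
  capath=$(mc_define confCACERT_PATH < "$mc")
  dh=$(mc_dhparams < "$mc")
  rc=0

  for f in "$cert" "$key" "$bundle" "$dh"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; rc=1; }
  done
  [ $rc -eq 0 ] || return $rc

  # The public key inside the certificate must equal the one derived from
  # the private key; if they differ sendmail cannot initialise TLS at all.
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: $key does not match $cert"; rc=1
  fi

  # The certificate must chain to a trusted root via the intermediate bundle,
  # which is exactly what a connecting MTA will try to verify.
  openssl verify -CApath "$capath" -untrusted "$bundle" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not verify with $bundle and $capath"; rc=1; }

  # sendmail's safety checks reject a key file that others can read;
  # column 8 of ls -l is the other-read bit.
  case "$(ls -l "$key" | cut -c8)" in
    r) echo "FAIL: $key is world-readable"; rc=1 ;;
  esac

  # The DH parameters file must parse and pass openssl's own parameter check.
  openssl dhparam -in "$dh" -check -noout >/dev/null 2>&1 \
    || { echo "FAIL: $dh is not a valid DH parameter file"; rc=1; }

  [ $rc -eq 0 ] && echo "ok: TLS files in $mc are consistent"
  return $rc
}

# Usage: sh check-sendmail-tls.sh [/path/to/sendmail.mc]
if [ $# -gt 0 ]; then
  check_tls_files "$1"
fi
```

Run it as root (the key file is not readable otherwise) and fix every FAIL line before restarting; the parser deliberately only matches the exact define(`NAME', `VALUE')dnl form used on this page, so a define written with different quoting will show up as "cannot read".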

Restart sendmail and you should be good to go.

Test:

# openssl s_client -connect vsp1.example.local:25 -starttls smtp

Testing for specific versions of TLS (to confirm that it refuses the older, insecure versions and still accepts TLS 1.2):

# openssl s_client -starttls smtp -connect outbox.domain.com:25 -tls1
# openssl s_client -starttls smtp -connect outbox.domain.com:25 -tls1_1
# openssl s_client -starttls smtp -connect outbox.domain.com:25 -tls1_2
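Reading three s_client transcripts by eye is error-prone, and on newer OpenSSL builds the -tls1 and -tls1_1 probes can fail on the client side before the server is ever asked, which looks like a pass but proves nothing. The script below is an added example, not part of the original page: it runs the same three probes, classifies each transcript, and judges the result against the policy the configuration above is meant to enforce (TLS 1.0 and 1.1 refused, TLS 1.2 accepted). The host name and port are assumptions, and the SAMPLE_* transcripts are constructed, abridged s_client output used only to exercise the classifier offline.

```shell
#!/bin/sh
# Added example, not from the original page: automate the three openssl
# s_client probes and judge them against the page's policy
# (TLS 1.0 and 1.1 refused, TLS 1.2 accepted). Host and port are
# assumptions; the SAMPLE_* transcripts are constructed for a dry run.

# Classify one openssl s_client transcript read from stdin as
# accepted | rejected | unsupported-locally.
classify_handshake() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'no protocols available'; then
    # Our own openssl would not offer that version (OpenSSL 3 builds often
    # refuse -tls1/-tls1_1), so the server was never actually probed.
    echo unsupported-locally
  elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    # The server alerted or dropped the handshake: no cipher was negotiated.
    echo rejected
  elif printf '%s\n' "$out" | grep -Eq '^ *Protocol *: TLSv1\.[23]'; then
    echo accepted
  else
    echo rejected
  fi
}

# Apply the page's policy to one (flag, classification) pair:
# prints pass | fail | inconclusive.
verdict() {
  case "$1:$2" in
    *:unsupported-locally)                            echo inconclusive ;;
    -tls1:rejected|-tls1_1:rejected|-tls1_2:accepted) echo pass ;;
    *)                                                echo fail ;;
  esac
}

# Probe one protocol version; </dev/null makes s_client exit after the handshake.
probe_version() {
  openssl s_client -starttls smtp -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# Probe TLS 1.0, 1.1 and 1.2 in turn; exit status 1 if any probe fails policy.
audit_starttls() {
  host=$1; port=${2:-25}; rc=0
  for flag in -tls1 -tls1_1 -tls1_2; do
    result=$(probe_version "$host" "$port" "$flag")
    v=$(verdict "$flag" "$result")
    echo "$v: $flag -> $result"
    if [ "$v" = fail ]; then rc=1; fi
  done
  return $rc
}

# Constructed transcripts (abridged) for exercising the classifier offline.
SAMPLE_ACCEPTED=$(cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
)
SAMPLE_REJECTED=$(cat <<'EOF'
CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
EOF
)
SAMPLE_UNSUPPORTED=$(cat <<'EOF'
CONNECTED(00000003)
SSL routines:ssl_choose_client_version:no protocols available
EOF
)

# Usage: sh audit-starttls.sh outbox.domain.com [25]
if [ $# -gt 0 ]; then
  audit_starttls "$1" "${2:-25}"
fi
```

An "inconclusive" line means the probing host's own openssl no longer offers that version; rerun from a machine whose OpenSSL still speaks TLS 1.0/1.1, otherwise the server's refusal is not actually demonstrated. Repeat the audit against the submission (587) and smtps (465, without -starttls) listeners too, since each DAEMON_OPTIONS entry is a separate attack surface with the same server options.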

Sources:

Update 2020-08-10
  • change CipherList to the WeakDH.org recommendations
  • add how to create dhparams.pem
Update 2021-11-08
  • add disabling of TLSv1 and TLSv1.1