Securing sendmail with SSL/TLS on RHEL7

Updated -

Securing sendmail (sendmail-8.14.7-4.el7) that uses openssl

This article is part of the Securing Applications Collection

WARNING

As of the RHEL7.6 release sendmail is deprecated package. This means it will no longer be available in a later major release of RHEL. Customers are advised to migrate to postfix which is the default MTA shipped in RHEL7.

Configuration File

   /etc/mail/sendmail.mc

shortform

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/sendmail.int.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/private/sendmail.key')dnl
define(`confDH_PARAMETERS', `/etc/pki/tls/private/sendmail.dh.param')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

and at the end of the file

LOCAL_CONFIG
O CipherList=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Protocols

    O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
    O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

TLSv1.0 and better

Protocol - Alternative Values

O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1

TLSv1.1 or better. TLSv1 is disabled.

O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2

Allow SSLv3 for really old environments

Ciphers

    O CipherList=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

Currently recommended ciphers

Ciphers - Alternative Values

O CipherList=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:RC4-SHA:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

Add RC4-SHA for older systems compatibility

O CipherList=ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Allow very old ciphers

Certificate Handling

Sendmail expects separate PEM format files for key and certificate, and another for the CA chain. It also needs a CA bundle for verification when operating as a client.

Key File

define(`confSERVER_KEY', `/etc/pki/tls/private/sendmail.key')dnl

key should be readable only by root

Certificate File

define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl

Certificate Authority Chain

define(`confCACERT', `/etc/pki/tls/certs/sendmail.int.crt')dnl

Intermediate and Root certificates for the CertificateFile

Diffie-Helman Parameter File

define(`confDH_PARAMETERS', `/etc/pki/tls/private/sendmail.dh.param')dnl

The use of stronger ciphers can be enabled by ensuring there is a Diffie-Helman parameter file available
This file should be renewed on a periodic (weekly) basis.

openssl dhparam -out /etc/pki/tls/private/sendmail.dh.param.tmp 2048
mv /etc/pki/tls/private/sendmail.dh.param.tmp  /etc/pki/tls/private/sendmail.dh.param

Comments