Securing sendmail with SSL/TLS on RHEL6

Securing sendmail (sendmail-8.14.4-9.el6_8.1) that uses openssl

This article is part of the Securing Applications Collection

Configuration File

   /etc/mail/sendmail.mc

Short form

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/sendmail.int.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.key')dnl
define(`confDH_PARAMETERS', `/etc/pki/tls/private/sendmail.dh.param')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

and at the end of the file

LOCAL_CONFIG
O CipherList=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Protocols

    O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
    O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

TLSv1.0 and better

Protocol - Alternative Values

O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1

TLSv1.1 or better. TLSv1 is disabled.

O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2

Allow SSLv3 for really old environments

Limitations

Currently it is not possible to disable TLSv1.1 or TLSv1.2

Ciphers

    O CipherList=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

Currently recommended ciphers

Ciphers - Alternative Values

O CipherList=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:RC4-SHA:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

Add RC4-SHA for compatibility with older systems

O CipherList=ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Allow very old ciphers

Certificate Handling

Sendmail expects separate PEM format files for key and certificate, and another for the CA chain. It also needs a CA bundle for verification when operating as a client.

Key File

define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.key')dnl

The key file should be readable only by root.

Certificate File

define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl

Certificate Authority Chain

define(`confCACERT', `/etc/pki/tls/certs/sendmail.int.crt')dnl

The intermediate and root certificates that complete the chain for the certificate file.
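The script below is an added audit helper; it is not part of the original article and not a sendmail tool. It reads the O lines of a sendmail.mc and reports any deviation from the "TLSv1.0 and better" protocol profile and the recommended cipher exclusions above, and checks the key-file permission rule from the Key File section. The function names (mc_option, check_tls_profile, owner_only, expand_ciphers) and the script filename are this example's own; openssl is optional and only used to show what the cipher list expands to on the host.

```shell
#!/bin/sh
# Added audit helper for the sendmail TLS settings; not from the original
# article and not part of sendmail. Reads the "O ..." lines of a sendmail.mc
# LOCAL_CONFIG block and checks them against the "TLSv1.0 and better" profile,
# then checks that the key file is readable by its owner only. Assumes a POSIX
# sh with sed, tail, ls, cut and awk.

# Print the value of the last "O Name=value" line for an option, or nothing.
#   $1 = sendmail.mc path, $2 = option name (e.g. ServerSSLOptions)
mc_option() {
    sed -n "s/^O $2=//p" "$1" | tail -n 1
}

# Return 0 when every required token is present in a space-separated
# SSLOptions value.
#   $1 = option value, $2... = required tokens
has_tokens() {
    val=$1; shift
    for tok in "$@"; do
        case " $val " in
            *" $tok "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Return 0 when the file matches the recommended profile; otherwise print one
# line per finding and return 1. Checked: SSLv2 and SSLv3 disabled for both
# server and client, the server picks the cipher, a CipherList is set, and
# RC4, MD5 and 3DES are explicitly excluded with "!" rules.
#   $1 = sendmail.mc path
check_tls_profile() {
    f=$1; rc=0
    srv=$(mc_option "$f" ServerSSLOptions)
    cli=$(mc_option "$f" ClientSSLOptions)
    ciphers=$(mc_option "$f" CipherList)

    has_tokens "$srv" +SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE ||
        { echo "ServerSSLOptions: SSLv2/SSLv3 still allowed or no server cipher preference"; rc=1; }
    has_tokens "$cli" +SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 ||
        { echo "ClientSSLOptions: SSLv2/SSLv3 still allowed"; rc=1; }
    [ -n "$ciphers" ] || { echo "CipherList: not set, OpenSSL's default list would be used"; rc=1; }
    for bad in RC4 MD5 3DES; do
        case ":$ciphers:" in
            *":!$bad:"*) ;;                         # explicitly excluded
            *) echo "CipherList: $bad is not excluded"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 when the file mode has no group or other bits (the key file rule).
#   $1 = path
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Show what the cipher list expands to with this host's OpenSSL, so that any
# suite that slipped past the "!" rules is visible. Silent without openssl.
#   $1 = cipher list string
expand_ciphers() {
    [ -n "$1" ] || return 0
    command -v openssl >/dev/null 2>&1 || return 0
    openssl ciphers -v "$1" | awk '{ print $1, $2, $3 }'
}

# Usage: sh audit_sendmail_tls.sh /etc/mail/sendmail.mc /etc/pki/tls/certs/sendmail.key
if [ $# -ge 1 ]; then
    check_tls_profile "$1"; status=$?
    if [ $# -ge 2 ] && ! owner_only "$2"; then
        echo "$2: key file is readable by group or other"; status=1
    fi
    expand_ciphers "$(mc_option "$1" CipherList)"
    exit $status
fi
```

Run against the alternative values, the script flags the SSLv3-allowing option lines and the list that adds RC4-SHA, which is the intended outcome: those variants are trade-offs for old peers, and the audit makes the trade-off visible rather than silent. The last O line wins, matching how sendmail applies repeated options.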

Diffie-Hellman Parameter File

define(`confDH_PARAMETERS', `/etc/pki/tls/private/sendmail.dh.param')dnl

Stronger (ephemeral Diffie-Hellman) ciphers can be enabled by ensuring a Diffie-Hellman parameter file is available.
This file should be renewed on a periodic (weekly) basis.

openssl dhparam -out /etc/pki/tls/private/sendmail.dh.param.tmp 2048
mv /etc/pki/tls/private/sendmail.dh.param.tmp /etc/pki/tls/private/sendmail.dh.param
