Securing sendmail with SSL/TLS on RHEL5


Securing sendmail (sendmail-8.13.8-10.el5_11), which uses OpenSSL

This article is part of the Securing Applications Collection

Version Warning

The version of sendmail on RHEL5 should always be at least sendmail-8.13.8-10.el5_11, since that is the version that allows SSLv3 to be disabled and so avoids the POODLE attack.

Configuration File

   /etc/mail/sendmail.mc

Short form

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/sendmail.int.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.key')dnl
define(`confDH_PARAMETERS', `/etc/pki/tls/private/sendmail.dh.param')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

and at the end of the file:

LOCAL_CONFIG
O CipherList=kDH:AES
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Protocols

    O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
    O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

TLSv1.0 and better.

Protocol - Alternative Values

SSLProtocol All -SSLv2 -SSLv3 -TLSv1

    O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_CIPHER_SERVER_PREFERENCE
    O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1

TLSv1.1 or better; TLSv1.0 is disabled.

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

    O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE
    O ClientSSLOptions=+SSL_OP_NO_SSLv2

Allows SSLv3 for really old environments.

Ciphers

    O CipherList=kDH:AES

Currently recommended ciphers.

Ciphers - Alternative Values

    O CipherList=kDH:AES:RC4-SHA

Allows old clients.

Certificate Handling

Sendmail expects separate PEM format files for the key and the certificate, plus another file holding the CA chain. It also needs a CA bundle (confCACERT_PATH) for verifying peer certificates when it operates as a client.

Key File

    define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.key')dnl

The key file should be readable only by root.

Certificate File

    define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl

Certificate Authority Chain

    define(`confCACERT', `/etc/pki/tls/certs/sendmail.int.crt')dnl

Intermediate and root certificates for the server certificate (confSERVER_CERT).

Diffie-Hellman Parameter File

    define(`confDH_PARAMETERS', `/etc/pki/tls/private/sendmail.dh.param')dnl

The use of stronger ciphers can be enabled by ensuring a Diffie-Hellman parameter file is available.
This file should be renewed on a periodic (weekly) basis.

    # generate into a temporary file, then replace the live file in one step
    openssl dhparam -out /etc/pki/tls/private/sendmail.dh.param.tmp 2048
    mv /etc/pki/tls/private/sendmail.dh.param.tmp /etc/pki/tls/private/sendmail.dh.param
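A static check of the settings in this article, added here as an example and not part of the article or of sendmail itself: it parses the define() and LOCAL_CONFIG option lines from sendmail.mc text, reports anything that falls short of the protocol, cipher and file policy described above, and runs against a constructed hardened sample plus a deliberately weakened copy (the WEAK_TOKENS list beyond RC4-SHA is an assumption). It inspects the file only; it does not prove what the running daemon negotiates.

```python
import re

# Policy distilled from the article: SSLv2/SSLv3 off for inbound (Server) and
# outbound (Client) TLS, server cipher ordering, and all key/cert/CA/DH files declared.
REQUIRED_OPTS = {
    "ServerSSLOptions": "+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE",
    "ClientSSLOptions": "+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3",
}
REQUIRED_DEFINES = ("confSERVER_KEY", "confSERVER_CERT", "confCACERT",
                    "confCACERT_PATH", "confDH_PARAMETERS")
# RC4-SHA is the article's "old clients" value; the other tokens are an assumed legacy list.
WEAK_TOKENS = {"RC4-SHA", "RC4-MD5", "RC4", "DES", "NULL", "aNULL", "EXPORT"}
DEFINE_RE = re.compile(r"^define\(`(\w+)',\s*`([^']*)'\)dnl$")  # m4 quoting: `name', `value'
OPTION_RE = re.compile(r"^O\s+(\w+)=(.*)$")                     # LOCAL_CONFIG "O name=value"

def parse_mc(text):
    defines, options = {}, {}
    for line in map(str.strip, text.splitlines()):
        d, o = DEFINE_RE.match(line), OPTION_RE.match(line)
        if d:
            defines[d.group(1)] = d.group(2)
        elif o:
            options[o.group(1)] = o.group(2).strip()
    return defines, options

def audit_mc(text):  # returns a list of findings; an empty list means the policy is met
    defines, options = parse_mc(text)
    findings = ["missing define %s" % n for n in REQUIRED_DEFINES if not defines.get(n)]
    for opt, required in REQUIRED_OPTS.items():
        present = set(options.get(opt, "").split())
        for flag in sorted(set(required.split()) - present):
            findings.append("%s lacks %s" % (opt, flag))
    for token in options.get("CipherList", "").split(":"):
        if token in WEAK_TOKENS:  # "!RC4"-style exclusions are deliberately not flagged
            findings.append("CipherList includes weak token %s" % token)
    return findings

# Constructed samples: the article's settings, then a copy that keeps SSLv3 outbound,
# allows RC4-SHA and comments out the DH parameter file with m4's dnl.
HARDENED_MC = """define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/sendmail.int.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.key')dnl
define(`confDH_PARAMETERS', `/etc/pki/tls/private/sendmail.dh.param')dnl
O CipherList=kDH:AES
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
"""
WEAK_MC = (HARDENED_MC.replace(" +SSL_OP_NO_SSLv3\n", "\n")
           .replace("kDH:AES", "kDH:AES:RC4-SHA")
           .replace("define(`confDH_PARAMETERS'", "dnl define(`confDH_PARAMETERS'"))
```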
