Securing sendmail with SSL/TLS on RHEL8
Securing sendmail (sendmail-8.15.2-34.el8), which uses openssl
This article is part of the Securing Applications Collection
NOTE sendmail in RHEL8 is deprecated and is unlikely to be included in the next major release of RHEL. You should plan to migrate to postfix for future releases.
Configuration File
/etc/mail/sendmail.mc
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/sendmail.int.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/private/sendmail.key')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
and, at the end of the file:
LOCAL_CONFIG
O ServerSSLOptions=+SSL_OP_CIPHER_SERVER_PREFERENCE
Protocols and Ciphers
sendmail ciphers and protocols are controlled by the system-wide crypto-policies package.
Cryptography in RHEL8
RHEL8 has a new mechanism to centralise the cryptographic defaults for a machine.
This is handled by the crypto-policies package. Details of the rationale and update policy can be found in other documents:
- Strong crypto defaults in RHEL-8 and deprecations of weak crypto algorithms
- System-wide crypto policies in RHEL 8
- The man page for the crypto-policies command.
Certificate Handling
Sendmail expects separate PEM format files for key and certificate, and another for the CA chain. It also needs a CA bundle for verification when operating as a client.
Key File
define(`confSERVER_KEY', `/etc/pki/tls/private/sendmail.key')dnl
The key file must be readable only by root.
Certificate File
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
Certificate Authority Chain
define(`confCACERT', `/etc/pki/tls/certs/sendmail.int.crt')dnl
The intermediate and root certificates for the certificate named in confSERVER_CERT.
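The following audit helper is an added example, not part of the article or of the sendmail package. It reads the confSERVER_KEY, confSERVER_CERT and confCACERT paths out of a sendmail.mc and checks the files the way an operator would before restarting sendmail: the key must not be group/other accessible, the certificate must carry the key's public key, and the certificate must verify against the chain file. The function names and the optional use of the openssl command line are assumptions of this example.

```shell
#!/bin/bash
# Added audit helper, not part of the article or the sendmail package.
# It reads the TLS file paths from a sendmail.mc and checks the files
# the way an operator would before restarting sendmail.

# mc_value FILE NAME: print the value of define(`NAME', `value')dnl
mc_value() {
    sed -n "s/^define(\`$2', *\`\([^']*\)')dnl.*/\1/p" "$1" | head -n 1
}

# key_mode_ok FILE: succeed only when group and other have no permission bits
key_mode_ok() {
    case "$(stat -L -c '%a' "$1")" in *00) return 0 ;; *) return 1 ;; esac
}

# cert_matches_key CERT KEY: succeed when both carry the same public key
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# audit_sendmail_tls MC: return 0 when every check passes, 1 otherwise
audit_sendmail_tls() {
    local mc=$1 key cert chain f rc=0
    key=$(mc_value "$mc" confSERVER_KEY)
    cert=$(mc_value "$mc" confSERVER_CERT)
    chain=$(mc_value "$mc" confCACERT)
    for f in "$key" "$cert" "$chain"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "missing or unreadable: ${f:-(unset)}"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    key_mode_ok "$key" || { echo "key is group/other accessible: $key"; rc=1; }
    if command -v openssl >/dev/null 2>&1; then
        cert_matches_key "$cert" "$key" || { echo "certificate does not match key"; rc=1; }
        openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
            || { echo "certificate does not chain to $chain"; rc=1; }
    else
        echo "openssl not found: key/certificate match and chain not verified"
    fi
    return "$rc"
}

# Stand-alone use: audit_sendmail_tls /etc/mail/sendmail.mc
if [ $# -gt 0 ]; then audit_sendmail_tls "$1"; fi
```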