RedHat released sendmail-8.13.8-10.el5_11.src.rpm which includes
sendmail-8.13.8-ssl-opts.patch which adds support for disabling
SSLv3 and SSLv2 in sendmail.cf

But as far as I can see there is no support in sendmail.mc - I can't
see how to compile sendmail.mc to get the required line
ServerSSLOptions in sendmail.cf

Does anyone know how to do this?

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)

On Thu, 16 Apr 2015, Andrew Daviel wrote:

> RedHat released sendmail-8.13.8-10.el5_11.src.rpm which includes
> sendmail-8.13.8-ssl-opts.patch which adds support for disabling
> SSLv3 and SSLv2 in sendmail.cf
>
> But as far as I can see there is no support in sendmail.mc - I can't
> see how to compile sendmail.mc to get the required line
> ServerSSLOptions in sendmail.cf
>
> Does anyone know how to do this?

At the end of sendmail.mc, after the MAILER macros, add a LOCAL_CONFIG, e.g.,

LOCAL_CONFIG
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE

--
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W

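A check of the generated sendmail.cf for the options in the reply above, as an added example that is not part of any message in this thread. The sample file is constructed, the function names are hypothetical, and the parser assumes the `O Name=value` form shown in the reply, whitespace-led continuation lines, and that the last active setting is the one in effect.

```shell
#!/bin/sh
# Added example: audit a sendmail.cf for the SSL option flags from the thread.

# ssl_opts FILE OPTION -> print the value of the last active "O OPTION=" line.
# Commented-out lines ("#O ...") never match because they do not start with "O ".
ssl_opts() {
    awk -v opt="$2" '
        /^[ \t]/ && cur { val = val " " $0; next }     # continuation of our option
        { cur = 0 }
        index($0, "O " opt "=") == 1 {                 # later lines replace earlier ones
            val = substr($0, length(opt) + 4); cur = 1; found = 1
        }
        END { if (found) { gsub(/[ \t]+/, " ", val); print val } }
    ' "$1"
}

# has_flags FILE OPTION FLAG... -> exit 0 only if every +FLAG is set on OPTION.
has_flags() {
    file=$1; opt=$2; shift 2
    value=$(ssl_opts "$file" "$opt")
    [ -n "$value" ] || return 1
    for flag in "$@"; do
        case " $value " in
            *" +$flag "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample: server option active, client option still commented out.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
EOF

for opt in ClientSSLOptions ServerSSLOptions; do
    if has_flags "$sample" "$opt" SSL_OP_NO_SSLv2 SSL_OP_NO_SSLv3; then
        echo "$opt: SSLv2 and SSLv3 disabled"
    else
        echo "$opt: SSLv2/SSLv3 NOT disabled"
    fi
done
```
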
On Thu, 16 Apr 2015, Paul Heinlein wrote:

> On Thu, 16 Apr 2015, Andrew Daviel wrote:
>
>> RedHat released sendmail-8.13.8-10.el5_11.src.rpm which includes
>> sendmail-8.13.8-ssl-opts.patch which adds support for disabling SSLv3 and
>> SSLv2 in sendmail.cf
>>
>> But as far as I can see there is no support in sendmail.mc - I can't see
>> how to compile sendmail.mc to get the required line ServerSSLOptions in
>> sendmail.cf
>>
>> Does anyone know how to do this?
>
> At the end of sendmail.mc, after the MAILER macros, add a LOCAL_CONFIG, e.g.,
>
> LOCAL_CONFIG
> O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
> O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE

Thanks. That was too obvious; I should have read more documentation.

The generic advisory said to add those lines to the LOCAL_CONFIG
section of my sendmail.mc, but I didn't have a LOCAL_CONFIG section,
so I assumed it was referring to a newer version of sendmail.

Meanwhile, I made a patch for sendmail-cf and sendmail-doc back-ported
from sendmail-8.15.1, if anyone's interested.

Andrew