On 04.07.2015 at 15:34, Gregory P. Ennis <PoMec at PoMec.Net> wrote:
> On Sat, 2015-07-04 at 08:07 -0500, Gregory P. Ennis wrote:
>> Everyone,
>>
>> Looks like the new version of openssl has broken my sendmail's use of
>> tls. Has anyone else had this problem or seen a fix?
>>
>> Greg Ennis
>
> I should have had a note with a few more details. Sorry!
>
> The os is Centos 5.11 with the latest update of openssl causing the
> problem. I will use the name "one.domain.com"
>
> Jul 03 04:19:14 Updated: openssl-0.9.8e-36.el5_11.i686
>
> It is interesting that this Centos 5.11 machine (one.domain.com)
> transfers its mail to our internal mail server that runs Centos
> 7.1.1503 (two.domain.com), and when the new openssl was updated June
> 16th on two.domain.com I had a similar problem. At that time when
> two.domain.com accepted tls from one.domain.com it failed until I entered
> "Try_TLS:one.domain.com NO" in the /etc/mail/access file of
> two.domain.com.
>
> My sendmail switches in one.domain.com include the following:
>
> define(`confAUTH_OPTIONS', `A p y')dnl
> dnl #
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> dnl #
> define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
> define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
> define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
> define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
> define(`confCLIENT_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
> define(`confCLIENT_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl
>
>
> I would like to be able to continue using tls on one.domain.com, but am
> ready to turn it off until this can be debugged. Has this problem
> affected anyone else?
Are there (server- C7, client-side C5) any ciphers configured? One change
addresses some weak DH parameters ...
https://rhn.redhat.com/errata/RHSA-2015-1197.html
--
LF