CentOS - Jul 2015 - sendmail tls and oppenssl

Everyone,

Looks like the new version of oppenssl has broken my sendmail's use of
tls.   Has anyone else had this problem or seen a fix?

Greg Ennis

On Sat, 2015-07-04 at 08:07 -0500, Gregory P. Ennis
wrote:
> Everyone,
> 
> Looks like the new version of oppenssl has broken my sendmail's use 
> of
> tls.   Has anyone else had this problem or seen a fix?
> 
> Greg Ennis
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
I should have had a note with a few more details.  Sorry!

The os is Centos 5.11 with the latest update of openssl causing the
problem. I will use the name "one.domain.com"

Jul 03 04:19:14 Updated: openssl-0.9.8e-36.el5_11.i686

It is interesting that this Centos 5.11 machine (one.domain.com)
transfers its mail to our internal mail server that runs Centos
7.1.1503 (two.domain.com), and when the new openssl was updated June
16th on two.domain.com I had a similar problem.  At that time when
two.domain.com accepted tls from one.domain.com it failed until I enter
"Try_TLS:one.domain.com      NO" in the /etc/mail/access file of
two.domain.com.  

My sendmail switches in one.domain.com include the following :

define(`confAUTH_OPTIONS', `A p y')dnl
dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN PLAIN')dnl
dnl #
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl


I would like to be able to continue using tls on one.domain.com, but am
ready to turn it off until this can be debugged.  Has this problem
affected anyone else.

Greg Ennis

Am 04.07.2015 um 15:34 schrieb Gregory P. Ennis <PoMec at
PoMec.Net>:
> On Sat, 2015-07-04 at 08:07 -0500, Gregory P. Ennis wrote:
>> Everyone,
>> 
>> Looks like the new version of oppenssl has broken my sendmail's use
>> of
>> tls.   Has anyone else had this problem or seen a fix?
>> 
>> Greg Ennis
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
> 
> I should have had a note with a few more details.  Sorry!
> 
> The os is Centos 5.11 with the latest update of openssl causing the
> problem. I will use the name "one.domain.com"
> 
> Jul 03 04:19:14 Updated: openssl-0.9.8e-36.el5_11.i686
> 
> It is interesting that this Centos 5.11 machine (one.domain.com)
> transfers its mail to our internal mail server that runs Centos
> 7.1.1503 (two.domain.com), and when the new openssl was updated June
> 16th on two.domain.com I had a similar problem.  At that time when
> two.domain.com accepted tls from one.domain.com it failed until I enter
> "Try_TLS:one.domain.com      NO" in the /etc/mail/access file of
> two.domain.com.  
> 
> My sendmail switches in one.domain.com include the following :
> 
> define(`confAUTH_OPTIONS', `A p y')dnl
> dnl #
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
> LOGIN PLAIN')dnl
> dnl #
> define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
> define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
> define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
> define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
> define(`confCLIENT_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
> define(`confCLIENT_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl
> 
> 
> I would like to be able to continue using tls on one.domain.com, but am
> ready to turn it off until this can be debugged.  Has this problem
> affected anyone else.

are there (server- C7, client-side C5) any ciphers configured? One change 
addresses some weak DH parameters ...
https://rhn.redhat.com/errata/RHSA-2015-1197.html

--
LF