Re: somewhat Off topic, Sendmail Issue

2011-10-12 Thread Dean E. Weimer

On 12.10.2011 15:16, Matthew Seaman wrote:

> _FFR_TLS_1 is actually already defined in the default sendmail on
> FreeBSD. See /usr/src/usr.sbin/sendmail/Makefile around line 63.
> It's also enabled in the ports version of sendmail, so long as you
> select the WITH_TLS option. I just added this setting to my sendmail
> config and it seems to work using the ports sendmail without having to
> recompile anything.
>
> It could certainly do with being mentioned in the documentation more
> prominently. There's not a hint of the CipherList option in
> /usr/share/sendmail/cf/README
>
> _FFR_SMTP_SSL on the other hand, doesn't appear anywhere under /usr/src
> -- think that must be a fossil remnant from some older version of
> sendmail.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
>   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
> JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Interesting info, I will take a look at that Makefile and see what I
find. I found those options to set originally on a web page, can't quite
remember where; I pieced info from a few different locations to get
everything working as I wanted.  I do know a lot of it was originally
done for an older version of FreeBSD, so perhaps it was an FFR option at
the time it was written.  One thing I have figured out in this process
is that Sendmail FFR compiled options are basically undocumented outside
of the source file comments.  Perhaps it was my inclusion of an old
setting that caused the ciphers to open up more to start with.  It did
pass the tests as is; I will look more into this though, and see if I
can't slim down the overall steps to get the server up and running
before it goes live on a production server.


--

Thanks,
 Dean E. Weimer
 dwei...@dweimer.net
 http://www.dweimer.net/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: somewhat Off topic, Sendmail Issue

2011-10-12 Thread Matthew Seaman
On 12/10/2011 20:36, Dean E. Weimer wrote:
> Well after searching the comp.mail.sendmail list through Google groups,
> I have come up with the following changes.
> 
> I changed the original /etc/make.conf:
> from this:
> SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
> to:
> SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL -D_FFR_TLS_1
> 
> redid the compile steps:
> 
> Added this to the end of /etc/mail/hostname.mc:
> LOCAL_CONFIG
> O CipherList=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
> 
> under /etc/mail
> executed the make, make install steps
> 
> After restarting, an attempt to do:
> /usr/local/bin/openssl s_client -starttls smtp -cipher EXP-RC4-MD5
> -connect localhost:25
> 
> Failed, this successfully connected before these changes.  Scans are
> running now, I will let you all know if it was successful.

_FFR_TLS_1 is actually already defined in the default sendmail on
FreeBSD.  See /usr/src/usr.sbin/sendmail/Makefile around line 63.
It's also enabled in the ports version of sendmail, so long as you
select the WITH_TLS option.  I just added this setting to my sendmail
config and it seems to work using the ports sendmail without having to
recompile anything.

It could certainly do with being mentioned in the documentation more
prominently.  There's not a hint of the CipherList option in
/usr/share/sendmail/cf/README

_FFR_SMTP_SSL on the other hand, doesn't appear anywhere under /usr/src
-- think that must be a fossil remnant from some older version of sendmail.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW



Re: somewhat Off topic, Sendmail Issue

2011-10-12 Thread Dean E. Weimer

On 12.10.2011 11:30, Daniel Feenberg wrote:

> There is an active Usenet group at comp.mail.sendmail.
>
> Does the ENCR parameter documented at
>
>   http://www.sendmail.org/m4/starttls.html
>
> do you any good? It doesn't restrict the method, only the number of bits
> in the key.
>
> Daniel Feenberg


Well after searching the comp.mail.sendmail list through Google groups,
I have come up with the following changes.

I changed the original /etc/make.conf:
from this:
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
to:
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL -D_FFR_TLS_1

redid the compile steps:

Added this to the end of /etc/mail/hostname.mc:
LOCAL_CONFIG
O CipherList=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

under /etc/mail
executed the make, make install steps

After restarting, an attempt to do:
/usr/local/bin/openssl s_client -starttls smtp -cipher EXP-RC4-MD5 -connect localhost:25

Failed; this successfully connected before these changes.  Scans are
running now, I will let you all know if it was successful.


--

Thanks,
 Dean E. Weimer
 dwei...@dweimer.net
 http://www.dweimer.net/



Re: somewhat Off topic, Sendmail Issue

2011-10-12 Thread Chuck Swiger
Hi--

On Oct 12, 2011, at 8:29 AM, Dean E. Weimer wrote:
> I know that setting this option in Apache does the trick for HTTPS, I just 
> need to figure out how to tell Sendmail to do the same.
> SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
> 
> If anyone has any idea how to do this, or any idea on what keywords to search 
> on that might find me the directions it would be a great help.

If you can't find a way of specifying the allowed SSL ciphers via sendmail 
config (as someone mentioned, you can test ${cipher_bits} against ENCR:bits, 
but that doesn't disable anonymous ciphers like ADH entirely), you can build a 
modern flavor of OpenSSL to /usr/local with the ciphers you don't like 
disabled, and rebuild sendmail against this OpenSSL.

I believe that the security/openssl already does most of this for you, and 
would be easy to tweak a bit more if that's needed.

Regards,
-- 
-Chuck



Re: somewhat Off topic, Sendmail Issue

2011-10-12 Thread Daniel Feenberg
On Wed, 12 Oct 2011, Dean E. Weimer wrote:

> I know this is a Sendmail issue, but I haven't been able to track down any
> information online, or found any Sendmail user email lists yet.  And since I
> am running it on a FreeBSD server, I thought I would try here and see if
> anyone knows the answer to my problem.
>
> I have enabled SSL on SMTP to enable the delivery and reception of TLS
> encrypted emails, the server is going to be used as a relay between a MS
> Exchange server and an external Spam filtering service that has an encrypted
> email sending application that strips attachments and creates a password
> protected HTTPS link based on keywords in the subject.
>
> Everything works as expected, but when I test the server against required PCI
> scans, it accepts weak encryption ciphers; I need to limit these ciphers.
> After a lot of extensive searching I have found references to the fact that
> it is possible to configure Sendmail to do this, but I can't find any
> documentation on how to do it.

There is an active Usenet group at comp.mail.sendmail.

Does the ENCR parameter documented at

  http://www.sendmail.org/m4/starttls.html

do you any good? It doesn't restrict the method, only the number of bits 
in the key.


Daniel Feenberg


somewhat Off topic, Sendmail Issue

2011-10-12 Thread Dean E. Weimer
I know this is a Sendmail issue, but I haven't been able to track down 
any information online, or found any Sendmail user email lists yet.  And 
since I am running it on a FreeBSD server, I thought I would try here 
and see if anyone knows the answer to my problem.


I have enabled SSL on SMTP to enable the delivery and reception of TLS 
encrypted emails, the server is going to be used as a relay between a MS 
Exchange server and an external Spam filtering service that has an 
encrypted email sending application that strips attachments and creates 
a password protected HTTPS link based on keywords in the subject.


Everything works as expected, but when I test the server against
required PCI scans, it accepts weak encryption ciphers; I need to limit
these ciphers.  After a lot of extensive searching I have found
references to the fact that it is possible to configure Sendmail to do
this, but I can't find any documentation on how to do it.


The server is running FreeBSD 8.2 which is patched up to p4, and 
Sendmail was configured with the following options, this test setup is 
also being used to test secure IMAP with authentication, so there are 
settings in here as well for Cyrus IMAP.


/etc/make.conf:
# Use OpenSSL from ports instead of base
WITH_OPENSSL_PORT=yes
# Enable SMTP Authentication
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
# Adding to enable alternate port (smtps) for sendmail...
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL

Steps done after editing /etc/make.conf:
cd /usr/src/lib/libsmutil
make cleandir && make obj && make
cd /usr/src/lib/libsm
make cleandir && make obj && make
cd /usr/src/usr.sbin/sendmail
make cleandir && make obj && make && make install

/etc/rc.conf:
# Enable Sendmail
saslauthd_enable="YES"
saslauthd_flags="-a sasldb"
cyrus_imapd_enable="YES"
sendmail_enable="YES"

/etc/mail/hostname.mc:
define(`confLOCAL_MAILER',`cyrusv2')
define(`CYRUS_MAILER_PATH',`/usr/local/cyrus/bin/deliver')
MAILER(`cyrusv2')
dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')
dnl Cert Options
define(`confCACERT_PATH', `/usr/local/etc/ssl/smtp')dnl
define(`confCACERT', `/usr/local/etc/ssl/smtp/gd_bundle.crt')dnl
define(`confSERVER_CERT', `/usr/local/etc/ssl/smtp/server.crt')dnl
define(`confSERVER_KEY', `/usr/local/etc/ssl/smtp/server.key')dnl
dnl DAEMON_OPTIONS
dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')


I know that setting this option in Apache does the trick for HTTPS, I 
just need to figure out how to tell Sendmail to do the same.
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2


If anyone has any idea how to do this, or any idea on what keywords to 
search on that might find me the directions it would be a great help.


--

Thanks,
 Dean E. Weimer
 dwei...@dweimer.net
 http://www.dweimer.net/
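The cipher string that runs through this whole thread (Apache's SSLCipherSuite, later Sendmail's `O CipherList=`) is an OpenSSL cipher-list expression, and the disagreement about ENCR:bits versus anonymous ciphers turns on how that grammar is evaluated. The following is an added example, not code from the thread, from Sendmail or from OpenSSL: it models the cipher-list rules (append, `-` remove, `!` remove permanently, `+` move to end, `A+B` as logical AND) over a small constructed cipher table, applies Dean's string to it, and checks Daniel's ENCR:bits idea against Chuck's caveat that key length alone does not exclude ADH. The `CIPHERS` table, its keyword attributes and the `probe_starttls` helper are my own constructions; the suite names are real OpenSSL names but the attributes are simplified.

```python
"""Model of the OpenSSL cipher-list grammar used by Apache's SSLCipherSuite
and Sendmail's CipherList, run over a constructed toy cipher table.
Added example for the freebsd-questions thread; not code from the thread,
from Sendmail or from OpenSSL."""
import smtplib
import ssl
from typing import Dict, List, NamedTuple, Optional, Set


class Cipher(NamedTuple):
    bits: int             # symmetric key length, what Sendmail's ENCR:bits compares
    keywords: Set[str]    # OpenSSL selector keywords the suite belongs to


# Constructed table: real suite names, attributes simplified from OpenSSL
# 1.0-era classifications.  Dict order stands in for the "ALL" order.
CIPHERS: Dict[str, Cipher] = {
    "NULL-MD5":           Cipher(0,   {"RSA", "eNULL", "MD5", "SSLv3"}),
    "EXP-RC4-MD5":        Cipher(40,  {"RSA", "RC4", "MD5", "EXP", "SSLv3"}),
    "DES-CBC-SHA":        Cipher(56,  {"RSA", "DES", "SHA", "LOW", "SSLv3"}),
    "RC4-MD5":            Cipher(128, {"RSA", "RC4", "MD5", "MEDIUM", "SSLv3"}),
    "RC4-SHA":            Cipher(128, {"RSA", "RC4", "SHA", "MEDIUM", "SSLv3"}),
    "ADH-AES256-SHA":     Cipher(256, {"ADH", "aNULL", "AES", "SHA", "HIGH", "SSLv3"}),
    "AES128-SHA":         Cipher(128, {"RSA", "AES", "SHA", "HIGH", "SSLv3"}),
    "AES256-SHA":         Cipher(256, {"RSA", "AES", "SHA", "HIGH", "SSLv3"}),
    "DHE-RSA-AES256-SHA": Cipher(256, {"DHE", "RSA", "AES", "SHA", "HIGH", "SSLv3"}),
    "DES-CBC3-MD5":       Cipher(168, {"RSA", "3DES", "MD5", "HIGH", "SSLv2"}),
}

# The string from the thread, used both for Apache and for Sendmail.
THREAD_SPEC = "ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2"


def _matches(name: str, body: str, table: Dict[str, Cipher]) -> bool:
    """An entry like 'RC4+RSA' is a logical AND of terms.  A term is a suite
    name, the keyword ALL (every suite except eNULL) or a selector keyword."""
    for term in body.split("+"):
        if term == "ALL":
            if "eNULL" in table[name].keywords:
                return False
        elif term in table:
            if term != name:
                return False
        elif not any(term in c.keywords for c in table.values()):
            raise ValueError(f"unknown cipher-list term: {term}")
        elif term not in table[name].keywords:
            return False
    return True


def select_ciphers(spec: str, table: Dict[str, Cipher] = CIPHERS) -> List[str]:
    """Evaluate a cipher-list string left to right, as OpenSSL does:
    no prefix appends matching suites not yet listed, '-' removes them
    (a later entry may add them back), '!' removes them for good, and
    '+' moves the already-listed matches to the end of the list."""
    selected: List[str] = []
    killed: Set[str] = set()
    for entry in filter(None, spec.split(":")):
        op, body = (entry[0], entry[1:]) if entry[0] in "!-+" else ("", entry)
        hits = [n for n in table if _matches(n, body, table)]
        if op == "!":
            killed.update(hits)
            selected = [n for n in selected if n not in killed]
        elif op == "-":
            selected = [n for n in selected if n not in hits]
        elif op == "+":
            selected = [n for n in selected if n not in hits] + [n for n in selected if n in hits]
        else:
            selected += [n for n in hits if n not in selected and n not in killed]
    return selected


def encr_allows(name: str, min_bits: int, table: Dict[str, Cipher] = CIPHERS) -> bool:
    """The ENCR:bits rule from the Sendmail STARTTLS docs looks at key length
    only, so an anonymous (ADH) suite with a 256-bit key passes it."""
    return table[name].bits >= min_bits


def probe_starttls(host: str, port: int, cipher_spec: str, timeout: float = 10) -> Optional[str]:
    """The check run in the thread with 'openssl s_client -starttls smtp -cipher',
    done from smtplib against your own relay: offer only cipher_spec and return
    the negotiated suite, or None when the server refuses it.  Live network
    call, so the offline demo below does not use it.  Current OpenSSL builds
    no longer contain export suites, so set_ciphers('EXP-RC4-MD5') itself
    raises on a modern client; that is reported as None too."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # cipher policy is under test, not the chain
        ctx.set_ciphers(cipher_spec)
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.cipher()[0]
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return None


if __name__ == "__main__":
    for suite in select_ciphers(THREAD_SPEC):
        print(suite)
    print("EXP-RC4-MD5 still offered:", "EXP-RC4-MD5" in select_ciphers(THREAD_SPEC))
    print("ADH-AES256-SHA passes ENCR:128:", encr_allows("ADH-AES256-SHA", 128))
    print("ADH-AES256-SHA survives CipherList:", "ADH-AES256-SHA" in select_ciphers(THREAD_SPEC))
```

Two details of the evaluation matter for the thread. `!EXP` is permanent, so the later `RC4+RSA` entry cannot bring EXP-RC4-MD5 back, which is why Dean's `s_client -cipher EXP-RC4-MD5` test stopped connecting; with `-EXP` instead it would have been re-added. And `encr_allows("ADH-AES256-SHA", 128)` is true while the same suite is gone from `select_ciphers(THREAD_SPEC)`, which is exactly Chuck's point that ENCR:bits does not replace `!aNULL`/`!ADH`. The `+HIGH:+MEDIUM` tail only reorders: in the toy table the list still ends with RC4-MD5 and RC4-SHA, since the string forbids nothing in MEDIUM.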