Sendmail CipherList Support

Notes on altering the default CipherList in Sendmail. Altering the CipherList allows one to drop support for old versions of the Secure Sockets Layer (SSL) protocol, or to force clients to use non-default ciphers. Old versions of SSL have various protocol weaknesses that later revisions have addressed. Newer versions of SSL are called Transport Layer Security (TLS).

Setup

First, ensure sendmail 8.11, 8.12, or 8.13 is compiled with _FFR_TLS_1. STARTTLS support was added in sendmail 8.11, though running a more recent release is recommended.

$ sendmail -d0.13 < /dev/null | grep FFR
FFR Defines: _FFR_SMTP_SSL _FFR_TLS_1

If not, recompile sendmail with _FFR_TLS_1 set in a custom site.config.m4.

APPENDDEF(`confENVDEF', `-D_FFR_TLS_1')dnl

Configuration

Under the LOCAL_CONFIG area of the sendmail.mc file used to build sendmail.cf, add the custom CipherList definition. For instance, disable SSLv2 with a -SSLv2 statement:

LOCAL_CONFIG
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:↵
-SSLv2:+EXP:+eNULL

Rebuild the sendmail.cf, restart sendmail, and check the logfile for errors. The CipherList option can also be placed into a submit.mc to control what ciphers the mail submission agent negotiates with. Usually this is not a problem, unless the default (EDH-RSA-DES-CBC3-SHA at 168 bits at time of writing) is too slow when talking to other OpenSSL-based servers.

For more information on CipherList or to experiment, use the OpenSSL ciphers utility.

$ openssl ciphers 'ALL:!ADH::RC4+RSA:-SSLv2:@STRENGTH' \
| perl -ple 's/:/\n/g'

Certain popular applications negotiate at the weak (but fast) RC4-MD5 cipher by default, and generally do not support perfect forward security ciphers. The book SSL and TLS has more information on this topic.