Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
C
C
CityCat42016-06-02 22:18:09
Email
CityCat4, 2016-06-02 22:18:09

How to selectively enable client encryption choice for individual servers?

There is sendmail, which uses SSL when sending. The certificate is issued by a corporate CA, but it doesn't matter. Sendmail uses the following cipher suite and protocol selection settings:

O CipherList=kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

And everything would be fine. But there are still servers in the world that ignore the danger of attacks on SSL and use vulnerable encryption, such as DES-CBC3-SHA or, in general, completely crazy RC4-MD5. And you have to correspond with them, but you don’t want to turn on vulnerable ciphers. Now I just turned off encryption when communicating with these servers like this:
/etc/mail/access
Try_TLS:server.net NO
And when sending to server.net, there is simply no encryption. Question - is it possible to selectively set cipher suites for individual servers in the same way, or switch between "server selects cipher" and "client selects cipher" for individual servers?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
C
CityCat4, 2016-06-07
@CityCat4

So, judging by the fact that no one answered - no one knows. So I answer to myself - suddenly someone needs it.
So, there is such functionality. But it is available only in sendmail 8.15.2, and then with its separate rebuild with the _FFR_TLS_SE_OPTS_ parameter.
So far I've done a rebuild only on FreeBSD (for good measure :) ) - in the mail/sendmail port file files/site.config.m4.tls, the first line should look like this
and rebuild, then following all the installation recommendations. For configuration, the /etc/mail/access file is used, where it is written
And all connections to server.net will use the DES-CBC3-SHA cipher, even if it's not in the global CipherList. You can also set SSL options here, all this is described in the README.
I will add about the assembly in centos separately.

Report
M
Max Kostikov, 2016-06-02
@mxms

So you remove your !SSLv2 and ...NO_SSLv... from the configs and you will have support for the old insecure types of encryption. But do you really need it?

Similar questions
V
Vista2015-06-23 16:40:08
The system for adding banners to the site, how to write it yourself? 5Reply
I
Ilya Sidorenko2014-03-05 10:26:19
What are the benefits of iCloud mail? 1Reply
S
sawa42018-10-03 20:13:46
Why is Laravel 5.6 sending mail not working on hosting? 1Reply
A
Alex04022021-12-10 21:58:41
Laravel: how to get messages for E-mail (gmail)? 1Reply
A
Alexander Yerko2016-05-13 12:16:44
Why doesn't php mail work on vps from infobox? 3Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question