Email

CityCat4, 2016-06-02 22:18:09

How to selectively enable client encryption choice for individual servers?

There is sendmail, which uses SSL when sending. The certificate is issued by a corporate CA, but it doesn't matter. Sendmail uses the following cipher suite and protocol selection settings:

O CipherList=kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

And everything would be fine. But there are still servers in the world that ignore the danger of attacks on SSL and use vulnerable encryption, such as DES-CBC3-SHA or, in general, completely crazy RC4-MD5. And you have to correspond with them, but you don’t want to turn on vulnerable ciphers. Now I just turned off encryption when communicating with these servers like this:
/etc/mail/access
Try_TLS:server.net NO
And when sending to server.net, there is simply no encryption. Question - is it possible to selectively set cipher suites for individual servers in the same way, or switch between "server selects cipher" and "client selects cipher" for individual servers?


2 answer(s)
CityCat4, 2016-06-07
@CityCat4

So, judging by the fact that no one answered - no one knows. So I'll answer myself, in case someone needs it.
So, there is such functionality. But it is available only in sendmail 8.15.2, and then only with a separate rebuild with the _FFR_TLS_SE_OPTS_ parameter.
So far I've only done the rebuild on FreeBSD (for good measure :) ) - in the mail/sendmail port, in the file files/site.config.m4.tls, the first line should look like this
and rebuild, then follow all the installation recommendations. For configuration, the /etc/mail/access file is used, where it is written
And all connections to server.net will use the DES-CBC3-SHA cipher, even if it's not in the global CipherList. You can also set SSL options there; all this is described in the README.
I will write about building on CentOS separately.
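As an added example (not code from the question, the answer, or sendmail itself), the following Python script models the per-destination lookup that both the question's Try_TLS entry and the answer's per-server cipher override rely on, and audits which destinations end up without STARTTLS or with weak ciphers enabled. The Try_TLS: tag and the global CipherList are the real values from the question; the CipherList: access-map tag is a hypothetical stand-in for the override syntax the answer refers to the README for, the suffix walk mirrors how sendmail tries the full host and then each parent domain, and all hostnames and map lines are constructed.

```python
"""Audit per-destination TLS policy in a sendmail-style access map.

Added example, not from the question or from sendmail.  It parses
'tag:key value' lines, resolves the entry for a destination host with a
suffix walk (full host, then each parent domain, as sendmail does for host
lookups), and flags destinations that send in the clear or with weak ciphers.
"""
import re

# Global policy taken from the question's sendmail.cf (O CipherList=...).
GLOBAL_CIPHERLIST = "kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2"

# Algorithms the question itself calls vulnerable (RC4, 3DES, MD5) plus NULL.
WEAK_RE = re.compile(r"RC4|DES|MD5|NULL")

# Constructed sample map.  "Try_TLS:" is the real tag from the question;
# "CipherList:" is a HYPOTHETICAL tag standing in for the per-server override
# the answer describes (the real tag is documented in sendmail's README).
SAMPLE_ACCESS_MAP = """\
# constructed sample, not a real /etc/mail/access
Try_TLS:server.net            NO
CipherList:legacy.example     DES-CBC3-SHA
CipherList:partner.example    kEECDH+AES
"""


def parse_access_map(text):
    """Return {tag: {key: value}}; '#' comments, blank and malformed lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2 or ":" not in parts[0]:
            continue
        tag, _, key = parts[0].partition(":")
        entries.setdefault(tag, {})[key.lower()] = parts[1].strip()
    return entries


def lookup(entries, tag, host):
    """Suffix walk: try the full host, then each parent domain; None if no entry."""
    table = entries.get(tag, {})
    labels = host.lower().split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def effective_policy(entries, host, global_ciphers=GLOBAL_CIPHERLIST):
    """Return (tls_enabled, cipherlist, source) for one destination host."""
    if (lookup(entries, "Try_TLS", host) or "").upper() == "NO":
        return (False, None, "Try_TLS NO")          # STARTTLS not offered: cleartext
    override = lookup(entries, "CipherList", host)  # hypothetical per-server tag
    if override is not None:
        return (True, override, "per-server CipherList")
    return (True, global_ciphers, "global CipherList")


def weak_ciphers(cipherlist):
    """Cipher-string tokens that enable weak algorithms; '!'/'-' exclusions are ignored."""
    return [tok for tok in cipherlist.split(":")
            if not tok.startswith(("!", "-")) and WEAK_RE.search(tok)]


def audit(entries, hosts):
    """Return [(host, finding)] for hosts sending in the clear or with weak overrides."""
    findings = []
    for host in hosts:
        enabled, ciphers, source = effective_policy(entries, host)
        if not enabled:
            findings.append((host, "cleartext: " + source))
        elif source.startswith("per-server") and weak_ciphers(ciphers):
            findings.append((host, "weak override: " + ", ".join(weak_ciphers(ciphers))))
    return findings


if __name__ == "__main__":
    table = parse_access_map(SAMPLE_ACCESS_MAP)
    for host, finding in audit(table, ["server.net", "mx.server.net",
                                       "legacy.example", "partner.example", "other.org"]):
        print(host, "->", finding)
```

The point of the suffix walk is that `Try_TLS:server.net NO` also switches off STARTTLS for `mx.server.net`, so an audit has to resolve every real destination, not just the literal keys in the map; a per-server override that re-enables 3DES is reported separately from a global downgrade.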

Max Kostikov, 2016-06-02
@mxms

So you remove your !SSLv2 and ...NO_SSLv... from the configs and you will have support for the old insecure types of encryption. But do you really need it?
