Hi Dan,

> ... We don't define a DH key size in BX and as far as I can tell the
> default for Sendmail is 512 bits for STARTTLS client which explains this
> all away.
I kinda hate to do such fundamental changes with a hot needle and in such a rush. But I just did it anyway for 5207R, 5208R and 5209R:

http://devel.blueonyx.it/trac/changeset/2145

This is also published to the YUM repositories as of this moment.

What it does: It creates a 2048 bit DH file. Then sendmail.mc is amended with the following provisions (if not already present):

    define(`confDH_PARAMETERS',`/usr/share/ssl/certs/sendmail-2048.dh')
    LOCAL_CONFIG
    O CipherList=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
    O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

The above will look weird in this email due to the odd line wraps. But what it does is this:

1.) Adds the provisions for the 2048 bit Diffie-Hellman file.
2.) Enforces a pretty solid cipher list and disables weak ciphers.
3.) Disables SSLv2 and SSLv3 for server connections.
4.) Disables SSLv2 and SSLv3 for client connections.

Just to avoid confusion: The "CipherList" has +SSLv3 in it. That's unrelated to the SSLv3 *protocol*. There are some ciphers under the SSLv3 shortcut which we want. They are independent from the SSLv3 *protocol*, which we turn off separately elsewhere.

Like I said in the other message: A bit of this is redundant. So far I had avoided giving Sendmail the bat in regards to ciphers and protocols, but this time around I feel we need it. I've seen too many error messages in regards to the SSLv3 protocol on my own mailservers and I feel that most of that is related to some forms of attempted abuse.

I will also roll this up for 5106R, 5107R and 5108R. But not sure if I can manage that today. If not, it'll hit the YUM repositories on Saturday.
-- 
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
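The provisioning described in Michael's message, as an added example that is not part of the original post or of the BlueOnyx changeset: it generates the 2048-bit DH file, lets the local OpenSSL parse the cipher string before sendmail does, and appends the sendmail.mc provisions only when they are absent, so it can be re-run safely. The DH file path and the option lines are the ones from the message; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the BlueOnyx changeset: create the 2048-bit DH file
# and amend a sendmail.mc with the provisions from the list message, skipping
# any line that is already present so the script can be re-run safely.

DH_FILE="${DH_FILE:-/usr/share/ssl/certs/sendmail-2048.dh}"
CIPHERS='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

# Generate the DH parameters once; 2048-bit generation takes a while.
make_dh_file() {
    [ -s "$DH_FILE" ] && return 0
    openssl dhparam -out "$DH_FILE" 2048
}

# Ask the local OpenSSL to parse the cipher string before sendmail does.
validate_ciphers() {
    openssl ciphers "$CIPHERS" >/dev/null
}

# True (0) when at least one of the given lines is absent from the file.
missing_any() {
    mc="$1"; shift
    for line in "$@"; do
        grep -qxF -- "$line" "$mc" || return 0
    done
    return 1
}

# Append a line unless an identical line already exists.
add_if_missing() {
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Amend sendmail.mc. Raw O lines only reach sendmail.cf after LOCAL_CONFIG, so
# a LOCAL_CONFIG heading is written before any O line that has to be appended.
ensure_sendmail_tls() {
    mc="$1"
    dh="define(\`confDH_PARAMETERS',\`$DH_FILE')"
    ciph="O CipherList=$CIPHERS"
    srv="O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE"
    cli="O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3"
    add_if_missing "$mc" "$dh"
    if missing_any "$mc" "$ciph" "$srv" "$cli"; then
        printf 'LOCAL_CONFIG\n' >> "$mc"
        add_if_missing "$mc" "$ciph"
        add_if_missing "$mc" "$srv"
        add_if_missing "$mc" "$cli"
    fi
}
```

On a server you would call make_dh_file, validate_ciphers and ensure_sendmail_tls /etc/mail/sendmail.mc, then rebuild sendmail.cf and restart sendmail as you normally would.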