I know this is a Sendmail issue, but I haven't been able to track down
any information online, or found any Sendmail user email lists yet. And
since I am running it on a FreeBSD server, I thought I would try here
and see if anyone knows the answer to my problem.
I have enabled SSL on SMTP to enable the delivery and reception of TLS
encrypted emails, the server is going to be used as a relay between a MS
Exchange server and an external Spam filtering service that has an
encrypted email sending application that strips attachments and creates
a password protected HTTPS link based on keywords in the subject.
Everything works as expected, but when I test the server against
required PCI scans, it accepts weak encryption ciphers, I need to limit
these ciphers. After a lot of extensive searching I have found
references to the fact that it is possible to configure Sendmail to do
this, but I can't find any documentation on how to do it.
The server is running FreeBSD 8.2 which is patched up to p4, and
Sendmail was configured with the following options, this test setup is
also being used to test secure IMAP with authentication, so there are
settings in here as well for Cyrus IMAP.
/etc/make.conf:
# Use OpenSSL from ports instead of base
WITH_OPENSSL_PORT=yes
# Enable SMTP Authentication
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
# Adding to enable alternate port (smtps) for sendmail...
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
Steps done after editing /etc/make.conf:
cd /usr/src/lib/libsmutil
make cleandir && make obj && make
cd /usr/src/lib/libsm
make cleandir && make obj && make
cd /usr/src/usr.sbin/sendmail
make cleandir && make obj && make && make install
/etc/rc.conf:
# Enable Sendmail
saslauthd_enable="YES"
saslauthd_flags="-a sasldb"
cyrus_imapd_enable="YES"
sendmail_enable="YES"
/etc/mail/hostname.mc:
define(`confLOCAL_MAILER',`cyrusv2')
define(`CYRUS_MAILER_PATH',`/usr/local/cyrus/bin/deliver')
MAILER(`cyrusv2')
dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')
dnl Cert Options
define(`confCACERT_PATH', `/usr/local/etc/ssl/smtp')dnl
define(`confCACERT', `/usr/local/etc/ssl/smtp/gd_bundle.crt')dnl
define(`confSERVER_CERT', `/usr/local/etc/ssl/smtp/server.crt')dnl
define(`confSERVER_KEY', `/usr/local/etc/ssl/smtp/server.key')dnl
dnl DAEMON_OPTIONS
dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')
I know that setting this option in Apache does the trick for HTTPS, I
just need to figure out how to tell Sendmail to do the same.
SSLCipherSuite
ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
If anyone has any idea how to do this, or any idea on what keywords to
search on that might find me the directions it would be a great help.
--
Thanks,
Dean E. Weimer
dwei...@dweimer.net
http://www.dweimer.net/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
