From owner-freebsd-questions@FreeBSD.ORG Wed Oct 12 16:02:42 2011
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 11CCD106564A for ; Wed, 12 Oct 2011 16:02:42 +0000 (UTC) (envelope-from dweimer@dweimer.net)
Received: from webmail.dweimer.net (adsl-70-129-195-213.dsl.ksc2mo.swbell.net [70.129.195.213]) by mx1.freebsd.org (Postfix) with ESMTP id A13598FC13 for ; Wed, 12 Oct 2011 16:02:41 +0000 (UTC)
Received: from www.dweimer.net (localhost [127.0.0.1]) by webmail.dweimer.net (8.14.4/8.14.4) with ESMTP id p9CFTEiO063880 for ; Wed, 12 Oct 2011 10:29:14 -0500 (CDT) (envelope-from dweimer@dweimer.net)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Date: Wed, 12 Oct 2011 10:29:14 -0500
From: "Dean E. Weimer"
To:
Mail-Reply-To:
Message-ID:
X-Sender: dweimer@dweimer.net
User-Agent: RoundCube Webmail/0.6
Subject: somewhat Off topic, Sendmail Issue
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: dweimer@dweimer.net
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 12 Oct 2011 16:02:42 -0000

I know this is a Sendmail issue, but I haven't been able to track down any information online, or found any Sendmail user email lists yet. And since I am running it on a FreeBSD server, I thought I would try here and see if anyone knows the answer to my problem.

I have enabled SSL on SMTP to enable the delivery and reception of TLS encrypted emails. The server is going to be used as a relay between a MS Exchange server and an external spam filtering service that has an encrypted email sending application that strips attachments and creates a password protected HTTPS link based on keywords in the subject.

Everything works as expected, but when I test the server against required PCI scans, it accepts weak encryption ciphers; I need to limit these ciphers. After a lot of extensive searching I have found references to the fact that it is possible to configure Sendmail to do this, but I can't find any documentation on how to do it.

The server is running FreeBSD 8.2, which is patched up to p4, and Sendmail was configured with the following options. This test setup is also being used to test secure IMAP with authentication, so there are settings in here as well for Cyrus IMAP.

/etc/make.conf:

# Use OpenSSL from ports instead of base
WITH_OPENSSL_PORT=yes
# Enable SMTP Authentication
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
# Adding to enable alternate port (smtps) for sendmail...
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL

Steps done after editing /etc/make.conf:

cd /usr/src/lib/libsmutil
make cleandir && make obj && make
cd /usr/src/lib/libsm
make cleandir && make obj && make
cd /usr/src/usr.sbin/sendmail
make cleandir && make obj && make && make install

/etc/rc.conf:

# Enable Sendmail
saslauthd_enable="YES"
saslauthd_flags="-a sasldb"
cyrus_imapd_enable="YES"
sendmail_enable="YES"

/etc/mail/hostname.mc:

define(`confLOCAL_MAILER',`cyrusv2')
define(`CYRUS_MAILER_PATH',`/usr/local/cyrus/bin/deliver')
MAILER(`cyrusv2')
dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')
dnl Cert Options
define(`confCACERT_PATH', `/usr/local/etc/ssl/smtp')dnl
define(`confCACERT', `/usr/local/etc/ssl/smtp/gd_bundle.crt')dnl
define(`confSERVER_CERT', `/usr/local/etc/ssl/smtp/server.crt')dnl
define(`confSERVER_KEY', `/usr/local/etc/ssl/smtp/server.key')dnl
dnl DAEMON_OPTIONS
dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')

I know that setting this option in Apache does the trick for HTTPS; I just need to figure out how to tell Sendmail to do the same.

SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

If anyone has any idea how to do this, or any idea on what keywords to search on that might find me the directions, it would be a great help.

--
Thanks,
Dean E. Weimer
dweimer@dweimer.net
http://www.dweimer.net/
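The Sendmail counterpart of the Apache SSLCipherSuite line, as an added example that is not part of the original post: the cipher policy goes into the .mc file through the CipherList option (m4 name confCIPHER_LIST), which takes the same OpenSSL cipher-string syntax. It is assumed here that the installed sendmail 8.14 exposes CipherList only when built with the _FFR_TLS_1 flag, so both the make.conf addition and the option name should be checked against the cf/README shipped with the installed source before relying on them.

```m4
dnl Added example: limiting the TLS ciphers sendmail will negotiate.
dnl
dnl Assumption for sendmail 8.14: the CipherList option is compiled in only
dnl with this extra build flag, added to /etc/make.conf next to _FFR_SMTP_SSL
dnl and followed by the same rebuild steps used for the SASL/smtps build:
dnl     SENDMAIL_CFLAGS+= -D_FFR_TLS_1
dnl
dnl Before: no confCIPHER_LIST at all, so the OpenSSL default list applies and
dnl export-grade, single-DES and anonymous-DH suites are still offered, which
dnl is what the PCI scan reports.
dnl
dnl After (/etc/mail/hostname.mc, next to the other TLS defines): the same
dnl policy as the Apache SSLCipherSuite line from the post.
define(`confCIPHER_LIST', `ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2')dnl
dnl Rebuild the .cf (make in /etc/mail) and restart sendmail, then confirm with
dnl "sendmail -bt -d0.1 < /dev/null" that the running binary lists the TLS
dnl support it was built with.
```

To verify the policy from the outside, a test handshake restricted to weak suites, for example `openssl s_client -connect relay.example:smtps -cipher 'LOW:EXP:aNULL'`, should now fail while a plain `-cipher HIGH` connection still succeeds. RC4 and MD5-based suites, which this string still permits, are flagged as weak by current scanners and can be excluded by appending `:!RC4:!MD5`.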