Notes on altering the default CipherList in Sendmail. Altering the CipherList allows one to drop support for old versions of the Secure Sockets Layer (SSL) protocol, or to force clients to use ciphers of a particular strength. Old versions of SSL have various protocol weaknesses that later revisions have addressed. Newer versions of SSL are called Transport Layer Security (TLS), while various security policies usually require the use of stronger ciphers. Another use of customizing the CipherList is to communicate with servers that use incompatible SSL libraries and therefore require a particular cipher.
Setup
First, ensure sendmail 8.11, 8.12, or 8.13 is compiled with _FFR_TLS_1. STARTTLS support was added in sendmail 8.11, though running a more recent release is recommended.
$ sendmail -d0.13 < /dev/null | grep FFR
FFR Defines: _FFR_SMTP_SSL _FFR_TLS_1
If not, recompile sendmail with _FFR_TLS_1 set in a custom site.config.m4.
APPENDDEF(`confENVDEF', `-D_FFR_TLS_1')dnl
Configuration
Under the LOCAL_CONFIG area of the sendmail.mc file used to build sendmail.cf, add the custom CipherList definition. For instance, to disable old and low security ciphers, try:
LOCAL_CONFIG
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:↵
-SSLv2:-EXP:-eNULL
Rebuild the sendmail.cf, restart sendmail, and check the logfile for errors. The CipherList option can also be placed into a submit.mc to control what ciphers the Mail Submission Agent (MSA) negotiates with.
For more information on CipherList or to experiment, use the OpenSSL ciphers utility. CipherList strings can be tested with the ciphers(1) option to openssl, to reveal what ciphers will be offered for negotiation:
$ openssl ciphers 'ALL:!ADH::RC4+RSA:-SSLv2:@STRENGTH' \
| perl -ple 's/:/\n/g'
Certain popular applications negotiate at the weak (but fast) RC4-MD5 cipher by default, and generally do not support perfect forward security ciphers. The book SSL and TLS has more information on this topic.
