• Re: Change SSL security level per host/IP when sending email

    From Claus Aßmann @21:1/5 to AMM on Wed Jan 3 01:17:57 2024
    AMM wrote:

    Recently I switched to OpenSSL 3.2 which now defaults to security level
    2 by default. Which means that it now requires DH key to be at least 2048
    bit long.

    BTW: so no DANE support enabled for sendmail?

    Due to this when sendmail sends email to (now broken) server, which
    still uses 1024 bit DH keys, then email fails with "DH key too small"
    SSL error.

    Did you try to disable ciphersuites which use DH?

    But I do not want to disable TLS completely. I just want it to switch to security level 1.

    Can you override it via the OpenSSL config file?
    As documented:

    Note: OpenSSL 3 loads by default an openssl.cnf file from a location
    specified in the library which may cause unwanted behaviour in
    sendmail. Hence sendmail sets the environment variable OPENSSL_CONF
    to /etc/mail/sendmail.ossl to override the default. The file name
    can be changed by defining confOPENSSL_CNF in the mc file; using
    an empty value prevents setting OPENSSL_CONF. Note: referring to
    a file which does not exist does not cause an error.

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
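    For reference, this is what the OpenSSL configuration override mentioned above would look like. It is an added example, not from the sendmail documentation or the poster; it assumes the file is the one OPENSSL_CONF points at (/etc/mail/sendmail.ossl by default) and that the libssl linked into sendmail initializes its system default context from it, as OpenSSL 3 normally does. It applies globally, not per host, and it lowers the floor for every outbound and inbound TLS session, which is the trade-off the original poster wanted to avoid.

```ini
# /etc/mail/sendmail.ossl (assumed path: the default set by sendmail's OPENSSL_CONF)
# Standard OpenSSL 3 config layout: the top-level name points at an init
# section, which points at the ssl_conf section, which sets system defaults.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Security level 1 accepts 1024-bit DH/RSA again (level 2 requires 2048 bits),
# so peers that still send 1024-bit DH parameters no longer fail with
# "DH key too small". This weakens every connection, not only the broken peer.
CipherString = DEFAULT:@SECLEVEL=1
# Optional: keep the protocol floor at TLS 1.2 so the relaxed level does not
# also reopen TLS 1.0/1.1.
MinProtocol = TLSv1.2
```

Verify the file is actually being read by running `OPENSSL_CONF=/etc/mail/sendmail.ossl openssl ciphers -v 'DEFAULT:@SECLEVEL=1'` and watching sendmail's log for the error disappearing; a path that does not exist is silently ignored, as the documentation quoted above notes.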
  • From Claus Aßmann @21:1/5 to AMM on Wed Jan 3 05:34:37 2024
    AMM wrote:

    Recently I switched to OpenSSL 3.2 which now defaults to security level

    I can see -DDANE mentioned in site.config.m4 but I have no clue what it

    Look for DANE in the fine documentation...
    Do you use OpenSSL 3.2.0 and sendmail 8.18?
    The former has a bug in its DANE code.

    It would be nice if this feature can be implemented in clt_features,
    where it will use security level 1 for certain domains.

    That's not possible - sendmail does not support those openssl
    "security level"s.

    Do you actually gain anything by using "security level 2"
    when using STARTTLS in an MTA?
    Just because the OpenSSL people thought it would be a cool
    feature doesn't mean it's useful for SMTP (AFAIR postfix
    disables that stuff too).
