(My answer is similar to @Greenonline's but I'm posting it separately since code formatting in comments can get crowded).
It should work but you need to be very specific on the formatting.
1) Edit /etc/mail/sendmail.mc
2) Add the following:
LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
(if you already have a LOCAL_CONFIG section, add the options under there).
3) Bounce sendmail: /etc/init.d/sendmail restart
The key parts to keep in mind are:
- The O prefix is needed.
- This stuff must go in the LOCAL_CONFIG section.
Let's break down these options for improved clarity:
CipherList=HIGH tells sendmail to only negotiate with ciphers that are categorized as “high” according to OpenSSL (which currently means cipher suites with key lengths larger than 128 bits and some cipher suites with 128-bit keys). Since these are always changing, it’s best to check directly with openssl documentation/resources on that.
ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE disables SSLv2, SSLv3, and tells openssl/sendmail to use the server’s preferences instead of the client preferences when choosing a cipher.
ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 is pretty much the same as above — don’t use SSLv2 or SSLv3 — but this time, it’s referring to client connections (outbound).