Is it possible to disable SSLv3 in Sendmail 8.14.3?

Question

Is it possible to disable SSLv3 in Sendmail 8.14.3?

The recommendations that I found is to use -O ServerSSLOptions=... but that option is not recognized. Is there any other way of disabling SSLv3 without changing Sendmail code?

If not, which is the earliest version of Sendmail in which SSLv3 can be disabled?

Thanks for your help.

Answer 1

What is the error that you get when you enter your command..?

However, you could try modifying the LOCAL_CONFIG section of the sendmail.mc file, instead of specifying the option on the command line.

CipherList=HIGH

ServerSSLOptions= +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE

ClientSSLOptions= +SSL_OP_NO_SSLv3

Answer is modified from the source: POODLE Disabling SSLv3 Support on Servers

Answer 2

in case of Centos OS, options as ServerSSLOptions or ClientSSLOptions were probably backported also to latest updates of sendmail v8.13.8 rpm packages..?

because sendmail-8-13.8-2.el5 from Centos 5 does not know these options (sendmail returns error: "unknown option name ServerSSLOptions" etc.), while sendmail-8-13.8-10.el5_11 from latest "updates" directory of Centos 5.11 already knows these options..

Answer 3

(My answer is similar to @Greenonline's but I'm posting it separately since code formatting in comments can get crowded).

It should work but you need to be very specific on the formatting.

1) Edit /etc/mail/sendmail.mc
2) Add the following:

LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

(if you already have a LOCAL_CONFIG section, add the options under there).

3) Bounce sendmail: /etc/init.d/sendmail restart

The key parts to keep in mind are:

• The O prefix is needed.
• This stuff must go in the LOCAL_CONFIG section.

Let's breakdown these options for improved clarity:

• CipherList=HIGH tells sendmail to only negotiate with ciphers that are categorized as “high” according to OpenSSL (which currently means cipher suites with key lengths larger than 128 bits and some cipher suites with 128-bit keys). Since these are always changing, it’s best to check directly with openssl documentation/resources on that.
• ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE disables SSLv2, SSLv3, and tells openssl/sendmail to use the server’s preferences instead of the client preferences when choosing a cipher.
• ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 is pretty much the same as above — don’t use SSLv2 or SSLv3 — but this time, it’s referring to client connections (outbound).

Answer 4

Sendmail ServerSSLOptions [sendmail-8.15.1]

ServerSSLOptions support has been added in sendmail-8.15.1

https://www.sendmail.com/sm/open_source/download/8.15.1/?show_rs=1#RS

Answer 5

Is possible with lines similiar to this for yourconfigm4.mc

FEATURE(access_db)dnl
define(`confCACERT_PATH', `/etc/pki/certs')dnl
define(`confCACERT', `/etc/pki/certs/server.crt')dnl
define(`confSERVER_CERT', `/etc/pki/certs/server.site.crt')dnl
define(`confSERVER_KEY', `/etc/pki/certs/private.key')dnl
define(`confCLIENT_CERT', `/etc/pki/certs/server.site.crt')dnl
define(`confCLIENT_KEY', `/etc/pki/certs/private.key')dnl
O DHParameters=/etc/pki/private/dhparams.pem
LOCAL_CONFIG
dnl# Do not allow the weak SSLv2:
O CipherList=HIGH:!ADH-DES-CBC3-SHA:!ADH-AES128-SHA:!ADH-AES256-SHA:!ADH-CAMELLIA128-SHA:!ADH-CAMELLIA256-SHA:!DH-AES128-SHA256:!DH-AES256-SHA256:!aNULL:!DES:!3DES:!MD5:!DES+MD5:!RC4
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

and sendmail 15.1 which you can find precompiled on csw repository for solaris.