Sendmail configuration
Sendmail is a general purpose internetwork email routing facility that supports many kinds of mail-transfer and delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the Internet.
The current Open Source Sendmail version is 8.16.1, see https://www.sendmail.com/sm/open_source/download/.
Sendmail versions shipped by some Linux distributions are:
RHEL7/CentOS7: version 8.14.7.
RHEL8/CentOS8: version 8.15.2.
Fedora 33: version 8.16.1.
This page refers mainly to the RHEL/CentOS installation of Sendmail.
Documentation
Some Sendmail documentation is available on the Sendmail homepage and in several books.
Configuration files
All configuration files of Sendmail are in the /etc/mail directory.
The relevant files to configure are:
Makefile: Manages most of the configuration files.
sendmail.mc: Contains the most crucial server configurations, see /usr/share/sendmail-cf/README.
local-host-names: List of hostnames that alias to this server.
access: Reject/accept list.
virtusertable: Virtual users, such as user@nano.dtu.dk, and invalid addresses.
Whenever a file has been changed, run make in this directory.
If sendmail.mc has been changed, you also need to restart the sendmail service.
Sendmail parameters
A few runtime parameters are defined in the file /etc/sysconfig/sendmail:
DAEMON=yes
QUEUE=1h
SMQUEUE=5m
SMTP AUTH and STARTTLS
SMTP Authentication, often abbreviated SMTP_AUTH, is an extension of the Simple Mail Transfer Protocol (SMTP) whereby an SMTP client may log in using an authentication mechanism chosen among those supported by the SMTP server. The authentication extension is mandatory for mail submission servers.
You can read about SMTP AUTH in sendmail and Sendmail STARTTLS. STARTTLS is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication. Usually port 587 is used for SMTP_AUTH mail submission with STARTTLS, although port 465 with SSL is sometimes used for legacy mail clients.
Sendmail TLS (SSL) configuration
The TLS configuration used for Sendmail STARTTLS should be tightened beyond the Sendmail defaults. Modern and secure SSL certificates should be used for proper security, see also Web server SSL best practices.
Documentation: the Sendmail file /usr/share/sendmail-cf/README defines the sendmail.mc parameters.
Sendmail SSL/TLS connection options
From Configuration of hidden Sendmail SSL/TLS connection options:
CipherList: This option configures the available cipher list for encrypted connections. Your cipher list can be tuned by using the openssl ciphers -v command. Stronger ciphers are obviously better. Excluding weak ciphers may mean that very old clients will be unable to connect. Note that with SSLv3 and TLS1.x the client, by default, will select its preferred cipher from the server’s list.
ServerSSLOptions: This option configures the OpenSSL connection flags used for the SSL/TLS connections into Sendmail. By default Sendmail, and most other applications using the OpenSSL library, uses the SSL_OP_ALL composite flag for its connections. This option allows these flags to be altered.
The first option to consider using is SSL_OP_CIPHER_SERVER_PREFERENCE. This option causes the server, rather than the client, to choose the cipher based on its preference order.
The next option to consider is SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. This option disables a countermeasure against a SSLv3/TLSv1 protocol vulnerability. This flag disables the countermeasure and is set by default when SSL_OP_ALL is used. Thus, if one wishes to have the vulnerability countermeasure enabled, this flag needs to be disabled.
Depending on the clients and servers of your Sendmail instance you may wish to consider the use of SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 and SSL_OP_NO_TLSv1.
Note that the current version of Sendmail does not have support for OpenSSL’s SSL_OP_NO_TLS_v1_1 nor for SSL_OP_NO_TLSv1_2. These two could be quite useful and I have submitted a patch to Sendmail for these to be included. The value of this parameter is used to manipulate the bits passed to OpenSSL.
Note that Sendmail starts with a value of SSL_OP_ALL and this option modifies that value – it does not reset it from scratch. You manipulate the value using [+]SSL_OP_XXX to SET the bits and using -SSL_OP_XXX to CLEAR the bits. Thus a value of +SSL_OP_ALL would have no effect (since those bits are already set). A value of -SSL_OP_ALL would result in no bits being set. A useful value might be +SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE.
ClientSSLOptions: This option configures the OpenSSL connection flags used for the SSL/TLS connections initiated by Sendmail. The parameter’s value works the same as for ServerSSLOptions.
Diffie-Hellman parameters
Diffie-Hellman key exchange should be configured securely, see Guide to Deploying Diffie-Hellman for TLS.
The Sendmail Diffie-Hellman parameter file may be configured by:
define(`confDH_PARAMETERS', `/etc/pki/tls/certs/dh2048.pem')dnl
To generate the DH_PARAMETERS file, see man dhparam:
openssl dhparam 2048 > /etc/pki/tls/certs/dh2048.pem
From Sendmail 8.14.8, 2048-bit Diffie-Hellman parameters are supported inside Sendmail itself:
define(`confDH_PARAMETERS', `2048')dnl
Sendmail cipher list
From https://weakdh.org/sysadmin.html:
In the LOCAL_CONFIG section of your /etc/mail/sendmail.mc configure this:
LOCAL_CONFIG
dnl # Certificates and keys must also have been configured
O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
dnl # Disable SSLv2, SSLv3, TLSv1.0 (TLSv1.1 and TLSv1.2 should be supported)
dnl # O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
dnl # Set options required when operating as client to remote servers
dnl # O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
Here DES-CBC3-SHA has also been disabled, because it is insecure.
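As an added check (not code from the page or from Sendmail), the CipherList above can be expanded with the local OpenSSL through Python's ssl module, much as openssl ciphers -v does, to confirm that the "!" exclusions really removed every 3DES, RC4, MD5, export, anonymous and PSK suite:

```python
# Added example (not code from the page or from Sendmail): expand the CipherList
# configured above with the local OpenSSL, as "openssl ciphers -v" would, and
# check that the "!" exclusions really removed every weak suite.
import ssl

# The CipherList value from the sendmail.mc snippet above, as one string.
SENDMAIL_CIPHERLIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:"
    "!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Name fragments that mark a suite as weak under this policy: 3DES/DES, RC4,
# MD5, export grade, anonymous (ADH/AECDH) or NULL, and PSK.
WEAK_MARKERS = ("DES", "RC4", "MD5", "NULL", "EXP", "PSK", "ADH", "AECDH")


def expand_cipherlist(spec):
    """Suite names OpenSSL enables for spec, in the server's preference order.

    Raises ssl.SSLError if nothing in spec matches on this OpenSSL build.
    TLS 1.3 suites are configured separately by OpenSSL and appear as well.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [cipher["name"] for cipher in ctx.get_ciphers()]


def weak_ciphers(names):
    """Subset of names that still match a weak marker (should be empty)."""
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    enabled = expand_cipherlist(SENDMAIL_CIPHERLIST)
    print(f"{len(enabled)} suites enabled, weak: {weak_ciphers(enabled)}")
```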
OPENSSL renegotiation Denial-Of-Service
The https://testssl.sh/ tool can be used to test for Secure Client-Initiated Renegotiation (CVE-2009-3555):
./testssl.sh -R --starttls smtp mail-server:587
and will show a warning for Sendmail:
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok) , DoS threat
See How to test for Secure Client-Initiated Renegotiation DOS Danger.
The OpenSSL parameters SSL_OP_LEGACY_SERVER_CONNECT and SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION control the use of the vulnerable renegotiation.
The manual page man SSL_CTX_set_options (from the openssl-devel RPM) explains the SSL_OP_xxx parameters.
See also The Small Print for OpenSSL legacy_renegotiation.
Unfortunately, the parameters SSL_OP_LEGACY_SERVER_CONNECT and SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION are only accepted by Sendmail version 8.14.9 and later, see the source file sendmail/readcf.c.
To configure the LOCAL_CONFIG section of sendmail.mc (Sendmail 8.14.9 or newer) to clear the SSL legacy flags:
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE -SSL_OP_LEGACY_SERVER_CONNECT -SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
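The set/clear semantics quoted earlier (Sendmail starts from SSL_OP_ALL, [+]NAME sets bits, -NAME clears them) applied to the ServerSSLOptions line above, as an added model that is not code from the page or from Sendmail; the bit positions are assumed for illustration and are not OpenSSL's real values:

```python
# Added example (not code from the page or from Sendmail): a model of how a
# Sendmail ServerSSLOptions/ClientSSLOptions value is applied on top of
# OpenSSL's SSL_OP_ALL default. The bit positions are assumed for illustration,
# not OpenSSL's real values; only the [+]NAME / -NAME semantics are modelled.
FLAGS = {
    "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS": 1 << 0,
    "SSL_OP_LEGACY_SERVER_CONNECT": 1 << 1,
    "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION": 1 << 2,
    "SSL_OP_CIPHER_SERVER_PREFERENCE": 1 << 3,
    "SSL_OP_NO_SSLv2": 1 << 4,
    "SSL_OP_NO_SSLv3": 1 << 5,
    "SSL_OP_NO_TLSv1": 1 << 6,
}
# SSL_OP_ALL is a composite of bug-workaround bits; as the page notes, it
# includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (countermeasure disabled by
# default) and, in OpenSSL 1.0.x, SSL_OP_LEGACY_SERVER_CONNECT.
FLAGS["SSL_OP_ALL"] = (FLAGS["SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS"]
                       | FLAGS["SSL_OP_LEGACY_SERVER_CONNECT"])


def apply_ssl_options(spec):
    """Return the option bits after applying a *SSLOptions value.

    Starts from SSL_OP_ALL and processes whitespace-separated tokens:
    [+]NAME sets NAME's bits, -NAME clears them. Unknown names raise
    ValueError here (e.g. SSL_OP_NO_TLSv1_2, which the page says the
    Sendmail version discussed does not know).
    """
    bits = FLAGS["SSL_OP_ALL"]
    for token in spec.split():
        if token[0] in "+-":
            sign, name = token[0], token[1:]
        else:
            sign, name = "+", token
        if name not in FLAGS:
            raise ValueError(f"unknown SSL option {name!r}")
        if sign == "+":
            bits |= FLAGS[name]
        else:
            bits &= ~FLAGS[name]
    return bits


def enabled_flags(bits):
    """Sorted names of the individual flags set in bits (composite excluded)."""
    return sorted(n for n, v in FLAGS.items() if n != "SSL_OP_ALL" and bits & v)


if __name__ == "__main__":
    # The hardened ServerSSLOptions line from this page (Sendmail 8.14.9+).
    line = ("+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE "
            "-SSL_OP_LEGACY_SERVER_CONNECT -SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION")
    print(enabled_flags(apply_ssl_options(line)))
```

Note that SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS stays set by that line: the empty-fragment countermeasure is only re-enabled if -SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is added explicitly.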
Testing the Sendmail TLS
The https://testssl.sh/ tool can be used to test a mail-server port 587 (STARTTLS):
./testssl.sh --starttls smtp mail-server:587
or port 465 (TLS/SSL) used for legacy mail clients:
./testssl.sh mail-server:465
To display all TLS (SSL) parameters of the server mail-server on port 587:
openssl s_client -starttls smtp -connect mail-server:587 < /dev/null