Sendmail configuration

Sendmail is a general purpose internetwork email routing facility that supports many kinds of mail-transfer and delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the Internet.

The current Open Source Sendmail version is 8.16.1, see https://www.sendmail.com/sm/open_source/download/.

Sendmail versions in some Linuxes are:

  • RHEL7/CentOS7: version 8.14.7.

  • RHEL8/CentOS8: version 8.15.2.

  • Fedora 33: version 8.16.1.

This page refers mainly to the RHEL/CentOS installation of Sendmail.

Documentation

Some Sendmail documentation is available on the Sendmail homepage and in several books.

Configuration files

All configuration files of Sendmail is in the /etc/mail directory. The relevant files to configure are:

  • Makefile: Manages most of the configuration files.

  • sendmail.mc: Contains the most crucial server configurations, see /usr/share/sendmail-cf/README.

  • local-host-names: List of hostnames that alias to this server.

  • access: Reject/accept list.

  • virtusertable: Virtual users, such as user@nano.dtu.dk and invalid addresses.

Whenever a file has been changed, do a make in this directory. If sendmail.mc has been changed, you also need to restart the sendmail service.

Sendmail parameters

A few runtime parameters are defined in the file /etc/sysconfig/sendmail:

DAEMON=yes
QUEUE=1h
SMQUEUE=5m

SMTP AUTH and STARTTLS

SMTP Authentication, often abbreviated SMTP_AUTH, is an extension of the Simple Mail Transfer Protocol (SMTP) whereby an SMTP client may log in using an authentication mechanism chosen among those supported by the SMTP server. The authentication extension is mandatory for mail submission servers.

You can read about SMTP_AUTH_in_sendmail and Sendmail_STARTTLS. STARTTLS is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication. Usually port 587 is used for SMTP_AUTH mail submission with STARTTLS, although port 465 with SSL is sometimes used for legacy mail clients.

Sendmail TLS (SSL) configuration

Configuration of TLS for use with Sendmail_STARTTLS should be improved beyond the defaults in Sendmail. Modern and secure SSL certificates should be used for proper security, see also Web server SSL best practices.

Documentation:

Sendmail SSL/TLS connection options

From Configuration of hidden Sendmail SSL/TLS connection options:

  • CipherList: This option configures the available cipher list for encrypted connections. Your cipher list can be tuned by using the openssl ciphers -v command. Stronger ciphers are obviously better. Excluding weak ciphers may mean that very old clients will be unable to connect. Note that with SSLv3 and TLS1.x the client, by default, will select its preferred cipher from the server’s list.

  • ServerSSLOptions: This option configures the OpenSSL connection flags used for the SSL/TLS connections into Sendmail. By default Sendmail, and most other applications using the OpenSSL library, uses the SSL_OP_ALL composite flag for its connections. This option allows these flags to be altered.

    • The first option to consider using is SSL_OP_CIPHER_SERVER_PREFERENCE. This option causes the server, rather than the client, to choose the cipher based on its preference order.

    • The next option to consider is SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. This option disables a countermeasure against a SSLv3/TLSv1 protocol vulnerability. This flag disables the countermeasure and is set by default when SSL_OP_ALL is used. Thus, if one wishes to have the vulnerability countermeasure enabled, this flag needs to be disabled.

    • Depending on the clients and servers of your Sendmail instance you may wish to consider the use of SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 and SSL_OP_NO_TLSv1.

    Note that the current version of Sendmail does not have support for OpenSSL’s SSL_OP_NO_TLS_v1_1 nor for SSL_OP_NO_TLSv1_2. These two could be quite useful and I have submitted a patch to Sendmail for these to be included. The value of this parameter is used to manipulate the bits passed to OpenSSL.

    Note that Sendmail starts with a value of SSL_OP_ALL and this option modifies that value – it does not reset it from scratch. You manipulate the value using [+]SSL_OP_XXX to SET the bits and using -SSL_OP_XXX to CLEAR the bits. Thus a value of +SSL_OP_ALL would have no effect (since those bits are already set. A value of -SSL_OP_ALL would result in no bits being set. A useful value might be +SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE.

  • ClientSSLOptions: This option configures the OpenSSL connection flags used for the SSL/TLS connections initiated by Sendmail. The parameter’s value works the same as for ServerSSLOptions.

Diffie-Hellmann parameters

Diffie–Hellman key exchange should be configured securely, see Guide_to_Deploying_Diffie-Hellman_for_TLS.

The Sendmail Diffie-Hellmann parameter file may be configured by:

define(`confDH_PARAMETERS', `/etc/pki/tls/certs/dh2048.pem')dnl

To generate the DH_PARAMETERS file, see man dhparam:

openssl dhparam 2048 > /etc/pki/tls/certs/dh2048.pem

From Sendmail 8.14.8 the Diffie-Hellman Keys of length 2048 Bit are supported inside Sendmail:

define(`confDH_PARAMETERS', `2048')dnl

Sendmail cipher list

From https://weakdh.org/sysadmin.html:

  • In the LOCAL_CONFIG section of your /etc/mail/sendmail.mc configure this:

    LOCAL_CONFIG
    dnl # Certificates and keys must also have been configured
    O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    dnl # Disable SSLv2, SSLv3, TLSv1.0 (TLSv1.1 and TLSv1.2 should be supported)
    dnl # O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_CIPHER_SERVER_PREFERENCE
    O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
    dnl # Set options required when operating as client to remote servers
    dnl # O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1
    O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
    

Here we have disabled also DES-CBC3-SHA because it’s insecure.

OPENSSL renegotiation Denial-Of-Service

The https://testssl.sh/ tool can be used to test for Secure Client-Initiated Renegotiation (CVE-2009-3555):

./testssl.sh -R --starttls smtp mail-server:587

and will show a warning for Sendmail:

Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok) , DoS threat

See How to test for Secure Client-Initiated Renegotiation DOS Danger.

The OPENSSL parameters SSL_OP_LEGACY_SERVER_CONNECT and SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION controls the usage of the vulnerable Renegotiation. The manual page man SSL_CTX_set_options (from the openssl-devel RPM) explains the SSL_OP_xxx parameters.

See also The Small Print for OpenSSL legacy_renegotiation.

Unfortunately, the parameters SSL_OP_LEGACY_SERVER_CONNECT and SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION are only accepted by Sendmail version 8.14.9 and later, see the source file sendmail/readcf.c.

To configure the LOCAL section of sendmail.mc (Sendmail 8.14.9 or newer) to clear the SSL legacy flags:

O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE -SSL_OP_LEGACY_SERVER_CONNECT -SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

Testing the Sendmail TLS

The https://testssl.sh/ tool can be used to test a mail-server port 587 (STARTTLS):

./testssl.sh --starttls smtp mail-server:587

or port 465 (TLS/SSL) used for legacy mail clients:

./testssl.sh mail-server:465

To display all TLS (SSL) parameters of a server mail-server port 587:

openssl s_client -starttls smtp -connect  mail-server:587 < /dev/null