[Mimedefang] OFF-TOPIC: Heartbleed Information / OpenSSL 1.0.1 TLS Incompatibility w/Sendmail and Exchange 2003
Kevin A. McGrail
KMcGrail at PCCC.com
Thu Apr 10 15:52:06 EDT 2014
All,
I thought this might be a good list where some people might care/comment
on a TLS/Sendmail issue we uncovered while dealing with Heartbleed.
We're using Sendmail 8.14.5 on a machine that had OpenSSL 1.0.0j. As a
safety measure due to heartbleed, we upgraded to open OpenSSL 1.0.1g.
We then found that we had a server running Microsoft Exchange 2003 that
we could not email. After turning on full logs we found it appeared to
be a TLS error.
STARTTLS=read: 1800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number:s3_pkt.c:337:
STARTTLS: read error=generic SSL error (-1), errno=0,
get_error=error:00000000:lib(0):func(0):reason(0), retry=99, ssl_err=1
STARTTLS=client, SSL_shutdown failed: -1
We then use try_tls <server> no in access and that worked.
We also then switched back to OpenSSL 1.0.0j and TLS worked again.
We then upgraded to 1.0.0l and TLS continued to work.
For those in a similar boat, this appears to be what Claus Assman refers
to as a "cipher list too long" bug where: "... this server has the
Exchange 2003 cipher-count limit problem. When RC4-SHA and RC4-MD5 are
too low on the cipher-list, TLS breaks."
He then recommends that "you need to set a different cipher list for
those servers. " from
https://groups.google.com/forum/#!topic/comp.mail.sendmail/SXR51LaIB_U
To do this, re-compile sendmail with -D_FFR_TLS_1 and change your cipher
list.
echo "APPENDDEF(\`conf_sendmail_ENVDEF', \`-D_FFR_TLS_1')" >>
devtools/Site/site.config.m4
You can also check if you have this feature with sendmail -d0.14 -bt <
/dev/null | grep FFR
Then add this to your mc and compile:
dnl# Do not allow SSLv2 and weak ciphers:dnl
O
CipherList=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-DES-CBC3-MD5:+SSLv3:+TLSv1:-SSLv2
http://www.thedumbterminal.co.uk/?action=showArticle&articleId=152
This change at least got us from 4.0.0, stat=Deferred: Input/output
error to 403 4.7.0 TLS handshake failed which at least was accurate
because before that we thought maybe the ISP was the issue.
Then after lots of playing around, we determined if we added RC4-MD5
right to the front of the ciphers that Microsoft appeared to connect and
other servers negotiated appropriate strong ciphers. So we ended up
using this:
O
CipherList=RC4-MD5:ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-DES-CBC3-MD5:+SSLv3:+TLSv1:-SSLv2
This worked and thanks to Claus for his original post. I thought more
people might need this help because of the prevalence of Exchange 2003
servers in the real-world and the sudden explosion of upgraded OpenSSL
libraries.
Regards,
KAM
More information about the MIMEDefang
mailing list