It is interesting that this CentOS 5.11 machine (one.domain.com)
transfers its mail to our internal mail server that runs CentOS
7.1.1503 (two.domain.com), and when the new openssl was updated June
16th on two.domain.com I had a similar problem. At that time when two.domain.com accepted tls from one.domain.com it failed until I enter
“Try_TLS:one.domain.com NO” in the /etc/mail/access file of two.domain.com.
My sendmail switches in one.domain.com include the following :
I would like to be able to continue using tls on one.domain.com, but am ready to turn it off until this can be debugged. Has this problem affected anyone else.
2 thoughts on - Sendmail Tls And Oppenssl
I should have had a note with a few more details. Sorry!
The os is CentOS 5.11 with the latest update of openssl causing the problem. I will use the name “one.domain.com”
Jul 03 04:19:14 Updated: openssl-0.9.8e-36.el5_11.i686
It is interesting that this CentOS 5.11 machine (one.domain.com)
transfers its mail to our internal mail server that runs CentOS
7.1.1503 (two.domain.com), and when the new openssl was updated June
16th on two.domain.com I had a similar problem. At that time when two.domain.com accepted tls from one.domain.com it failed until I enter
“Try_TLS:one.domain.com NO” in the /etc/mail/access file of two.domain.com.
My sendmail switches in one.domain.com include the following :
define(`confAUTH_OPTIONS’, `A p y’)dnl dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)dnl define(`confAUTH_MECHANISMS’, `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN PLAIN’)dnl dnl #
define(`confCACERT_PATH’, `/etc/pki/tls/certs’)dnl define(`confCACERT’, `/etc/pki/tls/certs/ca-bundle.crt’)dnl define(`confSERVER_CERT’, `/etc/pki/tls/certs/sendmail.pem’)dnl define(`confSERVER_KEY’, `/etc/pki/tls/certs/sendmail.pem’)dnl define(`confCLIENT_CERT’,`/etc/pki/tls/certs/sendmail.pem’)dnl define(`confCLIENT_KEY’,`/etc/pki/tls/certs/sendmail.pem’)dnl
I would like to be able to continue using tls on one.domain.com, but am ready to turn it off until this can be debugged. Has this problem affected anyone else.
Greg Ennis
Am 04.07.2015 um 15:34 schrieb Gregory P. Ennis:
are there (server- C7, client-side C5) any ciphers configured? One change addresses some weak DH parameters … https://rhn.redhat.com/errata/RHSA-2015-1197.html