Configuring the encryption ciphers used with sendmail

By default, sendmail allows all SSL/TLS ciphers, including potentially insecure ones. To restrict the cipher list, add the following config to the end of the "sendmail.mc" configuration file:

LOCAL_CONFIG  
dnl# Do not allow SSLv2 and weak ciphers:dnl
O CipherList=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-DES-CBC3-MD5:+SSLv3:+TLSv1:-SSLv2

The SSL and TLS protocols can also be specified, using the following config lines:

O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Once the "sendmail.mc" file has been edited, build the "sendmail.cf" file and restart sendmail.

The sendmail config is rebuilt as follows on Slackware Linux; other distributions will vary:

cd /usr/share/sendmail/cf/cf
vi sendmail-slackware.mc
./Build sendmail-slackware.mc
cp sendmail-slackware.cf /etc/mail/sendmail.cf
/etc/rc.d/rc.sendmail stop
/etc/rc.d/rc.sendmail start
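
A check that can be run on the generated .cf file after ./Build and before it is copied to /etc/mail/sendmail.cf, to confirm the options above made it into the build. This is an added example, not part of the original page; the function names (cf_option, has_flag, audit_cf) are hypothetical, and it assumes the options appear in the built file as "O Name=value" lines, as in the config shown above.

```shell
#!/bin/sh
# Added example (not from the original page): check a built sendmail.cf
# for the TLS options described above before installing it.

# Print the value of "O NAME=value" from a cf file (last occurrence wins).
cf_option() {   # $1 = cf file, $2 = option name
    sed -n "s/^O[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed if the whitespace-separated option list $1 contains +$2.
has_flag() {
    for f in $1; do
        if [ "$f" = "+$2" ]; then return 0; fi
    done
    return 1
}

# Print one line per problem; the return status is the number of problems.
audit_cf() {
    cf=$1
    problems=0
    if [ -z "$(cf_option "$cf" CipherList)" ]; then
        echo "CipherList: not set"
        problems=$((problems + 1))
    fi
    for opt in ServerSSLOptions ClientSSLOptions; do
        val=$(cf_option "$cf" "$opt")
        for flag in SSL_OP_NO_SSLv2 SSL_OP_NO_SSLv3; do
            if ! has_flag "$val" "$flag"; then
                echo "$opt: missing +$flag"
                problems=$((problems + 1))
            fi
        done
    done
    return "$problems"
}

# Constructed sample input: a cf fragment with the client options left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
O CipherList=HIGH:!aNULL
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
EOF
audit_cf "$sample" || echo "problems found: $?"
rm -f "$sample"
```

To check a real build, call audit_cf with the path of the generated file, for example audit_cf sendmail-slackware.cf in the cf/cf directory.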

Last updated: 15/05/2015