From: Claus Assmann on
Hugo Villeneuve wrote:

> sendmail is funny that way. Most other openssl-based tools I used accept
> any client certificate provided. But sendmail limits client certificates
> only to children of some specified CA.

Can you please provide an example for this?

I've never seen this kind of problem; AFAICT sendmail accepts any
client certificate. Your client might have a problem however, as
sendmail includes a list of "acceptable" certs in the TLS handshake
(using SSL_CTX_set_client_CA_list()) as explained in op.me:

The file specified via CACertFile can contain several certificates
of CAs. The DNs of these certificates are sent to the client
during the TLS handshake (as part of the CertificateRequest) as
the list of acceptable CAs.

This server-side behaviour should be the same with most MTAs (as I
sometimes check the STARTTLS code in other open source software).
From: Ole Hansen on
Scott wrote:
> I was fighting this issue today, found the answer at:
> http://warthog9.dreamwidth.org/25503.html
>
> -Scott
>

Absolutely fascinating analysis. Thanks so much for posting the link.

Ole
From: David Carvalho on
Thank you very much for the replies. Sometimes I have some difficulties when
trying to post...

I'll modify sendmail.mc to use a smaller ca-bundle.crt file and then
compile it. I'll test this Monday and I'll post the results.
Thank you very much for all the replies.
David
"David Carvalho" <dave_carvalho(a)hotmail.com> wrote in message
news:hum0t7$m8t$1(a)speranza.aioe.org...
> Hi !
> I am having trouble since I replaced my e-mail server (hardware and to
> Fedora 12).
> Basically I'm using almost the same sendmail.mc file as in the previous
> server.
> The problem is that Windows XP clients running Outlook, Outlook Express or
> Windows Mail cannot relay, as they fail to STARTTLS. On those systems
> everything works fine if using Thunderbird.
> Using Windows 7 and OS X everything works fine.
> In my previous server logs, I saw that these clients used the RC4-MD5
> cipher, but now I get
> STARTTLS=server, error: accept failed=-1, SSL_error=5, errno=104, retry=-1
> and other times
> STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1
> depending on which client.
>
> I've found some information confirming this issue with older Windows at
> http://www.skytale.net/blog/archives/22-SSL-cipher-settings.html
>
> How can I get those Windows clients to relay using the same e-mail
> clients?
> Any help appreciated.
> Regards
> David
>
>
From: David Carvalho on
It worked!
I copied the default /etc/pki/tls/certs/ca-bundle.crt to
/etc/pki/tls/certs/ca-bundle.sendmail.crt, reduced its size from about
650KB to 270KB, and used make -C /etc/mail to generate the new sendmail.cf.
Restarted Sendmail and the result was immediate.
I've tested only on one client but I guess everything should be working fine
(if not, I'll be back :) )
Thank you all very much.
Regards
David
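As an added example (not code from the thread or from sendmail) of the mechanism Claus describes and the fix David applied: a stdlib-only Python script that walks every certificate in a CACertFile bundle, extracts the DER subject Name, and sums what SSL_CTX_set_client_CA_list() would place in the CertificateRequest's certificate_authorities field. The built-in sample bundle is constructed from unsigned, structure-only certificates; pass the path of a real ca-bundle.crt to measure yours.

```python
import base64
import re
import sys

def der_tlv(tag, body):
    """Encode one DER tag-length-value element (short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def read_tlv(buf, pos):
    """Parse the DER element at buf[pos]; return (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n
def subject_der(cert):
    """Return the raw DER Name that is the subject of an X.509 certificate."""
    _, tbs, _ = read_tlv(cert, 0)                  # Certificate ::= SEQUENCE { tbs, ... }
    _, pos, _ = read_tlv(cert, tbs)                # first field of tbsCertificate
    if cert[pos] == 0xA0:                          # skip optional [0] EXPLICIT version
        pos = read_tlv(cert, pos)[2]
    for _ in range(4):                             # serial, signature, issuer, validity
        pos = read_tlv(cert, pos)[2]
    return cert[pos:read_tlv(cert, pos)[2]]        # subject Name, header included

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def client_ca_list_bytes(bundle_pem):
    """certificate_authorities size: each CA subject is a 2-byte length + DER Name."""
    return sum(2 + len(subject_der(base64.b64decode(m.group(1))))
               for m in PEM_RE.finditer(bundle_pem))
def fake_cert_pem(cn):
    """Constructed, unsigned, structure-only certificate with CN=cn (sample data)."""
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,
               der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x13, cn.encode()))))
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    utc = der_tlv(0x17, b"240101000000Z")
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + der_tlv(0x30, utc + utc) + name + der_tlv(0x30, b""))
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert)
            + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":                         # usage: script.py [/path/to/ca-bundle.crt]
    bundle = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
              else b"".join(fake_cert_pem("Test CA %d" % i) for i in range(3)))
    print("certificate_authorities bytes:", client_ca_list_bytes(bundle))
```

Whatever size you end up with, keep only the CAs that actually issue the client certificates you want to accept; every extra CA in CACertFile is one more DN sent to every client in the handshake.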
