View Issue Details

ID: 0016484
Project: CentOS-8
Category: sendmail
View Status: public
Last Update: 2019-10-09 19:33
Reporter: djast
Priority: low
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 8.0.1905
Target Version: (none)
Fixed in Version: (none)
Summary: 0016484: Default crypto policies prevent sendmail from delivering to pre-TLS1.2 sites
Description: The default cryptographic policy prevents sendmail from being able to deliver mail to mail servers which advertise STARTTLS, but only support TLS 1.0/1.1.

Steps To Reproduce: Configure sendmail on a site with cryptographic policies ("update-crypto-policies --show") set to DEFAULT; attempt to send mail to any site with a deprecated (e.g. CentOS 5) mail server which advertises STARTTLS but does not negotiate TLS 1.2. Observe (via "mailq") that the connection fails with a TLS handshake error.
Additional Information: While it's stipulated that those protocols are broken and ideally should no longer be used, TLS is an optional component of SMTP; it is nonsensical that messages may be delivered using no encryption but not with weak encryption.

Currently, to be able to deliver to such sites in general requires issuing the command "update-crypto-policies --set LEGACY", which relaxes cipher selection for all applications using the framework, which may not be desirable. (STARTTLS can be turned off on a per-site basis via the Try_TLS directive in /etc/mail/access, but falling back to TLS 1.0/1.1 would be preferable to turning off TLS entirely.)

sendmail 8.16 reportedly includes a feature which will allow it to fall back to plaintext connections after a certain number of TLS failures; integrating this feature would acceptably solve the overall problem of not being able to deliver to old sites, but again, falling back to weak protocols would be a preferable approach to delivering the mail entirely in cleartext.

Tags: crypto-policies
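The check and the per-site workaround the report refers to, written out as an added shell example (this is not part of the bug report, of CentOS, or of sendmail's own configuration). It assumes openssl s_client and makemap are installed; the peer hostname old.example.com is a placeholder. Note that the same system policy applies to openssl s_client, so a TLS 1.0/1.1 probe from the affected host would fail for the same reason sendmail does; the probe below therefore only confirms whether the peer can do TLS 1.2 at all.

```shell
#!/bin/sh
# Added example: diagnose a STARTTLS peer and disable TLS for that one peer
# in sendmail's access map instead of switching the whole host to LEGACY.

# Show the system-wide crypto policy currently in force (DEFAULT on a stock install).
show_policy() {
    update-crypto-policies --show
}

# Probe whether the remote MTA completes a TLS 1.2 handshake after STARTTLS.
# openssl s_client exits non-zero when the handshake fails, so the return
# status of this function is 0 only when TLS 1.2 is negotiated.
probe_tls12() {
    host="$1"
    printf 'QUIT\r\n' | openssl s_client -connect "${host}:25" -starttls smtp -tls1_2 >/dev/null 2>&1
}

# Build the /etc/mail/access entry that tells sendmail not to attempt
# STARTTLS when delivering to this one host (key and value are tab-separated).
access_line() {
    printf 'Try_TLS:%s\tNO\n' "$1"
}

# Append the entry and rebuild the hashed access.db that sendmail actually reads.
# Requires root; sendmail picks up the rebuilt map without a restart.
apply_access_line() {
    access_line "$1" >> /etc/mail/access
    makemap hash /etc/mail/access.db < /etc/mail/access
}

# Usage (hostname is a placeholder):
#   show_policy
#   probe_tls12 old.example.com || apply_access_line old.example.com
```

Scoping the exception to one peer in the access map keeps TLS 1.2 enforcement for every other destination, which is the narrower fix compared with "update-crypto-policies --set LEGACY"; the trade-off is that mail to that peer then travels in cleartext, exactly the outcome the report says it would rather avoid.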

Activities

TrevorH (manager), 2019-10-09 19:33, note ~0035412

CentOS is a rebuild of the sources used to create RHEL. We do not modify anything except to remove branding and logos. You will need to submit your request to Redhat via bugzilla.redhat.com and if/when RH accepts it and incorporates it into RHEL and releases a patched version, then CentOS will pick it up and rebuild it.

Issue History

Date Modified Username Field Change
2019-09-28 14:05 djast New Issue
2019-09-28 14:05 djast Tag Attached: crypto-policies
2019-10-09 19:33 TrevorH Note Added: 0035412