View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0016484 | CentOS-8 | sendmail | public | 2019-09-28 14:05 | 2019-10-09 19:33 |

Field | Value |
---|---|
Reporter | djast |
Priority | low |
Severity | minor |
Reproducibility | always |
Status | new |
Resolution | open |
Product Version | 8.0.1905 |
Target Version | |
Fixed in Version | |
Summary | 0016484: Default crypto policies prevent sendmail from delivering to pre-TLS1.2 sites |
Description | The default cryptographic policy prevents sendmail from being able to deliver mail to mail servers which advertise STARTTLS, but only support TLS 1.0/1.1. |
Steps To Reproduce | Configure sendmail on a site with cryptographic policies ("update-crypto-policies --show") set to DEFAULT; attempt to send mail to any site with a deprecated (e.g. CentOS 5) mail server which advertises STARTTLS but does not negotiate TLS 1.2. Observe (via "mailq") that the connection fails with a TLS handshake error. |
Additional Information | While it's stipulated that those protocols are broken and ideally should no longer be used, TLS is an optional component of SMTP; it is nonsensical that messages may be delivered using no encryption but not with weak encryption. Currently, to be able to deliver to such sites in general requires issuing the command "update-crypto-policies --set LEGACY", which relaxes cipher selection for all applications using the framework, which may not be desirable. (STARTTLS can be turned off on a per-site basis via the Try_TLS directive in /etc/mail/access, but falling back to TLS 1.0/1.1 would be preferable to turning off TLS entirely.) sendmail 8.16 reportedly includes a feature which will allow it to fall back to plaintext connections after a certain number of TLS failures; integrating this feature would acceptably solve the overall problem of not being able to deliver to old sites, but again, falling back to weak protocols would be a preferable approach to delivering the mail entirely in cleartext. |
Tags | crypto-policies |
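
The script below is added here as a worked diagnostic for the handshake failure the report describes; it is not the reporter's code and is not part of sendmail, crypto-policies or CentOS. It assumes a CentOS/RHEL 8 host with openssl(1) and coreutils timeout(1); mail.example.com and the PROBE_HOST/PROBE_PORT variables are placeholders, and the two transcripts are constructed samples of openssl s_client output. It goes a step beyond the single case in the report by probing each TLS version flag in turn, so the output shows exactly which versions the remote MX can negotiate before deciding between the LEGACY policy and a per-site Try_TLS exemption.

```shell
#!/bin/sh
# Added diagnostic for the STARTTLS failure in this report; not part of sendmail,
# crypto-policies or the CentOS bug. Assumes openssl(1) and timeout(1) on the
# probing host. PROBE_HOST / PROBE_PORT are placeholders set by the caller.

# Extract the protocol openssl s_client actually negotiated from its transcript.
# On success s_client prints "New, TLSv1.0, Cipher is AES128-SHA"; after a
# failed handshake it prints "New, (NONE), Cipher is (NONE)", reported as "none".
# The "Protocol :" field of the SSL-Session block is deliberately not used: it
# shows the version the client attempted even when the handshake failed.
negotiated_protocol() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' | head -n 1)
    case $proto in
        ''|'(NONE)') echo none ;;
        *) echo "$proto" ;;
    esac
}

# One STARTTLS handshake against $1:$2 pinned to the version flag in $3
# (-tls1, -tls1_1, -tls1_2 or -tls1_3). Prints the negotiated protocol or "none".
probe_starttls() {
    out=$(printf 'QUIT\r\n' | timeout 15 openssl s_client -connect "$1:$2" \
          -starttls smtp "$3" 2>&1)
    negotiated_protocol "$out"
}

# The per-site workaround the report mentions: an /etc/mail/access entry telling
# sendmail not to attempt STARTTLS with this host, so delivery is in cleartext.
# Activate it with: makemap hash /etc/mail/access.db < /etc/mail/access
access_try_tls_line() {
    printf 'Try_TLS:%s\tNO\n' "$1"
}

# Constructed, abridged sample transcripts standing in for live openssl output,
# so the parser can be exercised without network access.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.0, Cipher is AES128-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
250 2.0.0 Ok'

SAMPLE_FAIL='CONNECTED(00000003)
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Live probe, run only when the caller names a host, e.g.
#   PROBE_HOST=mail.example.com sh probe_starttls.sh
if [ -n "${PROBE_HOST:-}" ]; then
    echo "Local crypto policy: $(update-crypto-policies --show 2>/dev/null || echo unknown)"
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s -> %s\n' "$flag" "$(probe_starttls "$PROBE_HOST" "${PROBE_PORT:-25}" "$flag")"
    done
    echo "Per-site STARTTLS exemption for /etc/mail/access:"
    access_try_tls_line "$PROBE_HOST"
fi
```

One caveat: the probe uses the same system OpenSSL that the crypto policy governs, so on a DEFAULT host a "none" for -tls1 or -tls1_1 may reflect the local policy rather than the remote server. Run it from a host in LEGACY (or one outside the policy framework) when you need a trustworthy answer about what the remote MX itself offers.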

CentOS is a rebuild of the sources used to create RHEL. We do not modify anything except to remove branding and logos. You will need to submit your request to Red Hat via bugzilla.redhat.com and if/when RH accepts it and incorporates it into RHEL and releases a patched version, then CentOS will pick it up and rebuild it.