From: David Carvalho on 9 Jun 2010 13:03

Could it be related to running Fedora 12 for 64 bits and sendmail-8.14.3-8.fc12.x86_64 ? Why is my client finishing the connection (listed below in the ssldump log) ? I honestly don't know what else to do.
Regards
David

"David Carvalho" <dave_carvalho(a)hotmail.com> wrote in message news:hum0t7$m8t$1(a)speranza.aioe.org...
> Hi !
> I am having trouble since I replaced my e-mail server (hardware and to Fedora 12).
> Basically I'm using almost the same sendmail.mc file as in the previous server.
> The problem is that Windows XP clients running Outlook, Outlook Express or Windows Mail can not relay, as they fail to STARTTLS. On those systems everything works fine if using Thunderbird.
> Using Windows 7, and OS X everything works fine.
> In my previous server logs, I saw that these clients used RC4-MD5 cipher, but now I get
> STARTTLS=server, error: accept failed=-1, SSL_error=5, errno=104, retry=-1
> and other times
> STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1
> depending on which client.
>
> I've found some information confirming this issue with older Windows at
> http://www.skytale.net/blog/archives/22-SSL-cipher-settings.html
>
> How can I get those Windows clients to relay using the same e-mail clients?
> Any help appreciated.
> Regards
> David
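The two STARTTLS=server failures quoted above carry OpenSSL SSL_get_error() codes and a Linux errno, so they can be triaged straight from the maillog. The script below is an added example, not from the thread; it runs over constructed sample log lines modelled on the quoted ones and maps each SSL_error/errno pair to what the handshake did (errno 104 is ECONNRESET, which matches the client-side FIN seen later in the ssldump trace).

```python
import re
from collections import Counter

# OpenSSL SSL_get_error() return codes (ssl.h); sendmail logs them as SSL_error=N.
SSL_ERROR_NAMES = {
    0: "SSL_ERROR_NONE",
    1: "SSL_ERROR_SSL",
    2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE",
    4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL",
    6: "SSL_ERROR_ZERO_RETURN",
}
ECONNRESET = 104  # Linux errno: connection reset by peer

# Matches the error form of sendmail's STARTTLS=server log line; anything after
# retry= is ignored so trailing fields do not break the match.
ERROR_RE = re.compile(
    r"(?P<stamp>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"STARTTLS=server, error: accept failed=(?P<rc>-?\d+), "
    r"SSL_error=(?P<ssl_error>\d+), errno=(?P<errno>\d+), retry=(?P<retry>-?\d+)"
)

# Constructed sample maillog lines; the error fields mirror the ones quoted in the thread.
SAMPLE_LOG = """\
Jun  9 12:01:03 mail sendmail[2231]: STARTTLS=server, error: accept failed=-1, SSL_error=5, errno=104, retry=-1
Jun  9 12:02:17 mail sendmail[2240]: STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1
Jun  9 12:03:44 mail sendmail[2251]: STARTTLS=server, relay=laptop.example [10.0.0.7], version=TLSv1/SSLv3, verify=NO, cipher=AES128-SHA, bits=128/128
Jun  9 12:05:02 mail sendmail[2263]: STARTTLS=server, error: accept failed=-1, SSL_error=5, errno=104, retry=-1
"""


def explain(ssl_error, err):
    """Return (symbolic name, interpretation) for an SSL_error/errno pair."""
    name = SSL_ERROR_NAMES.get(ssl_error, "SSL_ERROR_%d" % ssl_error)
    if ssl_error == 5 and err == ECONNRESET:
        why = ("peer reset the TCP connection during the handshake: the client "
               "gave up after the server's Hello/Certificate messages")
    elif ssl_error == 5:
        why = "socket-level failure during the handshake (EOF or I/O error, errno=%d)" % err
    elif ssl_error == 1:
        why = ("OpenSSL protocol failure, e.g. no shared cipher or protocol "
               "version, or a record it could not parse")
    else:
        why = "see SSL_get_error(3)"
    return name, why


def parse_failures(log_text):
    """Extract every failed STARTTLS accept as a dict with its interpretation."""
    out = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue  # successful STARTTLS lines and unrelated entries are skipped
        ssl_error, err = int(m["ssl_error"]), int(m["errno"])
        name, why = explain(ssl_error, err)
        out.append({"stamp": m["stamp"], "pid": int(m["pid"]),
                    "ssl_error": name, "errno": err, "why": why})
    return out


def summarize(log_text):
    """Count failures by (SSL_error name, errno) so the dominant signature stands out."""
    return Counter((f["ssl_error"], f["errno"]) for f in parse_failures(log_text))


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print("%s pid=%d %s errno=%d: %s" % (f["stamp"], f["pid"], f["ssl_error"], f["errno"], f["why"]))
    print(summarize(SAMPLE_LOG))
```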
From: Ole Hansen on 9 Jun 2010 17:22

David Carvalho wrote:
> Thanks for the reply.
> This is what I get using openssl ciphers -v 'SSLv2'
>
> DES-CBC3-MD5    SSLv2 Kx=RSA      Au=RSA Enc=3DES(168) Mac=MD5
> RC2-CBC-MD5     SSLv2 Kx=RSA      Au=RSA Enc=RC2(128)  Mac=MD5
> RC4-MD5         SSLv2 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=MD5
> DES-CBC-MD5     SSLv2 Kx=RSA      Au=RSA Enc=DES(56)   Mac=MD5
> EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40)   Mac=MD5 export
> EXP-RC4-MD5     SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5 export
>
> searching for other RC4 encryptions with openssl ciphers -v | grep -i rc4
> I get:
> RC4-SHA          SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128) Mac=SHA1
> RC4-MD5          SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128) Mac=MD5
> PSK-RC4-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128) Mac=SHA1
> KRB5-RC4-SHA     SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128) Mac=SHA1
> KRB5-RC4-MD5     SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128) Mac=MD5
> EXP-RC4-MD5      SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)  Mac=MD5  export
> EXP-KRB5-RC4-SHA SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(40)  Mac=SHA1 export
> EXP-KRB5-RC4-MD5 SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(40)  Mac=MD5  export
>
> So I guess that openssl is not the issue here, as I have several supported RC4 types (both SSLv2 and SSLv3), right ?

Yes, it looks like openssl supports the lower-grade encryption modes just fine. Which suggests that sendmail on Fedora 12 might be compiled in a way not to allow those modes.

> How can I tell sendmail to also use SSLv2 RC4 ciphers ?

Good question. I'd start with documentation on sendmail compilation options (probably on sendmail.org and in the sendmail book). Or install the sendmail source RPM and browse the sendmail.spec file - that's where the Fedora-specific configuration is defined. The spec file usually contains a changelog, so maybe there is something obvious in there.

It's also possible that this is not a compilation option, but some setting that has changed in the default configuration files on Fedora 12.

I was actually going to install Fedora 13 next weekend, on a box that is partly a mailserver, so I will see for myself ...

> What do you mean by "Delete the "and" after "RC4-MD5"." ?

I don't know! I must have been half-asleep when I typed my message this morning. I thought the "and" was a typo, but it isn't. I need more coffee!!

> Thank you very much

You're welcome.

Ole

> Regards
> Dave
>
> "Ole Hansen" <ole.at.redvw.com(a)foo.net> wrote in message news:HBNPn.46366$Ak3.44098(a)newsfe16.iad...
>> Ole Hansen wrote:
>>> David Carvalho wrote:
>>>> Hi !
>>>> After installing ssldump, I could compare Windows XP and Windows 7 clients' STARTTLS negotiation.
>>>> While Windows 7 used TLS_RSA_WITH_AES_128_CBC_SHA via TLSv1/SSLv3,
>>>> the Windows XP output is
>>>>
>>>> New TCP connection #1: 10.0.0.252(5000) <-> my.server(25)
>>>> 1 1  0.0182 (0.0182)  C>S  SSLv2 compatible client hello
>>>>   Version 3.1
>>>>   cipher suites
>>>>   TLS_RSA_WITH_RC4_128_MD5
>>>>   TLS_RSA_WITH_RC4_128_SHA
>>>>   TLS_RSA_WITH_3DES_EDE_CBC_SHA
>>>>   SSL2_CK_RC4
>>>>   SSL2_CK_3DES
>>>>   SSL2_CK_RC2
>>>>   TLS_RSA_WITH_DES_CBC_SHA
>>>>   SSL2_CK_DES
>>>>   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>>>>   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>>>>   TLS_RSA_EXPORT_WITH_RC4_40_MD5
>>>>   TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>>>>   SSL2_CK_RC4_EXPORT40
>>>>   SSL2_CK_RC2_EXPORT40
>>>>   TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>>>>   TLS_DHE_DSS_WITH_DES_CBC_SHA
>>>>   TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
>>>>
>>>> 1 2  0.0188 (0.0005)  S>C  Handshake
>>>>       ServerHello
>>>>         Version 3.1
>>>>         session_id[32]=
>>>>           3e d1 e3 37 a1 47 c0 87 ff 1c 8b bf ab f3 fa 94
>>>>           f7 da e7 27 d1 54 cf 10 95 ad ec c9 b4 90 b1 6d
>>>>         cipherSuite         TLS_RSA_WITH_RC4_128_MD5
>>>>         compressionMethod   NULL
>>>> 1 3  0.0188 (0.0000)  S>C  Handshake
>>>>       Certificate
>>>> 1 4  0.0202 (0.0014)  S>C  Handshake
>>>> 1 5  0.0202 (0.0000)  S>C  Handshake
>>>> 1    0.0229 (0.0026)  C>S  TCP FIN
>>>> 1    0.0230 (0.0001)  S>C  TCP FIN
>>>> New TCP connection #2: 10.0.0.252(1025) <-> my.server(25)
>>>> 2   60.0266 (60.0266)  C>S  TCP FIN
>>>> 2   60.0267 (0.0000)   S>C  TCP FIN
>>>>
>>>> So how can I enable SSLv2 support, assuming that this is the problem ?
>>>> Any help appreciated.
>>>> Thanks and regards
>>>> David
>>
>> Oops, sorry for the hasty typing:
>>
>>> Well ... check if desired cipher/protocol etc. are enabled in openssl.
>>> If no, rebuild openssl with appropriate options.
>>> If yes, probably need to rebuild sendmail to enable lower-grade encryption.
>>>
>>> On my Fedora 11 box, SSLv2 and RC4-MD5 are definitely enabled in the default openssl installation. Don't know about the sendmail configuration, but RC4-MD5 and submission from Outlook Express/WinXP
>>
>> Delete the "and" after "RC4-MD5".
>>
>>> worked (as you know) still fine as recently as Fedora 9, so it should be
>>
>> Meant to say "shouldn't" not "should".
>>
>>> too hard to compare rpm spec files for some obvious changes in configuration options.
>>>
>>> HTH,
>>> Ole
From: David Carvalho on 10 Jun 2010 05:15

Thanks once again for the replies.
The output from sendmail -d0.13 < /dev/null is

Version 8.14.3
 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS TCPWRAPPERS USERDB USE_LDAP_INIT
 OS Defines: ADDRCONFIG_IS_BROKEN HASFCHOWN HASFCHMOD HASGETDTABLESIZE HASINITGROUPS HASLSTAT HASNICE HASRANDOM HASRRESVPORT HASSETREGID HASSETREUID HASSETRLIMIT HASSETSID HASSETVBUF HASURANDOMDEV HASSTRERROR HASUNAME HASUNSETENV HASWAITPID IDENTPROTO NEEDSGETIPNODE REQUIRES_DIR_FSYNC USE_DOUBLE_FORK USE_SIGLONGJMP
 Kernel symbols: /boot/vmlinux
 Conf file: /etc/mail/submit.cf (default for MSP)
 Conf file: /etc/mail/sendmail.cf (default for MTA)
 Pid file: /var/run/sendmail.pid (default)
 libsm Defines: SM_CONF_LDAP_INITIALIZE SM_CONF_LDAP_MEMFREE SM_CONF_LONGLONG SM_CONF_MEMCHR SM_CONF_MSG SM_CONF_SEM SM_CONF_SIGSETJMP SM_CONF_SHM SM_CONF_SSIZE_T SM_CONF_STDDEF_H SM_CONF_SYS_CDEFS_H SM_CONF_UID_GID DO_NOT_USE_STRCPY SM_HEAP_CHECK SM_OS=sm_os_linux SM_VA_STD
 FFR Defines: _FFR_TLS_1

So I see STARTTLS, SASLv2 and this last line _FFR_TLS_1, which is also on another mail server (running sendmail 8.14.1) that accepts relay from Windows XP running Outlook and Outlook Express.

I've found the following information.

LOCAL_CONFIG
O CipherList=ALL:!NULL:+HIGH:+MEDIUM:+SSLv3:+TLSv1:+SSLv2:RC4+RSA:RC4+MEDIUM:!EXP:!eNULL:!aNULL
define(`confTLS_SRV_OPTIONS',`C')

Apparently this should tell sendmail to accept SSLv2 ciphers and RC4, but it didn't work.
There are some clients for whom migrating from Outlook on Windows XP is not an option.
I'm getting desperate...
Thanks once again.
Regards
David
From: Scott on 10 Jun 2010 18:29

I was fighting this issue today, found the answer at:
http://warthog9.dreamwidth.org/25503.html

-Scott
From: Hugo Villeneuve on 11 Jun 2010 02:08

Scott <scott.l.miller(a)gmail.com> wrote:
> I was fighting this issue today, found the answer at:
> http://warthog9.dreamwidth.org/25503.html
>
> -Scott

Do I understand correctly that on your Fedora, "confCACERT/CACertFile" points to a file that contains all the public certificate authorities usually found in web browsers? And that is too big.

The tool "openssl s_client" is really wondrous for testing STARTTLS, even if not run from a Windows machine. For example, you could have used:

# openssl s_client -connect ip:25 -starttls smtp -showcerts -cipher RC4-MD5

Although it might have failed too. Usually the Subjects from all the certificates in CACertFile are listed after the header "Acceptable client certificate CA names".

sendmail is funny that way. Most other openssl-based tools I have used accept any client certificate provided. But sendmail limits client certificates only to children of some specified CA.

I'm too late to help but I'd like to know. The article you pointed to does not go into sendmail configuration details.

-- 
Hugo Villeneuve
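The s_client check Hugo describes can be turned into a repeatable audit: capture the output of the command he gives and read off the negotiated cipher and the length of the "Acceptable client certificate CA names" list that a browser-sized CACertFile produces. The script below is an added example, not from the thread; it parses a constructed s_client transcript (PEM blocks dropped, CA names made up) and the max_cas threshold is an assumed heuristic, not a limit sendmail or Windows defines.

```python
import re

# Constructed sample of `openssl s_client -connect host:25 -starttls smtp -showcerts`
# output with the PEM blocks removed. The CA names are made up; the section header
# and the "New, ..., Cipher is ..." summary line are what s_client really prints.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=PT/O=Example/CN=my.server
   i:/C=PT/O=Example/CN=Example Internal CA
---
Server certificate
subject=/C=PT/O=Example/CN=my.server
issuer=/C=PT/O=Example/CN=Example Internal CA
---
Acceptable client certificate CA names
/C=PT/O=Example/CN=Example Internal CA
/C=XX/O=Constructed Root CA 1
/C=XX/O=Constructed Root CA 2
/C=XX/O=Constructed Root CA 3
---
SSL handshake has read 3120 bytes and written 420 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
"""


def client_ca_names(text):
    """DNs the server advertised in its CertificateRequest (empty if none were sent)."""
    names, in_section = [], False
    for line in text.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            in_section = True
        elif in_section:
            if line.startswith("---"):
                break  # end of the CA-name section
            if line.strip():
                names.append(line.strip())
    return names


def negotiated(text):
    """(protocol, cipher) from the summary line; both are '(NONE)' when the handshake failed."""
    m = re.search(r"^New, (\S+), Cipher is (\S+)$", text, re.M)
    return (m.group(1), m.group(2)) if m else ("(NONE)", "(NONE)")


def handshake_read_bytes(text):
    """Bytes the client had to read to finish the handshake (size of the server's messages)."""
    m = re.search(r"SSL handshake has read (\d+) bytes", text)
    return int(m.group(1)) if m else 0


def audit(text, max_cas=10):
    """Summarise one s_client run; max_cas is an assumed threshold, not a sendmail limit."""
    cas = client_ca_names(text)
    proto, cipher = negotiated(text)
    findings = []
    if cipher == "(NONE)":
        findings.append("handshake failed: no cipher negotiated")
    if len(cas) > max_cas:
        findings.append("server advertises %d client-CA names (%d bytes of DNs); point "
                        "confCACERT at only the CA(s) that issue your client certificates"
                        % (len(cas), sum(len(n) for n in cas)))
    if "RC4" in cipher or cipher.endswith("MD5"):
        findings.append("legacy cipher %s negotiated; keep it only for the clients that need it" % cipher)
    return {"protocol": proto, "cipher": cipher, "ca_count": len(cas),
            "handshake_read": handshake_read_bytes(text), "findings": findings}


if __name__ == "__main__":
    for key, val in audit(SAMPLE_S_CLIENT, max_cas=3).items():
        print(key, val)
```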