Package: sendmail
Version: 8.18.1-6.1
Severity: important
Dear Maintainer,

tl;dr: the _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE build flag is required.

See also https://bugzilla.redhat.com/show_bug.cgi?id=1565341, which has a more complete description of the issue and shows that Fedora fixed this same issue over 6 years ago.

All public CAs, and many private CAs too, will use intermediate CAs to sign server certificates. Clients trust root CAs and depend on servers sending the rest of the chain to be able to validate the certificates. Sendmail will only send the complete chain if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE is enabled.

A well known workaround for this problem has been to add the intermediate CA certificates to the CACertFile. One simple method is to use the server chain file as both ServerCertFile and CACertFile. This makes the intermediate certificates available to the client, and validation will succeed.

This abuses a side effect. The real purpose of CACertFile is to configure the CAs the server will trust for client certificates. Adding a public CA to this list is likely to cause security issues: anyone can then get a valid client certificate, and will be trusted if the server is configured with, for example, AUTH EXTERNAL.

Building sendmail with this flag disabled encourages insecure configurations. Users should not be forced to abuse CACertFile like this, and should in fact be warned about the security implications of adding any CA outside their control to this file. Enabling _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE now is a good start.
Bjørn

-- System Information:
Debian Release: 12.8
  APT prefers stable-security
  APT policy: (700, 'stable-security'), (700, 'stable'), (699, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-27-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sendmail depends on:
ii  sendmail-base  8.18.1-6.1
ii  sendmail-bin   8.18.1-6.1
ii  sendmail-cf    8.18.1-6.1
ii  sensible-mda   8.18.1-6.1

sendmail recommends no packages.

Versions of packages sendmail suggests:
ii  rmail         8.18.1-6.1
ii  sendmail-doc  8.18.1-6.1

Versions of packages sensible-mda depends on:
ii  libc6                                2.36-9+deb12u9
ii  procmail                             3.22-27
ii  sendmail-bin [mail-transport-agent]  8.18.1-6.1

Versions of packages rmail depends on:
ii  libc6                                2.36-9+deb12u9
ii  libldap-2.5-0                        2.5.13+dfsg-5
ii  sendmail-bin [mail-transport-agent]  8.18.1-6.1

Versions of packages libmilter1.0.1 depends on:
ii  libc6  2.36-9+deb12u9

Versions of packages sendmail-bin depends on:
ii  debconf              1.5.82
ii  init-system-helpers  1.65.2
ii  libc6                2.36-9+deb12u9
ii  libdb5.3             5.3.28+dfsg2-1
ii  libldap-2.5-0        2.5.13+dfsg-5
ii  liblockfile1         1.17-1+b1
ii  libnsl2              1.3.0-2
ii  libsasl2-2           2.1.28+dfsg-10
ii  libssl3              3.0.15-1~deb12u1
ii  libwrap0             7.6.q-32
ii  procps               2:4.0.2-3
ii  sendmail-base        8.18.1-6.1
ii  sendmail-cf          8.18.1-6.1

Versions of packages sendmail-bin suggests:
ii  libsasl2-modules  2.1.28+dfsg-10
ii  openssl           3.0.15-1~deb12u1
ii  sasl2-bin         2.1.28+dfsg-10
ii  sendmail-doc      8.18.1-6.1

-- no debconf information