On 12/10/2011 20:36, Dean E. Weimer wrote:
> Well after searching the comp.mail.sendmail list through Google groups,
> I have come up with the following changes.
>
> I changed the original /etc/make.conf:
> from this:
> SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
> to:
> SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL -D_FFR_TLS_1
>
> redid the compile steps:
>
> Added this to the end of /etc/mail/hostname.mc:
> LOCAL_CONFIG
> O CipherList=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
>
> under /etc/mail
> executed the make, make install steps
>
> After restarting, an attempt to do:
> /usr/local/bin/openssl s_client -starttls smtp -cipher EXP-RC4-MD5 -connect localhost:25
>
> Failed, this successfully connected before these changes. Scans are
> running now, I will let you all know if it was successful.

_FFR_TLS_1 is actually already defined in the default sendmail on
FreeBSD. See /usr/src/usr.sbin/sendmail/Makefile around line 63. It's
also enabled in the ports version of sendmail, so long as you select the
WITH_TLS option.

I just added this setting to my sendmail config and it seems to work
using the ports sendmail without having to recompile anything.

It could certainly do with being mentioned in the documentation more
prominently. There's not a hint of the CipherList option in
/usr/share/sendmail/cf/README.

_FFR_SMTP_SSL on the other hand, doesn't appear anywhere under /usr/src
-- think that must be a fossil remnant from some older version of sendmail.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
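
Added example (not part of either message, and not sendmail or OpenSSL code): a small offline lint for the `O CipherList=` line discussed in this thread. It splits the value using the OpenSSL cipher-string operators (`!` permanent exclusion, `-` removal that later rules can undo, `+` reorder) and reports weak classes that are not excluded with `!`. The function names, the WEAK set and both sample fragments are assumptions made for this example.

```python
import re

# Weak classes the thread's CipherList rules out (set chosen for this example).
# Exact keyword match only: aliases such as EXPORT are not resolved.
WEAK = ("aNULL", "eNULL", "LOW", "EXP", "SSLv2")

# Constructed samples: the line from the thread, and a weaker hypothetical variant.
SAMPLE_GOOD = ("LOCAL_CONFIG\n"
               "O CipherList=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2\n")
SAMPLE_WEAK = ("LOCAL_CONFIG\n"
               "O CipherList=ALL:-EXP:!aNULL:!eNULL:!LOW:EXP-RC4-MD5\n")

def cipherlist_from_config(text):
    """Return the value of the last 'O CipherList=' line, or None if absent."""
    found = None
    for line in text.splitlines():
        m = re.match(r"O\s+CipherList\s*=\s*(\S.*)$", line)
        if m:
            found = m.group(1).strip()
    return found

def classify(cipher_string):
    """Group cipher-string tokens by leading operator ('!', '-', '+', or plain add)."""
    rules = {"!": [], "-": [], "+": [], "add": []}
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token:
            continue
        if token[0] in "!-+":
            rules[token[0]].append(token[1:])
        else:
            rules["add"].append(token)   # e.g. ALL, or an AND-combination like RC4+RSA
    return rules

def audit(config_text):
    """Return findings for weak classes that are not permanently excluded."""
    value = cipherlist_from_config(config_text)
    if value is None:
        return ["CipherList not set"]
    rules = classify(value)
    findings = []
    for weak in WEAK:
        if weak in rules["!"]:
            continue
        if weak in rules["-"]:
            findings.append(f"{weak}: removed with '-' only, later rules can re-add it")
        else:
            findings.append(f"{weak}: not excluded")
    return findings

if __name__ == "__main__":
    for name, sample in (("thread", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(name, audit(sample) or "no findings")
```

This checks only the text of the configuration; the `openssl s_client -starttls smtp -cipher EXP-RC4-MD5` test quoted above is still what confirms the running daemon's behaviour.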