TLS Problems

From Roaring Penguin

Note on Debian 7 (Wheezy) and older

We've found that the version of OpenSSL shipped with Debian 7 has problems interoperating with some other SSL implementations when using the TLSv1 protocol. TLSv1 can be disabled as discussed below.

HOWEVER, many systems now refuse the older protocols that this version of Debian supports, namely SSLv2 and SSLv3. This means that if you disable TLSv1 to resolve the interoperability problems, you will leave no protocol in common with those pickier machines.

It is possible to selectively disable TLS to and from specific domains, which is also discussed below, but at this time it is highly recommended that you perform the necessary Debian Upgrades, specifically Upgrade to Jessie, in order to get access to stable versions of newer TLS protocols.

Versions of Debian older than Wheezy have even less protocol support, and it is recommended that you not use TLS at all on them, even with per-domain exceptions.

Disable TLS Globally

CanIt appliances do not ship with TLS enabled; if it is enabled on your appliance, that was done as instructed in our TLS Enable article.

To disable it, remove or comment out (by prefacing it with dnl) the configuration line:

   include(`/etc/mail/tls/starttls.m4')dnl

Then reconfigure Sendmail with:

   make -C /etc/mail && /etc/init.d/sendmail reload

Disable TLS for specific domains

Put this line in /etc/mail/access:

   Try_TLS:example.com	  NO

And run:

   make -C /etc/mail

See also: TLS Disable

Disable Specific Protocols and Ciphers

Add a LOCAL_CONFIG to the end of /etc/mail/sendmail.mc:

   LOCAL_CONFIG
   dnl # Do not allow SSLv2 and weak ciphers

You can then define appropriate ciphers:

   O CipherList=HIGH:MEDIUM:!ADH:!MD5:!SSLv2

This selects only HIGH or MEDIUM strength ciphers and excludes ADH (anonymous Diffie-Hellman), MD5-based and SSLv2 ciphers.
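To see what that CipherList actually selects on a given OpenSSL build, and to confirm the exclusions took effect, this added example (not from the original page or from CanIt) expands the string with Python's ssl module, which uses the same OpenSSL cipher-string syntax that Sendmail passes through unchanged. The token check and the 128-bit threshold are this example's own choices.

```python
import ssl

# The CipherList value from the LOCAL_CONFIG block above.
CIPHER_LIST = "HIGH:MEDIUM:!ADH:!MD5:!SSLv2"

# Tokens the '!' exclusions are meant to keep out of the selected suites.
FORBIDDEN_TOKENS = ("ADH", "MD5")


def expand_cipher_list(spec):
    """Return the suites the local OpenSSL selects for an OpenSSL cipher string.

    Sendmail hands CipherList to OpenSSL unchanged, so the same string given to
    an ssl.SSLContext shows what the MTA would offer or accept. TLS 1.3 suites
    are reported too, because OpenSSL configures those separately from this list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing is selectable
    return ctx.get_ciphers()


def find_violations(ciphers, forbidden=FORBIDDEN_TOKENS):
    """Return names of suites that still carry a forbidden token (e.g. RC4-MD5).

    An empty list means the exclusions in the cipher string held.
    """
    bad = []
    for c in ciphers:
        tokens = c["name"].replace("_", "-").split("-")
        if any(t in forbidden for t in tokens):
            bad.append(c["name"])
    return bad


def weak_suites(ciphers, min_bits=128):
    """Return names of selected suites below min_bits of effective strength.

    MEDIUM still admits 112-bit 3DES on OpenSSL 1.1.0 and later builds that
    ship it, which the exclusions above do not remove.
    """
    return [c["name"] for c in ciphers if c["strength_bits"] < min_bits]


def report(spec):
    """Print one line per selected suite and return (violations, weak)."""
    ciphers = expand_cipher_list(spec)
    for c in ciphers:
        print(f"{c['protocol']:<8} {c['strength_bits']:>3} bits  {c['name']}")
    violations, weak = find_violations(ciphers), weak_suites(ciphers)
    print(f"forbidden tokens present: {violations or 'none'}")
    print(f"suites under 128 bits: {weak or 'none'}")
    return violations, weak


if __name__ == "__main__":
    report(CIPHER_LIST)
```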

You can also disable protocols like:

   O ClientSSLOptions=+SSL_OP_NO_TLSv1

This would work around the Wheezy TLSv1 problem for connections that Sendmail initiates, which is what ClientSSLOptions governs.

After adding either option, reconfigure Sendmail with:

   make -C /etc/mail && /etc/init.d/sendmail reload