Difference between revisions of "TLS Problems"

From Roaring Penguin
Jump to: navigation, search
Line 4: Line 4:
 
<ol>
 
<ol>
 
<li>Add this to the end of /etc/mail/sendmail.mc:
 
<li>Add this to the end of /etc/mail/sendmail.mc:
:<tt>--> LOCAL_CONFIG</tt>
+
:<tt>LOCAL_CONFIG</tt>
:<tt>--> dnl # Do not allow SSLv2 and weak ciphers</tt>
+
:<tt>dnl # Do not allow SSLv2 and weak ciphers</tt>
:<tt>--> O CipherList=HIGH:MEDIUM:!ADH:!MD5:!SSLv2</tt>
+
:<tt>O CipherList=HIGH:MEDIUM:!ADH:!MD5:!SSLv2</tt>
:<tt>--> O ClientSSLOptions=+SSL_OP_NO_TLSv1</tt>
+
:<tt> O ClientSSLOptions=+SSL_OP_NO_TLSv1</tt>
 
After you add the above lines, type:
 
After you add the above lines, type:
:<tt>--> make -C /etc/mail && /etc/init.d/sendmail reload</tt>
+
:<tt>make -C /etc/mail && /etc/init.d/sendmail reload</tt>
 
<li>If that doesn't help, you have to disable TLS with the machine gwmail.bradescoseguros.com.br.  Put this lines in /etc/mail/access:
 
<li>If that doesn't help, you have to disable TLS with the machine gwmail.bradescoseguros.com.br.  Put this lines in /etc/mail/access:
:<tt>--> Try_TLS:gwmail.bradescoseguros.com.br   NO</tt>
+
:<tt>Try_TLS:gwmail.bradescoseguros.com.br   NO</tt>
 
and again:  
 
and again:  
:<tt>--> make -C /etc/mail</tt>
+
:<tt>make -C /etc/mail</tt>
 
<li>If that still does not work, you may have to disable STARTTLS for now by removing  
 
<li>If that still does not work, you may have to disable STARTTLS for now by removing  
:<tt>--> include(`/etc/mail/tls/starttls.m4')dnl from sendmail.mc </tt>
+
:<tt>include(`/etc/mail/tls/starttls.m4')dnl from sendmail.mc </tt>
 
and running:
 
and running:
:<tt>--> make -C /etc/mail && /etc/init.d/sendmail reload</tt>
+
:<tt>make -C /etc/mail && /etc/init.d/sendmail reload</tt>
 
</ol>
 
</ol>
 
<div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div>
 
<div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div>
 
[[category:All]][[category:Security]]
 
[[category:All]][[category:Security]]

Revision as of 15:42, 20 June 2014

We've found that Debian 7's version of OpenSSL has problems interoperating with some other SSL implementations. Here are some things you can try:

  1. Add this to the end of /etc/mail/sendmail.mc:
    LOCAL_CONFIG
    dnl # Do not allow SSLv2 and weak ciphers
    O CipherList=HIGH:MEDIUM:!ADH:!MD5:!SSLv2
    O ClientSSLOptions=+SSL_OP_NO_TLSv1
    After you add the above lines, type:
    make -C /etc/mail && /etc/init.d/sendmail reload
  2. If that doesn't help, you have to disable TLS with the machine gwmail.bradescoseguros.com.br. Put this lines in /etc/mail/access:
    Try_TLS:gwmail.bradescoseguros.com.br NO
    and again:
    make -C /etc/mail
  3. If that still does not work, you may have to disable STARTTLS for now by removing
    include(`/etc/mail/tls/starttls.m4')dnl from sendmail.mc
    and running:
    make -C /etc/mail && /etc/init.d/sendmail reload