Solved

Fixing commercial sendmail vulnerabilities

Posted on 2015-02-12
371 Views
Last Modified: 2015-02-28
Our VA scan reported the following vulnerabilities on our 'commercial-version'
of sendmail.  I guess it's commercial as a developer put in a GUI interface for
whitelisting/blacklisting but the underlying sendmail should still be there.

Attached Excel is the detailed sanitized scan results.

Which file do I edit or what changes do I need to make to address the
vulnerabilities below? (please include every command step by step, including
restarting the sendmail service to make it effective):

If a patch is needed, kindly provide the url to download the patch.  I'm
running on RHES 5.x

SSL/TLS Cipher Suite Detect Anonymous/NULL Ciphers
SSL/TLS SSLv2 Detection
SSL/TLS MD5 Algorithm Certificate Signature Weakness
SSL/TLS SSLv3 CBC-mode Ciphers Fallback MitM Remote Cleartext Information
      Disclosure aka "POODLE"
SSL/TLS Cipher Suite Detect MD5
SSL/TLS Weak and Export Ciphers Detected
SSL/TLS Renegotiation Handshakes Man-in-the-Middle Plaintext Data Injection
OpenSSL: Crafted Handshake Weak Keying Material Rollback MitM Weakness
Attachment: M-smtp-va.xlsx
Question by:sunhux
9 Comments

Author Comment

by:sunhux
ID: 40605399
The version of the underlying sendmail:

# more VERSION
2.1.7
# pwd
/usr/local/sendmail/smflow

# Copyright(c) 2002, 2003, 2005, 2006 Sendmail, Inc. and its suppliers.
#       All rights reserved.
# $Id: sendmail,v 1.16 2007/06/07 01:25:23 epaull Exp $

# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.

=================== some info from the logs ======================

# grep -i version maillog
Feb  8 14:26:09 xxx sm-mta[14430]: STARTTLS=client, relay=mail.s50.au.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb  8 14:26:25 xxx sm-mta[14689]: STARTTLS=client, relay=smtp3.hp.com.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb  8 14:26:32 xxx sm-mta[14796]: STARTTLS=client, relay=gmail-smtp-in.l.google.com.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128

=========================================

# find . -name *conf -print
./smflow-2.1/etc/snortsam.conf
./pgsql-1.0/conf
./mm-3.0/.install4j/i4jparams.conf
./smconsole-1.0/licenses/os/autoconf
./smadmin-3.3/monitor/conf
./smadmin-3.3/monitor/perconf
./smadmin-3.3/monitor/perconf/snmp.conf
./smadmin-3.3/apache/conf
./smadmin-3.3/apache/conf/httpd.conf
./smadmin-3.3/etc/cluster-fc.conf
./smadmin-3.3/etc/cluster-query.conf
./smadmin-3.3/etc/cluster-deploy.conf
./smmta-8.14/contrib/movemail.conf
./smmta-8.14/lib/sasl2/Sendmail.conf
[root@mvlsmtp01 sendmail]# pwd
/usr/local/sendmail

# more Sendmail.conf
pwcheck_method: auxprop
sasldb_path: /etc/mail/sasldb2
# pwd
/usr/local/sendmail/smmta-8.14/lib/sasl2


# service sendmail status
sendmail: status not implemented
# service sendmail
Starting sendmail MTA
sendmail MSP queue runner is already running
# service sendmail stat
Usage: sendmail {start|stop|restart}
       sendmail {start-mta|stop-mta|restart-mta}
       sendmail {start-mspq|stop-mspq|restart-mspq}

Accepted Solution

by:
David Johnson, CD, MVP earned 175 total points
ID: 40607074
Put the following lines in your sendmail.mc configuration file, in the LOCAL_CONFIG section:
LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Then restart the sendmail server (sudo service sendmail restart).
http://bit.ly/1DLg2Cd

Author Comment

by:sunhux
ID: 40607188
In which folder is sendmail.mc located?

Assisted Solution

by:kenfcamp
kenfcamp earned 100 total points
ID: 40607327

Author Comment

by:sunhux
ID: 40607361
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-email-mta.html#s2-email-mta-sendmail

the above link mentions not to edit /etc/mail/sendmail.cf directly.
Is there any harm if I do so?

Expert Comment

by:kenfcamp
ID: 40607706
You could, "if you're careful", but it's much easier (and standard practice) to modify the sendmail.mc file and rebuild the cf file.

Remember to make a backup of the file(s) prior to modifying them. This way you'll be able to return to your previous state should there be issues w/ your configuration.

After implementing the new sendmail.cf file (built or modified), you will also need to restart your sendmail service

Author Comment

by:sunhux
ID: 40609373
Just one last query / clarification:

LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Does the suggestion given by David Johnson above address all the reported vulnerabilities (reposted below)?

SSL/TLS Cipher Suite Detect Anonymous/NULL Ciphers
SSL/TLS SSLv2 Detection
SSL/TLS MD5 Algorithm Certificate Signature Weakness
SSL/TLS SSLv3 CBC-mode Ciphers Fallback MitM Remote Cleartext Information
      Disclosure aka "POODLE"
SSL/TLS Cipher Suite Detect MD5
SSL/TLS Weak and Export Ciphers Detected
SSL/TLS Renegotiation Handshakes Man-in-the-Middle Plaintext Data Injection
OpenSSL: Crafted Handshake Weak Keying Material Rollback MitM Weakness

Assisted Solution

by:btan
btan earned 225 total points
ID: 40609443
In fact RH has a post on disabling SSLv3 for Sendmail; (too bad) I did not register to see it:
https://access.redhat.com/solutions/1277743
In fact, since POODLE is a protocol issue, the only means is to disable it, as in the commands already shared for the config. In this case, it disallows SSLv3 and SSLv2, including the weak hash.
CipherList=HIGH tells sendmail to only negotiate with ciphers that are categorized as “high” according to OpenSSL (which currently means cipher suites with key lengths larger than 128 bits and some cipher suites with 128-bit keys). Since these are always changing, it’s best to check directly with openssl documentation/resources on that.

ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE disables SSLv2, SSLv3, and tells openssl/sendmail to use the server’s preferences instead of the client preferences when choosing a cipher.

ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 is pretty much the same as above — don’t use SSLv2 or SSLv3 — but this time, it’s referring to client connections (outbound).
http://mikeberggren.com/post/101178147946/sendmail-sslv3

Just a note, you may even want to be specific about certain cipher and hash algorithms in the "CipherList=" field, using this OpenSSL reference for appending to the configuration string. I do suggest explicitly excluding !RC4-SHA:!RC4-MD5 where possible, as they are likely still included in the HIGH ciphers (128 bits and above; you can check the SSLv3 support listing in the OpenSSL link).
https://www.openssl.org/docs/apps/ciphers.html

Assisted Solution

by:btan
btan earned 225 total points
ID: 40609466
We can still stay with the above discussed ... you can further test with s_client(1); this way should work:
e.g. openssl s_client -connect mailhost:25 -starttls smtp -ssl3

This should result in a rejected connection if your mail server is configured correctly. But I thought to further share, as stated in this blog http://www.michaelm.info/blog/?p=1256, that one reader highlighted:
"Note that the current version of Sendmail does not have support for OpenSSL's SSL_OP_NO_TLS_v1_1 nor for SSL_OP_NO_TLSv1_2. These two could be quite useful and I have submitted a patch to Sendmail for these to be included."
Subsequently, the author (at that point of the article on sendmail-8.14.7) submitted two patches/configurations, and they worked, from reader feedback:
http://www.michaelm.info/blog/?attachment_id=1288
http://www.michaelm.info/blog/?attachment_id=1289

And further there is one for sendmail with ECDHE (why: with OpenSSL 1.0.1e, Google selects ECDHE-RSA-RC4-SHA for inbound mail) http://diario.beerensalat.info/2013/09/15/harden_your_servers.html
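Pulling the thread together, here is an added example (editor's code, not from the original thread, Sendmail, Inc. or Red Hat): a POSIX shell script that (1) flags weak cipher suites in sendmail STARTTLS log lines like the ones the asker posted, (2) applies the LOCAL_CONFIG options from the accepted answer, with the cipher list tightened to also exclude RC4 and MD5 as btan suggested, then backs up, rebuilds sendmail.cf with m4 and restarts, and (3) runs the openssl s_client -ssl3 probe from btan's comment. The log lines are constructed; the /etc/mail paths are the stock RHEL layout and are an assumption (set MC and CF for the vendor's /usr/local/sendmail tree, whose .mc location the thread never establishes); and the O ServerSSLOptions/O ClientSSLOptions lines are only understood by sendmail builds that include those options (sendmail should log a readcf "unknown option name" error at startup if yours does not).

```shell
#!/bin/sh
# Added example, not code from the original thread. Paths are the stock
# RHEL sendmail layout (assumption); override MC/CF for a vendor tree.
MC=${MC:-/etc/mail/sendmail.mc}
CF=${CF:-/etc/mail/sendmail.cf}

# Constructed maillog sample (hosts and addresses are made up), in the
# format sendmail 8.14 writes for STARTTLS sessions.
SAMPLE_LOG='Feb  8 14:26:09 mx sm-mta[14430]: STARTTLS=client, relay=mail.example.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb  8 14:26:32 mx sm-mta[14796]: STARTTLS=client, relay=smtp.example.org., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Feb  8 14:27:01 mx sm-mta[14801]: STARTTLS=server, relay=[192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=EXP-RC4-MD5, bits=40/128
Feb  8 14:27:15 mx sm-mta[14802]: from=<a@example.com>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.11]'

# True (exit 0) when an OpenSSL suite name falls under the scan findings:
# anonymous DH/ECDH, NULL encryption, export grade, RC4, MD5 MAC, single DES.
# Triple DES (DES-CBC3) is deliberately not matched.
weak_cipher() {
    case "$1" in
        *ADH*|*AECDH*|*NULL*|EXP*|*EXPORT*|*RC4*|*MD5*|DES-CBC-SHA|*-DES-CBC-*)
            return 0 ;;
    esac
    return 1
}

# Read maillog on stdin; print "relay cipher" for each STARTTLS session that
# negotiated a weak suite. The version= field is not checked: sendmail logs
# the suite's version string there ("TLSv1/SSLv3" for suites usable under
# both), so it does not by itself prove that SSLv3 was negotiated.
audit_maillog() {
    while IFS= read -r line; do
        case "$line" in *STARTTLS=*) ;; *) continue ;; esac
        relay=$(printf '%s\n' "$line" | sed -n 's/.*relay=\([^,]*\),.*/\1/p')
        cipher=$(printf '%s\n' "$line" | sed -n 's/.*cipher=\([^,]*\),.*/\1/p')
        [ -n "$cipher" ] || continue
        if weak_cipher "$cipher"; then
            printf '%s %s\n' "$relay" "$cipher"
        fi
    done
}

# Back up sendmail.mc and sendmail.cf, append the LOCAL_CONFIG options from
# the accepted answer (cipher list tightened to also drop RC4 and MD5, as
# suggested later in the thread), rebuild the .cf and restart. Root only.
harden_sendmail() {
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$MC" "$MC.$stamp.bak" && cp -p "$CF" "$CF.$stamp.bak" || return 1
    if ! grep -q 'SSL_OP_NO_SSLv3' "$MC"; then
        cat >>"$MC" <<'EOF'
LOCAL_CONFIG
O CipherList=HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
EOF
    fi
    m4 "$MC" >"$CF.new" && mv "$CF.new" "$CF" || return 1
    service sendmail restart
}

# Probe from another host after the restart. A hardened server refuses the
# SSLv3-only handshake, so no certificate comes back. Needs an openssl with
# SSLv3 compiled in (RHEL 5's 0.9.8 has it; current releases do not).
probe_sslv3() {
    if openssl s_client -connect "$1:25" -starttls smtp -ssl3 </dev/null 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'; then
        echo "FAIL: $1 still completes an SSLv3 handshake"
        return 1
    fi
    echo "OK: $1 rejects SSLv3"
}

# Usage: harden-tls.sh audit < /var/log/maillog
#        harden-tls.sh probe mx.example.com
#        harden-tls.sh harden
# With no argument, audit the constructed sample above.
case "${1:-}" in
    audit)  audit_maillog ;;
    probe)  probe_sslv3 "$2" ;;
    harden) harden_sendmail ;;
    *)      printf '%s\n' "$SAMPLE_LOG" | audit_maillog ;;
esac
```

Run it with no arguments to see the two weak sessions in the sample flagged (the RC4-SHA relay and the export-grade EXP-RC4-MD5 one), then `audit < /var/log/maillog` on the real log before and after the change: outbound relays that previously negotiated RC4 should now show HIGH suites, and anything that fails to negotiate at all will show up in maillog as a STARTTLS failure rather than a weak cipher. The `-ssl3` probe is the authoritative SSLv3 check; the log audit covers the cipher-suite findings (anonymous/NULL, export, MD5, RC4) but not the SSLv2, renegotiation or OpenSSL-version findings, which need the scanner rerun or a patched OpenSSL.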
