Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Fixing a commercial sendmail vulnerabilities

Posted on 2015-02-12
9
Medium Priority
?
448 Views
Last Modified: 2015-02-28
Our VA scan reported the following vulnerabilities on our 'commercial-version'
of sendmail.  I guess it's commercial as a developer put in a GUI interface for
whitelisting/blacklisting but the underlying sendmail should still be there.

Attached Excel is the detailed sanitized scan results.

Which file do I edit or what changes do I need to make to address the
vulnerabilities below?   (pls include every command step by step including
restarting the sendmail service to make it effective) :

If a patch is needed, kindly provide the url to download the patch.  I'm
running on RHES 5.x

SSL/TLS Cipher Suite Detect Anonymous/NULL Ciphers
SSL/TLS SSLv2 Detection
SSL/TLS MD5 Algorithm Certificate Signature Weakness
SSL/TLS SSLv3 CBC-mode Ciphers Fallback MitM Remote Cleartext Information
      Disclosure aka "POODLE"
SSL/TLS Cipher Suite Detect MD5
SSL/TLS Weak and Export Ciphers Detected
SSL/TLS Renegotiation Handshakes Man-in-the-Middle Plaintext Data Injection
OpenSSL: Crafted Handshake Weak Keying Material Rollback MitM Weakness
M-smtp-va.xlsx
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
9 Comments
 

Author Comment

by:sunhux
ID: 40605399
The version of the underlying sendmail:

# more VERSION
2.1.7
# pwd
/usr/local/sendmail/smflow

# Copyright(c) 2002, 2003, 2005, 2006 Sendmail, Inc. and its suppliers.
#       All rights reserved.
# $Id: sendmail,v 1.16 2007/06/07 01:25:23 epaull Exp $

# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.

===================some info fr the logs ======================

# grep -i version maillog
Feb  8 14:26:09 xxx sm-mta[14430]: STARTTLS=client, relay=mail.s50.au.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb  8 14:26:25 xxx sm-mta[14689]: STARTTLS=client, relay=smtp3.hp.com.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb  8 14:26:32 xxx sm-mta[14796]: STARTTLS=client, relay=gmail-smtp-in.l.google.com.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128

=========================================

# find . -name *conf -print
./smflow-2.1/etc/snortsam.conf
./pgsql-1.0/conf
./mm-3.0/.install4j/i4jparams.conf
./smconsole-1.0/licenses/os/autoconf
./smadmin-3.3/monitor/conf
./smadmin-3.3/monitor/perconf
./smadmin-3.3/monitor/perconf/snmp.conf
./smadmin-3.3/apache/conf
./smadmin-3.3/apache/conf/httpd.conf
./smadmin-3.3/etc/cluster-fc.conf
./smadmin-3.3/etc/cluster-query.conf
./smadmin-3.3/etc/cluster-deploy.conf
./smmta-8.14/contrib/movemail.conf
./smmta-8.14/lib/sasl2/Sendmail.conf
[root@mvlsmtp01 sendmail]# pwd
/usr/local/sendmail

# more Sendmail.conf
pwcheck_method: auxprop
sasldb_path: /etc/mail/sasldb2
# pwd
/usr/local/sendmail/smmta-8.14/lib/sasl2


# service sendmail status
sendmail: status not implemented
# service sendmail
Starting sendmail MTA
sendmail MSP queue runner is already running
# service sendmail stat
Usage: sendmail {start|stop|restart}
       sendmail {start-mta|stop-mta|restart-mta}
       sendmail {start-mspq|stop-mspq|restart-mspq}
0
 
LVL 83

Accepted Solution

by:
David Johnson, CD, MVP earned 700 total points
ID: 40607074
Put the following lines in your sendmail.mc configuration file, in the LOCAL_CONFIG section:
LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Then restart the sendmail server (sudo service sendmail restart).
http://bit.ly/1DLg2Cd
0
 

Author Comment

by:sunhux
ID: 40607188
In which folder sendmail.mc located?
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 14

Assisted Solution

by:kenfcamp
kenfcamp earned 400 total points
ID: 40607327
0
 

Author Comment

by:sunhux
ID: 40607361
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-email-mta.html#s2-email-mta-sendmail

the above link mentions not to edit /etc/mail/sendmail.cf directly.
Is there any harm if I do so?
0
 
LVL 14

Expert Comment

by:kenfcamp
ID: 40607706
You could, "if you're careful", but it's much easier (and standard practice) to modify the sendmail.mc file and rebuild the cf file.

Remember to make a backup of the file(s) prior to modifying them. This way you'll be able to return to your previous state should there be issues w/ your configuration.

After implementing the new sendmail.cf file (built or modified), you will also need to restart your sendmail service
0
 

Author Comment

by:sunhux
ID: 40609373
Just one last query / clarification:

LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Does the suggestion given by David Johnson above addresses all the reported vulnerabilities (reposted below) ?

SSL/TLS Cipher Suite Detect Anonymous/NULL Ciphers
SSL/TLS SSLv2 Detection
SSL/TLS MD5 Algorithm Certificate Signature Weakness
SSL/TLS SSLv3 CBC-mode Ciphers Fallback MitM Remote Cleartext Information
      Disclosure aka "POODLE"
SSL/TLS Cipher Suite Detect MD5
SSL/TLS Weak and Export Ciphers Detected
SSL/TLS Renegotiation Handshakes Man-in-the-Middle Plaintext Data Injection
OpenSSL: Crafted Handshake Weak Keying Material Rollback MitM Weakness
0
 
LVL 65

Assisted Solution

by:btan
btan earned 900 total points
ID: 40609443
In fact RH has a post to disable SSLv3 for Sendmail, (too bad) I did  not register to see it
https://access.redhat.com/solutions/1277743
in fact since Poodle is a protocol issue, the only means is disable it as in the commands shared already into the config. IN this case, it disallow SSL v3 and SSLv2, including the weak hash
CipherList=HIGH tells sendmail to only negotiate with ciphers that are categorized as “high” according to OpenSSL (which currently means cipher suites with key lengths larger than 128 bits and some cipher suites with 128-bit keys). Since these are always changing, it’s best to check directly with openssl documentation/resources on that.

ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE disables SSLv2, SSLv3, and tells openssl/sendmail to use the server’s preferences instead of the client preferences when choosing a cipher.

ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 is pretty much the same as above — don’t use SSLv2 or SSLv3 — but this time, it’s referring to client connections (outbound).
http://mikeberggren.com/post/101178147946/sendmail-sslv3

Just a note, you may even want to be specific on certain cipher and hash aglo for the "CipherList=" field using this Openssl ref for the appending the configuration string. I do suggest to explicitly exclude !RC4-SHA:!RC4-MD5 where possible as likely they are still include in HIGH cipher (128bits and above, you can check out in the SSLv3 support listing in openssl link)
https://www.openssl.org/docs/apps/ciphers.html
0
 
LVL 65

Assisted Solution

by:btan
btan earned 900 total points
ID: 40609466
We can still stay with above discussed ...you can further test with s_client(1) this way should work:
e.g. openssl s_client -connect mailhost:25 -starttls smtp -ssl3

This should result in rejected connection if your mail server is configured correctly. But thought to further share as stated in this blog http://www.michaelm.info/blog/?p=1256, that one reader highlighted
“. Note that the current version of Sendmail does not have support for OpenSSL’s SSL_OP_NO_TLS_v1_1 nor for SSL_OP_NO_TLSv1_2. These two could be quite useful and I have submitted a patch to Sendmail for these to be included.”
Subsequently, the author (at hat pt of article is sendmail-8.14.7) submitted two patches configuration and they worked from reader feedback
http://www.michaelm.info/blog/?attachment_id=1288
http://www.michaelm.info/blog/?attachment_id=1289

And further there is one for sendmail with ECDHE (why - with OpenSSL 1.0.1e. Google selects ECDHE-RSA-RC4-SHA for inbound mail) http://diario.beerensalat.info/2013/09/15/harden_your_servers.html
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question