Solved

Fixing commercial sendmail vulnerabilities

Posted on 2015-02-12
Last Modified: 2015-02-28
Our VA scan reported the following vulnerabilities on our 'commercial version'
of sendmail. I guess it's commercial because a developer put in a GUI interface for
whitelisting/blacklisting, but the underlying sendmail should still be there.

Attached Excel is the detailed sanitized scan results.

Which file do I edit, or what changes do I need to make, to address the
vulnerabilities below? (Please include every command step by step, including
restarting the sendmail service to make it effective.)

If a patch is needed, kindly provide the URL to download the patch. I'm
running on RHES 5.x.

SSL/TLS Cipher Suite Detect Anonymous/NULL Ciphers
SSL/TLS SSLv2 Detection
SSL/TLS MD5 Algorithm Certificate Signature Weakness
SSL/TLS SSLv3 CBC-mode Ciphers Fallback MitM Remote Cleartext Information
      Disclosure aka "POODLE"
SSL/TLS Cipher Suite Detect MD5
SSL/TLS Weak and Export Ciphers Detected
SSL/TLS Renegotiation Handshakes Man-in-the-Middle Plaintext Data Injection
OpenSSL: Crafted Handshake Weak Keying Material Rollback MitM Weakness
M-smtp-va.xlsx
Question by:sunhux
9 Comments

Author Comment

by:sunhux
ID: 40605399
The version of the underlying sendmail:

# more VERSION
2.1.7
# pwd
/usr/local/sendmail/smflow

# Copyright(c) 2002, 2003, 2005, 2006 Sendmail, Inc. and its suppliers.
#       All rights reserved.
# $Id: sendmail,v 1.16 2007/06/07 01:25:23 epaull Exp $

# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.

===================some info fr the logs ======================

# grep -i version maillog
Feb  8 14:26:09 xxx sm-mta[14430]: STARTTLS=client, relay=mail.s50.au.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb  8 14:26:25 xxx sm-mta[14689]: STARTTLS=client, relay=smtp3.hp.com.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb  8 14:26:32 xxx sm-mta[14796]: STARTTLS=client, relay=gmail-smtp-in.l.google.com.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128

=========================================

# find . -name '*conf' -print
./smflow-2.1/etc/snortsam.conf
./pgsql-1.0/conf
./mm-3.0/.install4j/i4jparams.conf
./smconsole-1.0/licenses/os/autoconf
./smadmin-3.3/monitor/conf
./smadmin-3.3/monitor/perconf
./smadmin-3.3/monitor/perconf/snmp.conf
./smadmin-3.3/apache/conf
./smadmin-3.3/apache/conf/httpd.conf
./smadmin-3.3/etc/cluster-fc.conf
./smadmin-3.3/etc/cluster-query.conf
./smadmin-3.3/etc/cluster-deploy.conf
./smmta-8.14/contrib/movemail.conf
./smmta-8.14/lib/sasl2/Sendmail.conf
[root@mvlsmtp01 sendmail]# pwd
/usr/local/sendmail

# more Sendmail.conf
pwcheck_method: auxprop
sasldb_path: /etc/mail/sasldb2
# pwd
/usr/local/sendmail/smmta-8.14/lib/sasl2


# service sendmail status
sendmail: status not implemented
# service sendmail
Starting sendmail MTA
sendmail MSP queue runner is already running
# service sendmail stat
Usage: sendmail {start|stop|restart}
       sendmail {start-mta|stop-mta|restart-mta}
       sendmail {start-mspq|stop-mspq|restart-mspq}
LVL 82

Accepted Solution

by:
David Johnson, CD, MVP earned 700 total points
ID: 40607074
Put the following lines in your sendmail.mc configuration file, in the LOCAL_CONFIG section:
LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Then restart the sendmail server (sudo service sendmail restart).
http://bit.ly/1DLg2Cd
Author Comment

by:sunhux
ID: 40607188
In which folder is sendmail.mc located?
LVL 14

Assisted Solution

by:kenfcamp
kenfcamp earned 400 total points
ID: 40607327

Author Comment

by:sunhux
ID: 40607361
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-email-mta.html#s2-email-mta-sendmail

The above link says not to edit /etc/mail/sendmail.cf directly.
Is there any harm if I do so?
LVL 14

Expert Comment

by:kenfcamp
ID: 40607706
You could, "if you're careful", but it's much easier (and standard practice) to modify the sendmail.mc file and rebuild the .cf file.

Remember to make a backup of the file(s) prior to modifying them. This way you'll be able to return to your previous state should there be issues with your configuration.

After implementing the new sendmail.cf file (built or modified), you will also need to restart your sendmail service.
Author Comment

by:sunhux
ID: 40609373
Just one last query / clarification:

LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Does the suggestion given by David Johnson above address all the reported vulnerabilities (reposted below)?

SSL/TLS Cipher Suite Detect Anonymous/NULL Ciphers
SSL/TLS SSLv2 Detection
SSL/TLS MD5 Algorithm Certificate Signature Weakness
SSL/TLS SSLv3 CBC-mode Ciphers Fallback MitM Remote Cleartext Information
      Disclosure aka "POODLE"
SSL/TLS Cipher Suite Detect MD5
SSL/TLS Weak and Export Ciphers Detected
SSL/TLS Renegotiation Handshakes Man-in-the-Middle Plaintext Data Injection
OpenSSL: Crafted Handshake Weak Keying Material Rollback MitM Weakness
LVL 64

Assisted Solution

by:btan
btan earned 900 total points
ID: 40609443
In fact RH has a post on disabling SSLv3 for Sendmail; (too bad) I did not register to see it:
https://access.redhat.com/solutions/1277743
In fact, since POODLE is a protocol issue, the only means is to disable it, as in the commands already shared for the config. In this case it disallows SSLv3 and SSLv2, including the weak hash.
CipherList=HIGH tells sendmail to only negotiate with ciphers that are categorized as “high” according to OpenSSL (which currently means cipher suites with key lengths larger than 128 bits and some cipher suites with 128-bit keys). Since these are always changing, it’s best to check directly with openssl documentation/resources on that.

ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE disables SSLv2, SSLv3, and tells openssl/sendmail to use the server’s preferences instead of the client preferences when choosing a cipher.

ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 is pretty much the same as above — don’t use SSLv2 or SSLv3 — but this time, it’s referring to client connections (outbound).
http://mikeberggren.com/post/101178147946/sendmail-sslv3

Just a note: you may even want to be specific about certain ciphers and hash algorithms for the "CipherList=" field, using this OpenSSL reference for appending to the configuration string. I do suggest explicitly excluding !RC4-SHA:!RC4-MD5 where possible, as they are likely still included in the HIGH ciphers (128 bits and above; you can check the SSLv3 support listing in the OpenSSL link).
https://www.openssl.org/docs/apps/ciphers.html
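As an added example (not code from the thread, from Sendmail, Inc. or from the product vendor), here is the whole procedure the answers above describe in one script: David Johnson's LOCAL_CONFIG block, kenfcamp's back-up-then-rebuild step, and btan's advice to name the excluded suites explicitly. Two points the answers do not spell out. First, OpenSSL's HIGH group still contains the anonymous DH suites (ADH-*), so HIGH alone leaves the "Anonymous/NULL Ciphers" finding open; !aNULL is the exclusion that closes it (RC4 is in MEDIUM, so !RC4 is there to make the intent explicit rather than to change what HIGH already does). Second, the configuration can only address the protocol and cipher-suite findings: the MD5 certificate-signature finding needs a certificate reissued with a SHA-2 signature, and the renegotiation and crafted-handshake findings are defects in the OpenSSL library sendmail is linked against (CVE-2009-3555 and CVE-2014-0224), which only an OpenSSL update fixes. The paths and the script name are assumptions: stock RHEL 5 keeps the m4 source at /etc/mail/sendmail.mc and builds it with the sendmail-cf package, while the bundled build in the question may keep its own copy under /usr/local/sendmail, so set MC and CF accordingly.

```shell
#!/bin/sh
# harden-sendmail-tls.sh (hypothetical name): apply the LOCAL_CONFIG TLS
# hardening to sendmail.mc, rebuild sendmail.cf and confirm the options landed.
# Added example, not part of the thread or of the product. Paths are assumptions.
MC=${MC:-/etc/mail/sendmail.mc}
CF=${CF:-/etc/mail/sendmail.cf}

# add_tls_hardening MC: back the .mc up and append the block exactly once.
# HIGH alone still admits anonymous DH (ADH-*), hence the explicit !aNULL;
# !eNULL, !MD5 and !RC4 name the other suites the scanner complained about.
add_tls_hardening() {
    mc=$1
    if grep -q '^O ServerSSLOptions=' "$mc"; then
        echo "$mc: TLS options already present, nothing to do" >&2
        return 0
    fi
    cp -p "$mc" "$mc.bak.$(date +%Y%m%d%H%M%S)"
    cat >> "$mc" <<'EOF'

LOCAL_CONFIG
O CipherList=HIGH:!aNULL:!eNULL:!MD5:!RC4
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
EOF
}

# tls_option_count FILE: how many of the three TLS options a .mc or .cf holds
# (3 after a successful edit or rebuild, 0 before).
tls_option_count() {
    grep -c -E '^O (CipherList|ServerSSLOptions|ClientSSLOptions)=' "$1"
}

# rebuild_cf MC CF: regenerate the .cf from the .mc the way the RHEL guide
# does (the .mc includes cf.m4 from the sendmail-cf package), keeping a
# backup of the previous .cf.
rebuild_cf() {
    mc=$1; cf=$2
    cp -p "$cf" "$cf.bak.$(date +%Y%m%d%H%M%S)"
    m4 "$mc" > "$cf.new" && mv "$cf.new" "$cf"
}

# Only act when explicitly asked; sourcing the file just defines the functions.
case ${1:-} in
    apply)
        add_tls_hardening "$MC"
        rebuild_cf "$MC" "$CF"
        echo "TLS options present in $CF: $(tls_option_count "$CF")"
        echo "now run: service sendmail restart   (this bundle also offers restart-mta)"
        ;;
esac
```

Run it as sh harden-sendmail-tls.sh apply on the MTA, then restart sendmail so the new .cf is read. Before relying on the RHEL openssl errata for the two library-level findings, run ldd on the sm-mta binary to see whether it uses the system libssl or a copy shipped with the product.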
LVL 64

Assisted Solution

by:btan
btan earned 900 total points
ID: 40609466
We can still stay with what was discussed above... you can further test with s_client(1); this way should work:
e.g. openssl s_client -connect mailhost:25 -starttls smtp -ssl3

This should result in a rejected connection if your mail server is configured correctly. But I thought to further share, as stated in this blog http://www.michaelm.info/blog/?p=1256, what one reader highlighted:
"Note that the current version of Sendmail does not have support for OpenSSL's SSL_OP_NO_TLS_v1_1 nor for SSL_OP_NO_TLSv1_2. These two could be quite useful and I have submitted a patch to Sendmail for these to be included."
Subsequently, the author (at that point of the article, sendmail-8.14.7) submitted two configuration patches, and they worked according to reader feedback:
http://www.michaelm.info/blog/?attachment_id=1288
http://www.michaelm.info/blog/?attachment_id=1289

And further, there is one for sendmail with ECDHE (why: with OpenSSL 1.0.1e, Google selects ECDHE-RSA-RC4-SHA for inbound mail): http://diario.beerensalat.info/2013/09/15/harden_your_servers.html
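As a second added example (again not code from the thread), a check worth running before the restart. btan's s_client probe shows what the server refuses, but not which existing peers the tighter CipherList will affect. The maillog the question quotes already records the negotiated suite per session, so the function below tallies STARTTLS lines whose cipher the new list would reject, for both directions. The cipher= field is the one to key on: in sendmail 8.14 the version= value comes from SSL_CIPHER_get_version(), the cipher's description, not the protocol that was negotiated, which is why every line in the question reads TLSv1/SSLv3. The sample log lines are constructed to match the question's format with made-up hostnames and addresses, and the log path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a sendmail maillog for
# STARTTLS sessions that negotiated a cipher the hardened CipherList refuses.
LOG=${LOG:-/var/log/maillog}   # assumption: the RHEL 5 default syslog target

# weak_tls_sessions LOGFILE: one line per (direction, relay, cipher) with a
# count, for sessions whose cipher is RC4, MD5-MAC, single DES, export grade,
# NULL or anonymous (ADH/AECDH). Parses the key=value tokens sendmail writes;
# the version= field is deliberately ignored (see the note above).
weak_tls_sessions() {
    grep 'STARTTLS=' "$1" | awk '{
        dir = ""; relay = ""; cipher = ""
        for (i = 1; i <= NF; i++) {
            f = $i; sub(/,$/, "", f)          # strip the trailing comma
            n = split(f, kv, "=")
            if (n < 2) continue               # not a key=value token
            if (kv[1] == "STARTTLS") dir = kv[2]
            if (kv[1] == "relay")    relay = kv[2]
            if (kv[1] == "cipher")   cipher = kv[2]
        }
        if (cipher ~ /RC4|MD5|DES-CBC-|EXP|NULL|^ADH|^AECDH/)
            print dir, relay, cipher
    }' | sort | uniq -c | sort -rn
}

# probe_sslv3 HOST: btan's s_client check wrapped as a function. A hardened
# server yields "Cipher is (NONE)"; an OpenSSL built without SSLv3 rejects
# the -ssl3 flag itself, which proves the same point.
probe_sslv3() {
    openssl s_client -connect "$1:25" -starttls smtp -ssl3 </dev/null 2>&1 |
        grep -E 'Cipher is|handshake failure|unknown option'
}

# sample_maillog FILE: constructed lines in the format the question shows;
# hostnames and addresses are made up.
sample_maillog() {
    cat > "$1" <<'EOF'
Feb  8 14:26:09 xxx sm-mta[14430]: STARTTLS=client, relay=mail.example.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb  8 14:26:32 xxx sm-mta[14796]: STARTTLS=client, relay=mx.example.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Feb  8 14:27:01 xxx sm-mta[14820]: STARTTLS=server, relay=scanner.example.org [192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=ADH-AES256-SHA, bits=256/256
Feb  8 14:27:40 xxx sm-mta[14901]: STARTTLS=client, relay=mx.example.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Feb  8 14:28:12 xxx sm-mta[14950]: STARTTLS=server, relay=old.example.org [192.0.2.11], version=TLSv1/SSLv3, verify=NO, cipher=DES-CBC-SHA, bits=56/56
EOF
}

# With no argument, run against the constructed sample; otherwise audit LOG.
if [ -z "${1:-}" ]; then
    tmp=$(mktemp)
    sample_maillog "$tmp"
    weak_tls_sessions "$tmp"
    rm -f "$tmp"
else
    weak_tls_sessions "$LOG"
fi
```

A peer that shows up in this tally will negotiate another suite after the change if it shares one with HIGH:!aNULL:!eNULL:!MD5:!RC4, and fail STARTTLS otherwise, so watch the log for those relays after the restart rather than assuming the scanner's silence means nothing broke.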