Does anyone here understand how sendmail’s TLS settings and the system crypto settings interact?
I need to send mails to a server which (obviously) uses less than perfect encryption. With the default settings, sendmail refuses to deliver mails, and gives a log message like this:
STARTTLS=client, error: connect failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1
ruleset=tls_server, arg1=SOFTWARE, relay=…, reject=403 4.7.0 TLS handshake failed.
18ODJWYA532026: to=…, delay=02:33:19, xdelay=00:00:02, mailer=esmtp, pri=392315, relay=… […], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.
If I lower the requirements system-wide with update-crypto-policies --set DEFAULT:FEDORA32 sendmail accepts the crypto the other side apparently supports.
STARTTLS=client, relay=…, version=TLSv1, verify=FAIL, cipher=AES256-SHA, bits=256/256
18FC4Msd1893243: to=…, delay=01:33:54, xdelay=00:00:02, mailer=esmtp, pri=422280, relay=… […], dsn=2.0.0, stat=Sent (18FDcIr4002287 Message accepted for delivery)
My question is: is it possible to allow this lower crypto setting, but only for this server? I tried a couple of different entries in /etc/mail/aliases, but I can’t get it to work. For example, I tried this which I thought would be pretty general, but it doesn’t seem to make any difference.
TLS_Clt_features:the.domain.name CipherList=ALL;
TLS_Clt_features:the.ip.address CipherList=ALL;
If I instead take the big hammer and turn off TLS completely
Try_TLS:the.domain.name NO
mails are delivered. Since this is on a reasonably protected internal network that might be ok, but I would prefer to have some encryption enabled.
Is there anyone here who knows how to do it?