SENDMAIL SSL efix: a Painless ifix

May 12, 2016

There is a good chance you are not using sendmail at all (on AIX) to receive mail. However, if you are, you should be using sendmail plus SSL. If you are using sendmail and SSL, you have probably applied the fix supplied last August (First Issued: Fri Aug  7 15:15:59 CDT 2015 | Updated: Tue Aug 18 09:19:51 CDT 2015) - see http://aix.software.ibm.com/aix/efixes/security/sendmail_advisory2.asc

Personally, I have not been using SENDMAIL. However, as I want to wean myself from web-based mail that stores all there is to know about me – I hope this changes soon (I shall save the old addresses for convenience). To prepare I need to get the basics done. This begins with supporting more secure SSL connections, i.e., no SSL2/SSL3 or early grade TLS (v1.0). These SSL concerns are addressed in the fix (again, check out the advisory).

From the efix messages:
+-----------------------------------------------------------------------------+
Efix Description
+-----------------------------------------------------------------------------+
IV75643: sendmail configured with TLS is affected by CVE-2015-40
IV74920: Disable RC4 cipher by default in sendmail
IV73417: Option to disable SSLv3 and SSLv2 in sendmail
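
One way to confirm that a listener no longer negotiates SSLv2/SSLv3, TLS v1.0 or RC4 once the fix is in place. This is an added example, not part of the advisory or the efix; the function names, the sample handshakes (constructed) and the host name in the comment are assumptions.

```shell
#!/bin/sh
# Classify the handshake summary printed by `openssl s_client`.
# Live use (mail.example.org is a placeholder host):
#   openssl s_client -starttls smtp -connect mail.example.org:25 \
#       </dev/null 2>/dev/null | tls_verdict

tls_verdict() {
    # Only the SSL-Session fields are trusted. The "New, TLSv1/SSLv3, ..."
    # banner of older OpenSSL names SSLv3 on every handshake, so a plain
    # grep for "SSLv3" would flag healthy servers; the banner is ignored.
    awk '
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
        END {
            # A failed handshake reports cipher 0000: no TLS was negotiated.
            if (proto == "" || cipher == "" || cipher == "0000") {
                print "NO-TLS"; exit
            }
            bad = ""
            if (proto ~ /^SSLv[23]$/ || proto == "TLSv1") bad = bad " protocol=" proto
            if (cipher ~ /RC4/) bad = bad " cipher=" cipher
            if (bad != "") print "WEAK:" bad
            else print "OK: " proto " " cipher
        }'
}

# Constructed sample: handshake against a listener that still allows SSLv3/RC4.
sample_weak() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is RC4-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
EOF
}

# Constructed sample: handshake against a listener restricted to TLS v1.2.
sample_ok() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
}

sample_weak | tls_verdict
sample_ok | tls_verdict
```

To test one protocol at a time, repeat the live command with a version option your openssl build supports (for example `-tls1`) and expect `NO-TLS` for the versions that should be disabled.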


Again - if you are using sendmail, but not with SSL - you can ignore this fix:

From the efix messages:
Please note that this fix only applies to the SSL-enabled sendmail binary, /usr/sbin/sendmail_ssl.  The default sendmail binary, /usr/sbin/sendmail,
does not use SSL and is therefore not vulnerable to POODLE, Bar Mitzvah and Logjam.


Fortunately, this is a painless ifix, as installp has been instructed to remove it during the next upgrade (rather than the ifix blocking installp update_all).

From the efix messages:
+-----------------------------------------------------------------------------+
Processing APAR reference file
+-----------------------------------------------------------------------------+
ATTENTION: Interim fix is enabled for automatic removal by installp.


More to come
Fairly soon, I hope, I will have an article on either rootvg.net or on how to use the m4 files to create a stronger sendmail.cf including support for SSL aka STARTTLS.
