
Patch for sendmail (TLS handshake error)



	Hello,

	Since the Debian team has removed some ciphers from OpenSSL, sendmail is
unable to send mail to domains that use old ciphers.
The Sendmail team has committed a patch upstream to add:

FEATURE(`tls_failures', `8')

in sendmail.mc. After 8 TLS handshake failures, sendmail will switch to
unencrypted communication.

	This patch is attached. I have used this patch for a long time without any
trouble. Could you please patch the Debian package?

	Best regards,

	JB
diff -ruN sendmail-8.15.2-/cf/README sendmail-8.15.2/cf/README
--- sendmail-8.15.2-/cf/README	2015-06-17 09:51:58.000000000 -0700
+++ sendmail-8.15.2/cf/README	2015-07-22 20:42:14.000000000 -0700
@@ -1603,6 +1603,24 @@
 		has been compiled with the options MAP_REGEX and
 		DNSMAP.
 
+tls_failures	If enabled, the MTA will stop using STARTTLS on
+		outbound connections after a certain number of previous
+		failures with either PROTOCOL or SOFTWARE error. An
+		optional numeric value indicates the number of attempts
+		after which the MTA will give up trying STARTTLS:
+
+		FEATURE(`tls_failures', `8')
+
+		Once ${ntries} exceeds the value of 8, and if the
+		previous delivery ended up with a PROTOCOL or
+		SOFTWARE TLS errors, then the MTA will not use
+		STARTTLS. Default value for the parameter is 5.
+
+		Note: if you enforce TLS for the recipient or
+		destination then it is likely the message will
+		never be delivered as the TLS enforced criterias
+		are unlikely to be ever verified.
+
 +-------+
 | HACKS |
 +-------+
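Review bot: the README text leaves the security consequence of this feature implicit: once the threshold is crossed the MTA simply stops using STARTTLS to that destination, so the paragraph should say plainly that this is an intentional downgrade of opportunistic TLS to cleartext, and that the trigger is ${ntries}, the message's delivery-attempt counter, not a count of TLS failures specifically. Wording fixes in the same hunk: "ended up with a PROTOCOL or SOFTWARE TLS errors" should read "ended with a PROTOCOL or SOFTWARE TLS error", "criterias" should be "criteria", and since the example uses 8 while the next sentence gives 5 as the default, state that 8 is only the example value.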
diff -ruN sendmail-8.15.2-/cf/feature/tls_failures.m4 sendmail-8.15.2/cf/feature/tls_failures.m4
--- sendmail-8.15.2-/cf/feature/tls_failures.m4	1969-12-31 16:00:00.000000000 -0800
+++ sendmail-8.15.2/cf/feature/tls_failures.m4	2015-07-22 20:42:56.000000000 -0700
@@ -0,0 +1,17 @@
+divert(-1)
+#
+# Copyright (c) 2015 Proofpoint, Inc. and its suppliers.
+#	All rights reserved.
+#
+# By using this file, you agree to the terms and conditions set
+# forth in the LICENSE file which can be found at the top level of
+# the sendmail distribution.
+#
+#
+
+define(`_TLS_FAILURES_', `1')dnl
+define(`_NEED_MACRO_MAP_', `1')dnl
+define(`_TLS_FAILURES_CNT_', ifelse(len(X`'_ARG_),`1',`5',_ARG_)))dnl
+
+LOCAL_CONFIG
+C{persistentMacros}{saved_verify}
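Review bot: the check on the _TLS_FAILURES_CNT_ line only tests whether the FEATURE argument is empty (len(X`'_ARG_) equal to 1), so any non-numeric argument is accepted and later handed to the arith map in proto.m4; either validate that the value is an integer or document in the README that nothing else is accepted. The same line also has one more closing parenthesis than opening ones (three calls opened, four closes); under divert(-1) the stray `)` is discarded, but it should be removed so the define is unambiguous.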
diff -ruN sendmail-8.15.2-/cf/m4/proto.m4 sendmail-8.15.2/cf/m4/proto.m4
--- sendmail-8.15.2-/cf/m4/proto.m4	2015-05-22 06:42:27.000000000 -0700
+++ sendmail-8.15.2/cf/m4/proto.m4	2015-07-22 20:39:48.000000000 -0700
@@ -2686,7 +2686,11 @@
 R$*		$: $>D <$&{server_name}> <?> <! TLS_TRY_TAG> <>
 R<?>$*		$: $>A <$&{server_addr}> <?> <! TLS_TRY_TAG> <>
 R<?>$*		$: <$(access TLS_TRY_TAG`'_TAG_DELIM_ $: ? $)>
-R<?>$*		$@ OK
+ifdef(`_TLS_FAILURES_', `dnl
+R<?>$*				$: <?> $&{saved_verify} $| $(arith l $@ `'_TLS_FAILURES_CNT_`' $@ $&{ntries} $) $|  $1
+R<?> SOFTWARE $| TRUE $| $*	$#error $@ 5.7.1 $: "550 do not try TLS with " $&{server_name} " ["$&{server_addr}"] due to previous verify=SOFTWARE errors"
+R<?> PROTOCOL $| TRUE $| $*	$#error $@ 5.7.1 $: "550 do not try TLS with " $&{server_name} " ["$&{server_addr}"] due to previous verify=PROTOCOL errors"')
+R<?>$*				$@ OK
 ifdef(`_ATMPF_', `dnl tempfail?
 R<$* _ATMPF_>$*	$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
 R<NO>$*		$#error $@ 5.7.1 $: "550 do not try TLS with " $&{server_name} " ["$&{server_addr}"]"')
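Review bot: the new condition compares _TLS_FAILURES_CNT_ against $&{ntries}, which is the message's total delivery-attempt counter rather than a count of TLS failures, so a message that has already been retried past the threshold for unrelated reasons (temporary failures at the remote end, for example) is sent in cleartext after a single SOFTWARE or PROTOCOL result lands in ${saved_verify}; if the README wording "after a certain number of previous failures with either PROTOCOL or SOFTWARE error" is the intended behaviour, a dedicated persistent counter is needed instead of ${ntries}. Style point: the `ifdef(`_TLS_FAILURES_', ...)` here has no `, `dnl'` else branch, unlike the `_ATMPF_` ifdef just below it, so configurations without the feature get a stray blank line in the generated .cf.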
@@ -2769,6 +2773,8 @@
 R$*			$: $1 $| $>"Local_tls_server" $1
 R$* $| $#$*		$#$2
 R$* $| $*		$: $1', `dnl')
+ifdef(`_TLS_FAILURES_',`dnl
+R$*		$: $(macro {saved_verify} $@ $1 $) $1')
 ifdef(`_ACCESS_TABLE_', `dnl
 dnl store name of other side
 R$*		$: $(macro {TLS_Name} $@ $&{server_name} $) $1
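Review bot: this rule overwrites {saved_verify} with ${verify} on every pass through tls_server, so try_tls only ever sees the result of the most recent negotiation and the value is never cleared when STARTTLS is skipped entirely; that is acceptable for the feature's purpose, but it depends on {saved_verify} being listed in ${persistentMacros} (done in tls_failures.m4) to survive between queue runs, and a dnl comment here saying so, in the style of the "dnl store name of other side" comment that follows, would help the next reader. The ifdef also lacks the `, `dnl'` else branch that the neighbouring ifdefs in this ruleset use, leaving a blank line in the .cf when the feature is not enabled.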
