Bug#1106146: sendmail: please enable _FFR_CLIENTCA
Package: sendmail
Version: 8.18.1-6
Severity: wishlist
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear Maintainer,
Quoting from sendmail/conf.c:
#if _FFR_CLIENTCA
/*
** Allow to set client specific CA values.
** CACertFile: see doc/op.*:
** "The DNs of these certificates are sent to the client
** during the TLS handshake (as part of the CertificateRequest)
** as the list of acceptable CAs.
** However, do not list too many root CAs in that file,
** otherwise the TLS handshake may fail;"
** In TLSv1.3 the certs in CACertFile are also sent by
** the client to the server and there is seemingly a
** 16KB limit (just in OpenSSL?).
** Having a separate CACertFile for the client
** helps to avoid this problem.
*/
"_FFR_CLIENTCA",
#endif
Like any other MTA, sendmail will operate as both server and client.
_FFR_CLIENTCA enables sendmail to validate peer certificates using a
different set of root CAs for the two modes. This is required in cases
where we
1) must validate the peer certificate against a list of public CAs in
client mode, and
2) must validate the peer certificate against a private CA in server
mode
Given MTA-STS, this will be the case for all installations, with an
empty list of list of private CAs for client authentication by default.
Note that _FFR_CLIENTCA can safely be enabled without updating existing
configurations. sendmail/deliver.c automatically falls back to
CACertPath and CACertFile if the new options ClientCACertPath and
ClientCACertFile are undefined, behaving exactly as if _FFR_CLIENTCA
was not enabled.
Future default configurations should point the new client mode options
to the system public CA list for proper MTA-STS support:
O ClientCACertFile=/etc/ssl/certs/ca-certificates.crt
O ClientCACertPath=/etc/ssl/certs
and recommend a private sendmail-specific CA for the server mode CA
options. E.g
O CACertFile=/etc/mail/tls/sendmail-private-ca.pem
O CACertPath=/dev/null
or similar
Bjørn
- -- System Information:
Debian Release: 12.11
APT prefers stable-security
APT policy: (700, 'stable-security'), (700, 'stable'), (699, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-35-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sendmail depends on:
ii sendmail-base 8.18.1-6
ii sendmail-bin 8.18.1-6
ii sendmail-cf 8.18.1-6
ii sensible-mda 8.18.1-6
sendmail recommends no packages.
Versions of packages sendmail suggests:
ii rmail 8.18.1-6
ii sendmail-doc 8.18.1-6
Versions of packages sensible-mda depends on:
ii libc6 2.36-9+deb12u10
ii procmail 3.22-27
ii sendmail-bin [mail-transport-agent] 8.18.1-6
Versions of packages rmail depends on:
ii libc6 2.36-9+deb12u10
ii libldap-2.5-0 2.5.13+dfsg-5
ii sendmail-bin [mail-transport-agent] 8.18.1-6
Versions of packages libmilter1.0.1 depends on:
ii libc6 2.36-9+deb12u10
Versions of packages sendmail-bin depends on:
ii debconf 1.5.82
ii init-system-helpers 1.65.2
ii libc6 2.36-9+deb12u10
ii libdb5.3 5.3.28+dfsg2-1
ii libldap-2.5-0 2.5.13+dfsg-5
ii liblockfile1 1.17-1+b1
ii libnsl2 1.3.0-2
ii libsasl2-2 2.1.28+dfsg-10
ii libssl3 3.0.16-1~deb12u1
ii libwrap0 7.6.q-32
ii procps 2:4.0.2-3
ii sendmail-base 8.18.1-6
ii sendmail-cf 8.18.1-6
Versions of packages sendmail-bin suggests:
ii libsasl2-modules 2.1.28+dfsg-10
ii openssl 3.0.16-1~deb12u1
ii sasl2-bin 2.1.28+dfsg-10
ii sendmail-doc 8.18.1-6
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
iGwEARECACwWIQR3fjfc8EF8nPbC0aDXSuqSjBsiyQUCaCxT5w4cYmpvcm5AbW9y
ay5ubwAKCRDXSuqSjBsiyfYtAJ9rbXQJKaBDpJ3qrSWxCq1pWUBg3QCePoYlERwy
z/EQ8c/m6sk1b1ljLB8=
=vAnH
-----END PGP SIGNATURE-----
Reply to: