How to disable "SSLv3" in sendmail

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 5, 6, 7 (RHEL)
  • sendmail
  • openssl

Issue

  • How do I disable SSLv3 when using sendmail?
  • How do I avoid CVE-2014-3566 (aka POODLE) when using sendmail?

Resolution

For RHEL5, RHEL6 and RHEL7

To disable SSLv3 in sendmail under RHEL6 or RHEL7, first ensure that the openssl package has been updated to the latest available version.
Next, edit /etc/mail/sendmail.mc. Locate the section starting with LOCAL_CONFIG, or go to the end of the file and add the LOCAL_CONFIG line there, and add the following:

LOCAL_CONFIG
dnl # use for most secure connections
O CipherList=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
dnl #
dnl # use if compatibility with early Microsoft products is needed
dnl O CipherList=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!DES:!EXP:!SEED:!IDEA:!3DES
dnl #
dnl # Set options required when operating as server
dnl # Certificates and keys must also have been configured
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
dnl #
dnl # Set options required when operating as client to remote servers
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
dnl #

Rebuild the runtime configuration file sendmail.cf:

make -C /etc/mail

Restart the sendmail service:

service sendmail restart
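
A check that can follow the rebuild, as an added example that is not part of the original solution: it confirms that the generated sendmail.cf sets both ServerSSLOptions and ClientSSLOptions with +SSL_OP_NO_SSLv3 on active lines, which catches an option left commented out or a sendmail.cf that was never rebuilt. The function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a generated sendmail.cf for the SSLv3-disabling options.
# check_sslv3_disabled FILE -> returns 0 only if every active ServerSSLOptions
# and ClientSSLOptions line in FILE carries +SSL_OP_NO_SSLv3.
check_sslv3_disabled() {
    cf=$1
    rc=0
    [ -r "$cf" ] || { echo "FAIL cannot read $cf"; return 2; }
    for opt in ServerSSLOptions ClientSSLOptions; do
        # Active option lines begin with "O "; lines starting with "#" are comments.
        active=$(grep -E "^O[[:space:]]+${opt}=" "$cf" || true)
        if [ -z "$active" ]; then
            echo "FAIL $opt is not set"
            rc=1
        elif printf '%s\n' "$active" |
             grep -Evq '[+]SSL_OP_NO_SSLv3([[:space:]]|$)'; then
            # At least one active line for this option lacks the flag.
            echo "FAIL $opt is set without +SSL_OP_NO_SSLv3"
            rc=1
        else
            echo "OK   $opt disables SSLv3"
        fi
    done
    return $rc
}

# Constructed sample input (not a real host's configuration): the server side
# is correct, the client side has the corrected line commented out.
write_sample_cf() {
    cat > "$1" <<'EOF'
# constructed excerpt of a sendmail.cf
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
#O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
O ClientSSLOptions=+SSL_OP_NO_SSLv2
EOF
}

# Runs only when a file name is given, e.g. the sendmail.cf under /etc/mail.
if [ -n "${1:-}" ]; then check_sslv3_disabled "$1"; fi
```

Run it against the sendmail.cf produced by make -C /etc/mail; a non-zero exit status means at least one of the two options is missing or does not disable SSLv3.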