From: Chuck Swiger
Date: Wed, 12 Oct 2011 10:36:44 -0700
Message-id: <96D84300-128D-499C-8762-3A0EA4790A08@mac.com>
To: dweimer@dweimer.net
Cc: freebsd-questions@freebsd.org
Subject: Re: somewhat Off topic, Sendmail Issue

Hi--

On Oct 12, 2011, at 8:29 AM, Dean E. Weimer wrote:
> I know that setting this option in Apache does the trick for HTTPS, I just need to figure out how to tell Sendmail to do the same.
> SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
>
> If anyone has any idea how to do this, or any idea on what keywords to search on that might find me the directions it would be a great help.

If you can't find a way of specifying the allowed SSL ciphers via sendmail config (as someone mentioned, you can test ${cipher_bits} against ENCR:bits, but that doesn't disable anonymous ciphers like ADH entirely), you can build a modern flavor of OpenSSL to /usr/local with the ciphers you don't like disabled, and rebuild sendmail against this OpenSSL.

I believe that the security/openssl already does most of this for you, and would be easy to tweak a bit more if that's needed.

Regards,
--
-Chuck
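
Added example, not part of the original message: a Python check of the point made in the reply, that a key-length test such as the one on ${cipher_bits} still accepts anonymous suites like ADH, while the cipher string quoted in the thread excludes them. The helper names and the sample cipher entries are assumptions constructed for this illustration.

```python
import ssl

# Cipher string quoted in the thread (the Apache SSLCipherSuite value).
THREAD_CIPHERS = "ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2"

# Constructed sample in the shape SSLContext.get_ciphers() returns;
# the description strings follow `openssl ciphers -v` output.
SAMPLE = [
    {"name": "AES256-SHA", "strength_bits": 256,
     "description": "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1"},
    {"name": "ADH-AES256-SHA", "strength_bits": 256,
     "description": "ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1"},
    {"name": "DES-CBC-SHA", "strength_bits": 56,
     "description": "DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1"},
]

def is_anonymous(cipher):
    """True when the suite performs no server authentication (aNULL/ADH)."""
    return "Au=None" in cipher["description"].split()

def passes_bits_only(ciphers, min_bits):
    """Names of suites that a key-length-only policy would accept."""
    return [c["name"] for c in ciphers if c["strength_bits"] >= min_bits]

def anonymous_survivors(ciphers, min_bits):
    """Anonymous suites that still satisfy the key-length threshold."""
    return [c["name"] for c in ciphers
            if c["strength_bits"] >= min_bits and is_anonymous(c)]

def expand(cipher_string):
    """Ask the local OpenSSL which suites a cipher string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # unknown keywords are ignored by OpenSSL
    return ctx.get_ciphers()

if __name__ == "__main__":
    print("bits >= 128 accepts:", passes_bits_only(SAMPLE, 128))
    print("of which anonymous: ", anonymous_survivors(SAMPLE, 128))
    enabled = expand(THREAD_CIPHERS)
    print("thread string enables", len(enabled), "suites; anonymous:",
          anonymous_survivors(enabled, 0))
```

Run against an OpenSSL built without the unwanted ciphers, `expand("ALL")` lists what that build can still negotiate, which is a quick way to confirm a rebuild had the intended effect.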