Ooops – some recent openssl update seems to have “broken” things. Well, technically they’re just dismissing weak keys (Logjam), but still – annoying side effect.
TL;DR fix:
openssl dhparam -out /etc/pki/tls/certs/dhparams.pem 1024
Then edit your sendmail.mc by adding (if you have old versions – Fedora 10 or similar, comment out the two SSLOptions):
LOCAL_CONFIG
O CipherList=HIGH:!ADH
O DHParameters=/etc/pki/tls/certs/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
run “make” or whatever to re-create your sendmail.cf, then restart sendmail.
Quick little test-command:
openssl s_client -starttls smtp -crlf -connect mail.example.com:smtp
For more info, see these links:
http://serverfault.com/questions/700655/sendmail-rejecting-some-connections-with-handshake-failure-ssl-alert-number-40
http://www.reddit.com/r/sysadmin/comments/3ay2ez/openssls_logjam_cve20154000_fixes_break_smtp/
https://weakdh.org/sysadmin.html