"Sendmail is prone to a security-bypass vulnerability because the
application fails to properly validate the domain name in a signed CA
certificate, allowing attackers to substitute malicious SSL certificates
for trusted ones.
Successfully exploiting this issue allows attackers to perform
man-in-the-middle attacks or impersonate trusted servers, which will aid
in further attacks.
Versions prior to Sendmail 8.14.4 are vulnerable."
For RHEL, this was fixed in sendmail-8.13.8-6.el5, although the latest
version available is sendmail-8.13.8-8.el5. The issue is tracked as
CVE-2009-4565; to confirm that the fix is present in your installed
version, check the package changelog for that identifier:
$ rpm -q --changelog sendmail | grep CVE-2009-4565
It is recommended that Sendmail be updated to 8.14.4, or to a vendor
build that carries the equivalent fix, to address this vulnerability.
Please let me know if your systems are vulnerable to this issue.
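As an added example (not part of the original notice), the following POSIX sh check applies the two thresholds given above (the RHEL 5 backport in 8.13.8-6.el5 and the upstream fix in 8.14.4) to a package string in the name-version-release form printed by `rpm -q sendmail`; the vercmp helper is a simplified numeric comparison written for this example, not rpm's own, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notice. Applies the thresholds in the
# message (RHEL 5 backport: 8.13.8-6.el5; upstream: 8.14.4) to a package string
# in the name-version-release form printed by `rpm -q sendmail`.
# vercmp is a simplified numeric comparison written here; it is not rpm's own.

# Compare dotted version strings component by component; prints -1, 0 or 1.
# Non-numeric components such as "el5" count as 0, so epochs and letters
# are not handled.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"   # keep the numeric prefix
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    printf '%s\n' 0
}

# Succeed (exit 0) when the package carries the CVE-2009-4565 fix, fail otherwise.
# Accepts "sendmail-8.13.8-8.el5", "8.13.8-6.el5" or a bare upstream "8.14.4".
# A version below 8.14.4 with no release string is treated as unpatched.
sendmail_fixed() {
    evr="${1#sendmail-}"
    ver="${evr%%-*}"
    rel="${evr#"$ver"}"; rel="${rel#-}"          # "6.el5", or empty for upstream
    if [ "$(vercmp "$ver" 8.14.4)" -ge 0 ]; then
        return 0                                  # upstream fix included
    fi
    if [ "$ver" = 8.13.8 ] && [ -n "$rel" ] && [ "$(vercmp "$rel" 6.el5)" -ge 0 ]; then
        return 0                                  # RHEL 5 backport present
    fi
    return 1
}

# Mirror of the changelog check in the notice: reads `rpm -q --changelog sendmail`
# output on stdin and succeeds if the CVE identifier is listed.
changelog_lists_fix() {
    grep -q 'CVE-2009-4565'
}

# Constructed sample run (no rpm needed).
for pkg in sendmail-8.13.8-2.el5 sendmail-8.13.8-6.el5 sendmail-8.13.8-8.el5 8.14.4; do
    if sendmail_fixed "$pkg"; then echo "$pkg: fixed"; else echo "$pkg: VULNERABLE"; fi
done
```

For a production inventory, rely on the package manager's own version comparison and the changelog check; this helper only compares numeric components.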