I'm running the default sendmail configuration just for forwarding mail for logwatch. The /etc/mail/certs/ directory doesn't contain a dh.param file, so sendmail tries to use some internal default that is shorter than 768 bits, and I'm getting the following errors:

> Jun 16 14:41:39 cs0 sm-msp-queue[9971]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> Jun 16 14:41:39 cs0 sm-mta[9973]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
> Jun 16 14:41:39 cs0 sm-msp-queue[9971]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
> Jun 16 14:41:39 cs0 sm-mta[9973]: t5GBfd11009973: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
We are aware of this issue and there will be an EN to correct this. In the meantime, please use this workaround:

20150614:
The import of openssl to address the FreeBSD-SA-15:10.openssl security advisory includes a change which rejects handshakes with DH parameters below 768 bits. sendmail releases prior to 8.15.2 (not yet released) defaulted to a 512 bit DH parameter setting for client connections. To work around this interoperability, sendmail can be configured to use a 2048 bit DH parameter by:

1. Edit /etc/mail/`hostname`.mc
2. If a setting for confDH_PARAMETERS does not exist or exists and is set to a string beginning with '5', replace it with '2'.
3. If a setting for confDH_PARAMETERS exists and is set to a file path, create a new file with: openssl dhparam -out /path/to/file 2048
4. Rebuild the .cf file: cd /etc/mail/; make; make install
5. Restart sendmail: cd /etc/mail/; make restart

A sendmail patch is coming, at which time this file will be updated.
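The .mc check behind steps 2 and 3 above, as an added shell example that is not from the bug report or from FreeBSD's UPDATING entry: it reads the confDH_PARAMETERS define from a constructed `hostname`.mc, reports which step applies, and performs the two cases that are pure .mc edits (the file-path case only names the openssl command; it does not run it). The function names dh_setting, dh_action and apply_dh_workaround are my own.

```shell
#!/bin/sh
# Added example, not from the report or from FreeBSD's UPDATING entry.
# Reads the confDH_PARAMETERS define from a sendmail .mc file, reports which
# workaround step applies, and performs the two cases that are pure .mc edits.

# Print the last active confDH_PARAMETERS value (empty if the define is absent).
# A line looks like: define(`confDH_PARAMETERS', `5')dnl
dh_setting() {
    grep confDH_PARAMETERS "$1" | grep -v '^dnl' | tail -n 1 \
        | cut -d "'" -f 2 | sed 's/^[^`]*`//'
}

# Map the setting to the step of the UPDATING entry that applies.
dh_action() {
    v=$(dh_setting "$1")
    case "$v" in
        "") echo "add-2" ;;                 # step 2: no setting, add '2' (2048-bit)
        5*) echo "replace-5-with-2" ;;      # step 2: 512-bit default, switch to '2'
        /*) echo "generate-dhparam $v" ;;   # step 3: openssl dhparam -out "$v" 2048
        *)  echo "none" ;;                  # anything else (e.g. '2'): nothing to do
    esac
}

# Apply the .mc-only cases in place and print the action that remains.
# The file-path case is left to the operator (it needs openssl and a key size).
apply_dh_workaround() {
    case "$(dh_action "$1")" in
        add-2)
            printf "define(\`confDH_PARAMETERS', \`2')dnl\n" >> "$1" ;;
        replace-5-with-2)
            sed "s/\(confDH_PARAMETERS', *\`\)5[^']*'/\12'/" "$1" > "$1.tmp" \
                && mv "$1.tmp" "$1" ;;
    esac
    dh_action "$1"
}

# Constructed sample .mc carrying the pre-8.15.2 512-bit setting explicitly.
MC="${TMPDIR:-/tmp}/example-hostname.mc.$$"
cat > "$MC" <<'EOF'
divert(0)dnl
VERSIONID(`constructed example')
define(`confDH_PARAMETERS', `5')dnl
MAILER(local)
MAILER(smtp)
EOF

echo "before: $(dh_action "$MC")"          # before: replace-5-with-2
echo "after:  $(apply_dh_workaround "$MC")" # after:  none
```

After the edit, steps 4 and 5 (make; make install; make restart in /etc/mail) still have to be run for the new .cf to take effect.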
Unfortunately, r284436 and the appropriate SA do not fix this issue; the errors are still there.
(In reply to Anton Sayetsky from comment #2) Sorry, the appropriate EN, of course. The workaround works, but it would be better if sendmail worked totally out of the box, as it did before.
EN-15:08 was revised on 2015-06-30 to address this.