Bug 248387 - Change sendmail confDH_PARAMETERS argument from file to fixed-length parameter in freebsd.mc
Summary: Change sendmail confDH_PARAMETERS argument from file to fixed-length paramete...
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: CURRENT
Hardware: Any
OS: Any
Importance: --- Affects Many People
Assignee: Gregory Neil Shapiro
Depends on:
Reported: 2020-07-31 12:22 UTC by f.toscan
Modified: 2021-02-01 23:52 UTC
CC: 4 users

See Also:

Patch against /base/head/etc/sendmail/freebsd.mc (535 bytes, patch)
2020-07-31 12:22 UTC, f.toscan

Description f.toscan 2020-07-31 12:22:17 UTC
Created attachment 216907 [details]
Patch against /base/head/etc/sendmail/freebsd.mc

freebsd.mc sets confDH_PARAMETERS to a file parameter, dh.param. This file is not created by /etc/rc.d/sendmail, which just provides RSA keys and certificates to enable a working, minimal sendmail TLS setup. Running the default configuration, sendmail complains about a nonexistent file.

I'm unsure whether confDH_PARAMETERS should be set at all since DSA keys are not used: maybe telling sendmail to generate 1024-bit length parameters is enough.

Patch attached.
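As an added example (not the attached patch, and not FreeBSD's own freebsd.mc or rc.d code), a POSIX sh check that reads the confDH_PARAMETERS value out of an .mc file and flags exactly the case described above: a DH parameter file that nothing ever created. It assumes the value is a decimal bit length such as 1024 or 2048, the word none, or a path.

```sh
#!/bin/sh
# Added example; the .mc fragments below are constructed, not copied from freebsd.mc.

# Prints one of: unset | none | fixed:<bits> | file-ok:<path> | file-missing:<path>
dh_params_status() {
    mc_file=$1
    # Pull VALUE out of:  define(`confDH_PARAMETERS', `VALUE')dnl   (last match wins)
    val=$(sed -n "s/^define(\`confDH_PARAMETERS', *\`\([^']*\)').*/\1/p" "$mc_file" | tail -n 1)
    case $val in
        "")       echo unset ;;
        none)     echo none ;;
        *[!0-9]*) # contains a non-digit, so it is a file path: check it is readable
                  if [ -r "$val" ]; then echo "file-ok:$val"; else echo "file-missing:$val"; fi ;;
        *)        echo "fixed:$val" ;;
    esac
}

# Returns 0 when the setting will not make sendmail complain about a missing file at startup.
dh_params_ok() {
    case $(dh_params_status "$1") in
        file-missing:*) return 1 ;;
        *)              return 0 ;;
    esac
}

# Constructed sample: one fragment names a dh.param that was never generated,
# the other uses a fixed-length parameter instead of a file.
demo=$(mktemp -d)
printf '%s\n' "define(\`confDH_PARAMETERS', \`$demo/dh.param')dnl" > "$demo/broken.mc"
printf '%s\n' "define(\`confDH_PARAMETERS', \`2048')dnl" > "$demo/fixed.mc"
for f in broken fixed; do
    printf '%s: %s\n' "$f.mc" "$(dh_params_status "$demo/$f.mc")"   # file-missing:... / fixed:2048
done
rm -rf "$demo"
```

Run it against the output of m4 as well as the .mc source if local macros could override the value; the sed pattern only recognises the plain define(...) form.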
Comment 1 Li-Wen Hsu freebsd_committer 2020-08-04 03:16:48 UTC
Over to sendmail maintainer.
Comment 2 Gregory Neil Shapiro freebsd_committer 2020-08-11 18:14:31 UTC
Thank you for the report.

I'm tempted to remove the DH_PARAMETERS line from freebsd.mc completely and return to using the built-in default (added in sendmail 8.15.2 after this line was added to freebsd.mc).  However, I want to get John-Mark's input since he added the change in rev 256773:


@jmg: How would you like to proceed?
Comment 3 f.toscan 2020-08-13 09:16:30 UTC
Thank you for looking into this!
Comment 4 Leo Bicknell 2021-01-28 13:04:34 UTC
Bumping this one.  The behavior without confDH_PARAMETERS set in FreeBSD 12.2 is to use sendmail's internal default:

STARTTLS=server, Diffie-Hellman init, key=2048 bit (I)

I agree that removing it is the best path forward.
Comment 5 Gregory Neil Shapiro freebsd_committer 2021-02-01 23:52:54 UTC
Hitting up @jmg one last time.  If we don't hear back by Feb 15th, I'll proceed.