Created attachment 216907
Patch against /base/head/etc/sendmail/freebsd.mc

freebsd.mc sets confDH_PARAMETERS to a file parameter, dh.param. This file is not created by /etc/rc.d/sendmail, which just provides RSA keys and certificates to enable a working, minimal sendmail TLS setup. Running the default configuration, sendmail complains about a nonexistent file. I'm unsure whether confDH_PARAMETERS should be set at all since DSA keys are not used: maybe telling sendmail to generate 1024-bit length parameters is enough. Patch attached.
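The condition described in the report above, as an added example that is not part of the original thread or of FreeBSD's own scripts: a POSIX sh function that reads a sendmail .mc file and reports whether confDH_PARAMETERS points at a file that is absent. The function names, the sample .mc content and its paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how a sendmail .mc file configures confDH_PARAMETERS.
# Prints one of: unset | keyword:VALUE | ok:PATH | missing:PATH

dh_param_status() {
    mc_file=$1
    # Last active definition wins; lines starting with dnl are m4 comments.
    # m4 quotes strings as `text', hence the escaped backticks below.
    value=$(sed -n -e '/^[[:space:]]*dnl/d' \
        -e "s/^[[:space:]]*define(\`confDH_PARAMETERS',[[:space:]]*\`\([^']*\)').*/\1/p" \
        "$mc_file" | tail -n 1)
    case $value in
        '') echo "unset" ;;                 # no active definition in this file
        /*) if [ -r "$value" ]; then
                echo "ok:$value"
            else
                echo "missing:$value"       # absent or unreadable: the case in this PR
            fi ;;
        *)  echo "keyword:$value" ;;        # non-path setting, no file needed
    esac
}

# Constructed sample .mc (not the real freebsd.mc).
# $1 is the DH parameter path to reference, $2 the .mc file to write.
write_sample_mc() {
    cat > "$2" <<EOF
dnl define(\`confDH_PARAMETERS', \`/commented/out.param')dnl
define(\`confSERVER_CERT', \`/constructed/host.cert')dnl
define(\`confDH_PARAMETERS', \`$1')dnl
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_sample_mc "$tmp/dh.param" "$tmp/sample.mc"
    dh_param_status "$tmp/sample.mc"        # file not created yet
    : > "$tmp/dh.param"                     # placeholder file, not real DH parameters
    dh_param_status "$tmp/sample.mc"        # file now present
    rm -rf "$tmp"
}
demo
```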
Over to sendmail maintainer.
Thank you for the report. I'm tempted to remove the DH_PARAMETERS line from freebsd.mc completely and return to using the built-in default (added in sendmail 8.15.2 after this line was added to freebsd.mc). However, I want to get John-Mark's input since he added the change in rev 256773:

https://svnweb.freebsd.org/base/head/etc/sendmail/freebsd.mc?revision=256773&view=markup

@jmg: How would you like to proceed?
Thank you for looking into this!
Bumping this one. The behavior without confDH_PARAMETERS set in FREEBSD-12.2 is to use sendmail's internal default:

STARTTLS=server, Diffie-Hellman init, key=2048 bit (I)

I agree that removing it is the best path forward.
Hitting up @jmg one last time. If we don't hear back by Feb 15th, I'll proceed.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=98fd1add676321978db72d77d34ef51ca454c814

commit 98fd1add676321978db72d77d34ef51ca454c814
Author: Gregory Neil Shapiro <gshapiro@FreeBSD.org>
AuthorDate: 2023-08-18 00:32:56 +0000
Commit: Gregory Neil Shapiro <gshapiro@FreeBSD.org>
CommitDate: 2023-08-18 00:32:56 +0000

    Remove confDH_PARAMETERS settings in favor of using sendmail's built-in default which was added in sendmail 8.15.2 (the config line predates that 8.15.2 feature). This also alleviates the need for admins to create the DH parameters file if they opt to use Diffie-Hellman.

    PR: 248387
    MFC after: 2 weeks

 etc/sendmail/freebsd.mc | 1 -
 1 file changed, 1 deletion(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9e8372d0103ac474c08cc0031110860855368b05

commit 9e8372d0103ac474c08cc0031110860855368b05
Author: Gregory Neil Shapiro <gshapiro@FreeBSD.org>
AuthorDate: 2023-08-18 00:32:56 +0000
Commit: Gregory Neil Shapiro <gshapiro@FreeBSD.org>
CommitDate: 2023-10-17 19:44:01 +0000

    MFC: Remove confDH_PARAMETERS settings in favor of using sendmail's built-in default which was added in sendmail 8.15.2 (the config line predates that 8.15.2 feature). This also alleviates the need for admins to create the DH parameters file if they opt to use Diffie-Hellman.

    PR: 248387
    (cherry picked from commit 98fd1add676321978db72d77d34ef51ca454c814)

 etc/sendmail/freebsd.mc | 1 -
 1 file changed, 1 deletion(-)
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=98f15d8f2fd46c49a4ede89ac1a52aa3b5da8a41

commit 98f15d8f2fd46c49a4ede89ac1a52aa3b5da8a41
Author: Gregory Neil Shapiro <gshapiro@FreeBSD.org>
AuthorDate: 2023-08-18 00:32:56 +0000
Commit: Gregory Neil Shapiro <gshapiro@FreeBSD.org>
CommitDate: 2023-10-17 19:48:22 +0000

    MFC: Remove confDH_PARAMETERS settings in favor of using sendmail's built-in default which was added in sendmail 8.15.2 (the config line predates that 8.15.2 feature). This also alleviates the need for admins to create the DH parameters file if they opt to use Diffie-Hellman.

    PR: 248387
    (cherry picked from commit 98fd1add676321978db72d77d34ef51ca454c814)

 etc/sendmail/freebsd.mc | 1 -
 1 file changed, 1 deletion(-)