I didn't get any hits from a mailing list search and there is no mail or sendmail list so I am sending it here because stable is what I'm running.

Because of a recent alert I updated both of my FreeBSD computers (both running 10.1-STABLE and built from /etc/src) to r284296 and am having a problem with sendmail. Sendmail is giving me the following error every 30 minutes:

Jun 14 09:50:04 Ace sm-mta[10430]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]

If I restart it I get these errors:

Jun 14 00:50:04 Ace sm-msp-queue[79406]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jun 14 00:50:04 Ace sm-msp-queue[79406]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.

I have made no changes to sendmail's configuration and all files in /etc/mail are dated Mar 16 so apparently mergemaster didn't see anything new to install and rebuild. There is no entry in /usr/src/UPDATING about any change in sendmail either.

I first noticed this on the second machine on my home network. This machine has an entry in /etc/mail/aliases forwarding root's email to me on the primary. I noticed the day after the upgrade that I didn't get the nightly email from the /etc/periodic/daily/ run or from rkhunter. I checked my main machine and found that I am not getting these emails from it either and am getting the same errors in /var/log/maillog. It can't even email itself.

Am I the only one seeing this? Did I get caught between revisions?

Thanks,
Frank
On Sun, Jun 14, 2015 at 10:57:13AM -0400, Frank Seltzer wrote:

> Am I the only one seeing this?

Nope, I had the same issues after upgrading from 10.1-RELEASE-p10 to 10.1-RELEASE-p12 using freebsd-update.

I fixed this in my home environment by disabling TLS in sendmail.cf, by commenting out (i.e. adding "dnl " to the beginning of) the lines which contain the "CERT_DIR" string, then rebuilding and installing sendmail.cf and restarting the sendmail daemons.

# cd /etc/mail
# vi freebsd.mc
:g/CERT_DIR/s/^/dnl /
:wq!

The lines should look like this:

# fgrep CERT_DIR freebsd.mc
dnl define(`CERT_DIR', `/etc/mail/certs')dnl
dnl define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
dnl define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
dnl define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
dnl define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
dnl define(`confCACERT', `CERT_DIR/cacert.pem')dnl
dnl define(`confCACERT_PATH', `CERT_DIR')dnl
dnl define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl

These three commands create and update/install the new sendmail.cf and restart the sendmail daemons.

# make all
# make install
# make restart

> Did I get caught between revisions?

I do not know.

# freebsd-version
10.1-RELEASE-p12
# ident /etc/mail/freebsd.mc
/etc/mail/freebsd.mc:
     $FreeBSD: releng/10.1/etc/sendmail/freebsd.mc 266698 2014-05-26 15:42:39Z gshapiro $

Regards,
Esa

-- 
"In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move." -- Douglas Adams 1952 - 2001
On 14/06/2015 10:57, Frank Seltzer wrote:

> Because of a recent alert I updated both of my FreeBSD computers (both
> running 10.1-STABLE and built from /etc/src) to r284296 and am having a
> problem with sendmail. Sendmail is giving me the following error every
> 30 minutes:
>
> Jun 14 09:50:04 Ace sm-mta[10430]: STARTTLS=server, error: accept
> failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0,
> retry=-1, relay=localhost [127.0.0.1]
>
> If I restart it I get these errors:
>
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: STARTTLS=client, error: connect
> failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: ruleset=tls_server,
> arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
>
> I have made no changes to sendmail's configuration and all files in
> /etc/mail are dated Mar 16 so apparently mergemaster didn't see anything
> new to install and rebuild. There is no entry in /usr/src/UPDATING
> about any change in sendmail either.
>
> I first noticed this on the second machine on my home network. This
> machine has an entry in /etc/mail/aliases forwarding root's email to me
> on the primary. I noticed the day after the upgrade that I didn't get
> the nightly email from the /etc/periodic/daily/ run or from rkhunter. I
> checked my main machine and found that I am not getting these emails
> from it either and am getting the same errors in /var/log/maillog. It
> can't even email itself.
>
> Am I the only one seeing this? Did I get caught between revisions?

Looks like your sendmail is trying to use SSLv3 a.k.a TLSv1 and that may not be supported in whichever version of OpenSSL you're linking to any more.
TLSv1 has some known deficiencies, and the TLSv1.1 or TLSv1.2 ciphers are generally preferred nowadays[*].

There's some config-fu at https://weakdh.org/sysadmin.html which will allow you to configure your sendmail to use the most up to date and believed still to be secure ciphers for preference, plus disallow anything known to be insecure. This works for me in general, but it might cause you problems if you need to exchange e-mail with some particularly old machines.

Cheers,
Matthew

[*] Not least because they implement 'Perfect Forward Secrecy' which means the NSA has to keep breaking your crypto over and over again, rather than just once...
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.

The new OpenSSL eliminated small DHParam support. That leaves two possibilities:

1. The remote side you are talking to is using a small value. The best thing to do would be to eliminate the DH ciphers from your settings. See the docs for the CipherList setting.

2. Your side is using a small value. Double check your setting:

> grep DHParam /etc/mail/sendmail.cf
# DHParameters (only required if DSA/DH is used)
#O DHParameters

If that is set to '5' (or a string beginning with 5) or a filename which was created with a 512 bit DHParam, change it to '2' (2048) or a newly created file using 'openssl dhparam -out /path/to/file 2048'. In your /etc/mail/`hostname`.mc file, this setting will show as confDH_PARAMETERS.

Also note that the first version of the openssl fix included an ABI issue and a new version was released. Make sure you are using the latest version.
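As an added illustration (not part of the thread or of sendmail itself), a small Python triage over maillog lines modelled on the ones quoted above. It correlates the STARTTLS error with the following ruleset line by PID to learn which relay was involved, so the "dh key too small" client error against 127.0.0.1 is attributed to this host's own confDH_PARAMETERS (possibility 2 above) rather than to a remote MTA. The sample log lines are constructed, and the successful-STARTTLS line is made up for contrast.

```python
import re

# Constructed sample maillog, modelled on the lines quoted in this thread.
# The last line is a made-up successful STARTTLS so the triage has a negative case.
SAMPLE_MAILLOG = [
    "Jun 14 09:50:04 Ace sm-mta[10430]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]",
    "Jun 14 00:50:04 Ace sm-msp-queue[79406]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1",
    "Jun 14 00:50:04 Ace sm-msp-queue[79406]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.",
    "Jun 14 01:10:00 Ace sm-mta[10431]: STARTTLS=server, relay=mx.example.net [192.0.2.10], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256",
]

# Standard BSD syslog prefix: "Mon DD HH:MM:SS host prog[pid]: body"
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<body>.*)$")
LOCAL_RELAYS = ("127.0.0.1", "::1", "localhost")


def parse_fields(body):
    """Split sendmail's 'k=v, k=v' log body into a dict. 'error: ' is a prefix, not a field."""
    fields = {}
    for part in body.split(", "):
        if part.startswith("error: "):
            part = part[len("error: "):]
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def diagnose(lines):
    """Return {pid: finding} for every sendmail process that logged a STARTTLS failure."""
    relay_by_pid, failure_by_pid = {}, {}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        fields = parse_fields(m.group("body"))
        pid = m.group("pid")
        if "relay" in fields:  # on the STARTTLS line (server) or the later ruleset line (client)
            relay_by_pid.setdefault(pid, fields["relay"])
        if "STARTTLS" in fields and "reason" in fields:  # a reason= field only appears on failures
            failure_by_pid[pid] = (fields["STARTTLS"], fields["reason"])
    findings = {}
    for pid, (role, reason) in failure_by_pid.items():
        relay = relay_by_pid.get(pid, "unknown")
        local = any(token in relay for token in LOCAL_RELAYS)
        if role == "client" and reason == "dh key too small":
            where = "this host's own confDH_PARAMETERS" if local else f"the remote MTA at {relay}"
            findings[pid] = f"client rejected DH parameters from {where}; regenerate a 2048-bit dh.param"
        elif role == "server" and "handshake failure" in reason:
            findings[pid] = f"peer {relay} aborted the handshake this host offered as server"
        else:
            findings[pid] = f"{role}: {reason} (relay {relay})"
    return findings
```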