freebsd stable - Jun 2015 - [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

============================================================================FreeBSD-EN-15:08.sendmail
Errata Notice
                                                          The FreeBSD Project

Topic:          sendmail TLS/DH Interoperability Improvement

Category:       contrib
Module:         sendmail
Announced:      2015-06-18
Credits:        Frank Seltzer, Gregory Shapiro
Affects:        All supported versions of FreeBSD.
Corrected:      2015-06-17 02:39:10 UTC (stable/10, 10.1-STABLE)
                2015-06-18 05:36:45 UTC (releng/10.1, 10.1-RELEASE-p13)
                2015-06-17 03:11:25 UTC (stable/9, 9.3-STABLE)
                2015-06-18 05:36:45 UTC (releng/9.3, 9.3-RELEASE-p17)
                2015-06-17 03:22:18 UTC (stable/8, 8.4-STABLE)
                2015-06-18 05:36:45 UTC (releng/8.4, 8.4-RELEASE-p31)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.freebsd.org/>.

I.   Background

sendmail supports STARTTLS encrypted connections using DHE_EXPORT
ciphers.  As part of that support, by default, sendmail employs 1024-bit
DH parameters for server connections and 512-bit DH parameters for
client connections.

II.  Problem Description

In response to CVE-2015-4000 ("Logjam TLS vulnerability"), OpenSSL and
other encryption packages have begun rejecting 512-bit and lower DH
parameters during negotiation, thereby reducing interoperability.

III. Impact

In its default configuration, client connections from sendmail to other
SMTP servers will not be able to negotiate a STARTTLS encrypted session
with SMTP servers which reject 512-bit DH parameters.  This may cause
mail deliverability issues for outbound mail.

IV.  Workaround

To work around this interoperability, sendmail can be configured to use
a 1024 or 2048 bit DH parameter using these steps:

        1. Edit /etc/mail/`hostname`.mc
        2. If a setting for confDH_PARAMETERS does not exist or
           exists and is set to a string beginning with '5',
           replace it with '1' for 1024-bit or '2' for 2048-bit.
        3. If a setting for confDH_PARAMETERS exists and is set to
           a file path, create a new file with:
                openssl dhparam -out /path/to/file 2048
           for 2048-bit or:
                openssl dhparam -out /path/to/file 1024
           for 1024-bit.
        4. If you have modified your MSP submission configuration
           file to enable STARTTLS (not enabled by default), repeat
           the above steps for /etc/mail/`hostname`.submit.mc.
        5. Rebuild the .cf file(s):
                cd /etc/mail/; make; make install
        6. Restart sendmail:
                cd /etc/mail/; make restart

Systems that do not use sendmail are not affected.

V.   Solution

A change to the raise the default for sendmail client connections to
1024-bit DH parameters has been committed.

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

2) To update your present system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your present system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch
# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch.asc
# gpg --verify sendmail.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the sendmail daemon(s), or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r284491
releng/8.4/                                                       r284536
stable/9/                                                         r284488
releng/9.3/                                                       r284536
stable/10/                                                        r284485
releng/10.1/                                                      r284536
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:08.sendmail.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.5 (FreeBSD)

iQIcBAEBCgAGBQJVgllYAAoJEO1n7NZdz2rnsY0QAIKcqNxRed97fvmxvL9kX1In
CpdKO0Cso8EhCDOKJzmSYR49QZc6CNtPflbgbK2wktiHptmK87R+xODyIWBR1q8T
peMoevr942gCUZzrA259cLaWJGC7MZer5G9SIsB7cnMJox/QcHmQysDONfu1PRjf
T8T3/q24230PnBBJpR1SNDMOPAc1YLMetEZ3ue72ToG9pd6gAXN8I9N1ZUPY/6dd
9/urhdQnxlX5RB3JnqujueJvCrcstInZ8grtKOmTfPSUcWGL++dwu6YH34ORwKDh
wiI8U+qyg1Lq5vGx6srDOkGAhiSbYi177PV1RCNTxY28yGVvhiiSnLSsIesZBcoB
pVYcefBJeqcXNuQC5jsGKHEbti9X3bhHnThOaOBOvrooEGcc7/DuP02BZiNOWDvV
3axT+iFzJdZ1sZktdUQl65zqVBSDASTFz5uG/nTUFASj0W4+vVEghy6FAxlf3aBO
eV9tqxeUozt0nSb/44n2u2GHRplWWS1KEE3N+skN5IT4RfZaNvTVtZ0s1fRv6Jum
YNut6TGiVIyTACP0JjS2TkGC3kdPrqweZSQ6xnfrgOSCS+3w2nR1aqaGJ3aCIm/b
9ixFFIW03LhBH2fl4Y68+CbAlIgGd0zigbRds1IGxRSUxR8AKBngqC+KQUFCOSnY
snl4x6f2t36abWYgneaP
=mvxv
-----END PGP SIGNATURE-----

On Thu, Jun 18, 2015 at 05:53:20AM +0000, FreeBSD Errata Notices
wrote:
> Corrected:      2015-06-17 02:39:10 UTC (stable/10, 10.1-STABLE)
>                 2015-06-18 05:36:45 UTC (releng/10.1, 10.1-RELEASE-p13)
> 
> V.   Solution
...
> # freebsd-update fetch
> # freebsd-update install
This does not seem to solve the problem.

I upgraded two of my 10.1-RELEASE-pX servers to
10.1-RELEASE-p12 a couple of days ago, after which all
outgoing mail, both for local destinations and for
destinations outside the servers, end up stuck in
/var/spool/clientmqueue with this in maillog:

sendmail[1045]: t5IBAMAB001045: from=pol, size=23, class=0, nrcpts=1,
msgid=<201506181110.t5IBAMAB001045 at xxx>, relay=root at localhost
sendmail[1045]: STARTTLS=client, error: connect failed=-1, reason=dh key too
small, SSL_error=1, errno=0, retry=-1
sm-mta[1046]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert
handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
sendmail[1045]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403
4.7.0 TLS handshake.
sm-mta[1046]: t5IBAMPQ001046: localhost [127.0.0.1] did not issue
MAIL/EXPN/VRFY/ETRN during connection to Daemon0
sendmail[1045]: t5IBAMAB001045: to=www, ctladdr=pol (xxx/xxx), delay=00:00:00,
xdelay=00:00:00, mailer=relay, pri=30023, relay=[127.0.0.1] [127.0.0.1],
dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.

And I still have the same problem after upgrading to
10.1-RELEASE-p13 and rebooting.

Both servers use base sendmail, and I have done nothing
(except adding aliases) with the sendmail configuration
in them. Not even created `hostname` mc/cf files, so they
are using the default cf files.

-- 
Peter Olsson