Royce Williams
2015-Jun-18 12:54 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
On Thu, Jun 18, 2015 at 3:21 AM, Peter Olsson <list-freebsd-announce at jyborn.se> wrote:
> On Thu, Jun 18, 2015 at 05:53:20AM +0000, FreeBSD Errata Notices wrote:
> > Corrected: 2015-06-17 02:39:10 UTC (stable/10, 10.1-STABLE)
> > 2015-06-18 05:36:45 UTC (releng/10.1, 10.1-RELEASE-p13)
> >
> > V. Solution
> ...
> > # freebsd-update fetch
> > # freebsd-update install
>
> This does not seem to solve the problem.
>
> I upgraded two of my 10.1-RELEASE-pX servers to
> 10.1-RELEASE-p12 a couple of days ago, after which all
> outgoing mail, both for local destinations and for
> destinations outside the servers, end up stuck in
> /var/spool/clientmqueue with this in maillog:
>
> sendmail[1045]: t5IBAMAB001045: from=pol, size=23, class=0, nrcpts=1,
> msgid=<201506181110.t5IBAMAB001045 at xxx>, relay=root at localhost
> sendmail[1045]: STARTTLS=client, error: connect failed=-1, reason=dh key
> too small, SSL_error=1, errno=0, retry=-1
> sm-mta[1046]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert
> handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost
> [127.0.0.1]
> sendmail[1045]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1],
> reject=403 4.7.0 TLS handshake.
> sm-mta[1046]: t5IBAMPQ001046: localhost [127.0.0.1] did not issue
> MAIL/EXPN/VRFY/ETRN during connection to Daemon0
> sendmail[1045]: t5IBAMAB001045: to=www, ctladdr=pol (xxx/xxx),
> delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30023, relay=[127.0.0.1]
> [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
>
> And I still have the same problem after upgrading to
> 10.1-RELEASE-p13 and rebooting.
>
> Both servers use base sendmail, and I have done nothing
> (except adding aliases) with the sendmail configuration
> in them. Not even created `hostname` mc/cf files, so they
> are using the default cf files.

Did you (re)generate your dh.params file as noted in the Workaround section?

On my systems, I had to do this to support the actual patch (not to perform the workaround).

You might have to restart sendmail as well, but I have not tested this.

Royce
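As an added example (not code from the thread, from FreeBSD, or from the EN), a small Python triage script that parses maillog lines like the ones Peter posted and correlates the STARTTLS errors with the queue ID that ended up deferred; the sample log is constructed from his excerpt with the mailing-list line wraps undone.

```python
import re

# Constructed sample: the maillog excerpt quoted in the thread, with the
# mailing-list line wraps undone so each entry is one line again and the
# posted "xxx" host placeholders kept.
SAMPLE_MAILLOG = """\
sendmail[1045]: t5IBAMAB001045: from=pol, size=23, class=0, nrcpts=1, msgid=<201506181110.t5IBAMAB001045@xxx>, relay=root@localhost
sendmail[1045]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
sm-mta[1046]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
sendmail[1045]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
sm-mta[1046]: t5IBAMPQ001046: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
sendmail[1045]: t5IBAMAB001045: to=www, ctladdr=pol (xxx/xxx), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30023, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
"""

ENTRY_RE = re.compile(r"^(?P<proc>sendmail|sm-mta)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STARTTLS_RE = re.compile(r"STARTTLS=(?P<side>client|server), error: .*?reason=(?P<reason>[^,]+)")
DEFERRED_RE = re.compile(r"^(?P<qid>[A-Za-z0-9]+): .*stat=Deferred: (?P<status>.*)$")


def parse_entries(log):
    """Yield (process, pid, message) for every sendmail/sm-mta line."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("proc"), int(m.group("pid")), m.group("msg")


def triage_tls(log):
    """Collect STARTTLS errors and the queue IDs deferred on a TLS handshake."""
    report = {"failures": [], "deferred": {}, "dh_too_small": False}
    for proc, pid, msg in parse_entries(log):
        tls = STARTTLS_RE.search(msg)
        if tls:
            reason = tls.group("reason").strip()
            report["failures"].append((proc, pid, tls.group("side"), reason))
            # The client side refusing the local MTA's DH group as too short
            # is OpenSSL's check that the thread is about.
            if "dh key too small" in reason:
                report["dh_too_small"] = True
            continue
        d = DEFERRED_RE.match(msg)
        if d and "TLS" in d.group("status"):
            report["deferred"][d.group("qid")] = d.group("status").rstrip(".")
    report["diagnosis"] = (
        "local MTA offers a DH group the client rejects; regenerate DH params"
        if report["dh_too_small"] else "no short-DH STARTTLS failure seen")
    return report
```

Run against a real /var/log/maillog, the client-side "dh key too small" entry paired with a 403 4.7.0 deferral is the signature to look for before deciding whether the EN patch or the dh.params workaround took effect.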
Peter Olsson
2015-Jun-18 13:22 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
On Thu, Jun 18, 2015 at 04:54:31AM -0800, Royce Williams wrote:
> On Thu, Jun 18, 2015 at 3:21 AM, Peter Olsson <
> list-freebsd-announce at jyborn.se> wrote:
>
> > On Thu, Jun 18, 2015 at 05:53:20AM +0000, FreeBSD Errata Notices wrote:
> > > Corrected: 2015-06-17 02:39:10 UTC (stable/10, 10.1-STABLE)
> > > 2015-06-18 05:36:45 UTC (releng/10.1, 10.1-RELEASE-p13)
> > >
> > > V. Solution
> > ...
> > > # freebsd-update fetch
> > > # freebsd-update install
> >
> > This does not seem to solve the problem.
> >
> > I upgraded two of my 10.1-RELEASE-pX servers to
> > 10.1-RELEASE-p12 a couple of days ago, after which all
> > outgoing mail, both for local destinations and for
> > destinations outside the servers, end up stuck in
> > /var/spool/clientmqueue with this in maillog:
> >
> > And I still have the same problem after upgrading to
> > 10.1-RELEASE-p13 and rebooting.
> >
> > Both servers use base sendmail, and I have done nothing
> > (except adding aliases) with the sendmail configuration
> > in them. Not even created `hostname` mc/cf files, so they
> > are using the default cf files.
>
> Did you (re)generate your dh.params file as noted in the Workaround section?

No, because of this text under Solution:

" A change to the raise the default for sendmail client connections to 1024-bit DH parameters has been committed. "

As I understand it this would remove the need for generating the dh.params file? Hence my thinking that the patch is maybe not 100% correct.

Mail from these two servers is not critical for me, so I will wait and see if there is another patch or if in fact I have to generate the dh.params file.

> On my systems, I had to do this to support the actual patch (not to perform
> the workaround).
>
> You might have to restart sendmail as well, but I have not tested this.

I rebooted the server, didn't help.

Peter Olsson
Matthew Seaman
2015-Jun-18 13:24 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
On 06/18/15 13:54, Royce Williams wrote:
> Did you (re)generate your dh.params file as noted in the Workaround section?

There isn't a default dh.param file. The suggested work-around in the EN is to generate one.

> On my systems, I had to do this to support the actual patch (not to perform
> the workaround).

Which is precisely the point. The EN suggests either to patch sendmail or add a dh.param file. Either of those should work alone, but according to reports on various mailing lists it seems only the dh.param method works reliably (and I can personally confirm it works without needing the sendmail patches from the EN.) It's not clear to me if there are some special circumstances that happen to prevent the fix in the EN working for just a few people, or if it is a more general problem.

> You might have to restart sendmail as well, but I have not tested this.

Yes you do, with either alternative.

Cheers,

Matthew