Gregory Shapiro
2015-Jun-18 15:41 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
> I never changed or generated anything in the mail configuration
> on these servers, they use the default mc/cf files:
>
> $ grep DHParam /etc/mail/sendmail.cf
> # DHParameters (only required if DSA/DH is used)
> O DHParameters=/etc/mail/certs/dh.param
>
> $ ls -l /etc/mail/certs
> total 12
> lrwxr-xr-x 1 root wheel 10 31 Aug 2014 4bc0b037.0 -> cacert.pem
> -rw-r--r-- 1 root wheel 1326 31 Aug 2014 cacert.pem
> -rw-r--r-- 1 root wheel 1375 31 Aug 2014 host.cert
> -rw------- 1 root wheel 1704 31 Aug 2014 host.key

I found what is breaking it. This commit made locally to FreeBSD:

Revision 256982
Modified Wed Oct 23 16:55:20 2013 UTC (19 months, 3 weeks ago) by jmg
MFC r256773:
Enable the automatic creation of a certificate (if one does not exists)
and enable the usage by sendmail if sendmail is enabled.

sets DHParameters to that file but nothing else generates that file.
We'll have to rev the Errata (and patch) to create that file. In the meantime, generating the file will fix the problem:

openssl dhparam -out /etc/mail/certs/dh.param 2048

I'll probably fix this by changing /etc/rc.d/sendmail to do the above.

I'll also look into the sendmail source behavior when the file doesn't exist (it should revert to its defaults).
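The message above describes the root cause (sendmail.cf points DHParameters at a file nothing creates) and the proposed fix (have the rc script generate it). The following is an added example, not FreeBSD's /etc/rc.d/sendmail and not code from the thread: a small POSIX sh script that reads the DHParameters path out of a sendmail.cf, reports whether the referenced file exists, and generates it idempotently with the same openssl dhparam command the message gives. The function and variable names (dhparam_path_from_cf, dhparam_status, ensure_dhparam, DHPARAM_RUN) and the 2048-bit default are assumptions for this example; the file path matches the one shown in the thread.

```shell
#!/bin/sh
# Added example (not FreeBSD's rc.d/sendmail): check and provision the
# DH parameter file that sendmail.cf references via "O DHParameters=".

# Defaults are assumptions for this example; the path is the one from the thread.
SENDMAIL_CF="${SENDMAIL_CF:-/etc/mail/sendmail.cf}"
DHPARAM_BITS="${DHPARAM_BITS:-2048}"
OPENSSL="${OPENSSL:-openssl}"

# dhparam_path_from_cf CF
# Print the path configured by the first "O DHParameters=" line in CF.
# Comment lines such as "# DHParameters ..." are ignored.
dhparam_path_from_cf() {
    sed -n 's/^O DHParameters=//p' "$1" | head -n 1
}

# dhparam_status CF
# Exit status: 0 = configured and present, 1 = not configured,
# 2 = configured but the file is missing or empty (the thread's situation).
dhparam_status() {
    cf="$1"
    path=$(dhparam_path_from_cf "$cf")
    if [ -z "$path" ]; then
        echo "DHParameters is not set in $cf"
        return 1
    fi
    if [ -s "$path" ]; then
        echo "DHParameters=$path is present"
        return 0
    fi
    echo "DHParameters=$path is configured but the file is missing"
    return 2
}

# ensure_dhparam FILE BITS
# Generate FILE with "openssl dhparam" only if it does not already exist.
# Writes to a temporary name and renames, so an interrupted generation
# never leaves a truncated file at the configured path.
ensure_dhparam() {
    file="$1"
    bits="$2"
    if [ -s "$file" ]; then
        return 0
    fi
    dir=$(dirname "$file")
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    tmp="$file.tmp.$$"
    if "$OPENSSL" dhparam -out "$tmp" "$bits" 2>/dev/null; then
        chmod 0644 "$tmp" && mv "$tmp" "$file"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Run the check-and-provision step only when explicitly requested, e.g.
#   DHPARAM_RUN=1 sh dhparam.sh      (as root, before starting sendmail)
if [ "${DHPARAM_RUN:-0}" = "1" ]; then
    dhparam_status "$SENDMAIL_CF" || {
        path=$(dhparam_path_from_cf "$SENDMAIL_CF")
        [ -n "$path" ] && ensure_dhparam "$path" "$DHPARAM_BITS"
    }
fi
```

Generating 2048-bit parameters can take minutes, so the generate step belongs in a one-time hook (or the rc script, as the message proposes) rather than in every service start; the existence check makes repeated runs cheap.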
Peter Olsson
2015-Jun-18 18:36 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
On Thu, Jun 18, 2015 at 08:41:51AM -0700, Gregory Shapiro wrote:

> > I never changed or generated anything in the mail configuration
> > on these servers, they use the default mc/cf files:
> >
> > $ grep DHParam /etc/mail/sendmail.cf
> > # DHParameters (only required if DSA/DH is used)
> > O DHParameters=/etc/mail/certs/dh.param
> >
> > $ ls -l /etc/mail/certs
> > total 12
> > lrwxr-xr-x 1 root wheel 10 31 Aug 2014 4bc0b037.0 -> cacert.pem
> > -rw-r--r-- 1 root wheel 1326 31 Aug 2014 cacert.pem
> > -rw-r--r-- 1 root wheel 1375 31 Aug 2014 host.cert
> > -rw------- 1 root wheel 1704 31 Aug 2014 host.key
>
> I found what is breaking it. This commit made locally to FreeBSD:
>
> Revision 256982
> Modified Wed Oct 23 16:55:20 2013 UTC (19 months, 3 weeks ago) by jmg
> MFC r256773:
> Enable the automatic creation of a certificate (if one does not exists)
> and enable the usage by sendmail if sendmail is enabled.
>
> sets DHParameters to that file but nothing else generates that file.
> We'll have to rev the Errata (and patch) to create that file. In the meantime, generating the file will fix the problem:
>
> openssl dhparam -out /etc/mail/certs/dh.param 2048
>
> I'll probably fix this by changing /etc/rc.d/sendmail to do the above.
>
> I'll also look into the sendmail source behavior when the file doesn't exist (it should revert to its defaults).

Thanks for the investigation and explanation. I have now generated dh.param on both servers and rebooted, and the problem is gone.

Thanks!

Peter Olsson
Gregory Shapiro
2015-Jun-20 03:22 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
> I'll probably fix this by changing /etc/rc.d/sendmail to do the above.
>
> I'll also look into the sendmail source behavior when the file doesn't exist (it should revert to its defaults).

As a quick update, the sendmail open source team has completed a set of changes to address these issues. I'll be testing a new change this weekend for a revised Errata Notice. I'll post a patch here by tomorrow for those willing to assist in testing.