Peter Olsson
2015-Jun-18 15:16 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
On Thu, Jun 18, 2015 at 08:10:33AM -0700, Gregory Shapiro wrote:
> > > Did you (re)generate your dh.params file as noted in the Workaround section?
> >
> > No, because of this text under Solution:
> > "
> > A change to raise the default for sendmail client connections to
> > 1024-bit DH parameters has been committed.
> > "
> >
> > As I understand it this would remove the need for generating
> > the dh.params file?
>
> You do not need to regenerate dh.params with the patch unless you have
> specifically set DHParameters in /etc/mail/sendmail.cf to a lower
> strength. What is the output of:
>
> grep DHParam /etc/mail/sendmail.cf
>
> If it is set to a string beginning with '5' or a filename and that
> file was generated using 512-bit strength, then remove that setting.

I never changed or generated anything in the mail configuration on these
servers, they use the default mc/cf files:

$ grep DHParam /etc/mail/sendmail.cf
# DHParameters (only required if DSA/DH is used)
O DHParameters=/etc/mail/certs/dh.param

$ ls -l /etc/mail/certs
total 12
lrwxr-xr-x  1 root  wheel    10 31 Aug  2014 4bc0b037.0 -> cacert.pem
-rw-r--r--  1 root  wheel  1326 31 Aug  2014 cacert.pem
-rw-r--r--  1 root  wheel  1375 31 Aug  2014 host.cert
-rw-------  1 root  wheel  1704 31 Aug  2014 host.key

Peter Olsson
Gregory Shapiro
2015-Jun-18 15:41 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
> I never changed or generated anything in the mail configuration
> on these servers, they use the default mc/cf files:
>
> $ grep DHParam /etc/mail/sendmail.cf
> # DHParameters (only required if DSA/DH is used)
> O DHParameters=/etc/mail/certs/dh.param
>
> $ ls -l /etc/mail/certs
> total 12
> lrwxr-xr-x  1 root  wheel    10 31 Aug  2014 4bc0b037.0 -> cacert.pem
> -rw-r--r--  1 root  wheel  1326 31 Aug  2014 cacert.pem
> -rw-r--r--  1 root  wheel  1375 31 Aug  2014 host.cert
> -rw-------  1 root  wheel  1704 31 Aug  2014 host.key

I found what is breaking it. This commit made locally to FreeBSD:

Revision 256982
Modified Wed Oct 23 16:55:20 2013 UTC (19 months, 3 weeks ago) by jmg

MFC r256773:
Enable the automatic creation of a certificate (if one does not exist) and
enable the usage by sendmail if sendmail is enabled.

sets DHParameters to that file but nothing else generates that file. We'll
have to rev the Errata (and patch) to create that file. In the meantime,
generating the file will fix the problem:

openssl dhparam -out /etc/mail/certs/dh.param 2048

I'll probably fix this by changing /etc/rc.d/sendmail to do the above. I'll
also look into the sendmail source behavior when the file doesn't exist (it
should revert to its defaults).
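The two checks the thread walks through (what DHParameters in sendmail.cf is set to, and whether the file it names actually exists) and the fix Gregory gives (create the file with openssl dhparam 2048) can be scripted. The following is an added example, not code from the thread, FreeBSD or sendmail; the function names and the idea of classifying the setting are my own, and the "(N bit)" parsing assumes the output format of `openssl dhparam -text`. It takes the path to a sendmail.cf as a parameter so it can be run against a copy of the configuration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the DHParameters option of a
# sendmail.cf and create the parameter file it points at if it is missing.

# Print the value of the DHParameters option (empty if not set).
# Only "O DHParameters=..." lines count; the stock cf also carries a
# commented "# DHParameters ..." line, which grep alone would match.
dhparam_value() {
    sed -n 's/^O[[:space:]]*DHParameters=[[:space:]]*//p' "$1" | head -n 1
}

# Classify the setting (assumed labels, not sendmail terminology):
#   unset        - no DHParameters option in the cf
#   weak-inline  - inline value starting with '5', i.e. a 512-bit group
#   file-missing - a path to a file that does not exist (the bug in the thread)
#   file-present - a path to an existing file
#   inline       - any other inline value (e.g. 1 or 2 for a 1024/2048-bit group)
dhparam_status() {
    v=$(dhparam_value "$1")
    case "$v" in
        "") echo unset ;;
        5*) echo weak-inline ;;
        /*) if [ -f "$v" ]; then echo file-present; else echo file-missing; fi ;;
        *)  echo inline ;;
    esac
}

# Report the group size of an existing parameter file, so a file that was
# generated with 512-bit strength can be spotted. Needs openssl; assumes the
# "DH Parameters: (N bit)" line that `openssl dhparam -text` prints.
dhparam_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Create the file sendmail.cf points at if it is missing, with the same
# command the thread recommends. Leaves inline settings alone.
ensure_dhparam() {
    v=$(dhparam_value "$1")
    case "$v" in
        /*) [ -f "$v" ] || openssl dhparam -out "$v" 2048 ;;
    esac
}
```

Typical use is `dhparam_status /etc/mail/sendmail.cf`: a result of `file-missing` is the situation Peter hit, `weak-inline` (or `file-present` with `dhparam_bits` reporting 512) is the case the errata's Workaround section is about, and `ensure_dhparam /etc/mail/sendmail.cf` applies the fix for the first case.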