10.1-RELEASE-p12 broke sendmail. 10.1-RELEASE-p13 didn't fix sendmail.

Chuck @ Mantis chuck at mantis.biz
Mon Jun 22 17:43:53 UTC 2015

On 6/22/2015 12:17 PM, Chris Stankevitz wrote:
> I updated to 10.1-RELEASE-p12 and my outgoing emails stopped working
> due to FreeBSD-EN-15:08.sendmail.  I've never installed any ports and
> I have as default a setup as one can imagine.  This leads me to
> believe that the documentation is wrong or that cosmic rays have
> corrupted my system.  I have never touched a sendmail conf file.
> "mail root" fails with "dh key too small" in /var/log/maillog, both
> after -p12 and -p13.
> I tried following the errata to solve my problem, but got stuck at
> just about every step:
> - freebsd-update
> freebsd-update succeeded.  I am now at 10.1-RELEASE-p13.  But I still
> have the same problem (sendmail reports DH key too small).  I did not
> reboot my machine (and it will be a pain for me to do so).  Perhaps I
> should try the workaround?  Perhaps I must reboot.
> - workaround
> Should I try the workaround?  My preference is to find "root cause"
> for why freebsd-update failed to solve my problem.  The workaround
> reports many steps, but already at step 1 I am stumped:
>          1. Edit /etc/mail/`hostname`.mc
> That file doesn't exist.  I have a freebsd.mc though.  I'll use that.
>          2. If a setting for confDH_PARAMETERS does not exist or
>             exists and is set to a string beginning with '5',
>             replace it with '1' for 1024-bit or '2' for 2048-bit.
> I have confDH_PARAMETERS defined to CERT_DIR/dh.param.
> /etc/mail/certs/dh.param doesn't exist.
>          3. If a setting for confDH_PARAMETERS exists and is set to
>             a file path, create a new file with:
>                  openssl dhparam -out /path/to/file 2048
>             for 2048-bit or:
>                  openssl dhparam -out /path/to/file 1024
>             for 1024-bit.
> I could try this.  But I would have expected freebsd-update to
> 10.1-RELEASE-p13 to handle this.
>          4. If you have modified your MSP submission configuration
>             file to enable STARTTLS (not enabled by default), repeat
>             the above steps for /etc/mail/`hostname`.submit.mc.
> Definitely have not done that (or anything else for that matter).
>          5. Rebuild the .cf file(s):
>                  cd /etc/mail/; make; make install
> I could do that...
>          6. Restart sendmail:
>                  cd /etc/mail/; make restart
> I could do that...
> Thank you,
> Chris

I've been dealing with this issue as well.

     cd /etc/mail/certs

     openssl dhparam -out dh.param 2048

     service sendmail restart
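
A check for the state described in this thread, as an added example that is not part of the original messages or the errata: it reports whether the file that confDH_PARAMETERS points to is missing, too small, or usable. The function names and the 1024-bit default minimum (the smaller of the two sizes the errata offers) are assumptions of this example.

```sh
#!/bin/sh
# Added example: classify a sendmail DH parameter file.
# Function names and the 1024-bit default are assumptions of this example.

# Read `openssl dhparam -text` output on stdin and print the size in bits.
# Matches both "DH Parameters: (N bit)" and "PKCS#3 DH Parameters: (N bit)".
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Compare a bit count with the minimum.
# Prints ok / too-small / unparsable and returns 0 / 1 / 2.
dh_verdict() {
    bits=$1
    min=${2:-1024}
    case $bits in
        ''|*[!0-9]*) echo unparsable; return 2 ;;
    esac
    if [ "$bits" -lt "$min" ]; then
        echo too-small
        return 1
    fi
    echo ok
}

# Check a parameter file on disk.
# Prints missing (return 3) when the file is absent or empty, which is the
# case reported in the quoted message; otherwise defers to dh_verdict.
check_dh_file() {
    file=$1
    min=${2:-1024}
    if [ ! -s "$file" ]; then
        echo missing
        return 3
    fi
    bits=$(openssl dhparam -in "$file" -noout -text 2>/dev/null | dh_bits_from_text)
    dh_verdict "$bits" "$min"
}

# Usage: check_dh_file /etc/mail/certs/dh.param 2048
```

Running `check_dh_file` on the path before and after `openssl dhparam -out` shows whether the regenerated file is the one sendmail will load.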
