Sendmail problem after upgrade to r284296

Matthew Seaman matthew at FreeBSD.org
Sun Jun 14 15:26:39 UTC 2015


On 14/06/2015 10:57, Frank Seltzer wrote:
> Because of a recent alert I updated both of my FreeBSD computers (both
> running 10.1-STABLE and built from /etc/src) to r284296 and am having a
> problem with sendmail. Sendmail is giving me the following error every
> 30 minutes:
> 
> Jun 14 09:50:04 Ace sm-mta[10430]: STARTTLS=server, error: accept
> failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0,
> retry=-1, relay=localhost [127.0.0.1]
> 
> If I restart it I get these errors:
> 
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: STARTTLS=client, error: connect
> failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: ruleset=tls_server,
> arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
> 
> I have made no changes to sendmail's configuration and all files in
> /etc/mail are dated Mar 16 so apparently mergemaster didn't see anything
> new to install and rebuild.  There is no entry in /usr/src/UPDATING
> about any change in sendmail either.
> 
> I first noticed this on the second machine on my home network. This
> machine has an entry in /etc/mail/aliases forwarding root's email to me
> on the primary.  I noticed the day after the upgrade that I didn't get
> the nightly email from the /etc/periodic/daily/ run or from rkhunter.  I
> checked my main machine and found that I am not getting these emails
> from it either and am getting the same errors in /var/log/maillog.  It
> can't even email itself.
> 
> Am I the only one seeing this?  Did I get caught between revisions?

Looks like your sendmail is trying to use SSLv3 a.k.a. TLSv1 and that may
not be supported in whichever version of OpenSSL you're linking to any
more.  TLSv1 has some known deficiencies, and the TLSv1.1 or TLSv1.2
ciphers are generally preferred nowadays.[*]

There's some config-fu at https://weakdh.org/sysadmin.html which will
allow you to configure your sendmail to use the most up to date and
believed still to be secure ciphers for preference, plus disallow
anything known to be insecure.  This works for me in general, but it
might cause you problems if you need to exchange e-mail with some
particularly old machines.

	Cheers,

	Matthew

[*] Not least because they implement 'Perfect Forward Secrecy' which
means the NSA has to keep breaking your crypto over and over again,
rather than just once...
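
An added example, not part of the thread above and not code from the FreeBSD or sendmail projects. The client-side line in the quoted log, "reason=dh key too small", is OpenSSL refusing a Diffie-Hellman group it now considers too short, so the local sm-mta is offering a DH group the updated OpenSSL client will not accept; that is fixed on the server side by pointing DHParameters at a larger group, separately from the protocol-version and cipher settings. The shell functions below generate a 2048-bit group, emit a matching .mc stanza in the define() style FreeBSD's /etc/mail/*.mc files use, and parse the bit length out of `openssl dhparam -text` output so an existing file can be checked. The path /etc/mail/certs/dh2048.pem, the 2048-bit threshold and the cipher string are assumptions; the stanza follows the shape of the weakdh.org sendmail advice but is not copied from it.

```shell
#!/bin/sh
# Added example (not from the thread): harden sendmail STARTTLS after an
# OpenSSL update that rejects small Diffie-Hellman groups.
# Assumptions: DH group file location, 2048-bit minimum, cipher string.

MIN_DH_BITS=2048                                  # assumed minimum group size
DH_FILE="${DH_FILE:-/etc/mail/certs/dh2048.pem}"  # assumed location

# Generate a fresh DH group; 2048-bit generation can take a minute or more.
make_dh_params() {
    openssl dhparam -out "$1" "$MIN_DH_BITS"
}

# Extract the group size from `openssl dhparam -noout -text` output on
# stdin. Older releases print "PKCS#3 DH Parameters: (N bit)", newer ones
# "DH Parameters: (N bit)"; the POSIX sed expression matches both.
dh_param_bits() {
    sed -n 's/.*Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 when the given bit length meets the assumed minimum.
dh_bits_ok() {
    [ "${1:-0}" -ge "$MIN_DH_BITS" ]
}

# Check an on-disk PEM file against the minimum.
check_dh_file() {
    bits=$(openssl dhparam -noout -text -in "$1" 2>/dev/null | dh_param_bits)
    if dh_bits_ok "$bits"; then
        echo "$1: ${bits}-bit DH group, OK"
    else
        echo "$1: ${bits:-unknown}-bit DH group, too small (need >= $MIN_DH_BITS)" >&2
        return 1
    fi
}

# Print the stanza to append to /etc/mail/<hostname>.mc. DHParameters is
# what clears "dh key too small"; the SSL options and cipher list are the
# protocol/cipher hardening, and may reject very old peers.
sendmail_tls_mc() {
    dh="$1"
    cat <<EOF
dnl Added TLS hardening (assumption: $MIN_DH_BITS-bit group in $dh)
define(\`confDH_PARAMETERS', \`$dh')dnl
define(\`confSERVER_SSL_OPTIONS', \`+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE')dnl
define(\`confCLIENT_SSL_OPTIONS', \`+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3')dnl
define(\`confCIPHER_LIST', \`ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!MD5:!RC4:!EXPORT')dnl
EOF
}

# Only act when explicitly asked, so sourcing this file is side-effect free.
# After appending the stanza, rebuild and restart with the FreeBSD targets:
#   cd /etc/mail && make && make install && make restart
# and confirm the negotiated group by hand with
#   openssl s_client -connect 127.0.0.1:25 -starttls smtp
if [ "${SENDMAIL_DH_APPLY:-no}" = "yes" ]; then
    [ -f "$DH_FILE" ] || make_dh_params "$DH_FILE"
    check_dh_file "$DH_FILE"
    sendmail_tls_mc "$DH_FILE"
fi
```

Set `SENDMAIL_DH_APPLY=yes` to generate the group, verify it and print the stanza; otherwise the script only defines the functions. The MSP (sm-msp-queue) side picks up confCLIENT_SSL_OPTIONS from the submit .mc file in the same way if it is needed there.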

