Sendmail problem after upgrade to r284296

Gregory Shapiro gshapiro at gshapiro.net
Mon Jun 15 04:23:05 UTC 2015


On Sun, Jun 14, 2015 at 08:23:33PM -0700, Gregory Shapiro wrote:
> > I created it per your instructions.  See above about it not existing
> > previously.
> 
> Oh, sorry for the confusion.  Seems an emergency patch is in order to change the default.

For now, I've added an UPDATING entry:

+20150614:
+       The import of openssl to address the FreeBSD-SA-15:10.openssl
+       security advisory includes a change which rejects handshakes
+       with DH parameters below 768 bits.  sendmail releases prior
+       to 8.15.2 (not yet released), defaulted to a 512 bit
+       DH parameter setting for client connections.  To work around
+       this interoperability, sendmail can be configured to use a
+       2048 bit DH parameter by:
+
+       1. Edit /etc/mail/`hostname`.mc
+       2. If a setting for confDH_PARAMETERS does not exist or
+          exists and is set to a string beginning with '5',
+          replace it with '2'.
+       3. If a setting for confDH_PARAMETERS exists and is set to
+          a file path, create a new file with:
+               openssl dhparam -out /path/to/file 2048
+       4. Rebuild the .cf file:
+               cd /etc/mail/; make; make install
+       5. Restart sendmail:
+               cd /etc/mail/; make restart
+
+       A sendmail patch is coming, at which time this file will be
+       updated.
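
Review bot: step 2 says to "replace" confDH_PARAMETERS with '2' even in the case where the setting "does not exist", so that case has nothing to replace and the reader is not told what line to add. Split the two cases and spell out the full line to put in the .mc file for the missing-setting case. Two smaller wording points: "To work around this interoperability" is missing a noun such as "issue", and step 3 would be clearer if it said the new file should be written to the path that confDH_PARAMETERS already names, rather than a generic /path/to/file.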

