Date: Sun, 14 Jun 2015 11:26:07 -0400
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-stable@freebsd.org
Subject: Re: Sendmail problem after upgrade to r284296
Message-ID: <557D9D0F.1050201@FreeBSD.org>
In-Reply-To: <alpine.BSF.2.20.1506141014130.852@Ace.nina.org>
References: <alpine.BSF.2.20.1506141014130.852@Ace.nina.org>
On 14/06/2015 10:57, Frank Seltzer wrote:
> Because of a recent alert I updated both of my FreeBSD computers (both
> running 10.1-STABLE and built from /etc/src) to r284296 and am having a
> problem with sendmail. Sendmail is giving me the following error every
> 30 minutes:
>
> Jun 14 09:50:04 Ace sm-mta[10430]: STARTTLS=server, error: accept
> failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0,
> retry=-1, relay=localhost [127.0.0.1]
>
> If I restart it I get these errors:
>
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: STARTTLS=client, error: connect
> failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: ruleset=tls_server,
> arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
>
> I have made no changes to sendmail's configuration and all files in
> /etc/mail are dated Mar 16, so apparently mergemaster didn't see anything
> new to install and rebuild. There is no entry in /usr/src/UPDATING
> about any change in sendmail either.
>
> I first noticed this on the second machine on my home network. This
> machine has an entry in /etc/mail/aliases forwarding root's email to me
> on the primary. I noticed the day after the upgrade that I didn't get
> the nightly email from the /etc/periodic/daily/ run or from rkhunter. I
> checked my main machine and found that I am not getting these emails
> from it either and am getting the same errors in /var/log/maillog. It
> can't even email itself.
>
> Am I the only one seeing this? Did I get caught between revisions?

Looks like your sendmail is trying to use SSLv3, a.k.a. TLSv1, and that may
not be supported any more in whichever version of OpenSSL you're linking to.
TLSv1 has some known deficiencies, and the TLSv1.1 or TLSv1.2 ciphers are
generally preferred nowadays[*]. There's some config-fu at
https://weakdh.org/sysadmin.html which will allow you to configure your
sendmail to use the most up-to-date and believed-still-to-be-secure ciphers
for preference, plus disallow anything known to be insecure. This works for
me in general, but it might cause you problems if you need to exchange
e-mail with some particularly old machines.

Cheers,

Matthew

[*] Not least because they implement 'Perfect Forward Secrecy', which means
the NSA has to keep breaking your crypto over and over again, rather than
just once...
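The two STARTTLS failure reasons quoted in the thread ("dh key too small" on the client side, "sslv3 alert handshake failure" on the server side) are easy to miss among normal maillog traffic. As an added example that is not part of the thread, the Python below parses sendmail STARTTLS error lines into role, reason and relay and counts recurrences, so a failure repeating every 30 minutes stands out. The sample log lines are constructed from the ones quoted above, and the remediation hints are this example's own assumptions, not advice from the thread.

```python
import re
from collections import Counter

# Constructed sample maillog, modelled on the lines quoted in the thread
# (one healthy TLSv1.2 session added so the parser has something to ignore).
SAMPLE_MAILLOG = """\
Jun 14 09:50:04 Ace sm-mta[10430]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
Jun 14 00:50:04 Ace sm-msp-queue[79406]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jun 14 00:50:04 Ace sm-msp-queue[79406]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
Jun 14 01:20:11 Ace sm-mta[10431]: STARTTLS=server, relay=mx.example.net [192.0.2.10], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
"""

# syslog prefix, then sendmail's "STARTTLS=<role>, error: <op> failed=<n>, reason=<text>"
STARTTLS_ERROR = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: "
    r"STARTTLS=(?P<role>server|client), error: (?P<op>accept|connect) failed=(?P<code>-?\d+), "
    r"reason=(?P<reason>[^,]+)"
)
# relay= is only logged on the server side and sits at the end of the line
RELAY = re.compile(r"relay=(?P<relay>[^,]+)$")

# Assumed, hypothetical hints keyed on the reason strings seen in the thread.
HINTS = {
    "dh key too small": "DH parameters offered by the peer are below the client's minimum; "
                        "regenerate the server's DH params at 2048 bits",
    "sslv3 alert handshake failure": "no mutually acceptable protocol/cipher; "
                                     "compare ServerSSLOptions/CipherList on both ends",
}

def parse_starttls_errors(log_text):
    """Return one dict per STARTTLS error line; non-error lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = STARTTLS_ERROR.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["reason"] = ev["reason"].strip()
        r = RELAY.search(line)
        ev["relay"] = r.group("relay") if r else None
        ev["hint"] = HINTS.get(ev["reason"], "unrecognised reason; inspect the handshake manually")
        events.append(ev)
    return events

def summarize(events):
    """Count failures per (role, reason) so a recurring failure is visible at a glance."""
    return Counter((e["role"], e["reason"]) for e in events)
```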