Date: Wed, 24 Jun 2015 10:10:15 +0100
From: Matthew Seaman <matthew@freebsd.org>
To: freebsd-questions@freebsd.org
Subject: Re: 10.1-RELEASE-p12 broke sendmail. 10.1-RELEASE-p13 didn't fix sendmail.
Message-ID: <558A73F7.6020809@freebsd.org>
In-Reply-To: <CAPi0pssZU0BanOd7WrW5ZdOxHBbDEnOXmbYjDzVbBj-W0mFQig@mail.gmail.com>
References: <CAPi0pssr54hRtvaQ9G=XNm5OUMO6pwaMmLRMR_vBSJx4qJS5qg@mail.gmail.com>
 <55884952.8060005@mantis.biz>
 <CAPi0pss%2Bt5roZ_g7KyJA-bm8cAezYpHfF8GLMibDFK01Ji6Urw@mail.gmail.com>
 <558A1E40.8080406@gooch.io>
 <CAPi0pssZU0BanOd7WrW5ZdOxHBbDEnOXmbYjDzVbBj-W0mFQig@mail.gmail.com>

On 06/24/15 06:00, Chris Stankevitz wrote:
> On Tue, Jun 23, 2015 at 8:04 PM, Jesse Gooch <lists@gooch.io> wrote:
>> I recommend reading /usr/src/UPDATING and any relevant Errata Notices
>> and/or Security Advisories BEFORE updating your system so you don't get
>> bit like this again.
>>
>> https://www.freebsd.org/security/advisories/FreeBSD-EN-15:08.sendmail.asc
>
> Hi Jesse,
>
> The whole point of my OP was to say that I read the errata.  I was
> surprised that the update did not fix the problem.  I tried the
> "workaround" (why I need to "work around" it if there was an update is
> not clear) but as I followed the steps I got stumped.  Then I gave
> specific examples of where I got stumped following the errata.
>
> Why is it that I don't get it, but everyone else does?  I'm certain
> the documentation is good.  I have a good command of the English
> language.  Nevertheless I don't get it...

Hi, Chris,

You are correct -- the OS update didn't fix the problem.  FreeBSD
Security Advisories and Errata Notices are usually very reliable in
terms of accurately describing how to solve the problems they address,
but they aren't infallible.  This was a rare case where things went
pear-shaped.

However, the work-around given in the errata notice was in fact the
missing piece that did solve the problem.  Or at least, the core of the
given instructions was.

Now, the EN was written by Greg Shapiro, who is the maintainer for
sendmail in the FreeBSD base system.  He explains here how things went
wrong:

https://lists.freebsd.org/pipermail/freebsd-stable/2015-June/082547.html

but essentially he was confused by an update to the sendmail standard
config and startup scripts that had added autogeneration of TLS
certificates but not all the other parameters that could be used with
TLS.

I think this led to the work-around instructions being overly
complicated.  As you saw, it could be condensed down to:

    openssl dhparam -out /etc/mail/certs/dh.param 2048
    service sendmail restart

I could work that out for myself from what was written in the errata
notice, but that's because I've been dealing with sendmail config in
FreeBSD for years.  I think that summary, or commands pretty much like
them, got posted to various mailing lists fairly soon after the EN came
out.

There will probably be a revision to the EN fairly soon.  It will likely
be released as a bundle with other SA's or EN's when those are ready to
go, to prevent excessive churn for people tracking release branches.

	Cheers,

	Matthew
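
Added example, not part of the original message or of the errata notice: a way to confirm that the dh.param file produced by the workaround above holds parameters of the intended size. The 2048-bit threshold is taken from the command in the message; the function names, the sample outputs and the assumed header line of `openssl dhparam -text` are illustrative.

```sh
#!/bin/sh
# Added example (not from the original message): report the size of the DH
# parameters in a file such as /etc/mail/certs/dh.param.

MIN_BITS=2048   # assumption: the size used in the workaround command

# Read `openssl dhparam -text -noout` output on stdin, print the bit length.
# Assumed header forms: "DH Parameters: (N bit)", optionally with a
# "PKCS#3 " prefix as printed by older OpenSSL releases.
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Classify a bit length: prints "ok", "weak" or "unreadable".
dh_verdict() {
    case $1 in
        ''|*[!0-9]*) echo unreadable ;;
        *) if [ "$1" -ge "$MIN_BITS" ]; then echo ok; else echo weak; fi ;;
    esac
}

# Check a file on disk (needs openssl in PATH); prints "missing" if absent.
check_dh_file() {
    [ -r "$1" ] || { echo missing; return 0; }
    dh_verdict "$(openssl dhparam -in "$1" -text -noout 2>/dev/null |
        dh_bits_from_text)"
}

# Constructed sample outputs, not captured from a real system.
SAMPLE_SHORT='    PKCS#3 DH Parameters: (512 bit)'
SAMPLE_LONG='    DH Parameters: (2048 bit)'

for sample in "$SAMPLE_SHORT" "$SAMPLE_LONG"; do
    bits=$(printf '%s\n' "$sample" | dh_bits_from_text)
    printf '%s bit -> %s\n' "$bits" "$(dh_verdict "$bits")"
done
```

On a live system, `check_dh_file /etc/mail/certs/dh.param` printing "ok" means the first command of the workaround has taken effect; "missing" or "weak" means it still needs to be run before restarting sendmail.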