From: Gregory Shapiro <gshapiro@gshapiro.net>
To: Jamie Landeg-Jones
Cc: freebsd-stable@freebsd.org
Date: Sat, 20 Jun 2015 23:12:19 -0700
Subject: Re: Last openssl update brakes localhost email sending
Message-ID: <20150621061219.GD51738@minime.local>
References: <5582C749.9060801@sentex.net> <20150618150404.GA42082@minime.local> <201506182302.t5IN2l82090847@dyslexicfish.net>
In-Reply-To: <201506182302.t5IN2l82090847@dyslexicfish.net>
List: freebsd-stable@freebsd.org (Production branch of FreeBSD source code)

> I'm curious... Why is localhost delivery encrypted by default in the first place?

sendmail, when acting as a client, employs opportunistic encryption by default. Local mail submission done via the command line uses the MSP configuration /etc/mail/submit.cf to send the mail. That submit.cf is built to relay the mail to an MTA host, localhost by default, but it can be configured to use a central mail server as well if desired (e.g., for a centralized mail hub, centralized queue management, etc.). The standard submit.cf makes no assumptions about the location of the MTA host and therefore doesn't disable encryption.

> The only reason I can think of is if there is some unencrypted TCP
> relayed 'tunnel', that has been set up not using ssh or some other
> encrypted transport.

One other use case (likely not a concern) is to prevent other privileged users from easily snooping localhost traffic (`tcpdump -i lo0 -X -s 0 port 25`).
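An added example, not part of Gregory's reply and not the stock FreeBSD submit.mc: if an administrator decides the MSP-to-MTA hop over loopback should not attempt STARTTLS at all, sendmail's documented knob is the `Try_TLS:` tag in the access map, which the MSP only consults when submit.mc pulls in `access_db`. The file name `freebsd.submit.mc` and the `make`/`make install`/`make maps` steps are assumptions about FreeBSD's /etc/mail layout; the mc below is deliberately minimal and omits the other defines the stock file carries.

```m4
dnl /etc/mail/freebsd.submit.mc (assumed FreeBSD file name) -- added example,
dnl not the stock submit.mc.  The MSP relays everything to [127.0.0.1] and,
dnl because it is a normal sendmail client, tries STARTTLS opportunistically
dnl whenever the MTA advertises it.  Giving the MSP an access map lets a
dnl Try_TLS: entry switch that off for the loopback hop only.
divert(-1)
include(`/usr/share/sendmail/cf/m4/cf.m4')
divert(0)dnl
VERSIONID(`submit.mc with access_db so the MSP honours Try_TLS: entries')
define(`confCF_VERSION', `Submit')dnl
define(`confDONT_INIT_GROUPS', `True')dnl
dnl Default map is hash /etc/mail/access.db; the MSP runs as the submitting
dnl user (setgid smmsp), so that file must be readable by those users.
FEATURE(`access_db')dnl
dnl Relay to the local MTA, as the standard submit.mc does.
FEATURE(`msp', `[127.0.0.1]')dnl
```

Then add `Try_TLS:localhost NO` and `Try_TLS:127.0.0.1 NO` to /etc/mail/access (the MTA's name and address both get looked up), and run `cd /etc/mail && make && make install && make maps`. Before doing any of this, check what the MTA actually offers on loopback with `openssl s_client -starttls smtp -connect 127.0.0.1:25 </dev/null`; if the handshake is what is failing, repairing the MTA's TLS configuration is the better fix, since turning STARTTLS off just makes the local hop cleartext, with exactly the `tcpdump -i lo0` exposure mentioned above.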