Message-ID: <5500DF36.9070904@obluda.cz>
Date: Thu, 12 Mar 2015 01:35:02 +0100
From: Dan Lukes
To: Julian Elischer
Cc: freebsd security, Paul Hoffman
Subject: Re: sendmail broken by libssl in current
In-Reply-To: <550092DD.9030808@freebsd.org>

Julian Elischer wrote:
>>> Can you say which email servers *other* than unpatched Ironport fail?

> well my problem is that I don't know what the other ends are running
> exactly, but they are a pretty big institution.

Just a side note - you need not wait for a source patch.
Just disable TLS for those destinations as an instant workaround.

Users of 8.4/9.3 need to disable TLS to those destinations supporting
TLSv1.2 only (as TLSv1.2 is not supported by sendmail on 8.4/9.3-R), so
you will not be alone with this kind of workaround ;-)

Dan