From owner-freebsd-stable@FreeBSD.ORG Thu Jun 18 08:35:24 2015
Date: Thu, 18 Jun 2015 11:34:36 +0300
Subject: Last openssl update breaks localhost email sending
From: Pavel Timofeev
To: freebsd-stable stable, Gregory Shapiro
Good day to everybody! ;)

My FreeBSD 10.1-RELEASE-p13 amd64 can't send email to localhost anymore!

I know that openssl has been updated, and it raises the bar on the bit size of dh parameters. I know there is an update for sendmail to catch up with it. But it didn't help.

Here is one of my servers. I did not touch anything in /etc/mail after installation of my system. And of course I didn't create dh parameters in the /etc/mail/certs dir.

    root@pyxis-v:~ # freebsd-version
    10.1-RELEASE-p13
    root@pyxis-v:~ # echo test | mail -s 'aa' ptimofeev@ocs.ru
    root@pyxis-v:~ # tail -f /var/log/maillog
    Jun 18 11:19:00 pyxis-v sendmail[1122]: t5I8J0F1001122: from=timp, size=39, class=0, nrcpts=1, msgid=<201506180819.t5I8J0F1001122@pyxis-v.ocs.ru>, relay=root@localhost
    Jun 18 11:19:00 pyxis-v sendmail[1122]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
    Jun 18 11:19:00 pyxis-v sm-mta[1123]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
    Jun 18 11:19:00 pyxis-v sendmail[1122]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
    Jun 18 11:19:00 pyxis-v sendmail[1122]: t5I8J0F1001122: to=ptimofeev@ocs.ru, ctladdr=timp (1001/1001), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30039, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
    Jun 18 11:19:00 pyxis-v sm-mta[1123]: t5I8J0p5001123: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0

Why does it complain about a too-small dh key?! I don't have them. No changes in /etc/mail since installation. What's going on?

So it looks like everybody who updated their systems to p-1(2|3) has to do some stuff (openssl dhparam -out dh.param 2048). IMO, it's really, really bad.
Am I wrong, misunderstanding or doing something wrong?
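As an added illustration (not part of Pavel's message, nor sendmail's own tooling), here is a small Python parser that runs over the maillog excerpt quoted above and correlates the client-side STARTTLS failure with the deferred queue id, so an operator can see at a glance which deliveries are stuck on "dh key too small". The log lines are the ones from the message, embedded as constructed sample input.

```python
import re
from collections import Counter

# Constructed sample input: the maillog excerpt quoted in the message above.
SAMPLE_MAILLOG = """\
Jun 18 11:19:00 pyxis-v sendmail[1122]: t5I8J0F1001122: from=timp, size=39, class=0, nrcpts=1, msgid=<201506180819.t5I8J0F1001122@pyxis-v.ocs.ru>, relay=root@localhost
Jun 18 11:19:00 pyxis-v sendmail[1122]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jun 18 11:19:00 pyxis-v sm-mta[1123]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
Jun 18 11:19:00 pyxis-v sendmail[1122]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
Jun 18 11:19:00 pyxis-v sendmail[1122]: t5I8J0F1001122: to=ptimofeev@ocs.ru, ctladdr=timp (1001/1001), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30039, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
"""

# sendmail logs STARTTLS errors as "STARTTLS=<role>, error: ..., reason=<text>, ..."
STARTTLS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<prog>sendmail|sm-mta)\[(?P<pid>\d+)\]: "
    r"STARTTLS=(?P<role>client|server), error: .*?reason=(?P<reason>[^,]+)"
)
# Delivery attempts carry the queue id and a "stat=Deferred: ..." status.
DEFERRED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): to=(?P<to>\S+?),.*"
    r"stat=Deferred: (?P<status>.*)$"
)

def parse_starttls_failures(log_text):
    """One dict per STARTTLS error line: role (client/server), reason, pid, host."""
    return [m.groupdict() for m in map(STARTTLS_RE.match, log_text.splitlines()) if m]

def parse_deferred(log_text):
    """One dict per deferred delivery attempt, keyed by sendmail queue id."""
    return {m.group("qid"): m.groupdict()
            for m in map(DEFERRED_RE.match, log_text.splitlines()) if m}

def summarize(log_text):
    """Count failure reasons and link each deferred queue id to the client-side
    STARTTLS failure logged by the same sendmail process (same pid)."""
    failures = parse_starttls_failures(log_text)
    deferred = parse_deferred(log_text)
    reasons = Counter(f["reason"] for f in failures)
    by_pid = {f["pid"]: f for f in failures if f["role"] == "client"}
    linked = {qid: by_pid[d["pid"]]["reason"]
              for qid, d in deferred.items() if d["pid"] in by_pid}
    return {"reasons": dict(reasons), "deferred": linked}

if __name__ == "__main__":
    print(summarize(SAMPLE_MAILLOG))
```

Pointing the parser at a real /var/log/maillog (instead of the embedded sample) turns it into a quick check of whether the DH-size rejection is affecting only localhost relays or outbound mail as well.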