From owner-freebsd-stable@FreeBSD.ORG Thu Jun 18 09:00:56 2015
Date: Thu, 18 Jun 2015 12:00:09 +0300
From: Pavel Timofeev
To: freebsd-stable stable, Gregory Shapiro
Subject: Re: Last openssl update breaks localhost email sending
List-Id: Production branch of FreeBSD source code

Here is some proof that nothing has changed in the mail dir since installation.

root@pyxis-v:~ # ll /etc/mail
total 384
-rw-r--r--  1 root  wheel    6814 Oct  7  2014 Makefile
-rw-r--r--  1 root  wheel    2900 Oct  7  2014 README
-rw-r--r--  1 root  wheel     632 Oct  7  2014 access.sample
-rw-r--r--  1 root  wheel    1691 Oct  7  2014 aliases
-rw-r-----  1 root  wheel  131072 Aug  6  2014 aliases.db
drwxr-xr-x  2 root  wheel     512 Aug  6  2014 certs/
-rw-r--r--  1 root  wheel   58400 Oct  7  2014 freebsd.cf
-rw-r--r--  1 root  wheel    4537 Oct  7  2014 freebsd.mc
-r--r--r--  1 root  wheel   40741 Oct  7  2014 freebsd.submit.cf
-r--r--r--  1 root  wheel     898 Oct  7  2014 freebsd.submit.mc
-r--r--r--  1 root  wheel    5659 Sep 15  2014 helpfile
-rw-r--r--  1 root  wheel     405 Oct  7  2014 mailer.conf
-rw-r--r--  1 root  wheel     248 Oct  7  2014 mailertable.sample
-rw-r--r--  1 root  wheel   58400 Oct  7  2014 sendmail.cf
-r--r--r--  1 root  wheel   40741 Oct  7  2014 submit.cf
-rw-r--r--  1 root  wheel     574 Oct  7  2014 virtusertable.sample

root@pyxis-v:~ # ll /etc/mail/certs/
total 12
lrwxr-xr-x  1 root  wheel    10 Aug  6  2014 6ba511ab.0@ -> cacert.pem
-rw-r--r--  1 root  wheel  1285 Aug  6  2014 cacert.pem
-rw-r--r--  1 root  wheel  1334 Aug  6  2014 host.cert
-rw-------  1 root  wheel  1704 Aug  6  2014 host.key

2015-06-18 11:34 GMT+03:00 Pavel Timofeev :
> Good day to everybody! ;)
> My FreeBSD 10.1-RELEASE-p13 amd64 can't send email to localhost anymore!
>
> I know that openssl has been updated, and it raises the bar for the bit
> size of DH parameters.
> I know there is an update for sendmail to catch up with it. But it didn't help.
>
> Here is one of my servers.
> I did not touch anything in /etc/mail after installation of my system.
> And of course I didn't create DH parameters in the /etc/mail/certs dir.
>
> root@pyxis-v:~ # freebsd-version
> 10.1-RELEASE-p13
>
> root@pyxis-v:~ # echo test | mail -s 'aa' ptimofeev@ocs.ru
>
> root@pyxis-v:~ # tail -f /var/log/maillog
> Jun 18 11:19:00 pyxis-v sendmail[1122]: t5I8J0F1001122: from=timp, size=39, class=0, nrcpts=1, msgid=<201506180819.t5I8J0F1001122@pyxis-v.ocs.ru>, relay=root@localhost
> Jun 18 11:19:00 pyxis-v sendmail[1122]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> Jun 18 11:19:00 pyxis-v sm-mta[1123]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
> Jun 18 11:19:00 pyxis-v sendmail[1122]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
> Jun 18 11:19:00 pyxis-v sendmail[1122]: t5I8J0F1001122: to=ptimofeev@ocs.ru, ctladdr=timp (1001/1001), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30039, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
> Jun 18 11:19:00 pyxis-v sm-mta[1123]: t5I8J0p5001123: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
>
>
> Why does it complain about a too-small DH key?! I don't have them. No
> changes in /etc/mail since installation. What's going on?
>
> So it looks like everybody who updated their systems to p-1(2|3) has to
> do some stuff (openssl dhparam -out dh.param 2048).
> IMO, it's really, really bad.
> Am I wrong, misunderstanding or doing something wrong?
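An added example, not part of this mailing-list post and not FreeBSD's or sendmail's own code: a POSIX shell script that checks whether a DH parameter file meets the larger minimum the updated OpenSSL enforces, generates a 2048-bit group with the openssl dhparam command quoted above if the file is missing or too small, and counts "reason=dh key too small" STARTTLS failures in a maillog so the condition can be spotted before mail starts deferring. The path /etc/mail/certs/dh.param, the MIN_DH_BITS threshold and the confDH_PARAMETERS .mc line are assumptions rather than anything the post states; the sample log lines are constructed in the format sendmail writes.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Checks for the condition
# behind "reason=dh key too small" and applies the workaround quoted in
# the thread. Assumptions (hypothetical, not from the page): the DH
# parameter file lives at /etc/mail/certs/dh.param and sendmail learns
# about it through confDH_PARAMETERS in the .mc file, e.g.
#   define(`confDH_PARAMETERS', `/etc/mail/certs/dh.param')dnl
# Requires the openssl(1) binary for the file checks.

MIN_DH_BITS=${MIN_DH_BITS:-2048}

# Extract the group size from "openssl dhparam -text" output on stdin,
# e.g. "    DH Parameters: (512 bit)" -> 512. Prints nothing if absent.
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Bit size of the DH group in a PEM parameter file, or 0 if unreadable.
dh_param_bits() {
    dh_bits=$(openssl dhparam -in "$1" -noout -text 2>/dev/null | dh_bits_from_text)
    echo "${dh_bits:-0}"
}

# Succeed only if the file holds a group of at least MIN_DH_BITS bits.
dh_param_ok() {
    [ "$(dh_param_bits "$1")" -ge "$MIN_DH_BITS" ]
}

# Create a fresh parameter file if the existing one is missing or too
# small. Generating a 2048-bit group can take minutes; that is expected.
ensure_dh_params() {
    dh_file=$1
    if [ -f "$dh_file" ] && dh_param_ok "$dh_file"; then
        echo "ok: $dh_file has $(dh_param_bits "$dh_file")-bit DH parameters"
        return 0
    fi
    echo "generating $MIN_DH_BITS-bit DH parameters in $dh_file"
    umask 077
    openssl dhparam -out "$dh_file" "$MIN_DH_BITS"
}

# Count client-side STARTTLS failures caused by an undersized DH group.
# grep -c exits 1 when the count is 0, so "|| true" keeps the 0 printed.
count_small_dh_failures() {
    grep -c 'STARTTLS=client.*reason=dh key too small' "$1" || true
}

# Constructed sample maillog (not the post's own log) in sendmail's format;
# one failing handshake, one server-side alert, one successful session.
make_sample_log() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
Jun 18 11:19:00 host sendmail[1122]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jun 18 11:19:00 host sm-mta[1123]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
Jun 18 11:20:00 host sendmail[1130]: STARTTLS=client, relay=localhost, version=TLSv1.2, verify=OK, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
EOF
    echo "$sample"
}

# Stand-alone demo, enabled with DH_DEMO=1 so that sourcing the file does
# not start a long parameter generation by accident.
if [ "${DH_DEMO:-0}" = "1" ]; then
    demo_log=$(make_sample_log)
    echo "small-DH STARTTLS failures in sample log: $(count_small_dh_failures "$demo_log")"
    rm -f "$demo_log"
    ensure_dh_params "${DH_PARAM_FILE:-/etc/mail/certs/dh.param}"
fi
```

Run it with DH_DEMO=1 and, on a test machine, DH_PARAM_FILE pointing at a scratch path; the log detector only needs the failing client-side line, since the matching server-side "sslv3 alert handshake failure" line gives no reason on its own.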