From: Frank Seltzer
Date: Sun, 14 Jun 2015 13:50:32 -0400 (EDT)
To: Gregory Shapiro
cc: freebsd-stable@freebsd.org
Subject: Re: Sendmail problem after upgrade to r284296

On Sun, 14 Jun 2015, Gregory Shapiro wrote:

> The new OpenSSL eliminated small DHParam support. That leaves two possibilities:
>
> 1. The remote side you are talking to is using a small value. The best thing to do would be to eliminate the DH ciphers from your settings. See the docs for the CipherList setting.

Both machines are on my home network. Both have default settings.

> 2. Your side is using a small value. Double check your setting:
>
>> grep DHParam /etc/mail/sendmail.cf
> # DHParameters (only required if DSA/DH is used)
> #O DHParameters

# DHParameters (only required if DSA/DH is used)
O DHParameters=/etc/mail/certs/dh.param

# DHParameters (only required if DSA/DH is used)
O DHParameters=/etc/mail/certs/dh.param

Again, default values, no changes to the installed files made.

> If that is set to '5' (or a string beginning with 5) or a filename which was created with a 512 bit DHParam, change it to '2' (2048) or a newly created file using 'openssl dhparam -out /path/to/file 2048'. In your /etc/mail/`hostname`.mc file, this setting will show as confDH_PARAMETERS.
>
> Also note that the first version of the openssl fix included an ABI issue and a new version was released. Make sure you are using the latest version.

root@Shop:/etc/mail/certs # openssl version
OpenSSL 1.0.1n-freebsd 11 Jun 2015
root@Shop:/etc/mail/certs # svnlite info /usr/src/
Path: /usr/src
Working Copy Root Path: /usr/src
URL: svn://ace/src/stable/10
Relative URL: ^/stable/10
Repository Root: svn://ace/src
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 284296
Node Kind: directory
Schedule: normal
Last Changed Author: jkim
Last Changed Rev: 284285
Last Changed Date: 2015-06-11 15:07:45 -0400 (Thu, 11 Jun 2015)

oot@Ace:/usr/ports # openssl version
OpenSSL 1.0.1n-freebsd 11 Jun 2015
root@Ace:/usr/ports # svnlite info /usr/src/
Path: /usr/src
Working Copy Root Path: /usr/src
URL: svn://ace/src/stable/10
Relative URL: ^/stable/10
Repository Root: svn://ace/src
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 284296
Node Kind: directory
Schedule: normal
Last Changed Author: jkim
Last Changed Rev: 284285
Last Changed Date: 2015-06-11 15:07:45 -0400 (Thu, 11 Jun 2015)

Has anything changed since then? Does this revision have the openssl changes?
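
Added example, not part of the original message or of sendmail/FreeBSD: one way to check what prime size an active `O DHParameters=` line actually resolves to, by reading the PKCS#3 DER inside the PEM file instead of trusting how the file was created. The function names and the sample PEM are constructed for illustration, and only the setting values named in the thread ('5', '2', a filename) are handled.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der_len(buf, i):
    """Decode the DER length field at buf[i]; return (length, index after it)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PKCS#3 DH PARAMETERS PEM: SEQUENCE { p, g }."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:  # outer SEQUENCE tag
        raise ValueError("not a DER SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i] != 0x02:  # first member must be INTEGER p
        raise ValueError("expected INTEGER for p")
    n, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + n], "big").bit_length()

def active_dh_setting(cf_text):
    """Value of the uncommented 'O DHParameters=' line in sendmail.cf, else None."""
    for line in cf_text.splitlines():
        m = re.match(r"O\s+DHParameters\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None

def dh_bits_for_setting(value, read_text):
    """Prime size for a setting: '5...' is 512, '2' is 2048, anything else a file."""
    if value.startswith("5"):
        return 512
    if value == "2":
        return 2048
    return dh_prime_bits(read_text(value))  # read_text(path) returns the PEM text

# Constructed samples: the cf lines from the thread, and a 512-bit PEM whose
# "prime" is 2^511 + 1 (not a real prime, only the size matters here).
SAMPLE_CF = "# DHParameters (only required if DSA/DH is used)\nO DHParameters=/etc/mail/certs/dh.param\n"
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMEYCQQCA" + "A" * 80 + "AAABAgEC\n-----END DH PARAMETERS-----\n"
if __name__ == "__main__":
    setting = active_dh_setting(SAMPLE_CF)
    print(setting, dh_bits_for_setting(setting, lambda path: SAMPLE_PEM), "bits")
```

On a real host, pass `lambda path: open(path).read()` as `read_text` so the file named in sendmail.cf is the one measured.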