Date: Sun, 14 Jun 2015 19:26:00 -0500
From: Karl Denninger <karl@denninger.net>
To: freebsd-stable@freebsd.org
Subject: Re: Sendmail problem after upgrade to r284296
Message-ID: <557E1B98.6070402@denninger.net>
In-Reply-To: <alpine.BSF.2.20.1506141952140.853@Ace.nina.org>
References: <alpine.BSF.2.20.1506141014130.852@Ace.nina.org> <20150614165507.GD95564@minime.local> <alpine.BSF.2.20.1506141333131.852@Ace.nina.org> <20150614180142.GE95564@minime.local> <alpine.BSF.2.20.1506141952140.853@Ace.nina.org>
On 6/14/2015 19:21, Frank Seltzer wrote:
> I updated source and rebuilt world and kernel with no change in
> sendmail's behavior. This is the revision I have now:
>
> root@Ace:/etc/mail/certs # svnlite info /usr/src/
> Path: /usr/src
> Working Copy Root Path: /usr/src
> URL: svn://ace/src/stable/10
> Relative URL: ^/stable/10
> Repository Root: svn://ace/src
> Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
> Revision: 284384
> Node Kind: directory
> Schedule: normal
> Last Changed Author: kib
> Last Changed Rev: 284375
> Last Changed Date: 2015-06-14 01:12:48 -0400 (Sun, 14 Jun 2015)
>
> root@Ace:/etc/mail/certs # uname -a
> FreeBSD Ace.nina.org 10.1-STABLE FreeBSD 10.1-STABLE #0 r284384: Sun
> Jun 14 16:40:15 EDT 2015
> frank_s@Ace.nina.org:/usr/obj/usr/src/sys/GENERIC amd64
>
> and openssl:
>
> root@Ace:/etc/mail/certs # openssl version
> OpenSSL 1.0.1o-freebsd 12 Jun 2015
>
> so I'm up to date there as well.
>
>> /etc/rc.d/sendmail stop
>> mv /etc/mail/certs/dh.param{,~old}
>> openssl dhparam -out /etc/mail/certs/dh.param 2048
>> /etc/rc.d/sendmail start
>
> After the update I got your email and followed your instructions,
> except for moving dh.param because it didn't exist, and sendmail is
> happy now.
>
> I checked and there is still no mention of this in /usr/src/UPDATING
> so my question is, when and how is dh.param supposed to be created?
> Since I'm not the only one with this problem it doesn't seem to be
> something I did or didn't do. What could have caused dh.param to not
> be generated?
>
> Thanks,
> Frank
>

It only needs to be done once (and now you've done it.) The reason is a bit obscure but has to do with some vulnerabilities discovered in DH key negotiation with weak parameter sets.
Most mail servers do not check literally ANYTHING when it comes to SSL connections, but this is a VERY poor practice. That it's being tightened up is a good thing to a point, but there will be more of this sort of problem over time (particularly if people start getting uppity about broken certification chains or private CAs as a whole LOT of email servers run self-signed or local-CA-issued SSL certificates!)

Are these potentially breakable too? Yes, with a MITM (man-in-the-middle) attack -- but that's not the same degree of vulnerability as the DH key problem, so hopefully the "cranking down of the screws" will stop before it gets to where it begins to SEVERELY impact mail exchange.

-- 
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
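As an added example (not code from the thread), a small audit a FreeBSD admin could run before restarting sendmail: it parses the PKCS#3 "DH PARAMETERS" PEM file that `openssl dhparam` writes to /etc/mail/certs/dh.param and reports whether the file is missing (Frank's case) or its prime is smaller than the 2048 bits the thread regenerates with. The encoder and the 2**1023+3 sample value are constructed here only to exercise the parser and are not real DH primes.

```python
import base64
import os

MIN_DH_BITS = 2048  # the group size the thread regenerates dh.param with

def _der_len(n):
    # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value):
    # DER INTEGER; the +8 keeps a leading 0x00 when the top bit is set
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def encode_dh_params_pem(p, g):
    # PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
    # (constructed here for testing; the real file comes from openssl dhparam)
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, pos):
    # return (tag, value, next_pos) for the DER element starting at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    # size in bits of the prime p inside a 'DH PARAMETERS' PEM block
    b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element is not INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()

def check_dh_param_file(path="/etc/mail/certs/dh.param", min_bits=MIN_DH_BITS):
    # "missing" is the state Frank hit: sendmail had no dh.param to load
    if not os.path.exists(path):
        return "missing"
    with open(path) as f:
        return "ok" if dh_prime_bits(f.read()) >= min_bits else "weak"
```

A "missing" or "weak" result means regenerating the file with the `openssl dhparam -out /etc/mail/certs/dh.param 2048` step quoted above and restarting sendmail.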