Date: Thu, 18 Jun 2015 05:53:20 GMT From: FreeBSD Errata Notices <errata-notices@freebsd.org> To: FreeBSD Errata Notices <errata-notices@freebsd.org> Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail Message-ID: <201506180553.t5I5rKlO059969@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-15:08.sendmail Errata Notice The FreeBSD Project Topic: sendmail TLS/DH Interoperability Improvement Category: contrib Module: sendmail Announced: 2015-06-18 Credits: Frank Seltzer, Gregory Shapiro Affects: All supported versions of FreeBSD. Corrected: 2015-06-17 02:39:10 UTC (stable/10, 10.1-STABLE) 2015-06-18 05:36:45 UTC (releng/10.1, 10.1-RELEASE-p13) 2015-06-17 03:11:25 UTC (stable/9, 9.3-STABLE) 2015-06-18 05:36:45 UTC (releng/9.3, 9.3-RELEASE-p17) 2015-06-17 03:22:18 UTC (stable/8, 8.4-STABLE) 2015-06-18 05:36:45 UTC (releng/8.4, 8.4-RELEASE-p31) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.freebsd.org/>. I. Background sendmail supports STARTTLS encrypted connections using DHE_EXPORT ciphers. As part of that support, by default, sendmail employs 1024-bit DH parameters for server connections and 512-bit DH parameters for client connections. II. Problem Description In response to CVE-2015-4000 ("Logjam TLS vulnerability"), OpenSSL and other encryption packages have begun rejecting 512-bit and lower DH parameters during negotiation, thereby reducing interoperability. III. Impact In its default configuration, client connections from sendmail to other SMTP servers will not be able to negotiate a STARTTLS encrypted session with SMTP servers which reject 512-bit DH parameters. This may cause mail deliverability issues for outbound mail. IV. Workaround To work around this interoperability, sendmail can be configured to use a 1024 or 2048 bit DH parameter using these steps: 1. Edit /etc/mail/`hostname`.mc 2. If a setting for confDH_PARAMETERS does not exist or exists and is set to a string beginning with '5', replace it with '1' for 1024-bit or '2' for 2048-bit. 3. If a setting for confDH_PARAMETERS exists and is set to a file path, create a new file with: openssl dhparam -out /path/to/file 2048 for 2048-bit or: openssl dhparam -out /path/to/file 1024 for 1024-bit. 4. If you have modified your MSP submission configuration file to enable STARTTLS (not enabled by default), repeat the above steps for /etc/mail/`hostname`.submit.mc. 5. Rebuild the .cf file(s): cd /etc/mail/; make; make install 6. Restart sendmail: cd /etc/mail/; make restart Systems that do not use sendmail are not affected. V. Solution A change to the raise the default for sendmail client connections to 1024-bit DH parameters has been committed. Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your present system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your present system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch # fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch.asc # gpg --verify sendmail.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart the sendmail daemon(s), or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r284491 releng/8.4/ r284536 stable/9/ r284488 releng/9.3/ r284536 stable/10/ r284485 releng/10.1/ r284536 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References The latest revision of this Errata Notice is available at https://security.FreeBSD.org/advisories/FreeBSD-EN-15:08.sendmail.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.5 (FreeBSD) iQIcBAEBCgAGBQJVgllYAAoJEO1n7NZdz2rnsY0QAIKcqNxRed97fvmxvL9kX1In CpdKO0Cso8EhCDOKJzmSYR49QZc6CNtPflbgbK2wktiHptmK87R+xODyIWBR1q8T peMoevr942gCUZzrA259cLaWJGC7MZer5G9SIsB7cnMJox/QcHmQysDONfu1PRjf T8T3/q24230PnBBJpR1SNDMOPAc1YLMetEZ3ue72ToG9pd6gAXN8I9N1ZUPY/6dd 9/urhdQnxlX5RB3JnqujueJvCrcstInZ8grtKOmTfPSUcWGL++dwu6YH34ORwKDh wiI8U+qyg1Lq5vGx6srDOkGAhiSbYi177PV1RCNTxY28yGVvhiiSnLSsIesZBcoB pVYcefBJeqcXNuQC5jsGKHEbti9X3bhHnThOaOBOvrooEGcc7/DuP02BZiNOWDvV 3axT+iFzJdZ1sZktdUQl65zqVBSDASTFz5uG/nTUFASj0W4+vVEghy6FAxlf3aBO eV9tqxeUozt0nSb/44n2u2GHRplWWS1KEE3N+skN5IT4RfZaNvTVtZ0s1fRv6Jum YNut6TGiVIyTACP0JjS2TkGC3kdPrqweZSQ6xnfrgOSCS+3w2nR1aqaGJ3aCIm/b 9ixFFIW03LhBH2fl4Y68+CbAlIgGd0zigbRds1IGxRSUxR8AKBngqC+KQUFCOSnY snl4x6f2t36abWYgneaP =mvxv -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201506180553.t5I5rKlO059969>