Date:      Thu, 18 Jun 2015 12:00:09 +0300
From:      Pavel Timofeev <timp87@gmail.com>
To:        freebsd-stable stable <freebsd-stable@freebsd.org>, Gregory Shapiro <gshapiro@freebsd.org>
Subject:   Re: Last openssl update brakes localhost email sending
Message-ID:  <CAAoTqfvchXndzgCRDyJXCz%2BUOi93w1v-vvKvoLMgPLk6cHh4Dw@mail.gmail.com>
In-Reply-To: <CAAoTqft7wRi9Ov_oiCk64HwbT%2BrXn-AvkOd-%2BVeFhq_s8bE7NA@mail.gmail.com>
References:  <CAAoTqft7wRi9Ov_oiCk64HwbT%2BrXn-AvkOd-%2BVeFhq_s8bE7NA@mail.gmail.com>

Here is a kind of proof that nothing has changed in the mail dir since installation.

root@pyxis-v:~ # ll /etc/mail
total 384
-rw-r--r--  1 root  wheel    6814 Oct  7  2014 Makefile
-rw-r--r--  1 root  wheel    2900 Oct  7  2014 README
-rw-r--r--  1 root  wheel     632 Oct  7  2014 access.sample
-rw-r--r--  1 root  wheel    1691 Oct  7  2014 aliases
-rw-r-----  1 root  wheel  131072 Aug  6  2014 aliases.db
drwxr-xr-x  2 root  wheel     512 Aug  6  2014 certs/
-rw-r--r--  1 root  wheel   58400 Oct  7  2014 freebsd.cf
-rw-r--r--  1 root  wheel    4537 Oct  7  2014 freebsd.mc
-r--r--r--  1 root  wheel   40741 Oct  7  2014 freebsd.submit.cf
-r--r--r--  1 root  wheel     898 Oct  7  2014 freebsd.submit.mc
-r--r--r--  1 root  wheel    5659 Sep 15  2014 helpfile
-rw-r--r--  1 root  wheel     405 Oct  7  2014 mailer.conf
-rw-r--r--  1 root  wheel     248 Oct  7  2014 mailertable.sample
-rw-r--r--  1 root  wheel   58400 Oct  7  2014 sendmail.cf
-r--r--r--  1 root  wheel   40741 Oct  7  2014 submit.cf
-rw-r--r--  1 root  wheel     574 Oct  7  2014 virtusertable.sample

root@pyxis-v:~ # ll /etc/mail/certs/
total 12
lrwxr-xr-x  1 root  wheel    10 Aug  6  2014 6ba511ab.0@ -> cacert.pem
-rw-r--r--  1 root  wheel  1285 Aug  6  2014 cacert.pem
-rw-r--r--  1 root  wheel  1334 Aug  6  2014 host.cert
-rw-------  1 root  wheel  1704 Aug  6  2014 host.key

2015-06-18 11:34 GMT+03:00 Pavel Timofeev <timp87@gmail.com>:
> Good day to everybody! ;)
> My FreeBSD 10.1-RELEASE-p13 amd64 can't send email to localhost anymore!
>
> I know that openssl has been updated, and it raises the bar of bit
> size of dh parameters.
> I know there is an update for sendmail to catch up with it. But it didn't help.
>
> Here is one of my servers.
> I did not touch anything in /etc/mail after installation of my system.
> And of course I didn't create any dh parameters in the /etc/mail/certs dir.
>
> root@pyxis-v:~ # freebsd-version
> 10.1-RELEASE-p13
>
> root@pyxis-v:~ # echo test | mail -s 'aa' ptimofeev@ocs.ru
>
> root@pyxis-v:~ # tail -f /var/log/maillog
> Jun 18 11:19:00 pyxis-v sendmail[1122]: t5I8J0F1001122: from=timp,
> size=39, class=0, nrcpts=1,
> msgid=<201506180819.t5I8J0F1001122@pyxis-v.ocs.ru>,
> relay=root@localhost
> Jun 18 11:19:00 pyxis-v sendmail[1122]: STARTTLS=client, error:
> connect failed=-1, reason=dh key too small, SSL_error=1, errno=0,
> retry=-1
> Jun 18 11:19:00 pyxis-v sm-mta[1123]: STARTTLS=server, error: accept
> failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0,
> retry=-1, relay=localhost [127.0.0.1]
> Jun 18 11:19:00 pyxis-v sendmail[1122]: ruleset=tls_server,
> arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
> Jun 18 11:19:00 pyxis-v sendmail[1122]: t5I8J0F1001122:
> to=ptimofeev@ocs.ru, ctladdr=timp (1001/1001), delay=00:00:00,
> xdelay=00:00:00, mailer=relay, pri=30039, relay=[127.0.0.1]
> [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
> Jun 18 11:19:00 pyxis-v sm-mta[1123]: t5I8J0p5001123: localhost
> [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to
> Daemon0
>
>
> Why does it complain about a too small dh key?! I don't have them. No
> changes in /etc/mail since installation. What's going on?
>
> So it looks like everybody who updated their systems to p-1(2|3) has to
> do some stuff (openssl dhparam -out dh.param 2048).
> IMO, it's really, really bad.
> Am I wrong, misunderstanding or doing something wrong?
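
One way to pull this failure pattern out of /var/log/maillog, as an added example that is not part of the original message: it pairs each STARTTLS error with the delivery the same sendmail process then deferred. The sample input is the quoted log rejoined onto single lines; the function name and the output layout are assumptions.

```python
import re

# Sample input: the maillog entries quoted in the message, rejoined onto single lines.
SAMPLE = """\
Jun 18 11:19:00 pyxis-v sendmail[1122]: t5I8J0F1001122: from=timp, size=39, class=0, nrcpts=1, msgid=<201506180819.t5I8J0F1001122@pyxis-v.ocs.ru>, relay=root@localhost
Jun 18 11:19:00 pyxis-v sendmail[1122]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jun 18 11:19:00 pyxis-v sm-mta[1123]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
Jun 18 11:19:00 pyxis-v sendmail[1122]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
Jun 18 11:19:00 pyxis-v sendmail[1122]: t5I8J0F1001122: to=ptimofeev@ocs.ru, ctladdr=timp (1001/1001), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30039, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
"""

# syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) ([\w-]+)\[(\d+)\]: (.*)$")
# STARTTLS error record: role (client/server) and the TLS library's reason text
TLS_ERR = re.compile(r"^STARTTLS=(client|server), error: .*?reason=([^,]+)")
# Delivery record that ended in a deferral: queue id, recipient, status text
DEFERRED = re.compile(r"^(\w+): to=([^,]+),.*stat=Deferred: (.*)$")


def tls_failures(log_text):
    """Return (failures by pid, deferred deliveries tied to a TLS failure)."""
    failures = {}   # pid -> {"prog", "role", "reason"}
    deferred = []   # deliveries deferred by a process that logged a TLS error
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # continuation line or foreign format
        _host, prog, pid, msg = m.groups()
        t = TLS_ERR.match(msg)
        if t:
            failures[pid] = {"prog": prog, "role": t.group(1),
                             "reason": t.group(2).strip()}
            continue
        d = DEFERRED.match(msg)
        if d and pid in failures:
            deferred.append({"qid": d.group(1), "to": d.group(2),
                             "stat": d.group(3),
                             "reason": failures[pid]["reason"]})
    return failures, deferred


if __name__ == "__main__":
    fails, held = tls_failures(SAMPLE)
    for pid, f in fails.items():
        print(f"{f['prog']}[{pid}] STARTTLS {f['role']}: {f['reason']}")
    for h in held:
        print(f"deferred {h['qid']} to {h['to']} ({h['reason']})")
```
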


