-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-15:08.sendmail Errata Notice
The FreeBSD Project
Topic: sendmail TLS/DH Interoperability Improvement
Category: contrib
Module: sendmail
Announced: 2015-06-18; Last revised on 2015-06-30.
Credits: Frank Seltzer, Gregory Shapiro
Affects: All supported versions of FreeBSD.
Corrected: 2015-06-25 01:49:44 UTC (stable/10, 10.1-STABLE)
2015-06-30 23:21:37 UTC (releng/10.1, 10.1-RELEASE-p14)
2015-06-25 01:53:45 UTC (stable/9, 9.3-STABLE)
2015-06-30 23:21:48 UTC (releng/9.3, 9.3-RELEASE-p18)
2015-06-25 01:56:36 UTC (stable/8, 8.4-STABLE)
2015-06-30 23:21:59 UTC (releng/8.4, 8.4-RELEASE-p32)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
.
0. Revision history
v1.0 2015-06-18 Initial release.
v1.1 2015-06-30 Revised patch for non-existent DH parameter file.
I. Background
Sendmail supports STARTTLS encrypted connections using DHE_EXPORT
ciphers. As part of that support, by default, Sendmail employs 1024-bit
DH parameters for server connections but 512-bit DH parameters if
configured to use a DH parameter file that does not exist.
II. Problem Description
In response to CVE-2015-4000 ("Logjam TLS vulnerability"), OpenSSL and
other encryption packages have begun rejecting 512-bit and lower DH
parameters during negotiation, thereby reducing interoperability.
III. Impact
In its default FreeBSD configuration, client connections from Sendmail
to other SMTP servers will not be able to negotiate a STARTTLS encrypted
session with SMTP servers that reject 512-bit DH parameters. This may
cause mail deliverability issues for outbound mail.
IV. Workaround
Systems that do not use Sendmail are not affected.
To work around this interoperability, Sendmail can be configured to use
a 1024 or 2048 bit DH parameter using these steps:
1. Edit /etc/mail/`hostname`.mc
2. If a setting for confDH_PARAMETERS does not exist or
exists and is set to a string beginning with '5',
replace it with '1' for 1024-bit or '2' for 2048-bit.
3. If a setting for confDH_PARAMETERS exists and is set to
a file path, create a new file with:
openssl dhparam -out /path/to/file 2048
for 2048-bit or:
openssl dhparam -out /path/to/file 1024
for 1024-bit.
4. Rebuild the .cf file:
cd /etc/mail/; make; make install
5. Restart sendmail:
cd /etc/mail/; make restart
V. Solution
A change to the raise the default for Sendmail connections to use
1024-bit DH parameters if the configured DH parameters file does not
exist has been committed.
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch
# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch.asc
# gpg --verify sendmail.patch.asc
# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail-01.patch
# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail-01.patch.asc
# gpg --verify sendmail.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
Restart the Sendmail daemon(s), or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r284790
releng/8.4/ r284987
stable/9/ r284788
releng/9.3/ r284986
stable/10/ r284786
releng/10.1/ r284985
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:08.sendmail.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.5 (FreeBSD)
iQIcBAEBCgAGBQJVkyZLAAoJEO1n7NZdz2rnsdsP/2+xJUiaNWialSFlTwE75sHC
vN/CrkceLw6QrUi5U0PpQdI7xP/y8Cspj/vDCNUbHlkK8WfA5G8J6WhyyaVxMREG
aZTPHFBn0/IeP2vxlyf0PLq6hL1KtasOQNjDEasUMb4uclaE+hn3QxrWk+KGoe8B
8rZHYS6Y9gOfWLJj7Rvf6T6TEtKf8Mz1cBfn7lRQbF7yDwkvNDpmNv7BhTQOM5rw
/2q2i4ZjuZT4AX0IaSzZLC1dEyxuUKqAxMV1D+F1WYBQqMUwnoJLMAETmWXphuSa
QGDNU0w3PbAJrgK06qeLSswVo/r/5h+kjra5eL17MPKZPO+sWHv9E1jS7wUsbsFB
RE7kcafgWcN9S0TBldyuFo9g8nwjsWq4uooSLrf8pG8y7U6FtXbgyitS3BNVKT7i
9GqzTi89HKPefnPQR5wfJIl9YXgKvWJ/FNei7MpGTl2LGKHSd2P/21+OoIjfNeQl
hYOP9uWDrk3Uf7gJVrJOobMfme5Zb1/LDSQegTIFjzQ0Iac1p4nqj53rzG2Nufyx
/Y93rKOz280NCS193buARcl4KmFp9oGaJTjVG9Cthu8FUFlCkCeZl13ZrhDufKBS
z2ZEwkIYFamOFjbhCUJ5wm3gsozV7bzAOSRQEFEzzLDlYGPv2RPDAlgREcuzxr8N
OhK1HFcIqXbXRthWN7Sp
=ibhZ
-----END PGP SIGNATURE-----