FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
30 June, 2015 by errata-notices@freebsd.org | freebsd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-15:08.sendmail Errata Notice The FreeBSD Project Topic: sendmail TLS/DH Interoperability Improvement Category: contrib Module: sendmail Announced: 2015-06-18; Last revised on 2015-06-30. Credits: Frank Seltzer, Gregory Shapiro Affects: All supported versions of FreeBSD. Corrected: 2015-06-25 01:49:44 UTC (stable/10, 10.1-STABLE) 2015-06-30 23:21:37 UTC (releng/10.1, 10.1-RELEASE-p14) 2015-06-25 01:53:45 UTC (stable/9, 9.3-STABLE) 2015-06-30 23:21:48 UTC (releng/9.3, 9.3-RELEASE-p18) 2015-06-25 01:56:36 UTC (stable/8, 8.4-STABLE) 2015-06-30 23:21:59 UTC (releng/8.4, 8.4-RELEASE-p32) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.freebsd.org/>. 0. Revision history v1.0 2015-06-18 Initial release. v1.1 2015-06-30 Revised patch for non-existent DH parameter file. I. Background Sendmail supports STARTTLS encrypted connections using DHE_EXPORT ciphers. As part of that support, by default, Sendmail employs 1024-bit DH parameters for server connections but 512-bit DH parameters if configured to use a DH parameter file that does not exist. II. Problem Description In response to CVE-2015-4000 ("Logjam TLS vulnerability"), OpenSSL and other encryption packages have begun rejecting 512-bit and lower DH parameters during negotiation, thereby reducing interoperability. III. Impact In its default FreeBSD configuration, client connections from Sendmail to other SMTP servers will not be able to negotiate a STARTTLS encrypted session with SMTP servers that reject 512-bit DH parameters. This may cause mail deliverability issues for outbound mail. IV. Workaround Systems that do not use Sendmail are not affected. To work around this interoperability, Sendmail can be configured to use a 1024 or 2048 bit DH parameter using these steps: 1. Edit /etc/mail/`hostname`.mc 2. If a setting for confDH_PARAMETERS does not exist or exists and is set to a string beginning with '5', replace it with '1' for 1024-bit or '2' for 2048-bit. 3. If a setting for confDH_PARAMETERS exists and is set to a file path, create a new file with: openssl dhparam -out /path/to/file 2048 for 2048-bit or: openssl dhparam -out /path/to/file 1024 for 1024-bit. 4. Rebuild the .cf file: cd /etc/mail/; make; make install 5. Restart sendmail: cd /etc/mail/; make restart V. Solution A change to the raise the default for Sendmail connections to use 1024-bit DH parameters if the configured DH parameters file does not exist has been committed. Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your present system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your present system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch # fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch.asc # gpg --verify sendmail.patch.asc # fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail-01.patch # fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail-01.patch.asc # gpg --verify sendmail.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart the Sendmail daemon(s), or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r284790 releng/8.4/ r284987 stable/9/ r284788 releng/9.3/ r284986 stable/10/ r284786 releng/10.1/ r284985 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References The latest revision of this Errata Notice is available at https://security.FreeBSD.org/advisories/FreeBSD-EN-15:08.sendmail.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.5 (FreeBSD) iQIcBAEBCgAGBQJVkyZLAAoJEO1n7NZdz2rnsdsP/2+xJUiaNWialSFlTwE75sHC vN/CrkceLw6QrUi5U0PpQdI7xP/y8Cspj/vDCNUbHlkK8WfA5G8J6WhyyaVxMREG aZTPHFBn0/IeP2vxlyf0PLq6hL1KtasOQNjDEasUMb4uclaE+hn3QxrWk+KGoe8B 8rZHYS6Y9gOfWLJj7Rvf6T6TEtKf8Mz1cBfn7lRQbF7yDwkvNDpmNv7BhTQOM5rw /2q2i4ZjuZT4AX0IaSzZLC1dEyxuUKqAxMV1D+F1WYBQqMUwnoJLMAETmWXphuSa QGDNU0w3PbAJrgK06qeLSswVo/r/5h+kjra5eL17MPKZPO+sWHv9E1jS7wUsbsFB RE7kcafgWcN9S0TBldyuFo9g8nwjsWq4uooSLrf8pG8y7U6FtXbgyitS3BNVKT7i 9GqzTi89HKPefnPQR5wfJIl9YXgKvWJ/FNei7MpGTl2LGKHSd2P/21+OoIjfNeQl hYOP9uWDrk3Uf7gJVrJOobMfme5Zb1/LDSQegTIFjzQ0Iac1p4nqj53rzG2Nufyx /Y93rKOz280NCS193buARcl4KmFp9oGaJTjVG9Cthu8FUFlCkCeZl13ZrhDufKBS z2ZEwkIYFamOFjbhCUJ5wm3gsozV7bzAOSRQEFEzzLDlYGPv2RPDAlgREcuzxr8N OhK1HFcIqXbXRthWN7Sp =ibhZ -----END PGP SIGNATURE----- _______________________________________________ freebsd-announce@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-announce To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"