> All of my 10.1-RELEASE-p13 systems are affected, some 20 boxes. Sendmail
> is used only for sending daily and security run outputs, but I am
> starting to feel uncomfortable as it will soon be two weeks since I
> received them.
>
> All those systems are without source code on them, and it is qui
> I'm curious... Why is localhost delivery encrypted by default in the first
> place?
sendmail, when acting as a client, employs opportunistic encryption by default.
Local mail submission done via command line uses the MSP configuration
/etc/mail/submit.cf to send the mail. That submit.cf is
> I'll post a patch here by tomorrow for those willing to assist in testing.
As promised, there are two patches attached to this email, only one of which is
needed (see below). This fixes the case where the DHParameters option is set
to a file which doesn't exist, which is the case on newer ver
> I'll probably fix this by changing /etc/rc.d/sendmail to do the above.
>
> I'll also look into the sendmail source behavior when the file doesn't
> exist (it should revert to its defaults).
As a quick update, the sendmail open source team have completed a set of
changes to address these issue
> I never changed or generated anything in the mail configuration
> on these servers, they use the default mc/cf files:
>
> $ grep DHParam /etc/mail/sendmail.cf
> # DHParameters (only required if DSA/DH is used)
> O DHParameters=/etc/mail/certs/dh.param
>
> $ ls -l /etc/mail/certs
> total 12
> lr
> > Did you (re)generate your dh.params file as noted in the Workaround section?
>
> No, because of this text under Solution:
> "
> A change to the raise the default for sendmail client connections to
> 1024-bit DH parameters has been committed.
> "
>
> As I understand it this would remove the ne
> We ran into this as well. There are notes in UPDATING now that have the
> instructions on what changes need to be done to the locale .mc file.
Even better than UPDATING:
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:08.sendmail.asc
On Sun, 14 Jun 2015, Gregory Shapiro wrote:
>
> >>I created it per your instructions. See above about it not existing
> >>previously.
> >
> >Oh, sorry for the confusion. Seems an emergency patch is in order to change
> >the default.
> >
> >W
On Sun, Jun 14, 2015 at 08:23:33PM -0700, Gregory Shapiro wrote:
> > I created it per your instructions. See above about it not existing
> > previously.
>
> Oh, sorry for the confusion. Seems an emergency patch is in order to change
> the default.
For now, I
> I created it per your instructions. See above about it not existing
> previously.
Oh, sorry for the confusion. Seems an emergency patch is in order to change
the default.
Would you be willing to test this patch (apply, build, install, remove
dh.params file, and restart)?
The patch changes
> After the update I got your email and followed your instructions, except for
> moving dh.param because it didn't exist, and sendmail is happy now.
Happy to hear sendmail is happy.
> I checked and there is still no mention of this in /usr/src/UPDATING so my
> question is, when and how is dh.para
> # DHParameters (only required if DSA/DH is used)
> O DHParameters=/etc/mail/certs/dh.param
>
> # DHParameters (only required if DSA/DH is used)
> O DHParameters=/etc/mail/certs/dh.param
>
> Again, default values, no changes to the installed files made.
Try recreating those -- I'm not exactly s
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: STARTTLS=client, error: connect
> failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: ruleset=tls_server, arg1=SOFTWARE,
> relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
The new OpenSSL elimi
ne SM_IPNODEBYNAME_FLAGS AI_ADDRCONFIG
> > -# endif /* SM_IPNODEBYNAME_FLAGS */
> > -
> > - int flags = SM_IPNODEBYNAME_FLAGS;
> > + int flags = AI_DEFAULT|AI_ALL;
> > int err;
> > # endif /* NETINET6 */
> > char *maptype[MAXMAPSTACK];
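Review bot: the added line "int flags = AI_DEFAULT|AI_ALL;" hardcodes the lookup flags and removes the SM_IPNODEBYNAME_FLAGS macro together with its "# endif /* SM_IPNODEBYNAME_FLAGS */" block, so the value can no longer be overridden at build time. Consider keeping the guarded macro and changing only its default, so that "int flags = SM_IPNODEBYNAME_FLAGS;" stays as is, and add a comment next to the define recording why AI_ADDRCONFIG is not the default.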
> I found a problem in new FreeBSD 9.2-{BETA2,RC1} which uses Sendmail-8.14.7.
> If you try to send email from FreeBSD 9.2 in IPv4 network with MS DNS
> you won't receive it.
> But in same time email passes from FreeBSD 9.1-RELEASE which uses
> Sendmail-8.14.5.
The recent release made the followin
> How can I unstupid sendmail here?
I don't think sendmail is being stupid here as it is doing what it has been
doing under 8.x and 9.1 (the code is the same). I think something changed with
the upgrade to 9.1. As far as tracking it down, the sendmail code does:
getipnodebyname("acme.spoerlei
> After checking with jhb@ re appropriate value of __FreeBSD_version for
> the test, I have submitted a build configuration patch to the sendmail
> folks so that a sendmail build on FreeBSD >= 30 will use
> nanosleep(). The patch has been accepted by sendmail and is attached
> for reference.
> What's the procedure to configure buildworld to get sendmail to build
> libmilter using poll() instead of select()?
Add this to /etc/make.conf:
SENDMAIL_CFLAGS+=-D_FFR_WORKERS_POOL
And then rebuild/reinstall libmilter:
cd /usr/src/lib/libmilter/
make clean
make depend
make
make install
Note
>> SENDMAIL_CFLAGS+=-D_FFR_WORKERS_POOL
>
> Do I want this one or just -DSM_CONF_POLL ?
It would probably be safest to just use -DSM_CONF_POLL as that has
had more testing and will get by the select() limits on fd_set.
The libmilter ABI breakage which required recompiling mail filters
(milters) has been fixed in the RELENG_[456] branches.
It is no longer necessary to recompile mail filters compiled against an
older libmilter.so shared library. Additionally, if you did recompile
them already, you do not need to
> For those of us with RELENG_[456] servers do we just need to buildworld and
> installworld?
Yes, after the new code is committed (I'll post at that time).
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-
> Unfortunately, this problem (the need to recompile filters) was found
> after the MFC. The release engineering team has asked for this notice
> instead of doing a full backout of sendmail 8.14 in the RELENG_[456]
> branches.
Note that I have some new code, currently under review, that eliminate
sendmail has been updated from version 8.13.8 to 8.14.1 in the HEAD and
RELENG_[456] branches. This upgrade includes a new libmilter library
which requires all dynamically linked milters to be recompiled (no
source code changes are required).
Unfortunately, this problem (the need to recompile fil
> Shouldn't there be a tiny little note in /usr/src/UPDATING just to
> mention that sendmail was updated to 8.14.1 in RELENG_6 and that
> consequently anyone running any milters out of ports[1] should
> recompile all of them?
>
> [1] assuming SENDMAIL_MILTER_IN_BASE
Yes, thanks for bringing i
> Apologies if posted to wrong list, the rc.d script for named chowns
> /etc/namedb to root:wheel if set to bind:bind why is this? A slave
> named server running as bind user cannot download new slave zones if
> dir ownership is root or update it if file ownerships are root which I
> sometimes see
25 matches