10.1-RELEASE-p12 broke sendmail. 10.1-RELEASE-p13 didn't fix sendmail.

Matthew Seaman matthew at freebsd.org
Wed Jun 24 09:10:46 UTC 2015


On 06/24/15 06:00, Chris Stankevitz wrote:
> On Tue, Jun 23, 2015 at 8:04 PM, Jesse Gooch <lists at gooch.io> wrote:
>> I recommend reading /usr/src/UPDATING and any relevant Errata Notices
>> and/or Security Advisories BEFORE updating your system so you don't get
>> bit like this again.
>>
>> https://www.freebsd.org/security/advisories/FreeBSD-EN-15:08.sendmail.asc
> 
> Hi Jesse,
> 
> The whole point of my OP was to say that I read the errata.  I was
> surprised that the update did not fix the problem.  I tried the
> "workaround" (why I need to "work around" it if there was an update is
> not clear) but as I followed the steps I got stumped.  Then I gave
> specific examples of where I got stumped following the errata.
> 
> Why is it that I don't get it, but everyone else does?  I'm certain
> the documentation is good.  I have a good command of the English
> language.  Nevertheless I don't get it...

Hi, Chris,

You are correct -- the OS update didn't fix the problem.  FreeBSD
Security Advisories and Errata Notices are usually very reliable in
terms of accurately describing how to solve the problems they address,
but they aren't infallible.  This was a rare case where things went
pear-shaped.

However, the work-around given in the errata notice was in fact the
missing piece that did solve the problem.  Or at least, the core of the
given instructions was.

Now, the EN was written by Greg Shapiro, who is the maintainer for
sendmail in the FreeBSD base system.  He explains here how things went
wrong:

https://lists.freebsd.org/pipermail/freebsd-stable/2015-June/082547.html

but essentially he was confused by an update to the sendmail standard
config and startup scripts that had added autogeneration of TLS
certificates but not all the other parameters that could be used with
TLS.  I think this led to the work-around instructions being overly
complicated.  As you saw, it could be condensed down to:

    openssl dhparam -out /etc/mail/certs/dh.param 2048
    service sendmail restart

I could work that out for myself from what was written in the errata
notice, but that's because I've been dealing with sendmail config in
FreeBSD for years.  I think that summary, or commands pretty much like
them, got posted to various mailing lists fairly soon after the EN came out.

There will probably be a revision to the EN fairly soon.  It will likely
be released as a bundle with other SA's or EN's when those are ready to
go, to prevent excessive churn for people tracking release branches.

	Cheers,

	Matthew
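A small pre-flight script for the condensed workaround above, added here as an example and not part of Matthew's message or the errata notice. It assumes the DH parameter path the EN uses (/etc/mail/certs/dh.param), the 2048-bit size from the workaround, and the openssl(1) shipped in base; it only generates parameters when the existing file is missing or unusable, so it is safe to re-run.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the EN). Assumes the errata's
# path /etc/mail/certs/dh.param and a working openssl(1) on PATH.
DH_FILE="${DH_FILE:-/etc/mail/certs/dh.param}"
MIN_BITS=2048

# dhparam_ok FILE: succeed only if FILE is readable, parses as valid DH
# parameters, and describes a group of at least MIN_BITS bits.
dhparam_ok() {
    f="$1"
    [ -r "$f" ] || return 1
    openssl dhparam -in "$f" -check -noout >/dev/null 2>&1 || return 1
    bits=$(openssl dhparam -in "$f" -text -noout 2>/dev/null |
           sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# ensure_dhparam FILE: generate parameters only when the existing file is
# missing or unusable, so re-running this script is idempotent.
ensure_dhparam() {
    f="$1"
    if dhparam_ok "$f"; then
        echo "ok: $f already holds a >=${MIN_BITS}-bit DH group"
        return 0
    fi
    echo "generating ${MIN_BITS}-bit DH parameters into $f (this takes a while)"
    mkdir -p "$(dirname "$f")" || return 1
    umask 022   # the parameter file is not secret, but keep it non-writable
    openssl dhparam -out "$f" "$MIN_BITS" || return 1
    dhparam_ok "$f"
}

# Nothing runs until --apply is passed, so the functions can be sourced and
# checked first; with --apply this performs the two-step workaround.
if [ "${1:-}" = "--apply" ]; then
    ensure_dhparam "$DH_FILE" && service sendmail restart
fi
```

Run it as root with `--apply` after the update; a second run reports "ok" and does not regenerate the group.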



