On Sun, Jun 14, 2015 at 08:23:33PM -0700, Gregory Shapiro wrote:
> > I created it per your instructions. See above about it not existing
> > previously.
>
> Oh, sorry for the confusion. Seems an emergency patch is in order to change
> the default.

For now, I've added an UPDATING entry:

+20150614: + The import of openssl to address the FreeBSD-SA-15:10.openssl + security advisory includes a change which rejects handshakes + with DH parameters below 768 bits. sendmail releases prior + to 8.15.2 (not yet released), defaulted to a 512 bit + DH parameter setting for client connections. To work around + this interoperability, sendmail can be configured to use a + 2048 bit DH parameter by: + + 1. Edit /etc/mail/`hostname`.mc + 2. If a setting for confDH_PARAMETERS does not exist or + exists and is set to a string beginning with '5', + replace it with '2'. + 3. If a setting for confDH_PARAMETERS exists and is set to + a file path, create a new file with: + openssl dhparam -out /path/to/file 2048 + 4. Rebuild the .cf file: + cd /etc/mail/; make; make install + 5. Restart sendmail: + cd /etc/mail/; make restart + + A sendmail patch is coming, at which time this file will be + updated.
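
Review bot: Step 2 tells the reader to "replace it with '2'" even in the branch where no confDH_PARAMETERS setting exists, so there is nothing to replace; that branch should say to add the setting with the value '2'. Step 3 leaves it unclear whether the new 2048 bit file is meant to overwrite the path the existing setting names or whether the setting must be changed to point at the new file, and it does not say that an existing file whose parameters are already 768 bits or larger needs no change. In the opening paragraph, "To work around this interoperability" is missing its noun (for example "interoperability problem").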
