Re: Last openssl update breaks localhost email sending

2015-06-25 Thread Gregory Shapiro
> All of my 10.1-RELEASE-p13 systems are affected, some 20 boxes. Sendmail
> is used only for sending daily and security run outputs, but I am
> starting to feel uncomfortable as it will soon be two weeks since I
> received them.
> 
> All those systems are without source code on them, and it is quite
> inconvenient for me to rebuild from source. Is binary update for this
> coming soon? Is it coming at all?

It is coming, the commit for the stable branches was last night.  The
Security and RE teams are working on the releng branches next to
produce the binary patches.

A workaround is available:

openssl dhparam -out /etc/mail/certs/dh.param 2048
cd /etc/mail/; make restart

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"


Re: Last openssl update breaks localhost email sending

2015-06-20 Thread Gregory Shapiro
> I'm curious... Why is localhost delivery encrypted by default in the first 
> place?

sendmail, when acting as a client, employs opportunistic encryption by default. 
 Local mail submission done via command line uses the MSP configuration 
/etc/mail/submit.cf to send the mail.  That submit.cf is built to relay the 
mail to an MTA host, localhost by default, but can be configured to use a 
central mail server as well if desired (e.g., for a centralized mail hub, 
centralized queue management, etc.).  The standard submit.cf makes no 
assumptions about the location of the MTA host and therefore doesn't disable 
encryption.

> The only reason I can think of is if there is some unencrypted TCP
> relayed 'tunnel', that has been set up not using ssh or some other
> encrypted transport.

One other use case (likely not a concern) is to prevent other privileged users 
from easily snooping localhost traffic (`tcpdump -i lo0 -X -s 0 port 25`).



Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail

2015-06-20 Thread Gregory Shapiro
> I'll post a patch here by tomorrow for those willing to assist in testing.

As promised, there are two patches attached to this email, only one of which is 
needed (see below).  This fixes the case where the DHParameters option is set 
to a file which doesn't exist, which is the case on newer versions of FreeBSD 
which enable STARTTLS by default by auto-creating TLS certificates.

The first attachment, new.patch, is just the change since the one committed to 
svn for the errata (i.e., if you have an up to date svn checkout, use this 
one).  The second attachment, full.patch, is the full set of changes needed 
(i.e., the ones from the first errata to tls.c and the new one to sendmail.h 
for the outstanding fix).  You only need one, don't try to apply both.  Since 
the change is to a .h file, be sure to build carefully (either do a make depend 
or a make clean if not using a full buildworld).

If testing, please try before Monday and drop me a note (no need to reply-all) 
letting me know if you were successful or not.

Index: contrib/sendmail/src/sendmail.h
===
--- contrib/sendmail/src/sendmail.h (revision 284661)
+++ contrib/sendmail/src/sendmail.h (working copy)
@@ -1935,7 +1935,7 @@
 
 /* server requirements */
 #define TLS_I_SRV  (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
-TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
+TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
 TLS_I_CACHE)
 
 /* client requirements */
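Review bot: only the server mask is touched; the client mask under `/* client requirements */` that follows is left unchanged in this hunk, and it is the client side (`STARTTLS=client ... dh key too small` earlier in the thread) that failed, so confirm that definition carries no TLS_I_DH512 bit of its own, or extend the hunk to cover it.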
Index: contrib/sendmail/src/tls.c
===
--- contrib/sendmail/src/tls.c  (revision 283856)
+++ contrib/sendmail/src/tls.c  (working copy)
@@ -650,7 +650,7 @@
**  1024generate 1024 bit parameters
**  2048generate 2048 bit parameters
**  /file/name  read parameters from /file/name
-   **  default is: 1024 for server, 512 for client (OK? XXX)
+   **  default is: 1024
*/
 
if (bitset(TLS_I_TRY_DH, req))
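Review bot: the rewritten comment `default is: 1024` drops the client/server split without saying so; since the next hunk makes 1024 the default for both sides, say `default is: 1024 for both server and client` so the comment records the behaviour change instead of only removing the XXX.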
@@ -676,8 +676,8 @@
}
if (dhparam == NULL)
{
-   dhparam = srv ? "1" : "5";
-   req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+   dhparam = "1";
+   req |= TLS_I_DH1024;
}
else if (*dhparam == '/')
{
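Review bot: this hunk only changes the `dhparam == NULL` default; a DHParameters value that is a path to a file which does not exist still enters the `else if (*dhparam == '/')` branch below, and that is the case the cover note says this patch fixes, so the missing-file handling is not visible here and should be shown or confirmed. A one-line comment on why 1024 was chosen over the 2048 proposed earlier in the thread would also help the next reader.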
Index: contrib/sendmail/src/sendmail.h
===
--- contrib/sendmail/src/sendmail.h (revision 283856)
+++ contrib/sendmail/src/sendmail.h (working copy)
@@ -1935,7 +1935,7 @@
 
 /* server requirements */
 #define TLS_I_SRV  (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
-TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
+TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
 TLS_I_CACHE)
 
 /* client requirements */
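Review bot: this is the same TLS_I_SRV hunk as in new.patch, rebased on revision 283856; patch(1) would reject it on a tree that already has the errata change, which is why the cover note says to apply only one of the two files. The same point stands here: the client mask under `/* client requirements */` is left unchanged.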

Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail

2015-06-19 Thread Gregory Shapiro
> I'll probably fix this by changing /etc/rc.d/sendmail to do the above.
> 
> I'll also look into the sendmail source behavior when the file doesn't
> exist (it should revert to its defaults).

As a quick update, the sendmail open source team have completed a set of 
changes to address these issues.  I'll be testing a new change this weekend for 
a revised Errata Notice.

I'll post a patch here by tomorrow for those willing to assist in testing.


Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail

2015-06-18 Thread Gregory Shapiro
> I never changed or generated anything in the mail configuration
> on these servers, they use the default mc/cf files:
> 
> $ grep DHParam /etc/mail/sendmail.cf
> # DHParameters (only required if DSA/DH is used)
> O DHParameters=/etc/mail/certs/dh.param
> 
> $ ls -l /etc/mail/certs
> total 12
> lrwxr-xr-x  1 root  wheel10 31 Aug  2014 4bc0b037.0 -> cacert.pem
> -rw-r--r--  1 root  wheel  1326 31 Aug  2014 cacert.pem
> -rw-r--r--  1 root  wheel  1375 31 Aug  2014 host.cert
> -rw---  1 root  wheel  1704 31 Aug  2014 host.key

I found what is breaking it.  This commit made locally to FreeBSD:

  Revision 256982 
  Modified Wed Oct 23 16:55:20 2013 UTC (19 months, 3 weeks ago) by jmg 
  MFC r256773:
  Enable the automatic creation of a certificate (if one does not exists)
  and enable the usage by sendmail if sendmail is enabled.

sets DHParameters to that file but nothing else generates that file.
We'll have to rev the Errata (and patch) to create that file.  In the mean
time, generating the file will fix the problem:

openssl dhparam -out /etc/mail/certs/dh.param 2048

I'll probably fix this by changing /etc/rc.d/sendmail to do the above.

I'll also look into the sendmail source behavior when the file doesn't
exist (it should revert to it's defaults).


Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail

2015-06-18 Thread Gregory Shapiro
> > Did you (re)generate your dh.params file as noted in the Workaround section?
> 
> No, because of this text under Solution:
> "
> A change to raise the default for sendmail client connections to
> 1024-bit DH parameters has been committed.
> "
> 
> As I understand it this would remove the need for generating
> the dh.params file?

You do not need to regenerate dh.params with the patch unless you have
specifically set DHParameters in /etc/mail/sendmail.cf to a lower
strength.  What is the output of:

grep DHParam /etc/mail/sendmail.cf

If it is set to a string beginning with '5' or a filename and that
file was generated using 512-bit strength, then remove that setting.



Re: Last openssl update breaks localhost email sending

2015-06-18 Thread Gregory Shapiro
> We ran into this as well.  There are notes in UPDATING now that have the
> instructions on what changes need to be done to the locale .mc file.

Even better than UPDATING:

https://security.FreeBSD.org/advisories/FreeBSD-EN-15:08.sendmail.asc




Re: Sendmail problem after upgrade to r284296

2015-06-15 Thread Gregory Shapiro
The change of default has been committed to HEAD and will be MFC'ed in the next 
day or two.  Likewise, UPDATING from HEAD has been updated with:

20150615:
The fix for the issue described in the 20150614 sendmail entry
below has been been committed in revision 284436.  The work
around described in that entry is no longer needed unless the
default setting is overridden by a confDH_PARAMETERS configuration
setting of '5' or pointing to a 512 bit DH parameter file.


On Mon, Jun 15, 2015 at 08:22:24AM -0400, Frank Seltzer wrote:
> On Sun, 14 Jun 2015, Gregory Shapiro wrote:
> 
> >>I created it per your instructions.  See above about it not existing
> >>previously.
> >
> >Oh, sorry for the confusion.  Seems an emergency patch is in order to change 
> >the default.
> >
> >Would you be willing to test this patch (apply, build, install, remove 
> >dh.params file, and restart)?
> >
> >The patch changes the client and server default to 2048 (previous 512 and 
> >1024) to help mitigate LogJam/WeakDH.
> >
> >Index: src/tls.c
> >===
> >--- src/tls.c(revision 284402)
> >+++ src/tls.c(working copy)
> >@@ -676,8 +676,8 @@
> > }
> > if (dhparam == NULL)
> > {
> >-dhparam = srv ? "1" : "5";
> >-req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
> >+dhparam = "2";
> >+req |= TLS_I_DH2048;
> > }
> > else if (*dhparam == '/')
> > {
> 
> Do you mean just build and install sendmail or world and kernel?  I can do
> world and kernel if you want me to, it only takes about 2 hours to build
> world and 20 minutes to build the kernel so it's no big deal.  I'll need
> instruction on how to patch the file though, I've never done it before.
> 


Re: Sendmail problem after upgrade to r284296

2015-06-14 Thread Gregory Shapiro
On Sun, Jun 14, 2015 at 08:23:33PM -0700, Gregory Shapiro wrote:
> > I created it per your instructions.  See above about it not existing
> > previously.
> 
> Oh, sorry for the confusion.  Seems an emergency patch is in order to change 
> the default.

For now, I've added an UPDATING entry:

+20150614:
+   The import of openssl to address the FreeBSD-SA-15:10.openssl
+   security advisory includes a change which rejects handshakes
+   with DH parameters below 768 bits.  sendmail releases prior
+   to 8.15.2 (not yet released), defaulted to a 512 bit
+   DH parameter setting for client connections.  To work around
+   this interoperability, sendmail can be configured to use a
+   2048 bit DH parameter by:
+
+   1. Edit /etc/mail/`hostname`.mc
+   2. If a setting for confDH_PARAMETERS does not exist or
+  exists and is set to a string beginning with '5',
+  replace it with '2'.
+   3. If a setting for confDH_PARAMETERS exists and is set to
+  a file path, create a new file with:
+   openssl dhparam -out /path/to/file 2048
+   4. Rebuild the .cf file:
+   cd /etc/mail/; make; make install
+   5. Restart sendmail:
+   cd /etc/mail/; make restart
+
+   A sendmail patch is coming, at which time this file will be
+   updated.
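Review bot: step 2 tells the reader to `replace` a confDH_PARAMETERS setting that does not exist; for that case say `add define(`confDH_PARAMETERS', `2')`. Step 3 assumes an existing file is too small; have the reader check first with `openssl dhparam -in /path/to/file -text -noout`, which prints the bit length, and state the requirement as at least 1024 bits rather than implying that only a 512-bit file fails.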


Re: Sendmail problem after upgrade to r284296

2015-06-14 Thread Gregory Shapiro
> I created it per your instructions.  See above about it not existing
> previously.

Oh, sorry for the confusion.  Seems an emergency patch is in order to change 
the default.

Would you be willing to test this patch (apply, build, install, remove 
dh.params file, and restart)?

The patch changes the client and server default to 2048 (previous 512 and 1024) 
to help mitigate LogJam/WeakDH.

Index: src/tls.c
===
--- src/tls.c   (revision 284402)
+++ src/tls.c   (working copy)
@@ -676,8 +676,8 @@
}
if (dhparam == NULL)
{
-   dhparam = srv ? "1" : "5";
-   req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+   dhparam = "2";
+   req |= TLS_I_DH2048;
}
else if (*dhparam == '/')
{
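Review bot: `TLS_I_DH2048` is not defined in any hunk on this page, and the TLS_I_SRV mask shown elsewhere in this thread still lists TLS_I_DH512; a sendmail.h change adding the bit and updating that mask needs to go in the same commit or this will not build. The hunk also only covers the `dhparam == NULL` default; a configured path to a file that is missing still takes the `else if (*dhparam == '/')` branch.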


Re: Sendmail problem after upgrade to r284296

2015-06-14 Thread Gregory Shapiro
> After the update I got your email and followed your instructions, except for
> moving dh.param because it didn't exist, and sendmail is happy now.

Happy to hear sendmail is happy.

> I checked and there is still no mention of this in /usr/src/UPDATING so my
> question is, when and how is dh.param supposed to be created?  Since I'm not
> the only one with this problem it doesn't seem to be something I did or
> didn't do.  What could have caused dh.param to not be generated?

That is a good question.  If you didn't create it, I don't know what did -- 
it's not part of the base build (checked on a newly installed snapshot).  Are 
you sure you didn't create it at some point?  Not even the mail/sendmail port 
creates it.


Re: Sendmail problem after upgrade to r284296

2015-06-14 Thread Gregory Shapiro
> # DHParameters (only required if DSA/DH is used)
> O DHParameters=/etc/mail/certs/dh.param
> 
> # DHParameters (only required if DSA/DH is used)
> O DHParameters=/etc/mail/certs/dh.param
> 
> Again, default values, no changes to the installed files made.

Try recreating those -- I'm not exactly sure where they came from.

/etc/rc.d/sendmail stop
mv /etc/mail/certs/dh.param{,~old}
openssl dhparam -out /etc/mail/certs/dh.param 2048
/etc/rc.d/sendmail start

> root@Shop:/etc/mail/certs # openssl version
> OpenSSL 1.0.1n-freebsd 11 Jun 2015

1.0.1o has the ABI fix.  From openssl.org:

12-Jun-2015:   New releases to resolve ABI compatibility problems:
12-Jun-2015:   OpenSSL 1.0.2c is now available, including bug fixes
12-Jun-2015:   OpenSSL 1.0.1o is now available, including bug fixes

It was imported on HEAD in rev 284329.



Re: Sendmail problem after upgrade to r284296

2015-06-14 Thread Gregory Shapiro
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: STARTTLS=client, error: connect 
> failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: ruleset=tls_server, arg1=SOFTWARE, 
> relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.

The new OpenSSL eliminated small DHParam support.  That leaves two 
possibilities:

1. The remote side you are talking to is using a small value.  The best thing 
to do would be to eliminate the DH ciphers from your settings.  See the docs 
for the CipherList setting.

2. Your side is using a small value.  Double check your setting:

> grep DHParam /etc/mail/sendmail.cf
# DHParameters (only required if DSA/DH is used)
#O DHParameters

If that is set to '5' (or a string beginning with 5) or a filename which was 
created with a 512 bit DHParam, change it to '2' (2048) or a newly created file 
using 'openssl dhparam -out /path/to/file 2048'.  In your 
/etc/mail/`hostname`.mc file, this setting will show as confDH_PARAMETERS.

Also note that the first version of the openssl fix included an ABI issue and 
a new version was released.  Make sure you are using the latest version.

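The check the messages above describe (read the DHParameters value from sendmail.cf, decide whether it is the '5'/'1'/'2' shorthand or a file, and find out whether that file is too small or does not exist at all), as an added Python example; this is not code from sendmail, FreeBSD or the thread. It also covers the UPDATING workaround's 2048-bit file and the missing /etc/mail/certs/dh.param case from the errata messages. Assumptions not on the page: the `O DHParameters=` line format, the PKCS#3 `SEQUENCE { p, g }` layout of an OpenSSL "DH PARAMETERS" PEM, and the constructed sample file, whose modulus is not a real prime.

```python
"""Audit the Diffie-Hellman parameter size a sendmail.cf hands to OpenSSL."""
import base64
import re

MIN_ACCEPTED_BITS = 768     # floor enforced by the updated OpenSSL (per UPDATING)
RECOMMENDED_BITS = 2048     # size the thread's 'openssl dhparam ... 2048' produces


def _der_len(n):
    """DER length, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    """DER INTEGER for a non-negative int; pad with 0x00 when the top bit is set."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def make_dh_pem(bits):
    """Construct a PKCS#3 'DH PARAMETERS' PEM whose modulus has the given size.
    Assumption: only the bit length matters here, so p is NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    body = _der_int(p) + _der_int(2)              # SEQUENCE { p, g = 2 }
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_der_len(buf, i):
    """Parse a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def dh_prime_bits_from_pem(pem_text):
    """Bit length of p in SEQUENCE { INTEGER p, INTEGER g [, INTEGER l] }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _read_der_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, i = _read_der_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()


def dhparameters_setting(cf_text):
    """Value of an active 'O DHParameters=...' line; None if absent or commented out."""
    for line in cf_text.splitlines():
        m = re.match(r"^O\s+DHParameters\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None


def audit(cf_text, read_file):
    """Classify the effective DH size. read_file(path) returns PEM text or raises FileNotFoundError."""
    setting = dhparameters_setting(cf_text)
    if setting is None:
        # compiled-in default applies (512 bits for clients before 8.15.2, per UPDATING)
        return {"setting": None, "bits": None, "status": "default"}
    if setting.startswith("/"):
        try:
            bits = dh_prime_bits_from_pem(read_file(setting))
        except FileNotFoundError:
            return {"setting": setting, "bits": None, "status": "missing-file"}
    else:
        bits = {"5": 512, "1": 1024, "2": 2048}.get(setting[0])   # shorthands named in the thread
        if bits is None:
            return {"setting": setting, "bits": None, "status": "unknown"}
    if bits < MIN_ACCEPTED_BITS:
        status = "rejected"
    elif bits < RECOMMENDED_BITS:
        status = "weak"
    else:
        status = "ok"
    return {"setting": setting, "bits": bits, "status": status}


# Constructed sample: the stock FreeBSD setting, pointing at a 512-bit file.
SAMPLE_CF = ("# DHParameters (only required if DSA/DH is used)\n"
             "O DHParameters=/etc/mail/certs/dh.param\n")
SAMPLE_FILES = {"/etc/mail/certs/dh.param": make_dh_pem(512)}


def read_sample(path):
    """Stand-in for open(path).read() over the constructed files."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


if __name__ == "__main__":
    print(audit(SAMPLE_CF, read_sample))   # constructed sample: rejected, 512 bits
```

To run it against a live system, pass the contents of /etc/mail/sendmail.cf and `lambda p: open(p).read()` to `audit()`; a `missing-file` result is the errata case, `rejected` means the updated OpenSSL will refuse the handshake, and `weak` means it works but is below the 2048 bits the workaround generates.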


Re: Sendmail-8.14.7 doesn't work with MS DNS in IPv4 network

2013-08-09 Thread Gregory Shapiro
Can you put back the original sendmail/conf.c file and try this patch instead 
to verify it works?  If so, I can plan to commit it to HEAD and MFC to the 
various branches (with re permission to the 9.2 branch).  This would be a short 
term fix until the next sendmail release where we will revisit this section of 
code.

--- contrib/sendmail/include/sm/os/sm_os_freebsd.h  2008-08-27 
22:53:56.0 -0700
+++ contrib/sendmail/include/sm/os/sm_os_freebsd.h  2013-08-09 
10:21:12.0 -0700
@@ -39,3 +39,7 @@
 #ifndef SM_CONF_MSG
 # define SM_CONF_MSG   1
 #endif /* SM_CONF_MSG */
+
+#ifndef SM_IPNODEBYNAME_FLAGS
+# define SM_IPNODEBYNAME_FLAGS AI_DEFAULT|AI_ALL
+#endif /* SM_IPNODEBYNAME_FLAGS */
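Review bot: parenthesise the macro body, `# define SM_IPNODEBYNAME_FLAGS (AI_DEFAULT|AI_ALL)`; it is only used bare in `int flags = SM_IPNODEBYNAME_FLAGS;` today, but `SM_IPNODEBYNAME_FLAGS & mask` would bind wrongly. A comment saying this deliberately restores IPv4-mapped address lookups on FreeBSD, reverting the 8.14.7 default for this platform, would also help, since the conf.c comment it overrides says the opposite is intended.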



On Fri, Aug 09, 2013 at 10:34:14AM +0400, Pavel Timofeev wrote:
> I agree with Mark Felder.
> 
> 2013/8/8 Pavel Timofeev :
> > I tried to revert mentioned patch, i.e. applied this
> >
> > --- sendmail/conf.c.orig2013-08-08 12:28:40.0 +0400
> > +++ sendmail/conf.c 2013-08-08 12:31:17.0 +0400
> > @@ -4294,12 +4294,7 @@
> >  #else /* (SOLARIS > 1 && SOLARIS < 20400) || (defined(SOLARIS) &&
> > SOLARIS < 204) || (defined(sony_news) && defined(__svr4)) */
> > int nmaps;
> >  # if NETINET6
> > -#  ifndef SM_IPNODEBYNAME_FLAGS
> > -/* For IPv4-mapped addresses, use: AI_DEFAULT|AI_ALL */
> > -#   define SM_IPNODEBYNAME_FLAGS   AI_ADDRCONFIG
> > -#  endif /* SM_IPNODEBYNAME_FLAGS */
> > -
> > -   int flags = SM_IPNODEBYNAME_FLAGS;
> > +   int flags = AI_DEFAULT|AI_ALL;
> >     int err;
> >  # endif /* NETINET6 */
> > char *maptype[MAXMAPSTACK];
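Review bot: hardcoding `AI_DEFAULT|AI_ALL` here removes the SM_IPNODEBYNAME_FLAGS hook altogether; as a diagnostic it confirms the flag change is the cause, but a shipping fix should set the macro from the FreeBSD OS header, as proposed above, and leave conf.c untouched.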
> >
> > Sendmail started to work
> >
> > 2013/8/7 Gregory Shapiro :
> >>> I found a problem in new FreeBSD 9.2-{BETA2,RC1} which uses 
> >>> Sendmail-8.14.7.
> >>> If you try to send email from FreeBSD 9.2 in IPv4 network with MS DNS
> >>> you won't receive it.
> >>> But in same time email passes from FreeBSD 9.1-RELEASE which uses
> >>> Sendmail-8.14.5.
> >>
> >> The recent release made the following change:
> >>
> >> --- sendmail/conf.c 25 Jan 2011 18:31:30 -  8.1168
> >> +++ sendmail/conf.c 5 Apr 2013 17:39:09 -   8.1182
> >> @@ -4726,7 +4726,12 @@
> >>  #else /* (SOLARIS > 1 && SOLARIS < 20400) || (defined(SOLARIS) && 
> >> SOLARIS < 204) || (defined(sony_news) && defined(__svr4)) */
> >> int nmaps;
> >>  # if NETINET6
> >> -   int flags = AI_DEFAULT|AI_ALL;
> >> +#  ifndef SM_IPNODEBYNAME_FLAGS
> >> +/* For IPv4-mapped addresses, use: AI_DEFAULT|AI_ALL */
> >> +#   define SM_IPNODEBYNAME_FLAGS   AI_ADDRCONFIG
> >> +#  endif /* SM_IPNODEBYNAME_FLAGS */
> >> +
> >> +   int flags = SM_IPNODEBYNAME_FLAGS;
> >> int err;
> >>  # endif /* NETINET6 */
> >> char *maptype[MAXMAPSTACK];
> >>
> >> Which is described in this release note:
> >>
> >> Drop support for IPv4-mapped IPv6 addresses to prevent the MTA
> >> from using a mapped address over a legitimate IPv6 address
> >> and to enforce the proper semantics over the IPv6
> >> connection.  Problem noted by Ulrich Sporlein.
> >>
> >> It looks like that SERVFAIL from Microsoft's DNS server is getting
> >> in the way of that.  I can look at adding this exception to
> >> WorkAroundBroken as a possibility for a future release.
> >>
> >> I'd also like to hear feedback on whether the above change (changing
> >> getipnodebyname() flags from 'AI_DEFAULT | AI_ALL' to 'AI_ADDRCONFIG' went
> >> too far and what the accepted norm is for getipnodebyname().
> >>
> 


Re: Sendmail-8.14.7 doesn't work with MS DNS in IPv4 network

2013-08-07 Thread Gregory Shapiro
> I found a problem in new FreeBSD 9.2-{BETA2,RC1} which uses Sendmail-8.14.7.
> If you try to send email from FreeBSD 9.2 in IPv4 network with MS DNS
> you won't receive it.
> But in same time email passes from FreeBSD 9.1-RELEASE which uses
> Sendmail-8.14.5.

The recent release made the following change:

--- sendmail/conf.c 25 Jan 2011 18:31:30 -  8.1168
+++ sendmail/conf.c 5 Apr 2013 17:39:09 -   8.1182
@@ -4726,7 +4726,12 @@
 #else /* (SOLARIS > 1 && SOLARIS < 20400) || (defined(SOLARIS) && SOLARIS 
< 204) || (defined(sony_news) && defined(__svr4)) */
int nmaps;
 # if NETINET6
-   int flags = AI_DEFAULT|AI_ALL;
+#  ifndef SM_IPNODEBYNAME_FLAGS
+/* For IPv4-mapped addresses, use: AI_DEFAULT|AI_ALL */
+#   define SM_IPNODEBYNAME_FLAGS   AI_ADDRCONFIG
+#  endif /* SM_IPNODEBYNAME_FLAGS */
+
+   int flags = SM_IPNODEBYNAME_FLAGS;
int err;
 # endif /* NETINET6 */
char *maptype[MAXMAPSTACK];
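Review bot: with AI_ADDRCONFIG as the default there is no fallback when the AAAA lookup fails (the SERVFAIL case described below), so a host that used to be reached through its mapped A record now gets nothing. The override is compile-time only (`#ifndef SM_IPNODEBYNAME_FLAGS`), so an administrator cannot restore the old behaviour without rebuilding; a runtime option, such as the WorkAroundBroken entry mentioned below, would be the right place for that knob.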

Which is described in this release note:

Drop support for IPv4-mapped IPv6 addresses to prevent the MTA
from using a mapped address over a legitimate IPv6 address
and to enforce the proper semantics over the IPv6
connection.  Problem noted by Ulrich Sporlein.

It looks like that SERVFAIL from Microsoft's DNS server is getting
in the way of that.  I can look at adding this exception to
WorkAroundBroken as a possibility for a future release.

I'd also like to hear feedback on whether the above change (changing
getipnodebyname() flags from 'AI_DEFAULT | AI_ALL' to 'AI_ADDRCONFIG' went
too far and what the accepted norm is for getipnodebyname().



Re: sendmail vs ipv6 broken after upgrade to 9.1

2013-01-08 Thread Gregory Shapiro
> How can I unstupid sendmail here?

I don't think sendmail is being stupid here as it is doing what it has been 
doing under 8.x and 9.1 (the code is the same).  I think something changed with 
the upgrade to 9.1.  As far as tracking it down, the sendmail code does:

getipnodebyname("acme.spoerlein.net", AF_INET6, AI_DEFAULT|AI_ALL, &err);

This will only return an IPv4 mapped address if:

1. There are no IPv6 addresses configured on the interfaces.  How are your IPv6 
addresses assigned?  If auto-configured (DHCPv6, RTADV), is it possible 
sendmail is being started before autoconfiguration has completed?  Restarting 
the MTA after boot and seeing if it still gets the mapped address will say 
whether or not this is the cause.

2. The query for an AAAA record for acme.spoerlein.net failed.  This doesn't 
appear to be the case for dns based on your dig output (assuming you ran that 
dig command on the same machine that is exhibiting the problem).  However, your 
nsswitch.conf lists hosts before dns and there have been broken name resolution 
implementations that, with 'hosts' listed first in nsswitch.conf have given 
back bad info if the first hostname match didn't have the IPv6 address.  You 
could try switching the order in /etc/hosts to see if this helps.  (Note, the 
broken implementation was not FreeBSD.)

You can also test theory #2 by writing a small C program to do the 
getipnodebyname() call shown above and see what you get.  If it gives the same 
bad address, then you need to look outside of sendmail.  In the mean time, 
although not optimal, you can work around the issue by using the IPv6 address 
instead of the hostname in the Addr= equate.

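The small resolver test the message above suggests, as an added Python example that is not from the thread author or from sendmail. Python does not expose getipnodebyname(), so socket.getaddrinfo() with AI_V4MAPPED|AI_ALL is used as the assumed equivalent of the AI_DEFAULT|AI_ALL call quoted above, and AI_ADDRCONFIG alone as the 8.14.7 default discussed later in the thread. The classification and diagnosis work on plain address strings, so they can be checked offline with constructed addresses; only the main block does a real lookup, using the hostname from the thread.

```python
"""Reproduce sendmail's IPv6 lookup for an Addr= host and classify the answers."""
import ipaddress
import socket

# getipnodebyname() is not exposed by Python; getaddrinfo() with these flags is
# the closest equivalent (assumption). Flags missing on a platform become 0.
MAPPED_FLAGS = getattr(socket, "AI_V4MAPPED", 0) | getattr(socket, "AI_ALL", 0)  # 'AI_DEFAULT|AI_ALL'
ADDRCONFIG_ONLY = getattr(socket, "AI_ADDRCONFIG", 0)                            # 8.14.7 default


def classify(addrs):
    """Split IPv6 address strings into native and IPv4-mapped (::ffff:a.b.c.d) ones."""
    native, mapped = [], []
    for a in addrs:
        (mapped if ipaddress.IPv6Address(a).ipv4_mapped is not None else native).append(a)
    return {"native": native, "mapped": mapped}


def resolve_v6(host, flags):
    """Sorted IPv6 address strings getaddrinfo() yields for host under flags."""
    res = socket.getaddrinfo(host, None, socket.AF_INET6, socket.SOCK_STREAM, 0, flags)
    return sorted({ai[4][0] for ai in res})


def diagnose(addrs):
    """Apply the reasoning from the thread: a mapped address with no native one
    means either no IPv6 is configured locally or the AAAA lookup failed."""
    c = classify(addrs)
    if c["native"]:
        return "ok"
    if c["mapped"]:
        return "mapped-only: check interface IPv6 configuration and AAAA resolution"
    return "none"


if __name__ == "__main__":
    host = "acme.spoerlein.net"   # hostname from the thread; substitute your own
    for name, flags in (("AI_V4MAPPED|AI_ALL", MAPPED_FLAGS), ("AI_ADDRCONFIG", ADDRCONFIG_ONLY)):
        try:
            addrs, note = resolve_v6(host, flags), ""
        except socket.gaierror as e:
            addrs, note = [], f"lookup failed: {e}"
        print(name, classify(addrs), diagnose(addrs), note)
```

Run it once right after boot and again after restarting the MTA: if the first run reports `mapped-only` and the second does not, the MTA was started before IPv6 autoconfiguration finished, which is the first cause listed above.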


Re: sleep(3) sometimes too sleepy on FreeBSD 8.0?

2010-03-03 Thread Gregory Shapiro
> After checking with jhb@ re appropriate value of __FreeBSD_version for
> the test, I have submitted a build configuration patch to the sendmail
> folks so that a sendmail build on FreeBSD >= 30 will use
> nanosleep().  The patch has been accepted by sendmail and is attached
> for reference.

Thanks for all of your work on this.  I'll make the necessary changes
in the base system in the next day or two.



Re: building system's libmilter with poll() support?

2008-01-02 Thread Gregory Shapiro
> What's the procedure to configure buildworld to get sendmail to build 
> libmilter using poll() instead of select()?

Add this to /etc/make.conf:

SENDMAIL_CFLAGS+=-D_FFR_WORKERS_POOL

And then rebuild/reinstall libmilter:

cd /usr/src/lib/libmilter/
make clean
make depend
make
make install

Note that bug 118824 has already asked for this to be part of the base.
I will likely make that the case for the HEAD and then give it some
testing time before MFC'ing.


Re: building system's libmilter with poll() support?

2008-01-02 Thread Gregory Shapiro
>> SENDMAIL_CFLAGS+=-D_FFR_WORKERS_POOL
>
> Do I want this one or just -DSM_CONF_POLL ?

It would probably be safest to just use -DSM_CONF_POLL as that has
had more testing and will get by the select() limits on fd_set.


HEADS UP: No longer need to recompile milters when upgrading

2007-04-26 Thread Gregory Shapiro
The libmilter ABI breakage which required recompiling mail filters
(milters) has been fixed in the RELENG_[456] branches.

It is no longer necessary to recompile mail filters compiled against an
older libmilter.so shared library.  Additionally, if you did recompile
them already, you do not need to recompile them again.


Re: HEADS UP: Recompile milters after sendmail 8.14 upgrade

2007-04-21 Thread Gregory Shapiro
>  For those of us with RELENG_[456] servers do we just need to buildworld and 
>  installworld?

Yes, after the new code is committed (I'll post at that time).


Re: HEADS UP: Recompile milters after sendmail 8.14 upgrade

2007-04-20 Thread Gregory Shapiro
> Unfortunately, this problem (the need to recompile filters) was found
> after the MFC.  The release engineering team has asked for this notice
> instead of doing a full backout of sendmail 8.14 in the RELENG_[456]
> branches.

Note that I have some new code, currently under review, that eliminates
the need to recompile filters by fixing the ABI change.  I will
post another HEADS UP when that change is committed (first to HEAD, then
to the RELENG_[456] branches).  In the mean time, you may want to delay
upgrades until the new code is in place.


HEADS UP: Recompile milters after sendmail 8.14 upgrade

2007-04-19 Thread Gregory Shapiro
sendmail has been updated from version 8.13.8 to 8.14.1 in the HEAD and
RELENG_[456] branches.  This upgrade includes a new libmilter library
which requires all dynamically linked milters to be recompiled (no
source code changes are required).

Unfortunately, this problem (the need to recompile filters) was found
after the MFC.  The release engineering team has asked for this notice
instead of doing a full backout of sendmail 8.14 in the RELENG_[456]
branches.

I'm sorry for the adverse effects from the change and will be more
careful with future sendmail commits.


Re: sendmail updated -- milters unhappy

2007-04-14 Thread Gregory Shapiro
> Shouldn't there be a tiny little note in /usr/src/UPDATING just to 
> mention that sendmail was updated to 8.14.1 in RELENG_6 and that
> consequently anyone running any milters out of ports[1] should
> recompile all of them?
> 
> [1] assuming SENDMAIL_MILTER_IN_BASE   

Yes, thanks for bringing it up.  I've updated the file.


Re: named rc.d

2006-08-01 Thread Gregory Shapiro
> Apologies if posted to wrong list, the rc.d script for named chowns
> /etc/namedb to root:wheel if set to bind:bind why is this?  A slave
> named server running as bind user cannot download new slave zones if
> dir ownership is root or update it if file ownerships are root which I
> sometimes see.

Slave zones should be put in the slave subdirectory which is owned by
bind.  You want as few directories/files owned by the bind "run as" user
as possible to prevent damage if that user becomes compromised.