rc.d/sendmail: generate DH parameters when auto-creating certificates
AbandonedPublic
Actions

Authored by dim on Jul 29 2023, 8:03 PM.

Details

Reviewers

emaste
jmg
gshapiro
otis

Summary

Commit ff14d523bb9e5 implemented automatic creation of TLS certificates
for sendmail, if these do not exist in sendmail's configuration. This
was meant to enable usage of STARTTLS by default.

However, this did not create a file with DH parameters, even though such
a file is referenced in the default freebsd.mc template configuration
file, causing messages of the form:

sm-mta[420]: STARTTLS=server: file /etc/mail/certs/dh.param unsafe: No such file or directory

to appear in /var/log/maillog, on fresh installations with sendmail
enabled.

Add generation and saving of DH parameters to rc.d/sendmail, so these
messages go away.

MFC after: 3 days

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 52890
Build 49781: arc lint + arc unit

Event Timeline

dim created this revision.Jul 29 2023, 8:03 PM

Herald added a subscriber: imp. · View Herald TranscriptJul 29 2023, 8:03 PM

dim requested review of this revision.Jul 29 2023, 8:03 PM

Harbormaster completed remote builds in B52890: Diff 125328.Jul 29 2023, 8:03 PM

otis added inline comments.Jul 29 2023, 9:41 PM

libexec/rc/rc.d/sendmail
198	Shouldn't also the check for dhparam file be here?

dim added inline comments.Jul 30 2023, 10:19 AM

libexec/rc/rc.d/sendmail
198	Maybe, though it is not clear what advantage it would give. If you would add it as the last case, it would mean that all of `host.cert`, `host.key`, and `cacert.pem` did not exist, and if `dh.param` then does exist, you cannot start sendmail anyway. However, it is similar for other files from this list being missing: the whole configuration is only valid if all the files exist. But that is not really what is being tested here.

I think a better way to go, as discussed in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248387 is to just remove the dh.param setting:

I'm tempted to remove the DH_PARAMETERS line from freebsd.mc completely and returning to using the built-in default (added in sendmail 8.15.2 after this line was added to freebsd.mc). However, I want to get John-Mark's input since he added the change in rev 256773:

https://svnweb.freebsd.org/base/head/etc/sendmail/freebsd.mc?revision=256773&view=markup

@jmg: How would you like to proceed?

If we can agree on that, I can make that change.

In D41232#940306, @gshapiro wrote:

I think a better way to go, as discussed in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248387 is to just remove the dh.param setting:

I'm tempted to remove the DH_PARAMETERS line from freebsd.mc completely and returning to using the built-in default (added in sendmail 8.15.2 after this line was added to freebsd.mc). However, I want to get John-Mark's input since he added the change in rev 256773:

https://svnweb.freebsd.org/base/head/etc/sendmail/freebsd.mc?revision=256773&view=markup

@jmg: How would you like to proceed?

If we can agree on that, I can make that change.

Yes, it seems like a good idea do just comment out the DH parameters line. At the moment these parameters do not matter very much, especially since the auto-generated keys are self-signed and thus considered "snake oil" anyway. :)

Leave the line commented it can serve as documentation on where you should put such DH parameters, if you configure a "real" certificate on a system, at some point.

Abandoning this in favor of commenting out the dh.param line from freebsd.mc.

Revision Contents
Changeset List

Path

Size

libexec/

rc/

rc.d/

sendmail

5 lines

Diff 125328

View Options

rc.d/sendmail: generate DH parameters when auto-creating certificatesAbandonedPublicActions