Working around sendmail STARTTLS connection problems

Last week the FreeBSD project released an errata notice for the sendmail service. While the notice itself covers all the technical details, what has essentially happened is that OpenSSL and related software have begun rejecting DH (Diffie-Hellman) parameters of 512 bits or less. This change protects services against the "Logjam" vulnerability (weak Diffie-Hellman key exchange in TLS) and will hopefully make us all a little safer.

The bad news is that sendmail, as it is shipped with FreeBSD, does not meet the new restriction when negotiating STARTTLS. As a result, FreeBSD systems which have recently been upgraded with security patches may no longer be able to send e-mail messages through the sendmail service. Administrators may notice they are no longer receiving status reports via e-mail, or local users may not be able to send out mail messages.

The good news is that there is an easy fix: generate a new DH parameter file on the FreeBSD system and restart the mail service. This can be accomplished with just a few commands from the shell. In a terminal, as the root user, run the following commands:

cd /etc/mail/certs

openssl dhparam -out dh.param 2048

cd ..

make restart

The above commands will create a new DH parameter file with 2048-bit parameters and restart the sendmail service. At this point the sendmail service should resume working. Some people have reported on the FreeBSD forums that they also had to reboot their computer after applying the above fix.
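As an added example (not code from the article or the FreeBSD project), a small POSIX shell script that verifies the fix took hold: it checks that dh.param really carries at least 2048-bit parameters and that the DHParameters option in sendmail.cf points at that file, so the new parameters are actually used after the restart. The paths follow the article; the threshold and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the FreeBSD project): verify the fix
# before and after "make restart". Assumes the dh.param path used above and the
# standard /etc/mail/sendmail.cf; MIN_BITS is our own threshold. Run as:
#   sh check_sendmail_dh.sh /etc/mail/certs/dh.param /etc/mail/sendmail.cf
MIN_BITS=2048

# Read `openssl dhparam -text -noout` output on stdin and print the size in bits
# (the "DH Parameters: (NNNN bit)" line); prints nothing if no such line exists.
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if FILE holds DH parameters of at least MIN_BITS bits, 1 otherwise,
# with the reason on stderr. Needs openssl(1), as the fix itself does.
dh_param_ok() {
    file=$1
    [ -r "$file" ] || { echo "missing or unreadable: $file" >&2; return 1; }
    bits=$(openssl dhparam -in "$file" -text -noout 2>/dev/null | dh_bits_from_text)
    [ -n "$bits" ] || { echo "not a DH parameter file: $file" >&2; return 1; }
    [ "$bits" -ge "$MIN_BITS" ] || { echo "$file is only $bits bits" >&2; return 1; }
    echo "$file: $bits-bit DH parameters"
}

# Print the path sendmail.cf names in its "O DHParameters=" option (empty if the
# option is absent, in which case the generated file is not used at all).
cf_dh_parameters() {
    sed -n 's/^O DHParameters=//p' "$1" | head -n 1
}

# Tie both checks together: the file must be strong enough and sendmail.cf
# must point at it, otherwise sendmail never loads the new parameters.
check_sendmail_dh() {
    dh_param_ok "$1" || return 1
    cf_path=$(cf_dh_parameters "$2")
    if [ "$cf_path" != "$1" ]; then
        echo "sendmail.cf DHParameters is '${cf_path:-unset}', expected $1" >&2
        return 1
    fi
    echo "sendmail.cf uses $cf_path"
}

if [ "$#" -eq 2 ]; then
    check_sendmail_dh "$1" "$2"
fi
```

A non-zero exit with the reason on stderr means either the parameter file is still too small or sendmail.cf does not reference it; re-run after `make restart` to confirm the running configuration.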