Bug 542370 - mail-mta/sendmail-8.14.9: ebuilds lacks _FFR_TLS_EC define to compile in PFS support
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
Keywords: PullRequest
Reported: 2015-03-06 16:37 UTC by Jens Maus
Modified: 2020-08-17 03:06 UTC


Attachments
emerge --info output (emerge-info.txt,5.54 KB, text/plain)
2015-03-09 08:23 UTC, Jens Maus
Description Jens Maus 2015-03-06 16:37:35 UTC
The default ebuild for sendmail-8.14.9 in Gentoo allows SSL support to be compiled in. However, recent SSL security issues require hardening the SSL setup of sendmail & co. In the current build, no PFS (perfect forward secrecy) support is compiled in, despite the fact that this has been supported since 8.14.9. Thus I modified the ebuild myself by adding

-D_FFR_TLS_EC

after "-D_FFR_TLS_1" in the compile options for sendmail.

With this enabled one will be able to set

define(`confDH_PARAMETERS', `2048')dnl

in sendmail.mc.

Then connecting via the following openssl call

~ eh$ openssl s_client -connect <host>:25 -starttls smtp
[...]
SSL-Session:
 Protocol : TLSv1.2
 Cipher   : ECDHE-RSA-AES256-GCM-SHA384
[...]

one can see and verify that the cipher is now ECDHE* instead of just DHE*, which clearly shows that PFS support is now compiled in.

For more information on PFS see:

https://en.wikipedia.org/wiki/Forward_secrecy
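
Added example (not part of the original report or of the Gentoo ebuild): a small shell check that automates the verification step described above by reading `openssl s_client` output on stdin and classifying the key exchange of the negotiated cipher. The function names and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify the key exchange of the cipher reported by
# `openssl s_client`, reading its output on stdin.
# Prints one of: ecdhe | dhe | tls13 | other | unknown

classify_kx() {
    # Take the name from the "Cipher : NAME" line of the SSL-Session block.
    cipher=$(sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*$/\1/p' | head -n 1)
    case "$cipher" in
        ''|0000|'(NONE)') echo unknown ;;  # handshake did not complete
        TLS_*)            echo tls13 ;;    # TLS 1.3 names omit the key exchange;
                                           # full handshakes use ephemeral (EC)DHE
        ECDHE-*)          echo ecdhe ;;    # ephemeral elliptic-curve DH
        DHE-*|EDH-*)      echo dhe ;;      # ephemeral finite-field DH
        *)                echo other ;;    # not ephemeral, e.g. static RSA key transport
    esac
}

# Exit status 0 only when the negotiated suite uses an ephemeral key exchange.
is_forward_secret() {
    case "$(classify_kx)" in
        ecdhe|dhe|tls13) return 0 ;;
        *)               return 1 ;;
    esac
}

# Constructed sample outputs, trimmed to the lines that matter.
SAMPLE_ECDHE='SSL-Session:
 Protocol : TLSv1.2
 Cipher   : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_DHE='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'
SAMPLE_RSA='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

for sample in "$SAMPLE_ECDHE" "$SAMPLE_DHE" "$SAMPLE_RSA" "$SAMPLE_FAIL"; do
    printf '%s\n' "$sample" | classify_kx
done
```

Against a live server, pipe the command from the description into the function: `openssl s_client -connect <host>:25 -starttls smtp </dev/null 2>/dev/null | classify_kx`.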
Comment 1 Andrew Savchenko gentoo-dev 2015-03-08 15:24:40 UTC
Please upload emerge --info.
Comment 2 Jens Maus 2015-03-09 08:23:55 UTC
Created attachment 398466
emerge --info output

Here is the output of emerge --info for my system.
Comment 3 Jens Maus 2017-01-19 12:21:33 UTC
Unfortunately, there hasn't been any progress in almost two years regarding this ticket. Any chance of getting this integrated any time soon? Do you guys lack a maintainer for the sendmail package? If so, where can I send an improved ebuild file to see this integrated?
Comment 4 Arnim Eijkhoudt 2019-04-14 21:58:45 UTC
There is more stuff broken with sendmail at the moment, and as far as I can tell from other tickets, a maintainer is needed :-(
Comment 5 Larry the Git Cow gentoo-dev 2020-08-17 03:06:51 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c97bd0e2aa41d659ac1a5f39c241c2093c7f4241

commit c97bd0e2aa41d659ac1a5f39c241c2093c7f4241
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-08-17 02:52:02 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-08-17 03:06:40 +0000

    mail-mta/sendmail: bump to 8.16.1
    
    * Bump due to security issue
    * Add -D_FFR_TLS_EC to compile options which supports ECDHE and PFS
    * Stop building libmilter separately and introduce dep on
      mail-filter/libmilter
    * By depending on mail-filter/libmilter sendmail no longer installs
      static-libs.
    * Add -DMAXDAEMONS=64 to fix IPV6 environments
    * Fix various QA issues with lack of dies. More to be fixed.
    
    Bug: https://bugs.gentoo.org/730890
    Bug: https://bugs.gentoo.org/681232
    Closes: https://bugs.gentoo.org/542370
    Closes: https://bugs.gentoo.org/681224
    Closes: https://bugs.gentoo.org/724548
    Closes: https://bugs.gentoo.org/606490
    
    Acked-by: Sam James <sam@gentoo.org>
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 mail-mta/sendmail/Manifest                         |   1 +
 .../files/sendmail-8.14.6-build-system.patch       |  73 +-------
 mail-mta/sendmail/sendmail-8.16.1.ebuild           | 208 +++++++++++++++++++++
 3 files changed, 219 insertions(+), 63 deletions(-)