[BlueOnyx:17772] Re: Sendmail TLS Error

Dogsbody dan at dogsbody.org
Fri Jun 12 04:02:23 -05 2015


Michael, you will like this one ;-)

On 09/06/15 17:50, Richard Sidlin wrote:
> Getting these in the maillog for this recipient. Seems they are having a
> handshake issue. Is there a way to force sendmail to send to this
> recipient without TLS if it fails? Thanks.

I'm seeing the same things and it's really interesting. TLS is
opportunistic (on BX); it should try and use TLS first and then fail
down to clear text, but that doesn't seem to be happening for me either.

All of this boils down to this error...

> STARTTLS=client: ... SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

Which ties in perfectly with the OpenSSL security update that came out
on 05 Jun 2015 to fix the Logjam vulnerability and has the following
note...

Note: This update forces the TLS/SSL client implementation in OpenSSL to
reject DH key sizes below 768 bits, which prevents sessions to be
downgraded to export-grade keys. Future updates may raise this limit to
1024 bits.

... We don't define a DH key size in BX and, as far as I can tell, the
default for Sendmail is 512 bits for the STARTTLS client, which explains this
all away.

The fix is relatively simple but we need Michael to implement it really
as editing the Sendmail config manually can lead to problems.

Generate a larger DH key with the command:
  openssl dhparam -out dhparams.pem 2048

And edit /etc/mail/sendmail.mc to include the line:
  O DHParameters={path to dhparams.pem}

Shout if there are any questions.

I hope that helps.

Dan
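An added check, example code and not anything from this thread, BlueOnyx or Sendmail: it parses the dhparams.pem that `openssl dhparam` writes and reports the prime size, so you can confirm the file clears the 768-bit floor from the OpenSSL update (and the 2048 bits the command above produces) before pointing Sendmail at it. The sample parameters `make_dh_pem()` builds are constructed for the test only and are not real primes.

```python
# Added example, not BlueOnyx or Sendmail code: report the prime size in a PEM DH
# parameter file so it can be checked against the OpenSSL floor before deployment.
import base64
import re
OPENSSL_MIN_DH_BITS = 768   # floor enforced by the June 2015 OpenSSL update
RECOMMENDED_DH_BITS = 2048  # size produced by `openssl dhparam -out dhparams.pem 2048`

def _der_len_enc(n):
    """DER length, short or long form."""
    nb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return nb if n < 0x80 else bytes([0x80 | len(nb)]) + nb

def _der_len_dec(buf, i):
    """Decode a DER length at offset i -> (length, offset just after it)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_int(n):
    """DER INTEGER for positive n (0x00 pad when the high bit is set)."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    b = b"\x00" + b if b[0] & 0x80 else b
    return b"\x02" + _der_len_enc(len(b)) + b

def make_dh_pem(p, g=2):
    """Constructed test input only (p not checked for primality): PKCS#3 SEQUENCE { p, g }."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len_enc(len(body)) + body).decode()
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % b64

def dh_prime_bits(pem):
    """Bit length of p in a 'BEGIN DH PARAMETERS' block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, i = _der_len_dec(der, 1)  # skip the outer SEQUENCE header
    if der[0] != 0x30 or der[i] != 0x02:
        raise ValueError("not a DHParameter SEQUENCE { INTEGER p, ... }")
    plen, i = _der_len_dec(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()  # pad byte drops out

def classify_dh(pem):
    """Return (bits, verdict) for a DH parameter PEM."""
    bits = dh_prime_bits(pem)
    if bits < OPENSSL_MIN_DH_BITS:
        return bits, "rejected: OpenSSL client reports 'dh key too small'"
    return bits, "ok" if bits >= RECOMMENDED_DH_BITS else "accepted, but below the recommended 2048 bits"
```

Run `classify_dh(open("dhparams.pem").read())` against the file you generated; a real 2048-bit file from `openssl dhparam` reports `(2048, "ok")`.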