[BlueOnyx:17773] Re: Sendmail TLS Error

Michael Stauber mstauber at blueonyx.it
Fri Jun 12 13:13:57 -05 2015


Hi Dan,

> ... We don't define a DH key size in BX and as far as I can tell the
> default for Sendmail is 512bits for STARTTLS client which explains this
> all away.
> 
> The fix is relatively simple but we need Michael to implement it really
> as editing the Sendmail config manually can lead to problems.
> 
> Generate a larger DH key with the command:
>   openssl dhparam -out dhparams.pem 2048
> 
> And edit /etc/mail/sendmail.mc to include the line:
>   O DHParameters={path to dhparams.pem}

We've been doing some of this for some time now. As is, I had 5106R
calculate 1024-bit DH parameters during setup and updates of base-email.

EL6-based BlueOnyx were already using stronger DH parameters by default.

I didn't raise them to 2048 bits right away, as that might (at that
time) have raised compatibility issues with some mail servers or email
clients. It still might if we do that now, but let's try it.

So what's missing is to bump them all the way to 2048 bits and to add
the provisions in sendmail.mc, which may or may not be necessary. But
it's better to have it redundantly than needing it and not having it.

I'll look into it.

-- 
With best regards

Michael Stauber
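As an added example (not part of this thread or of BlueOnyx), a small POSIX shell check that reports the modulus size of a DH parameter file and regenerates it when it falls below the 2048-bit target discussed above. It assumes only the openssl CLI; the /etc/mail/dhparams.pem path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the BlueOnyx thread: inspect and enforce the size
# of the DH parameter file that sendmail.mc references via
# "O DHParameters=<path>". Assumes the openssl CLI is installed.

# Print the DH modulus size in bits for a PEM file (empty if unreadable).
# Works with both the OpenSSL 1.x and 3.x "DH Parameters: (N bit)" output.
dh_param_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if FILE holds DH parameters of at least MIN bits, 1 otherwise.
check_dh_min() {
    file=$1
    min=${2:-2048}
    bits=$(dh_param_bits "$file")
    [ -n "$bits" ] && [ "$bits" -ge "$min" ]
}

# Generate a fresh parameter file only when the existing one is missing,
# unreadable, or weaker than MIN bits. Generation at 2048 bits is slow.
ensure_dh_params() {
    file=$1
    min=${2:-2048}
    if check_dh_min "$file" "$min"; then
        echo "$file: $(dh_param_bits "$file") bit, ok"
    else
        echo "$file: missing or below $min bit, regenerating"
        openssl dhparam -out "$file" "$min" 2>/dev/null
    fi
}

# Usage with a placeholder path:
#   ensure_dh_params /etc/mail/dhparams.pem 2048
```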
