Sendmail problem after upgrade to r284296
Gregory Shapiro
gshapiro at gshapiro.net
Sun Jun 14 16:55:14 UTC 2015
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
The new OpenSSL eliminated small DHParam support. That leaves two possibilities:
1. The remote side you are talking to is using a small value. The best thing to do would be to eliminate the DH ciphers from your settings. See the docs for the CipherList setting.
2. Your side is using a small value. Double check your setting:
> grep DHParam /etc/mail/sendmail.cf
# DHParameters (only required if DSA/DH is used)
#O DHParameters
If that is set to '5' (or a string beginning with 5) or a filename which was created with a 512 bit DHParam, change it to '2' (2048) or a newly created file using 'openssl dhparam -out /path/to/file 2048'. In your /etc/mail/`hostname`.mc file, this setting will show as confDH_PARAMETERS.
Also note that the first version of the openssl fix included an ABI issue and a new version was released. Make sure you are using the latest version.
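A small check that follows the second possibility above, added here as an example and not part of Gregory's message: it reads the active `O DHParameters=` line from a sendmail.cf (the cf-level form of confDH_PARAMETERS) and classifies the value; the file case assumes `openssl dhparam -text -noout` is available to report the group size.

```shell
#!/bin/sh
# Classify the DHParameters option in a sendmail.cf.
# Prints one of: default, small, ok, file-missing, file-unchecked, file-small, file-ok, unknown
# Assumption: the active option is written as "O DHParameters=<value>";
# a commented "#O DHParameters" line only shows the default and is ignored.
dhparam_setting() {
    cf="$1"
    val=$(sed -n 's/^O DHParameters=//p' "$cf" | head -n 1)
    if [ -z "$val" ]; then
        echo default
        return 0
    fi
    case "$val" in
        5*) echo small ;;   # built-in 512-bit group: rejected as "dh key too small"
        2*) echo ok ;;      # built-in 2048-bit group
        /*)                 # a file, e.g. one made with: openssl dhparam -out /path/to/file 2048
            if [ ! -r "$val" ]; then
                echo file-missing
            elif ! command -v openssl >/dev/null 2>&1; then
                echo file-unchecked
            else
                bits=$(openssl dhparam -in "$val" -text -noout 2>/dev/null \
                       | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p')
                if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then
                    echo file-ok
                else
                    echo file-small
                fi
            fi ;;
        *)  echo unknown ;;
    esac
}

# Usage: sh check_dhparam.sh /etc/mail/sendmail.cf
if [ $# -gt 0 ]; then
    dhparam_setting "$1"
fi
```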