DH, SSL qmail trouble

Community support for Plesk, CPanel, WebMin and others with insight from two of the founders of Plesk. Ask for help here! No question is too simple or complicated. :-)
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

DH, SSL qmail trouble

Unread post by biggles »

Updated to openssl-1.0.1e-30.el6.11.x86_64 the other day and I think my problems are related.

In maillog I get:
qmail: 1434568520.705346 delivery 3: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_XXX.YYY.ZZZ.XXX./
Any suggestions how to fix this? I've got an angry customer whose emails are not delivered...
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: DH, SSL qmail trouble

Unread post by prupert »

Newer versions of OpenSSL reject Diffie Hellman groups below 768 bits to prevent a possible downgrade attack. Your mail server is most likely using a weak cipher to connect to another mail server with a weak Diffie Hellman group.

Not sure about the correct TLS settings in Qmail for maximum compatibility though.
Last edited by prupert on Thu Jun 18, 2015 6:41 am, edited 3 times in total.
Lemonbit Internet Dedicated Server Management

Re: DH, SSL qmail trouble

Unread post by biggles »

Thanks a lot! I tried to use the Odin script to generate a new, stronger DH encryption, but it screwed up all connectivity, for example from OS X based email clients (both incoming and outgoing email). I found some solutions in the Odin forums, which got it working, but I still suffered from the short key problem. To fix that I have excluded the domain from TLS encryption by using the option notlshosts/FQDN.

What I really cannot find is the place to change which DH pem to use...
lfenison
Forum User
Posts: 29
Joined: Mon Jun 14, 2010 8:39 pm

Re: DH, SSL qmail trouble

Unread post by lfenison »

Were you able to get the notlshost working for you? I haven't had any luck with that and wondered how you did it.

I tried this...
mkdir /var/qmail/control/notlshost
touch /var/qmail/control/notlshost/somedomain.com
touch /var/qmail/control/notlshost/someotherdomain.com

Restarted qmail and still getting the same errors in the log and messages remaining in the queue.

qmail: 1436649830.795551 delivery 3: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_69.94.125.39./

So the FQDN used above I got from running host 69.94.125.39 and used the name that was returned. Did I do something wrong?
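The thread's workaround is to list each affected peer under /var/qmail/control/notlshosts so that qmail stops attempting TLS to it. The script below is an added example, not code from the thread or from Plesk/qmail: it parses qmail deferral lines of the shape quoted above, counts the dh_key_too_small failures per peer address, and reports which resolved names still lack an entry in the control directory. The log lines, the IP-to-FQDN mapping (on a real server that is what `host <ip>` returns) and the scratch control directory are all constructed for the example.

```python
#!/usr/bin/env python3
"""Find peers that qmail is deferring with dh_key_too_small and check whether
each one already has an entry under the notlshosts control directory.

Added example, not from the forum thread. The log format follows the lines
quoted in the thread; the sample lines and the IP-to-name mapping below are
constructed, and the control directory is a parameter so the check can be
run against a scratch copy."""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample maillog excerpt (addresses from RFC 5737 documentation ranges).
SAMPLE_MAILLOG = """\
qmail: 1436649830.795551 delivery 3: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_192.0.2.10./
qmail: 1436649831.100000 delivery 4: success: did_0+0+1/
qmail: 1436649832.200000 delivery 5: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_198.51.100.7./
qmail: 1436649833.300000 delivery 6: deferral: Connected_to_203.0.113.5_but_greeting_failed./
qmail: 1436649834.400000 delivery 7: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_192.0.2.10./
"""

# One qmail deferral line: the OpenSSL error text, then the peer address
# written as "_connected_to_<ip>./" (note the trailing dot before the slash).
DEFERRAL_RE = re.compile(
    r"delivery (?P<delivery>\d+): deferral: (?P<reason>.*?);_connected_to_"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\./"
)


def dh_too_small_peers(log_text):
    """Return {peer_ip: deferral_count} for deliveries that failed
    OpenSSL's dh_key_too_small check."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DEFERRAL_RE.search(line)
        if m and "dh_key_too_small" in m.group("reason"):
            counts[m.group("ip")] += 1
    return dict(counts)


def missing_notlshosts_entries(peer_names, control_dir):
    """Return the names from peer_names that have no file in control_dir.

    The notlshosts control directory holds one empty file per remote host
    name to which TLS is not attempted (as described in the thread);
    peer_names is the list of FQDNs the admin resolved for the peer IPs."""
    control_dir = Path(control_dir)
    return sorted(n for n in peer_names if not (control_dir / n).is_file())


def demo():
    """Run the check against a scratch control directory and return
    (per-peer deferral counts, names still missing an entry)."""
    peers = dh_too_small_peers(SAMPLE_MAILLOG)
    # Hypothetical IP -> FQDN mapping, what `host <ip>` would return on a real server.
    names_for_ip = {"192.0.2.10": "mx1.example.net", "198.51.100.7": "mx.example.org"}
    wanted = [names_for_ip[ip] for ip in peers]
    with tempfile.TemporaryDirectory() as scratch:
        notlshosts = Path(scratch) / "notlshosts"
        notlshosts.mkdir(mode=0o755)          # same mode as the listing in the thread
        # Simulate an admin who has already added one of the two hosts.
        (notlshosts / "mx1.example.net").touch(mode=0o644)
        missing = missing_notlshosts_entries(wanted, notlshosts)
    return peers, missing


if __name__ == "__main__":
    peers, missing = demo()
    for ip, n in sorted(peers.items()):
        print(f"{ip}: {n} deferral(s) with dh_key_too_small")
    print("missing notlshosts entries:", missing)
```

Every name this reports and you then add to notlshosts turns TLS off for mail to that host, so deliveries to it go in cleartext; the list is worth reviewing again once the remote side has moved to a larger Diffie-Hellman group, so the entries can be removed rather than left in place indefinitely.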

Re: DH, SSL qmail trouble

Unread post by biggles »

Yes, it works! But you forgot an s!

/var/qmail/control/notlshosts

Re: DH, SSL qmail trouble

Unread post by lfenison »

biggles wrote: Yes, it works! But you forgot an s!

/var/qmail/control/notlshosts

Oops, I only forgot it in my post. I actually used notlshosts and it isn't working. What should the permissions be? I have this

drwxr-xr-x 2 root root 4.0K Jul 11 14:51 notlshosts/

and

-rw-r--r-- 1 root root 0 Jul 11 13:45 170.49.86.239
-rw-r--r-- 1 root root 0 Jul 11 14:50 170.49.86.240
-rw-r--r-- 1 root root 0 Jul 11 13:39 173.247.244.100
-rw-r--r-- 1 root root 0 Jul 11 14:49 biz100.inmotionhosting.com
-rw-r--r-- 1 root root 0 Jul 11 13:37 bsnf.com
-rw-r--r-- 1 root root 0 Jul 11 14:50 ftwwdimsp006.rails.rwy.bnsf.com
-rw-r--r-- 1 root root 0 Jul 11 14:51 ftwwdimsp007.rails.rwy.bnsf.com
-rw-r--r-- 1 root root 0 Jul 11 14:51 ftwwdimsp008.rails.rwy.bnsf.com
-rw-r--r-- 1 root root 0 Jul 11 13:42 hendrickslawfirm.com
-rw-r--r-- 1 root root 0 Jul 11 14:48 mail.hendrickslawfirm.com
-rw-r--r-- 1 root root 0 Jul 11 13:46 server2.samuels.com

Re: DH, SSL qmail trouble

Unread post by biggles »

Sorry for my late reply. Yes, I have root:root as well.