DH, SSL qmail trouble
Posted: Wed Jun 17, 2015 3:26 pm
by biggles
I updated to openssl-1.0.1e-30.el6.11.x86_64 the other day and I think my problems are related.
In maillog I get:
qmail: 1434568520.705346 delivery 3: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_XXX.YYY.ZZZ.XXX./
Any suggestions on how to fix this? I've got an angry customer whose emails are not being delivered...
Re: DH, SSL qmail trouble
Posted: Thu Jun 18, 2015 4:44 am
by prupert
Newer versions of OpenSSL reject Diffie-Hellman groups below 768 bits to prevent a possible downgrade attack. Your mail server is most likely using a weak cipher to connect to another mail server with a weak Diffie-Hellman group.
Not sure about the correct TLS settings in Qmail for maximum compatibility though.
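As an added example (not from this thread or from qmail itself), a small Python triage script that parses deferral lines of the shape quoted above and counts, per remote host, the deliveries failing with dh_key_too_small, so an admin can see which peers are affected before deciding on notlshosts entries or contacting the remote postmaster. The sample log lines are constructed for the example; the regex assumes the field layout shown in the thread.

```python
import re
from collections import Counter

# Pattern for qmail TLS deferral lines as shown in the thread: timestamp,
# delivery id, the underscore-joined OpenSSL error string, then the peer
# after "connected_to_" (the trailing "./" is log decoration, not the host).
DEFERRAL_RE = re.compile(
    r"^qmail: (?P<ts>\d+\.\d+) delivery (?P<delivery>\d+): deferral: "
    r"TLS_connect_failed:_error:(?P<code>[0-9A-Fa-f]+):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^;]+);"
    r"_connected_to_(?P<peer>.+?)\.?/?$"
)

# Constructed sample log: two weak-DH deferrals to one peer, one success,
# one deferral for an unrelated TLS reason.
SAMPLE_LOG = """\
qmail: 1434568520.705346 delivery 3: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_69.94.125.39./
qmail: 1434568531.112233 delivery 4: success: 69.94.125.40_accepted_message./Remote_host_said:_250_ok/
qmail: 1434568540.445566 delivery 5: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_69.94.125.39./
qmail: 1434568550.778899 delivery 6: deferral: TLS_connect_failed:_error:14090086:SSL_routines:SSL3_GET_SERVER_CERTIFICATE:certificate_verify_failed;_connected_to_203.0.113.7./
"""


def parse_deferral(line):
    """Return a dict of fields for a TLS deferral line, or None for any other line."""
    m = DEFERRAL_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["delivery"] = int(rec["delivery"])
    return rec


def weak_dh_peers(lines):
    """Count dh_key_too_small deferrals per peer address over the given log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_deferral(line)
        if rec and rec["reason"] == "dh_key_too_small":
            counts[rec["peer"]] += 1
    return counts


if __name__ == "__main__":
    for peer, n in weak_dh_peers(SAMPLE_LOG.splitlines()).most_common():
        print(f"{peer}: {n} deferral(s) with dh_key_too_small")
```

Feed it the real maillog with `weak_dh_peers(open("/var/log/maillog"))` to get the list of peers; the peer is the address qmail connected to, so resolve it (e.g. with `host`) to the MX name before creating any notlshosts entry.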
Re: DH, SSL qmail trouble
Posted: Thu Jun 18, 2015 6:14 am
by biggles
Thanks a lot! I tried to use the Odin script to generate a new, stronger DH encryption, but it screwed up all connectivity, for example from OS X based email clients (both incoming and outgoing email). I found some solutions in the Odin forums, which got it working, but still suffered from the short key problem. To fix that I have excluded the domain from TLS encryption by using the option notlshosts/FQDN.
What I really cannot find is the place to change which DH pem to use...
Re: DH, SSL qmail trouble
Posted: Sat Jul 11, 2015 5:30 pm
by lfenison
Were you able to get the notlshost working for you? I haven't had any luck with that and wondered how you did it.
I tried this...
mkdir /var/qmail/control/notlshost
touch /var/qmail/control/notlshost/somedomain.com
touch /var/qmail/control/notlshost/someotherdomain.com
Restarted qmail and still getting the same errors in the log and messages remaining in the queue.
qmail: 1436649830.795551 delivery 3: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_69.94.125.39./
So the FQDN used above I got from running host 69.94.125.39 and used the name that was returned. Did I do something wrong?
Re: DH, SSL qmail trouble
Posted: Sat Jul 11, 2015 6:14 pm
by biggles
Yes, it works! But you forgot an s!
/var/qmail/control/notlshosts
Re: DH, SSL qmail trouble
Posted: Sat Jul 11, 2015 6:40 pm
by lfenison
biggles wrote: Yes, it works! But you forgot an s!
/var/qmail/control/notlshosts
Oops, I only forgot it in my post. I actually used notlshosts and it isn't working. What should the permissions be? I have this
drwxr-xr-x 2 root root 4.0K Jul 11 14:51 notlshosts/
and
-rw-r--r-- 1 root root 0 Jul 11 13:45 170.49.86.239
-rw-r--r-- 1 root root 0 Jul 11 14:50 170.49.86.240
-rw-r--r-- 1 root root 0 Jul 11 13:39 173.247.244.100
-rw-r--r-- 1 root root 0 Jul 11 14:49 biz100.inmotionhosting.com
-rw-r--r-- 1 root root 0 Jul 11 13:37 bsnf.com
-rw-r--r-- 1 root root 0 Jul 11 14:50 ftwwdimsp006.rails.rwy.bnsf.com
-rw-r--r-- 1 root root 0 Jul 11 14:51 ftwwdimsp007.rails.rwy.bnsf.com
-rw-r--r-- 1 root root 0 Jul 11 14:51 ftwwdimsp008.rails.rwy.bnsf.com
-rw-r--r-- 1 root root 0 Jul 11 13:42 hendrickslawfirm.com
-rw-r--r-- 1 root root 0 Jul 11 14:48 mail.hendrickslawfirm.com
-rw-r--r-- 1 root root 0 Jul 11 13:46 server2.samuels.com
Re: DH, SSL qmail trouble
Posted: Tue Jul 28, 2015 4:06 am
by biggles
Sorry for my late reply. Yes, I have root:root as well.