DH, SSL qmail trouble

Posted: Wed Jun 17, 2015 3:26 pm
by biggles
Updated to openssl-1.0.1e-30.el6.11.x86_64 the other day and I think my problems are related.

In maillog I get:
qmail: 1434568520.705346 delivery 3: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_XXX.YYY.ZZZ.XXX./
Any suggestions how to fix this? I've got an angry customer whose emails are not being delivered...

Re: DH, SSL qmail trouble

Posted: Thu Jun 18, 2015 4:44 am
by prupert
Newer versions of OpenSSL reject Diffie-Hellman groups below 768 bits to prevent a possible downgrade attack. Your mail server is most likely using a weak cipher to connect to another mail server with a weak Diffie-Hellman group.

Not sure about the correct TLS settings in Qmail for maximum compatibility though.

Re: DH, SSL qmail trouble

Posted: Thu Jun 18, 2015 6:14 am
by biggles
Thanks a lot! I tried to use the Odin script to generate a new, stronger DH encryption, but it screwed up all connectivity, for example from OS X based email clients (both incoming and outgoing email). I found some solutions in the Odin forums, which got it working, but still suffered from the short key problem. To fix that I have excluded the domain from TLS encryption by using the option notlshosts/FQDN.

What I really cannot find is the place to change which DH pem to use...

Re: DH, SSL qmail trouble

Posted: Sat Jul 11, 2015 5:30 pm
by lfenison
Were you able to get the notlshost working for you? I haven't had any luck with that and wondered how you did it.

I tried this...
mkdir /var/qmail/control/notlshost
touch /var/qmail/control/notlshost/somedomain.com
touch /var/qmail/control/notlshost/someotherdomain.com

Restarted qmail and still getting the same errors in the log and messages remaining in the queue.

qmail: 1436649830.795551 delivery 3: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_69.94.125.39./

So the FQDN used above I got from running host 69.94.125.39 and used the name that was returned. Did I do something wrong?

Re: DH, SSL qmail trouble

Posted: Sat Jul 11, 2015 6:14 pm
by biggles
Yes, it works! But you forgot an s!

/var/qmail/control/notlshosts

Re: DH, SSL qmail trouble

Posted: Sat Jul 11, 2015 6:40 pm
by lfenison
biggles wrote: Yes, it works! But you forgot an s!

/var/qmail/control/notlshosts

Oops, I only forgot it in my post. I actually used notlshosts and it isn't working. What should the permissions be? I have this

drwxr-xr-x 2 root root 4.0K Jul 11 14:51 notlshosts/

and

-rw-r--r-- 1 root root 0 Jul 11 13:45 170.49.86.239
-rw-r--r-- 1 root root 0 Jul 11 14:50 170.49.86.240
-rw-r--r-- 1 root root 0 Jul 11 13:39 173.247.244.100
-rw-r--r-- 1 root root 0 Jul 11 14:49 biz100.inmotionhosting.com
-rw-r--r-- 1 root root 0 Jul 11 13:37 bsnf.com
-rw-r--r-- 1 root root 0 Jul 11 14:50 ftwwdimsp006.rails.rwy.bnsf.com
-rw-r--r-- 1 root root 0 Jul 11 14:51 ftwwdimsp007.rails.rwy.bnsf.com
-rw-r--r-- 1 root root 0 Jul 11 14:51 ftwwdimsp008.rails.rwy.bnsf.com
-rw-r--r-- 1 root root 0 Jul 11 13:42 hendrickslawfirm.com
-rw-r--r-- 1 root root 0 Jul 11 14:48 mail.hendrickslawfirm.com
-rw-r--r-- 1 root root 0 Jul 11 13:46 server2.samuels.com
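A small triage helper for the maillog deferral lines quoted in this thread and the notlshosts/ listing above (an added example, not code from the thread or from qmail): it parses the lines, counts failures per peer IP, and reports which dh_key_too_small peers have neither their IP nor their reverse name among the notlshosts/ file names. The reverse-name mapping and the second log line are constructed inputs; since the thread does not settle whether qmail matches the IP or the hostname, both are checked.

```python
import re
from collections import Counter

# Shape of the qmail-remote TLS deferral lines quoted in this thread; qmail
# replaces spaces inside the OpenSSL reason with underscores.
DEFERRAL_RE = re.compile(
    r"^qmail: (?P<ts>\d+\.\d+) delivery (?P<delivery>\d+): deferral: "
    r"TLS_connect_failed:_error:(?P<code>[0-9A-Fa-f]+):SSL_routines:"
    r"(?P<routine>[^:]+):(?P<reason>[^;]+);_connected_to_"
    r"(?P<peer>\d+(?:\.\d+){3})\.?/"
)

def parse_deferral(line):
    """Return a dict (ts, delivery, code, routine, reason, peer) or None."""
    m = DEFERRAL_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["delivery"] = int(rec["delivery"])
    return rec

def peers_by_reason(lines):
    """Count deferrals per (reason, peer IP) so the noisiest remotes stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_deferral(line)
        if rec:
            counts[(rec["reason"], rec["peer"])] += 1
    return counts

def unlisted_peers(lines, notlshosts_entries, reverse_names):
    """dh_key_too_small peers whose IP and reverse name (constructed map of
    what `host <ip>` would return) are both missing from notlshosts/ names."""
    listed = set(notlshosts_entries)
    missing = set()
    for (reason, peer) in peers_by_reason(lines):
        if reason != "dh_key_too_small":
            continue
        if peer not in listed and reverse_names.get(peer) not in listed:
            missing.add(peer)
    return sorted(missing)

# Constructed sample log: the line lfenison posted, one modelled on it with a
# documentation address (192.0.2.10), and an unrelated success line.
SAMPLE_LOG = [
    "qmail: 1436649830.795551 delivery 3: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_69.94.125.39./",
    "qmail: 1436649890.112233 delivery 7: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_192.0.2.10./",
    "qmail: 1436649900.000001 delivery 8: success: did_0+0+1/",
]
```

Every name in notlshosts/ turns delivery to that host into cleartext SMTP, so the directory deserves the same periodic review as any other exception list.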

Re: DH, SSL qmail trouble

Posted: Tue Jul 28, 2015 4:06 am
by biggles
Sorry for my late reply. Yes, I have root:root as well.