Atomic Secure Linux

All times are UTC - 5 hours [ DST ]
Post subject: DH, SSL qmail trouble
Posted: Wed Jun 17, 2015 3:26 pm
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 805
Location: Sweden
Updated to openssl-1.0.1e-30.el6.11.x86_64 the other day and I think my problems are related.

In maillog I get:
Quote:
qmail: 1434568520.705346 delivery 3: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_XXX.YYY.ZZZ.XXX./


Any suggestions how to fix this? I've got an angry customer whose emails are not delivered...


Post subject: Re: DH, SSL qmail trouble
Posted: Thu Jun 18, 2015 4:44 am
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
Newer versions of OpenSSL reject Diffie Hellman groups below 768 bits to prevent a possible downgrade attack. Your mail server is most likely using a weak cipher to connect to another mail server with a weak Diffie Hellman group.

Not sure about the correct TLS settings in Qmail for maximum compatibility though.

_________________
Lemonbit Internet Dedicated Server Management


Last edited by prupert on Thu Jun 18, 2015 6:41 am, edited 3 times in total.
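To see how much of a stuck queue is really the dh_key_too_small rejection described above, and which peers cause it, here is an added example (not from this thread or from qmail) that parses maillog lines in the format quoted in the first post and counts those deferrals per remote IP. The log lines, timestamps and 192.0.2.x addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of qmail-remote delivery lines modelled on the ones quoted in
# this thread (timestamps and the 192.0.2.0/24 addresses are documentation placeholders).
SAMPLE_MAILLOG = """\
qmail: 1434568520.705346 delivery 3: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_192.0.2.10./
qmail: 1434568531.118201 delivery 4: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_192.0.2.10./
qmail: 1434568542.004417 delivery 5: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_192.0.2.77./
qmail: 1434568553.900012 delivery 6: deferral: Connected_to_192.0.2.99_but_greeting_failed./
qmail: 1434568560.123456 delivery 7: success: 192.0.2.50_accepted_message./Remote_host_said:_250_ok/
"""

# One qmail-remote delivery result line: timestamp, delivery number, outcome, reason text.
DELIVERY_RE = re.compile(
    r"^qmail: (?P<ts>\d+\.\d+) delivery (?P<num>\d+): (?P<outcome>\w+): (?P<reason>.*)$"
)
# The OpenSSL failure this thread is about, followed by the peer address qmail appends.
WEAK_DH_RE = re.compile(
    r"SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\."
)

def parse_deliveries(log_text):
    """Yield (timestamp, delivery_number, outcome, reason) for each delivery line."""
    for line in log_text.splitlines():
        m = DELIVERY_RE.match(line)
        if m:
            yield float(m["ts"]), int(m["num"]), m["outcome"], m["reason"]

def weak_dh_peers(log_text):
    """Count deferrals caused by OpenSSL's dh_key_too_small check, keyed by peer IP.

    Only deferrals are inspected, so ordinary transient failures (greeting failed,
    connection refused, ...) are never mistaken for the weak-DH case.
    """
    peers = Counter()
    for _ts, _num, outcome, reason in parse_deliveries(log_text):
        m = WEAK_DH_RE.search(reason) if outcome == "deferral" else None
        if m:
            peers[m["ip"]] += 1
    return peers

def deferral_reasons(log_text):
    """Split deferrals into weak_dh vs. other, to show how much of the queue this bug holds."""
    classes = Counter()
    for _ts, _num, outcome, reason in parse_deliveries(log_text):
        if outcome == "deferral":
            classes["weak_dh" if WEAK_DH_RE.search(reason) else "other"] += 1
    return classes

if __name__ == "__main__":
    for ip, n in weak_dh_peers(SAMPLE_MAILLOG).most_common():
        print(f"{ip}: {n} deferrals with dh_key_too_small")
```

With OpenSSL 1.0.2 or later, `openssl s_client -starttls smtp -connect <host>:25` prints a `Server Temp Key: DH, N bits` line, which confirms the peer's group size before you decide to list it in notlshosts.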

Post subject: Re: DH, SSL qmail trouble
Posted: Thu Jun 18, 2015 6:14 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 805
Location: Sweden
Thanks a lot! I tried to use the Odin script to generate a new, stronger DH encryption, but it screwed up all connectivity, for example from OS X based email clients (both incoming and outgoing email). I found some solutions in the Odin forums, which got it working, but still suffered from the short key problem. To fix that I have excluded the domain from TLS encryption by using the option notlshosts/FQDN.

What I really cannot find is the place to change which DH pem to use...


Post subject: Re: DH, SSL qmail trouble
Posted: Sat Jul 11, 2015 5:30 pm
Forum User

Joined: Mon Jun 14, 2010 8:39 pm
Posts: 29
Were you able to get the notlshost working for you? I haven't had any luck with that and wondered how you did it.

I tried this...
mkdir /var/qmail/control/notlshost
touch /var/qmail/control/notlshost/somedomain.com
touch /var/qmail/control/notlshost/someotherdomain.com

Restarted qmail and still getting the same errors in the log and messages remaining in the queue.

qmail: 1436649830.795551 delivery 3: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_69.94.125.39./

So the FQDN used above I got from running host 69.94.125.39 and used the name that was returned. Did I do something wrong?


Post subject: Re: DH, SSL qmail trouble
Posted: Sat Jul 11, 2015 6:14 pm
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 805
Location: Sweden
Yes, it works! But you forgot an s!

/var/qmail/control/notlshosts


Post subject: Re: DH, SSL qmail trouble
Posted: Sat Jul 11, 2015 6:40 pm
Forum User

Joined: Mon Jun 14, 2010 8:39 pm
Posts: 29
biggles wrote:
Yes, it works! But you forgot an s!

/var/qmail/control/notlshosts


Oops, I only forgot it in my post. I actually used notlshosts and it isn't working. What should the permissions be? I have this:

drwxr-xr-x 2 root root 4.0K Jul 11 14:51 notlshosts/

and

-rw-r--r-- 1 root root 0 Jul 11 13:45 170.49.86.239
-rw-r--r-- 1 root root 0 Jul 11 14:50 170.49.86.240
-rw-r--r-- 1 root root 0 Jul 11 13:39 173.247.244.100
-rw-r--r-- 1 root root 0 Jul 11 14:49 biz100.inmotionhosting.com
-rw-r--r-- 1 root root 0 Jul 11 13:37 bsnf.com
-rw-r--r-- 1 root root 0 Jul 11 14:50 ftwwdimsp006.rails.rwy.bnsf.com
-rw-r--r-- 1 root root 0 Jul 11 14:51 ftwwdimsp007.rails.rwy.bnsf.com
-rw-r--r-- 1 root root 0 Jul 11 14:51 ftwwdimsp008.rails.rwy.bnsf.com
-rw-r--r-- 1 root root 0 Jul 11 13:42 hendrickslawfirm.com
-rw-r--r-- 1 root root 0 Jul 11 14:48 mail.hendrickslawfirm.com
-rw-r--r-- 1 root root 0 Jul 11 13:46 server2.samuels.com


Post subject: Re: DH, SSL qmail trouble
Posted: Tue Jul 28, 2015 4:06 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 805
Location: Sweden
Sorry for my late reply. Yes, I have root:root as well.

