Hello John,

On Fri, 24 Jan 2020 at 00:01, John Covici via mailop <mailop@mailop.org> wrote:
>
> Hi. I am using sendmail from my own server and using a virtual
> machine in the cloud as a relay. That machine all of a sudden several
> days ago keeps getting a message saying
> Jan 23 17:51:33 debian-2 sm-mta[7625]: STARTTLS=client, error: connect
> failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
>
> Now, in my sendmail.mc (included from starttls.m4) I have
> define(`confDH_PARAMETERS', `/etc/mail/tls/sendmail-common.prm')dnl
> # <= EDIT and I made sure that the file was regenerated with 2046 bits
> by doing
> openssl dhparam -out /etc/mail/tls/sendmail-common.prm 2048
> So, what the heck is happening, why do at least some sites say the dh
> key is too small?
>
> Thanks in advance for any suggestions.

Don't randomly change the configuration, you need to be able to
actually test and confirm it.

You can use openssl or testssl.sh [1] for example:

$ openssl s_client -cipher 'DHE' -starttls smtp -crlf -connect myrelay.example.org:25
[...]
Server Temp Key: DH, 2048 bits
[...]
$
$ ./testssl.sh --starttls smtp myrelay.example.org:25
[...]
 DH group offered:            Unknown DH group (2048 bits)
[...]
 Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)   KeyExch.  Encryption  Bits  Cipher Suite Name (IANA/RFC)
----------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384   ECDH 256  AESGCM      256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028   ECDHE-RSA-AES256-SHA384       ECDH 256  AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc014   ECDHE-RSA-AES256-SHA          ECDH 256  AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x9f     DHE-RSA-AES256-GCM-SHA384     DH 2048   AESGCM      256   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 x6b     DHE-RSA-AES256-SHA256         DH 2048   AES         256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 x39     DHE-RSA-AES256-SHA            DH 2048   AES         256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 xc02f   ECDHE-RSA-AES128-GCM-SHA256   ECDH 256  AESGCM      128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc027   ECDHE-RSA-AES128-SHA256       ECDH 256  AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc013   ECDHE-RSA-AES128-SHA          ECDH 256  AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x9e     DHE-RSA-AES128-GCM-SHA256     DH 2048   AESGCM      128   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 x67     DHE-RSA-AES128-SHA256         DH 2048   AES         128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 x33     DHE-RSA-AES128-SHA            DH 2048   AES         128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
[...]
$

Lukas

[1] https://testssl.sh/
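
Added example, not part of the original message: a small shell check that reads `openssl s_client` output and reports whether the "Server Temp Key" line shows a finite-field DH key of sufficient size. The function names, the 2048-bit default threshold and the sample transcripts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: read `openssl s_client` output on stdin and judge the
# "Server Temp Key" line. Sample transcripts below are constructed.

# Print "<kex> <bits>" for the first Server Temp Key line, e.g. "DH 2048".
# Prints nothing if the line is absent (no ephemeral key, or no handshake).
temp_key() {
    awk '/^Server Temp Key:/ { kex = $4; sub(/,$/, "", kex); print kex, $(NF-1); exit }'
}

# Exit status: 0 = finite-field DH key of at least $1 bits (default 2048,
# an assumed threshold), 1 = DH key smaller than that, 2 = no DH key seen.
check_dh() {
    min=${1:-2048}
    set -- $(temp_key)
    [ "$1" = "DH" ] || return 2
    [ "$2" -ge "$min" ] && return 0
    return 1
}

SAMPLE_OK='CONNECTED(00000003)
---
Server Temp Key: DH, 2048 bits
---'
SAMPLE_WEAK='CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---'
SAMPLE_ECDH='Server Temp Key: ECDH, P-256, 256 bits'

for sample in "$SAMPLE_OK" "$SAMPLE_WEAK" "$SAMPLE_ECDH"; do
    rc=0
    printf '%s\n' "$sample" | check_dh 2048 || rc=$?
    echo "$(printf '%s\n' "$sample" | temp_key) -> status $rc"
done

# Live use (needs network):
#   openssl s_client -cipher 'DHE' -starttls smtp -crlf \
#       -connect myrelay.example.org:25 </dev/null 2>/dev/null | check_dh 2048
```

Status 2 is kept separate from status 1 so that a handshake that negotiated ECDHE, or did not complete at all, is not mistaken for a weak DH group.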