[NOTE: There's no need to send me copies of messages off-list. I do read
replies on-list]
On 24 Jan 2020, at 12:09, John Covici via mailop wrote:
Yep, looks good. But does that help if it's the far end that is the
problem?
Not if that message is your Sendmail/OpenSSL complaining about the far
end offering too small a key, but I'm not 100% certain that this is what
that log line indicates. The lack of a "relay=" element identifying the
far end host suggests that this is an entirely local problem.
On Fri, 24 Jan 2020 11:47:12 -0500,
Bill Cole via mailop wrote:
On 23 Jan 2020, at 18:01, John Covici via mailop wrote:
Hi. I am using sendmail from my own server and using a virtual
machine in the cloud as a relay. That machine all of a sudden several
days ago keeps getting a message saying
Jan 23 17:51:33 debian-2 sm-mta[7625]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Now, in my sendmail.mc (included from starttls.m4) I have
define(`confDH_PARAMETERS', `/etc/mail/tls/sendmail-common.prm')dnl # <= EDIT
and I made sure that the file was regenerated with 2046 bits by doing
openssl dhparam -out /etc/mail/tls/sendmail-common.prm 2048
So, what the heck is happening, why do at least some sites say the dh
key is too small?
Thanks in advance for any suggestions.
In case you have not done so already, actually LOOK at that
file. It should be a PEM-format file containing:
-----BEGIN DH PARAMETERS-----
[6x64-character lines of Base64, last line partial]
-----END DH PARAMETERS-----
Also check the size (424 bytes), permissions (must be readable by
whatever user Sendmail runs as), and, if you're using SELinux, make
sure it has the correct file context label. And make sure that
name is right: did you actually use the ".prm" filename extension
in creating it and in your sendmail.mc?
Often the problem with arcane technical issues is actually in the
simplest external details...
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?
John Covici wb2una
cov...@ccs.covici.com