Unable to send mail out to a certain domain with Qmail: SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small

Created: 2016-11-16 12:56:58 UTC

Modified: 2017-04-24 11:23:57 UTC


Applicable to:

  • Plesk 12.0 for Linux

Symptoms

Mail to a certain domain cannot be delivered from Qmail, and /var/log/maillog contains errors like the following:

Aug 31 10:22:36 smtp15 sendmail[5616]: STARTTLS=client: 5616:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:2429:

Cause

The destination mail server offers an ephemeral Diffie-Hellman (DHE) parameter smaller than 768 bits during the STARTTLS handshake. Since the Logjam mitigations (OpenSSL 1.0.1n / 1.0.2b), OpenSSL clients treat such DH parameters as insecure and abort the handshake, so Qmail cannot negotiate TLS with that server and the message stays undelivered.

Resolution

Ask the administrators of the destination mail server to configure stronger DH parameters (at least 2048 bits is the usual recommendation). This is the only fix that does not weaken your own server.

If Qmail must still deliver to the insecure mail server in the meantime, one of the following workarounds can be used.

IMPORTANT: these workarounds decrease the security of the server and should be used only in case of emergency. If none of them is acceptable for security reasons, please contact Odin Technical Support to investigate the issue.

Any one of the following actions works around the problem:

  • Add the destination mail server to Qmail's no-TLS host list. The file name must be the fully qualified host name of the SMTP server Qmail connects to (the MX host), for example mail.example.com:

    # mkdir /usr/local/qmail/shared/control/notlshosts
    # touch /usr/local/qmail/shared/control/notlshosts/mail.example.com

    Note: Qmail sends mail to hosts listed there in plaintext, without TLS at all, so messages to that host are exposed in transit. This affects only that host.

  • Downgrade the openssl package to a version that still accepts small DH parameters. This removes the Logjam protection for every OpenSSL client and server on the host, not just Qmail, and reintroduces any other vulnerabilities fixed in the newer package.

  • Disable finite-field Diffie-Hellman key exchange for Qmail's outgoing connections, so that Qmail negotiates RSA or ECDHE key exchange instead and never receives the weak DH parameter. To do so, execute the following command on the Qmail host:

    # echo "DEFAULT:!DH" > /usr/local/qmail/shared/control/tlsclientciphers

    Note: this setting affects outgoing connections to all mail servers. Servers that only offer DHE cipher suites will no longer be reachable over TLS, and connections to servers without ECDHE support lose forward secrecy.
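Before choosing a workaround, it is worth confirming which destination host actually offers a weak DH parameter and how small it is. The following POSIX shell script is an added example, not part of the Plesk article or of Qmail: it parses the "Server Temp Key" line that `openssl s_client` (OpenSSL 1.0.2 or later, assumed to be installed) prints for the negotiated handshake, classifies the DH size against the 768-bit threshold named above, offers a live probe of an MX host that forces DHE so the server's parameter size is visible, and checks that the `DEFAULT:!DH` cipher string from the last workaround really leaves no DH key exchange enabled. The function names and the sample handshake output are constructed for this example.

```shell
#!/bin/sh
# Added example (not Plesk or qmail code): inspect a destination SMTP
# server's ephemeral DH parameter size before applying a workaround.

# Minimum DH size accepted by a Logjam-patched OpenSSL client, per the article.
MIN_DH_BITS=768

# Extract the DH parameter size from `openssl s_client` output.
# OpenSSL >= 1.0.2 prints a line such as "Server Temp Key: DH, 512 bits".
# Prints "none" when no DH temp key was used (RSA or ECDHE key exchange,
# or a handshake that failed before a key was printed).
dh_bits_from_sclient_output() {
    bits=$(printf '%s\n' "$1" \
        | sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' \
        | head -n 1)
    if [ -z "$bits" ]; then
        echo none
    else
        echo "$bits"
    fi
}

# Classify a handshake transcript. Exit status: 0 = DH size acceptable,
# 1 = DH too small (the dh_key_too_small case), 2 = no DH key exchange seen.
classify_dh() {
    bits=$(dh_bits_from_sclient_output "$1")
    if [ "$bits" = none ]; then
        echo "no-dh"
        return 2
    fi
    if [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "too-small:$bits"
        return 1
    fi
    echo "ok:$bits"
    return 0
}

# Live probe of an MX host: force an authenticated DHE cipher so the
# server's DH parameter is negotiated even if it would prefer ECDHE or RSA.
# Usage: probe_mx mail.example.com
probe_mx() {
    out=$(openssl s_client -starttls smtp -connect "$1:25" -cipher 'DHE' \
          </dev/null 2>&1) || true
    classify_dh "$out"
}

# Verify that the cipher string written to control/tlsclientciphers leaves
# no finite-field DH key exchange (Kx=DH) in the enabled list.
# Prints the number of DH-based suites that remain; 0 is what we want.
count_dh_suites() {
    openssl ciphers -v "$1" | grep -c 'Kx=DH' || true
}

# Constructed sample transcripts, modelled on real `openssl s_client` output
# (not captured from the server in the article).
SAMPLE_SMALL_DH='CONNECTED(00000003)
---
Server Temp Key: DH, 512 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
250 OK'

SAMPLE_ECDHE='CONNECTED(00000003)
---
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
250 OK'

# Demonstration on the constructed samples when run directly.
classify_dh "$SAMPLE_SMALL_DH" || true
classify_dh "$SAMPLE_ECDHE" || true
```

Run `probe_mx mail.example.com` against the real destination host to see the size it offers; a result of `too-small:512` is the condition that produces the maillog error above, while `no-dh` after the `tlsclientciphers` change (or `count_dh_suites 'DEFAULT:!DH'` printing `0`) confirms that DH key exchange is no longer negotiated.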
