Unable to send mail out to a certain domain with Qmail. There are errors like the following in
Aug 31 10:22:36 smtp15 sendmail: STARTTLS=client: 5616:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:2429:
Issue is caused because the destination server has a Diffie-Hellman key with size less than 768 bit. In the recent version of Open SSL, such keys are considered as insecure.
Address to the administrators of the destination mail server to update the keys to the more secure ones.
If you still want qmail to continue to communicate with the non secure mail servers, then the following solutions can be used:
IMPORTANT: these solutions decrease the server security and might be used only in case of emergency. If the solutions are not applicable due to security reasons, please, contact Odin Technical Support to investigate the issue.
One of the following actions will workaround the problem
Add the server, which bounces mail, to trusted hosts list in Qmail:
# mkdir /usr/local/qmail/shared/control/notlshosts
# touch /usr/local/qmail/shared/control/notlshosts/mail.example.com
Note: Qmail send message without TLS to such domains.
Disable DH keys exchange for Qmail outgoing connections to destination mail servers. To disable the DH keys, execute the following command on the qmail host:
# echo "DEFAULT:!DH" > /usr/local/qmail/shared/control/tlsclientciphers
Note: that this solution affects connections to all mail servers and potentially can lead to connection problems to some servers.