- Plesk 12.0 for Linux
Unable to send mail out to a certain domain with Qmail. Errors like the following appear in the mail log:
sendmail: STARTTLS=client: 5616:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:2429:
qmail: delivery deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_203.0.113.2/
The two servers have different security settings:
- the destination mail server uses a Diffie-Hellman key smaller than 768 bits;
- recent versions of OpenSSL shipped with Plesk treat such keys as insecure, so the Plesk mail server defers the delivery attempt.
Switching to Postfix is the fastest and easiest way to resolve the issue: the problem does not occur with Postfix.
If Qmail must remain in use, contact the administrators of the destination mail server and ask them to update their keys to more secure ones.
Alternatively, it is possible to allow the Plesk server to connect to the remote mail server despite its weak security settings.
Warning: this decreases the server's security and should be used only in case of emergency!
1 Connect to the server using SSH.
2 Use either of the following ways to allow the Plesk server to connect to the insecure remote mail server:
- Add the remote mail server to trusted hosts list in Qmail:
# mkdir -p /var/qmail/control/notlshosts
# touch /var/qmail/control/notlshosts/mail.example.com
Note: Qmail will then send messages to such domains without TLS encryption.
- Disable DH key exchange for Qmail outgoing connections to destination mail servers. To do so, execute the following command on the Qmail host:
# echo 'DEFAULT:!DH' > /var/qmail/control/tlsclientciphers
Note: this setting affects connections to all mail servers and may cause connection problems with some of them.
3 Restart the Qmail mail server to apply the changes:
# service qmail restart
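The following shell script is an added example and is not part of the Plesk article or of Qmail itself. It shows how an administrator can confirm that a destination really offers a Diffie-Hellman key below the 768-bit threshold quoted above (by parsing the "Server Temp Key" line that OpenSSL 1.0.2+ s_client prints for an SMTP STARTTLS session) before deciding on the notlshosts workaround, and it wraps the article's mkdir/touch step in a function whose control directory is a parameter. The function names, the MIN_DH_BITS variable, the parameterized control directory and the embedded s_client output are all assumptions constructed for the example; the sample output is not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the Plesk article: decide whether a destination's
# ephemeral DH key is below the size OpenSSL rejects ("dh key too small"),
# and optionally record the host in qmail's notlshosts directory.

# Threshold stated in the article (assumption: encoded here as a variable).
MIN_DH_BITS=768

# Read s_client output on stdin and print "<type> <bits>" from the line
# "Server Temp Key: DH, 512 bits" (or "Server Temp Key: ECDH, P-256, 256 bits").
temp_key_info() {
    sed -n 's/^Server Temp Key: \([A-Z]*\),.* \([0-9][0-9]*\) bits$/\1 \2/p' | head -n 1
}

# True (exit 0) when the key type is DH and its size is below MIN_DH_BITS,
# which is the case in which qmail's TLS client defers delivery.
# $1 = key type, $2 = size in bits.
dh_key_too_small() {
    [ "$1" = "DH" ] && [ "$2" -lt "$MIN_DH_BITS" ]
}

# Probe a live destination; this mirrors what a manual check would run and is
# not called anywhere below. $1 = host name.
probe_host() {
    openssl s_client -connect "$1:25" -starttls smtp </dev/null 2>/dev/null | temp_key_info
}

# The article's workaround: create <control_dir>/notlshosts/<host> so qmail
# stops negotiating TLS with that host. $1 = qmail control directory
# (/var/qmail/control on a real server), $2 = destination host name.
add_notls_host() {
    mkdir -p "$1/notlshosts" && touch "$1/notlshosts/$2"
}

# Constructed, abridged s_client output for a destination with a 512-bit DH key.
SAMPLE_SCLIENT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.com
---
SSL handshake has read 2048 bytes and written 456 bytes
---
Server Temp Key: DH, 512 bits
---
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA'

# Evaluate the constructed sample and report "deferred:<bits>" or "ok:<bits>".
check_sample() {
    info=$(printf '%s\n' "$SAMPLE_SCLIENT" | temp_key_info)
    set -- $info
    if dh_key_too_small "$1" "$2"; then
        echo "deferred:$2"
    else
        echo "ok:$2"
    fi
}

# Stand-alone run: prints deferred:512 for the sample above.
check_sample
```

On a real server, `probe_host mail.example.com` gives the same "DH 512"-style answer for a live destination; only when that shows a DH key below the threshold does the notlshosts workaround apply, and `add_notls_host /var/qmail/control mail.example.com` then performs exactly the two commands from step 2.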