Applicable to:
- Plesk for Linux
Symptoms
-
Unable to send mail out from Plesk to certain domain with Qmail.
-
Errors in
/var/log/maillog:CONFIG_TEXT: sendmail[5616]: STARTTLS=client: 5616:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:2429:
CONFIG_TEXT: qmail: delivery deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_203.0.113.2/
CONFIG_TEXT: TLS connect failed: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocolZConnected to 203.0.113.2 but connection died. (#4.4.2)
Cause
Different security settings on the servers: destination mail server has a Diffie-Hellman key having a length less than 768 bit, but recent versions of OpenSSL in Plesk consider such keys as insecure.
Resolution
Use either of the following solutions:
-
If Qmail still needed, contact administrators of the destination mail server in order to update the keys to the more secure ones.
Warning: this will decrease the server security and might be used only in case of emergency!
Option I: Force Qmail sending messages without SSL/TLS encryption to the affected domain:
-
Log in to Plesk server using SSH
-
Find 'MX' records for the affected domain
# dig -t mx +short example.com
10 mail.example.com -
Add the affected domain name into
notlshostslist# mkdir -p /var/qmail/control/notlshosts
# touch /var/qmail/control/notlshosts/mail.example.comNote: Qmail will start sending messages without TLS encryption to such domains.
Option II: Disable DH keys exchange for Qmail outgoing connections to destination mail servers:
-
Log in to Plesk server using SSH
-
Run the following command:
# echo 'DEFAULT:!DH' > /var/qmail/control/tlsclientciphers
-
Restart Qmail to apply the changes:
# service qmail restart
Note: this solution affects connections to all mail servers and potentially can lead to connection problems to some servers.
Comments
0 comments
Please sign in to leave a comment.