Articles in this section

See more

Unable to send mail out to certain domain with Qmail: SSL_routines: SSL3_CHECK_CERT_AND_ALGORITHM: dh_key_too_small

Avatar
Renan Moreira
Updated
Follow
Plesk for Linux kb: technical ABT: Group B

Applicable to:

  • Plesk for Linux

Symptoms

  1. Unable to send mail out from Plesk to certain domain with Qmail.

  2. Errors in /var/log/maillog :

    CONFIG_TEXT: sendmail[5616]: STARTTLS=client: 5616:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:2429:

    CONFIG_TEXT: sendmail[5616]: STARTTLS=client: 5616:error:SSL_routines: SSL3_CHECK_CERT_AND_ALGORITHM: dh_key_too_small

    CONFIG_TEXT: qmail: delivery deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_203.0.113.2/

CONFIG_TEXT: TLS connect failed: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocolZConnected to 203.0.113.2 but connection died. (#4.4.2)

Cause

Different security settings on the servers: destination mail server has a Diffie-Hellman key having a length less than 768 bit, but recent versions of OpenSSL in Plesk consider such keys as insecure.

Resolution

Use either of the following solutions:

  • Switch to Postfix

  • If Qmail still needed, contact administrators of the destination mail server in order to update the keys to the more secure ones.

    Warning: this will decrease the server security and might be used only in case of emergency!

click here to view the options

Option I: Force Qmail sending messages without SSL/TLS encryption to the affected domain:

  1. Log in to Plesk server using SSH

  2. Find 'MX' records for the affected domain

    # dig -t mx +short example.com
    10 mail.example.com

  3. Add the affected domain name into notlshosts list

    # mkdir -p /var/qmail/control/notlshosts
    # touch /var/qmail/control/notlshosts/mail.example.com

    Note: Qmail will start sending messages without TLS encryption to such domains.

Option II: Disable DH keys exchange for Qmail outgoing connections to destination mail servers:

  1. Log in to Plesk server using SSH

  2. Run the following command:

    # echo 'DEFAULT:!DH' > /var/qmail/control/tlsclientciphers

  3. Restart Qmail to apply the changes:

    # service qmail restart

    Note: this solution affects connections to all mail servers and potentially can lead to connection problems to some servers.

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles