Unable to send mail out to a certain domain with Qmail: SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small

Created: 2016-11-16 13:07:18 UTC

Modified: 2017-08-08 13:14:50 UTC


Applicable to:

  • Plesk for Linux

Symptoms

Mail cannot be sent to a certain domain with Qmail. Errors like the following appear in /var/log/maillog:

Jun 16 12:48:02 xcp qmail: 1434451682.055439 delivery 190193: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_1.1.1.1/

Cause

The issue is caused either by differing security settings (e.g. the destination server uses a smaller Diffie-Hellman key) or by different versions of the openssl packages installed on the source and destination servers.

Resolution

Note: Please consider switching to Postfix as the fastest and easiest way to resolve the issue.

IMPORTANT: This solution decreases server security and should be used only in an emergency. If the solution is not applicable for security reasons, please contact Plesk Technical Support to investigate the issue.

  1. Downgrade the openssl package.

  2. Add the server that bounces mail to the trusted hosts list in Qmail:

    # mkdir /var/qmail/control/notlshosts
    # touch /var/qmail/control/notlshosts/mail.example.com

    Note: Qmail sends messages without TLS to such domains.

  3. Restart Qmail afterward to make it work:

    # service qmail restart
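
To keep the step 2 workaround limited to the hosts that actually fail, the deferrals shown under Symptoms can be summarised per remote address. The script below is an added example, not part of the original article; the function names `dh_deferrals` and `sample_log` are hypothetical, and every sample log line except the first is constructed.

```shell
#!/bin/sh
# Added example (not from the original article).
# Summarise qmail "dh_key_too_small" TLS deferrals per remote address.
# Input:  maillog lines on stdin.
# Output: count<TAB>address<TAB>first seen<TAB>last seen, busiest first.
dh_deferrals() {
    awk '
    /deferral:/ && /TLS_connect_failed/ && /dh_key_too_small/ {
        host = $0
        # Keep only what follows ";_connected_to_"; skip lines without a peer.
        if (sub(/.*;_connected_to_/, "", host) == 0) next
        sub("[/ ].*$", "", host)      # drop the trailing "/" and anything after
        stamp = $1 " " $2 " " $3      # syslog month, day, time
        count[host]++
        if (!(host in seen_first)) seen_first[host] = stamp
        seen_last[host] = stamp
    }
    END {
        for (h in count)
            printf "%d\t%s\t%s\t%s\n", count[h], h, seen_first[h], seen_last[h]
    }' | sort -rn
}

# Constructed sample input; only the first line is taken from the article.
sample_log() {
    cat <<'EOF'
Jun 16 12:48:02 xcp qmail: 1434451682.055439 delivery 190193: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_1.1.1.1/
Jun 16 12:50:11 xcp qmail: 1434451811.120001 delivery 190201: success: 192.0.2.10_accepted_message./Remote_host_said:_250_ok/
Jun 16 13:02:40 xcp qmail: 1434452560.330207 delivery 190244: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_1.1.1.1/
Jun 16 13:05:09 xcp qmail: 1434452709.004410 delivery 190250: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_198.51.100.7/
Jun 16 13:06:00 xcp qmail: 1434452760.000100 delivery 190251: deferral: Connected_to_203.0.113.5_but_connection_died._(#4.4.2)/
EOF
}

# Demo run on the sample; on a server use: dh_deferrals < /var/log/maillog
sample_log | dh_deferrals
```

Because mail to hosts listed in notlshosts is sent without TLS, the "last seen" column also helps decide when an entry can be removed again.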