[Pkg-openssl-devel] Sendmail TLS-issue with libssl 1.1.1b-2 - unable to STARTTLS to some MTAs

Kurt Roeckx kurt at roeckx.be
Tue May 21 15:10:34 BST 2019


On Tue, May 21, 2019 at 02:16:07PM +0200, Joerg Hinz wrote:
> May 21 14:03:11 lindsey sm-mta[9247]: ruleset=tls_server, arg1=SOFTWARE,
> relay=cluster8.eu.messagelabs.com, reject=403 4.7.0 TLS handshake failed.
> May 21 14:03:11 lindsey sm-mta[9247]: x4LC3Amd009245: to=<xxxx.de>,
> delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=121212,
> relay=cluster8a.eu.messagelabs.com. [18.194.106.207], dsn=4.0.0,
> stat=Deferred: 421 Service Temporarily Unavailable

The failure is:
139733111608384:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2159:

Please see /usr/share/doc/libssl1.1/NEWS.Debian.gz for more
information.

The remote host really should use a larger DH key. I suggest you
try to contact them to fix their DH key.

I also think there is a bug in sendmail. It should retry without
TLS in case TLS fails. sendmail should probably also override the
defaults.


Kurt
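Added example, not part of the thread above: a small POSIX shell script that checks the ephemeral DH size a remote MTA actually offers on STARTTLS, which is the value behind the "dh key too small" error. It assumes the openssl(1) command-line tool is installed and that the 2048-bit minimum matches Debian's default security level 2 for libssl 1.1.1 (an assumption, set in MIN_DH_BITS). The live check forces a DHE suite at SECLEVEL=0 so the handshake completes even against a small key and the size can be read back from the "Server Temp Key" line; the parser and verdict functions also work on saved s_client output.

```shell
#!/bin/sh
# Added example (not from the thread): find out what DH parameter size a
# remote MTA offers on STARTTLS, so the "dh key too small" failure can be
# confirmed and reported to the remote operator.
# Assumes openssl(1) is installed; MIN_DH_BITS is an assumption matching
# the 2048-bit minimum of OpenSSL security level 2.

MIN_DH_BITS=2048

# Parse the "Server Temp Key:" line of openssl s_client output read from stdin.
# Prints the DH size in bits, or "none" when no ephemeral DH key was
# negotiated (ECDH/X25519 suite, or the handshake failed before that point).
dh_bits_from_s_client() {
    bits=$(sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    if [ -n "$bits" ]; then
        printf '%s\n' "$bits"
    else
        printf 'none\n'
    fi
}

# Classify a DH size (or "none") against MIN_DH_BITS.
dh_verdict() {
    case "$1" in
        none)
            echo "no DH key exchange negotiated"
            ;;
        *)
            if [ "$1" -lt "$MIN_DH_BITS" ]; then
                echo "too small: $1 bits < $MIN_DH_BITS"
            else
                echo "ok: $1 bits"
            fi
            ;;
    esac
}

# Live check against a host (port defaults to 25). -tls1_2 keeps the
# handshake on TLS 1.2 where classic DHE suites exist; SECLEVEL=0 lets the
# client accept whatever size the server sends so we can observe it.
check_mta_dh() {
    host=$1
    port=${2:-25}
    printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -starttls smtp \
        -tls1_2 -cipher 'DHE:@SECLEVEL=0' 2>/dev/null | dh_bits_from_s_client
}

# Usage: sh check_dh.sh mail.example.net
if [ -n "$1" ]; then
    dh_verdict "$(check_mta_dh "$1" "$2")"
fi
```

If the output is "too small", the remote side is the one to fix, as Kurt says; if it is "none", the server never reached a DHE key exchange and the problem lies elsewhere in the handshake.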