I have just updated a server from 10.1-RELEASE-p9 to 10.1-RELEASE-p12. The daily reports should be forwarded to me by email. Since the update, sendmail cannot move mail from the clientmqueue to the mqueue, with errors like:
Code:
Jun 13 03:01:49 motoko sendmail[3050]: t5D31nxX003050: from=root, size=9823, class=0, nrcpts=1, msgid=<201506130301.t5D31nxX003050@motoko.rdls.net>, relay=root@localhost
Jun 13 03:01:49 motoko sendmail[3050]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jun 13 03:01:49 motoko sendmail[3050]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
Jun 13 03:01:49 motoko sm-mta[3072]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
Jun 13 03:01:49 motoko sendmail[3050]: t5D31nxX003050: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=39823, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
Jun 13 03:01:49 motoko sm-mta[3072]: t5D31nPt003072: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
It seems to me that this problem is related to a recent SSL update and the minimum key size. The day before the update, the above messages looked like this:
Code:
Jun 12 03:01:22 motoko sendmail[39198]: t5C31M4U039198: from=root, size=764, class=0, nrcpts=1, msgid=<201506120301.t5C31M4U039198@motoko.rdls.net>, relay=root@localhost
Jun 12 03:01:22 motoko sm-mta[39239]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jun 12 03:01:22 motoko sendmail[39198]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jun 12 03:01:22 motoko sendmail[39244]: t5C31MZg039244: from=root, size=2542, class=0, nrcpts=1, msgid=<201506120301.t5C31MZg039244@motoko.rdls.net>, relay=root@localhost
...and then it went on to send the email to an external mail server.
This server is a very simple bridging firewall, so there are only a few places to look for keys. The /etc/mail/cert/ directory contained some files which were a year old, but openssl x509 showed that they had key lengths of 2048 bits. I regenerated them anyway, by renaming the directory and restarting the sendmail service.
I do not understand where the 256/256 key size comes from. The next step will be to perform a fresh install. Am I missing something obvious?
Thanks for taking the time to read this.
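An added example, not part of the original post: a Python triage of sendmail STARTTLS log lines like those above, separating handshakes rejected with "dh key too small" from earlier sessions that negotiated a DHE cipher. The bits= field sendmail logs is the strength of the symmetric cipher, not the size of the certificate key or of the DH parameters; the function names and the shortened sample are this example's own.

```python
import re

# Constructed sample: STARTTLS lines shortened from the log excerpts in the post.
SAMPLE = """\
Jun 12 03:01:22 motoko sm-mta[39239]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jun 12 03:01:22 motoko sendmail[39198]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jun 13 03:01:49 motoko sendmail[3050]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jun 13 03:01:49 motoko sm-mta[3072]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
Jun 13 03:01:49 motoko sm-mta[3072]: t5D31nPt003072: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
"""

# syslog prefix, program[pid], then sendmail's "STARTTLS=<role>, key=value, ..." record
LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ [\w-]+\[\d+\]: STARTTLS=(client|server), (.*)$")

def parse(line):
    """Return a dict for one STARTTLS record, or None for any other line."""
    m = LINE.match(line)
    if not m:
        return None
    when, role, rest = m.groups()
    fields = dict(p.partition("=")[::2] for p in rest.split(", ") if "=" in p)
    return {"when": when, "role": role, **fields}

def triage(text):
    """Split records into DH-parameter rejections and DHE sessions that succeeded."""
    dh_rejects, dhe_sessions = [], []
    for rec in filter(None, map(parse, text.splitlines())):
        cipher = rec.get("cipher", "")
        if rec.get("reason") == "dh key too small":
            # Raised on the connecting side: the peer's ephemeral DH group is
            # below the TLS library's minimum. Certificate keys are not involved.
            dh_rejects.append((rec["when"], rec["role"]))
        elif cipher.startswith(("DHE-", "EDH-")):
            # bits=<secret>/<algorithm> describes the symmetric cipher only.
            secret_bits = int(rec.get("bits", "0").split("/")[0])
            dhe_sessions.append((rec["when"], rec["role"], cipher, secret_bits))
    return dh_rejects, dhe_sessions

if __name__ == "__main__":
    rejects, sessions = triage(SAMPLE)
    for when, role in rejects:
        print(f"{when} {role}: peer DH parameters rejected as too small")
    for when, role, cipher, bits in sessions:
        print(f"{when} {role}: {cipher}, {bits}-bit symmetric key (DH size not logged)")
```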