|
RHEL6/Centos6 (and presumably RHEL7/Centos7) machines with the latest openssl packages now refuse SSL connections with DH keys shorter than 768 bits. Consider RHEL6 sendmail operating as a client, sending mail out to a target server. If the target server advertises STARTTLS, sendmail will try to negotiate a secure connection. This negotiation uses openssl, which will now refuse to connect to mail servers that have 512 bit DH keys. The maillog will contain entries with “reject=403 4.7.0 TLS handshake failed”.
If your mail server advertises STARTTLS, but only has a 512 bit DH key, you won’t receive any email from anyone running RHEL6 or other systems with that openssl logjam fix.
Read more details in the OpenSSL Blog on this issue.
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byRadix
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byWhoisXML API
RHEL5/Centos5 systems with all the current updates have 512 bit DH keys. If a server key has been generated on such a system (to enable SMTP/STARTTLS), then the DH key needs to be manually updated.
openssl dhparam -out /etc/pki/tls/certs/dhparam.pem 2048
Then add
define(`confDH_PARAMETERS’,`/etc/pki/tls/certs/dhparam.pem’)
to /etc/mail/sendmail.mc, and
(cd /etc/mail; make; service sendmail restart)