1. Forum
  2. Usenet
  3. COMP.MAIL.SENDMAIL

  • dh key too small

    From None@21:1/5 to All on Mon Oct 31 15:26:23 2022
    I have recently upgraded to centos9stream and removed the

    LOCAL_CONFIG
    O CipherList=HIGH
    O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE

    Assuming that the 8.16 has a better default configuration, yet I am
    seeing still a few "dh key too small" errors in the logs.

    The key has been generated with

    openssl dhparam -out dhparams.pem 2048

    Should I still force ciphers, or is there something wrong with a key of
    2048?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to None on Mon Oct 31 12:25:37 2022
    None wrote:

    Assuming that the 8.16 has a better default configuration, yet I am
    seeing still a few "dh key too small" errors in the logs.

    Please post a log entry: is it your system or the other side
    that's complaining?

    AFAIR some Linux distributions use ... "uncommon" settings
    in the OpenSSL compilation -- check the archive for other
    postings about this problem.

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From None@21:1/5 to All on Mon Oct 31 20:44:35 2022
    Assuming that the 8.16 has a better default configuration, yet I am
    seeing still a few "dh key too small" errors in the logs.

    Please post a log entry: is it your system or the other side
    that's complaining?

    It is theirs, this is an outgoing, mostly this trendmicro, but also some facebook smtpin

    sendmail[95017]: STARTTLS=client, error: connect failed=-1, reason=dh
    key too small, SSL_error=1, errno=0, retry=-1
    sendmail[95017]: ruleset=tls_server, arg1=SOFTWARE,
    relay=in.hes.trendmicro.eu, reject=403 4.7.0 TLS handshake failed. sendmail[95017]: 29RFGr81082301: to=<xxxxxxx>, delay=2+11:17:23, xdelay=00:00:00, mailer=esmtp, pri=5613815, relay=in.hes.trendmicro.eu. [52.58.62.239], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.


    AFAIR some Linux distributions use ... "uncommon" settings
    in the OpenSSL compilation -- check the archive for other
    postings about this problem.


    I did not expect that in 2022 there still can't be some cipher
    successfully negotiated.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to None on Tue Nov 1 02:32:03 2022
    None wrote:
    I have recently upgraded to centos9stream and removed the

    Which sendmail version and which openssl version?
    sendmail -bt -d0.14 </dev/null

    Should I still force ciphers, or is there something wrong with a key of
    2048?

    No, but it depends on the versions of sendmail, the library, and
    compile time options - hence the request for more info.

    Moreover, check whether your cf file actually references
    the generated data.


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From None@21:1/5 to All on Tue Nov 1 12:19:04 2022
    Which sendmail version and which openssl version?
    sendmail -bt -d0.14 </dev/null



    [@~]# sendmail -bt -d0.14 -bt < /dev/null
    Version 8.16.1
    Compiled with: DANE DNSMAP HES_GETMAILHOST IPV6_FULL LDAPMAP
    LDAP_NETWORK_TIMEOUT LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8
    MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB=5.3 CDB=1
    PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS TLS_EC
    TLS_VRFY_PER_CTX USERDB USE_LDAP_INIT
    OS Defines: ADDRCONFIG_IS_BROKEN HASFCHOWN HASFCHMOD
    HASGETDTABLESIZE HAS_GETHOSTBYNAME2 HASINITGROUPS HASLSTAT
    HASNICE HASRANDOM HASRRESVPORT HASSETREGID HASSETREUID
    HASSETRLIMIT HASSETSID HASSETVBUF HASURANDOMDEV HASSTRERROR
    HASUNAME HASUNSETENV HASWAITPID IDENTPROTO NEEDSGETIPNODE
    REQUIRES_DIR_FSYNC SFS_VFS USE_DOUBLE_FORK USE_SIGLONGJMP
    Kernel symbols: /boot/vmlinux
    Conf file: /etc/mail/submit.cf (default for MSP)
    Conf file: /etc/mail/sendmail.cf (default for MTA)
    Pid file: /var/run/sendmail.pid (default)
    libsm Defines: SM_CONF_LDAP_INITIALIZE SM_CONF_LDAP_MEMFREE
    SM_CONF_LONGLONG SM_CONF_MEMCHR SM_CONF_MSG SM_CONF_SEM
    SM_CONF_SIGSETJMP SM_CONF_SHM SM_CONF_SSIZE_T SM_CONF_STDBOOL_H
    SM_CONF_STDDEF_H SM_CONF_SYS_CDEFS_H SM_CONF_UID_GID
    DO_NOT_USE_STRCPY SM_HEAP_CHECK SM_OS=sm_os_linux SM_VA_STD
    FFR Defines: _FFR_MILTER_CHECK_REJECTIONS_TOO _FFR_QOS
    _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE
    OpenSSL: compiled 0x30000000
    OpenSSL: linked 0x30000010


    Conf file: /etc/mail/sendmail.cf (selected)
    Pid file: /var/run/sendmail.pid (selected)




    Should I still force ciphers, or is there something wrong with a key of
    2048?

    No, but it depends on the versions of sendmail, the library, and
    compile time options - hence the request for more info.

    Moreover, check whether your cf file actually references
    the generated data.


    Yes I have even the complete path in sendmail.mc define(`confDH_PARAMETERS',`/etc/mail/dhparams.pem')dnl

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to None on Mon Nov 7 11:13:47 2022
    None wrote:

    sendmail[95017]: STARTTLS=client, error: connect failed=-1, reason=dh
    key too small, SSL_error=1, errno=0, retry=-1

    Do you know how to use openssl s_client to test this?

    H=in.hes.trendmicro.eu
    openssl s_client -connect $H -state -debug -crlf -starttls smtp

    My guess is this might trigger the same error
    which points to the openssl version/setup on your host,
    it rejects the dh key offered by the server.

    Please post the result(s)!

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From None@21:1/5 to All on Tue Nov 8 23:20:39 2022
    sendmail[95017]: STARTTLS=client, error: connect failed=-1, reason=dh
    key too small, SSL_error=1, errno=0, retry=-1

    Do you know how to use openssl s_client to test this?

    H=in.hes.trendmicro.eu
    openssl s_client -connect $H -state -debug -crlf -starttls smtp


    [@]# openssl s_client -connect in.hes.trendmicro.eu -state -debug -crlf -starttls smtp


    809BD080237F0000:error:8000006E:system library:BIO_connect:Connection
    timed out:crypto/bio/bio_sock2.c:125:calling connect() 809BD080237F0000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:127:
    809BD080237F0000:error:8000006E:system library:BIO_connect:Connection
    timed out:crypto/bio/bio_sock2.c:125:calling connect() 809BD080237F0000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:127:

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to All on Tue Nov 8 23:34:25 2022
    Sorry, you need to add the port:
    openssl s_client -connect in.hes.trendmicro.eu:25 -state -debug -crlf -starttls smtp
    see also the man page for info.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From None@21:1/5 to All on Wed Nov 9 13:35:32 2022
    openssl s_client -connect in.hes.trendmicro.eu:25 -state -debug -crlf -starttls smtp
    see also the man page for info.


    This is the output, but I am not really sure how this is comparable as
    the dhparams.pem file is only in the /etc/mail/ folder and sendmail is configured for this.


    01c0 - e9 d4 fc df 15 09 ab 9d-0c 82 b6 f0 1a cd 99 3f ...............?
    01d0 - c3 e3 c6 bd 0b 1d 5d 2f-f3 4c e2 44 40 1d 58 54 ......]/[email protected]
    01e0 - 7b f5 cd 31 aa 93 5f 09-31 ac d1 b3 09 4e e0 15 {..1.._.1....N..
    01f0 - 83 a9 5c b2 c9 07 98 0e-a4 0a 6f 9c c7 45 63 05 ..\.......o..Ec.
    0200 - d3 7c 07 70 fd 83 70 60-6b 28 d7 b6 03 05 b4 .|.p..p`k(.....
    write to 0x560e17932310 [0x560e17a1b480] (7 bytes => 7 (0x7))
    0000 - 15 03 03 00 02 02 28 ......(
    ---
    Certificate chain
    0 s:C = US, ST = California, L = Cupertino, OU = BU, O = TREND MICRO INCORPORATED, CN = *.hes.trendmicro.eu
    i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
    v:NotBefore: Jan 6 12:59:48 2022 GMT; NotAfter: Feb 7 12:59:48
    2023 GMT
    1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
    v:NotBefore: Nov 21 00:00:00 2018 GMT; NotAfter: Nov 21 00:00:00
    2028 GMT
    2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
    v:NotBefore: Mar 18 10:00:00 2009 GMT; NotAfter: Mar 18 10:00:00
    2029 GMT
    ---
    Server certificate
    -----BEGIN CERTIFICATE----- MIIHcDCCBligAwIBAgIMbm7K6bCG3F4C+uZbMA0GCSqGSIb3DQEBCwUAMFAxCzAJ
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to None on Thu Nov 10 05:16:30 2022
    None wrote:

    This is the output, but I am not really sure how this is comparable as
    the dhparams.pem file is only in the /etc/mail/ folder and sendmail is configured for this.

    Because my guess is that it's a problem with the server key --
    I get this from in.hes.trendmicro.eu:

    Server Temp Key: DH, 1024 bits

    which could be considered "too small" by some OpenSSL versions.

    So the easiest is to keep the workarounds :-(

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From None@21:1/5 to All on Mon Aug 28 12:14:28 2023

    This is the output, but I am not really sure how this is comparable as
    the dhparams.pem file is only in the /etc/mail/ folder and sendmail is
    configured for this.

    Because my guess is that it's a problem with the server key --
    I get this from in.hes.trendmicro.eu:

    Server Temp Key: DH, 1024 bits

    which could be considered "too small" by some OpenSSL versions.


    How do you get this dh key? If I do this on my server I get this

    []# openssl s_client -connect xxxxxxxxxx:25 -starttls smtp | grep -i 'key'
    ..
    verify return:1
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
    Server Temp Key: ECDH, prime256v1, 256 bits
    Server public key is 2048 bit
    250 HELP

    and on

    openssl s_client -connect in.hes.trendmicro.eu:25 -starttls smtp | grep
    -i 'key'

    verify return:1
    807B24935D7F0000:error:0A00018A:SSL routines:tls_process_ske_dhe:dh key
    too small:ssl/statem/statem_clnt.c:2092:
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
    Server public key is 2048 bit
    Master-Key:

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From None@21:1/5 to All on Mon Aug 28 13:09:49 2023

    Server Temp Key: DH, 1024 bits

    How do you get this dh key? If I do this on my server I get this

    []# openssl s_client -connect xxxxxxxxxx:25 -starttls smtp | grep -i
    'key'

    Maybe you are using a different openssl version (or .cnf file)
    or maybe the server configuration has been changed?

    Indeed! old centos6 gives me the "Server Temp Key: DH, 1024 bits", while
    new centos9 just presents me only with the error.

    Does the original problem still exist?


    yes currently running with try_tls no

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to None on Mon Aug 28 06:43:47 2023
    None wrote:

    Server Temp Key: DH, 1024 bits

    How do you get this dh key? If I do this on my server I get this

    []# openssl s_client -connect xxxxxxxxxx:25 -starttls smtp | grep -i 'key'

    Maybe you are using a different openssl version (or .cnf file)
    or maybe the server configuration has been changed?

    Does the original problem still exist?

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)