My sendmail server on CentOS 5 started to reject some connections with the following message logged:

error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40

When I try to connect to it using openssl from a CentOS 6 server I get the following error:

$ openssl s_client -starttls smtp -crlf -connect hostname.example.net:smtp
(...)
error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3331
(...)
Server Temp Key: DH, 512 bits
(...)

Mail on CentOS 6 server is temporarily rejected with Deferred: 403 4.7.0 TLS handshake failed.

What should I do to be able to send mail from a CentOS 6 / RHEL 6 server to a CentOS6 / RHEL5 server?

Tometzky

2 Answers

This is because after a recent update to openssl on CentOS 6, openssl-1.0.1e-30.el6.11.x86_64, programs using this library started to refuse to connect to servers vulnerable to the Logjam TLS vulnerability.

You need to configure sendmail to use a stronger temporary Diffie–Hellman key, at least 1024 bits. It is not the same key that you use in your TLS certificate, so even if your certificate uses a 2048-bit key you can still be vulnerable.

Generate a DH parameters file on your server:

openssl dhparam -out /etc/pki/tls/certs/dhparams.pem 1024

Configure sendmail to use this parameters file and to use only strong ciphers. Add to /etc/mail/sendmail.mc:

LOCAL_CONFIG
O CipherList=HIGH:!ADH
O DHParameters=/etc/pki/tls/certs/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Then run make -C /etc/mail/ and service sendmail restart.

Tometzky
  • +1 from me - a nice piece of work, and a life saver. Thanks! – MadHatter Jun 25 '15 at 20:15
  • For clarification, is it the sending or receiving server that needs this change made on it? or both? – Joe Jul 08 '15 at 16:39
  • 1
    @Joe Receiving side. I'm not sure it is still strictly required, as there's a new openssl package for RHEL5/CentOS5 released (`openssl-0.9.8e-36.el5_11`) which might have corrected this problem. It's still recommended though. – Tometzky Jul 08 '15 at 19:23
  • I would not expect 1024 bit DH parameters to be safe for much longer. Start using 2048 bit params now. – Michael Hampton Jul 25 '15 at 04:37
  • Ok, that can fix the server, but how do I make s_client STFU and connect anyway? – Ricky Jul 26 '15 at 07:07
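As an added example (not part of the original question or answer), the following POSIX shell script checks the two things the answer above changes: the size of the temporary DH key a server actually offers over STARTTLS (parsed from the same `Server Temp Key: DH, N bits` line that `openssl s_client` prints in the question), and the size of a generated DHParameters file before sendmail is restarted. The 2048-bit minimum is an assumption taken from Michael Hampton's comment; the sample s_client output is constructed, not captured from a real server, and the `DH Parameters: (N bit)` format expected by `dhparams_file_bits` is an assumption about `openssl dhparam -text` output.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# MIN_DH_BITS is an assumption taken from the comment recommending 2048 bits.
MIN_DH_BITS=2048

# dh_bits_from_sclient: read `openssl s_client` output on stdin and print the
# temporary DH key size in bits. Prints 0 when no "Server Temp Key: DH, N bits"
# line is present (e.g. an ECDHE or plain RSA key exchange was negotiated).
dh_bits_from_sclient() {
    awk '
        /^Server Temp Key: DH,/ { print $5; found = 1; exit }
        END { if (!found) print 0 }
    '
}

# dh_key_ok BITS: succeed (exit 0) if BITS is at least MIN_DH_BITS.
dh_key_ok() {
    [ "$1" -ge "$MIN_DH_BITS" ]
}

# verdict BITS: print a one-line verdict for a given temporary key size.
verdict() {
    if [ "$1" -eq 0 ]; then
        echo "no temporary DH key negotiated"
    elif dh_key_ok "$1"; then
        echo "temporary DH key is $1 bits: ok"
    else
        echo "temporary DH key is $1 bits: too small (want >= $MIN_DH_BITS), regenerate DHParameters"
    fi
}

# check_server HOST: live probe; needs network access and openssl on PATH.
# Uses the same s_client invocation as the question.
check_server() {
    bits=$(openssl s_client -starttls smtp -crlf -connect "$1:smtp" </dev/null 2>/dev/null \
        | dh_bits_from_sclient)
    verdict "$bits"
}

# dhparams_file_bits FILE: print the bit size of a generated DH parameters file
# (assumes `openssl dhparam -text -noout` prints "DH Parameters: (N bit)").
# Run this on /etc/pki/tls/certs/dhparams.pem before restarting sendmail.
dhparams_file_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Constructed sample s_client output (not captured from a real server),
# mirroring the lines quoted in the question, so the parser runs offline.
SAMPLE_WEAK='CONNECTED(00000003)
(...)
Server Temp Key: DH, 512 bits
(...)'
SAMPLE_STRONG='CONNECTED(00000003)
Server Temp Key: DH, 2048 bits'

# sample_bits weak|strong: run the parser over one of the constructed samples.
sample_bits() {
    case "$1" in
        weak)   printf '%s\n' "$SAMPLE_WEAK"   | dh_bits_from_sclient ;;
        strong) printf '%s\n' "$SAMPLE_STRONG" | dh_bits_from_sclient ;;
    esac
}

# Stand-alone run: report on the two offline samples, then probe a host if
# one is given on the command line.
echo "weak sample:   $(verdict "$(sample_bits weak)")"
echo "strong sample: $(verdict "$(sample_bits strong)")"
if [ -n "${1:-}" ]; then
    check_server "$1"
fi
```

Run it as `sh check_dh.sh mail.example.org` to probe a live server; with no argument it only exercises the parser on the embedded samples. A server that negotiates ECDHE instead of DH reports "no temporary DH key negotiated", which is not a failure, so check the cipher line separately in that case.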
Yes, it works :-)

My error was a little different, but the solution is the same:

SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter:s3_pkt.c:1060:SSL alert number 47

I generated a server temporary key DH file (I didn't have any in my configuration; the default is 512 bits):

openssl dhparam -out /etc/mail/certs/dhparams.pem 2048

(it takes a very, very long time ;-)

and I put this line into sendmail.cf:

O DHParameters=/etc/mail/certs/dhparams.pem

After a restart my sendmail started to send mail again :-)

zipp