Sendmail: DH Too Small

by J. Edward Durrett

Sendmail/FreeBSD/OpenSSL

After upgrading OpenSSL, sendmail might stop working and complain in
/var/log/maillog like this:


sendmail[12302]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1

Here is how to fix it:

openssl dhparam -out /etc/mail/certs/dh.param -2 2048

After restarting, sendmail will work just like it always does.
Small Diffie-Hellman keys, less than 768 bits, are not allowed.
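
To check whether the error is still being logged after the restart, the failures can be counted per STARTTLS role along with the time of the last one. This script is an added example, not part of the original post; it assumes traditional syslog timestamps in the first three fields, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise sendmail STARTTLS failures logged as "dh key too small".
# Reads maillog lines on stdin and prints one line per STARTTLS role:
#   <role> <count> last=<timestamp of most recent failure>
# Assumption: lines start with a syslog timestamp ("Mar  3 10:15:02").
dh_too_small_summary() {
    awk '
        /STARTTLS=[a-z]+,/ && /reason=dh key too small/ {
            role = $0
            sub(/.*STARTTLS=/, "", role)    # drop everything up to the role
            sub(/,.*/, "", role)            # keep only the role name
            count[role]++
            last[role] = $1 " " $2 " " $3   # month, day, time
        }
        END {
            for (r in count) print r, count[r], "last=" last[r]
        }
    ' | sort
}

# Constructed sample input: two failures and one successful handshake.
sample_maillog() {
    cat <<'EOF'
Mar  3 10:15:02 mx sendmail[12302]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Mar  3 10:15:40 mx sendmail[12310]: STARTTLS=client, relay=mail.example.org., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Mar  3 10:17:11 mx sendmail[12344]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
EOF
}

# Demo on the constructed sample; on a real host use:
#   dh_too_small_summary < /var/log/maillog
sample_maillog | dh_too_small_summary
```

If the last= timestamp is older than the sendmail restart, no new failures have been logged since the fix.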







Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.

Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.