I have an OpenBSD system with sendmail/TLS
configured according to starttls(8) which calls
for DSA keys.

I have a situation where an MS Exchange Server
contacts my sendmail in an attempt to transfer
a message.  The transfer fails with "no shared
cipher".

This sendmail handles over 10k messages per
day, so DSA is clearly supported by most in
email-land.  About twice a year, this shared
cipher issue comes up.

I am not a full time administrator and am not
wise to the ways of all things email and crypto,
so my question is:

Why does starttls(8) describe only DSA?

Is this just because nobody has updated the man
page, and are there reasons to prefer one over
the other?

I am being pressured to "fix" this.

Should I dig into this and figure out how to
use both?  It looks like the easy thing to
do is regenerate the certs with RSA alone.
Is that advisable?

Thanks,
Ray
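An added example for the "regenerate with RSA" route the message asks about. This is not code from Ray's message, from starttls(8) or from the sendmail project; it uses only openssl(1) and assumes a scratch directory, a placeholder certificate subject (mail.example.invalid) and the usual sendmail layout of one key file and one certificate file. It generates an RSA key pair and self-signed certificate, reports which public-key algorithm a certificate actually carries (the quick way to confirm the current cert is DSA), and wraps the s_client probe you would run against the listener to see whether an RSA-only or DSA-only peer can agree on a cipher.

```shell
#!/bin/sh
# Added example, not from the original post. Paths, the subject name and
# the hostname are assumptions; adapt them to the real sendmail setup.
set -eu

# gen_rsa_cert DIR
#   Writes DIR/key.pem and DIR/cert.pem: an RSA-2048 private key and a
#   self-signed certificate valid for 365 days. A CA-issued certificate is
#   installed the same way; self-signed is enough to test key-type issues.
gen_rsa_cert() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=mail.example.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    # sendmail refuses a private key that is group- or world-readable.
    chmod 600 "$dir/key.pem"
}

# key_algorithm CERT
#   Prints the public-key algorithm of a PEM certificate, for example
#   "rsaEncryption" or "dsaEncryption". Run it on the certificate sendmail
#   currently serves to confirm whether it is DSA-only.
key_algorithm() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p'
}

# probe_starttls HOST CIPHERLIST
#   Opens an SMTP session to HOST:25, issues STARTTLS and offers only the
#   given OpenSSL cipher list. "aRSA" offers suites that need an RSA
#   certificate, "aDSS" suites that need a DSA certificate, so running both
#   shows which key type the server can actually negotiate. Needs network;
#   it is not exercised by the self-test below.
probe_starttls() {
    openssl s_client -connect "$1:25" -starttls smtp -cipher "$2" </dev/null 2>&1 \
        | grep -E 'Cipher is|no shared cipher|handshake failure'
}
```

Usage: `gen_rsa_cert /etc/mail/certs` then point `confSERVER_CERT` and `confSERVER_KEY` at the two files and restart sendmail; `probe_starttls mail.example.invalid aRSA` and `probe_starttls mail.example.invalid aDSS` from another host show which key types the listener serves. Note that TLS 1.3 defines no DSA cipher suites at all, so a DSA-only certificate fails against more peers than it did when this message was written.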
