Re: [qmailtoaster] dh key too small

2020-12-17 Thread Angus McIntyre
Problem solved. My crypto policies were set to DEFAULT. Changing them to 
LEGACY and rebooting fixed the issue. Thank you xaf and Eric.


Angus


xaf wrote on 12/17/20 4:07 AM:

Angus McIntyre wrote on 16/12/2020 at 21:10:

2048 bits ought to be enough, I would think. Most of the references to
this problem that I was able to find suggested that it kicked in at 768
bits and smaller. So maybe it's the remote server.

The remote is e4.echonyc.com (108.60.149.50).


openssl s_client -connect e4.echonyc.com:993 -cipher "DH" | grep "Server Temp Key"
Server Temp Key: DH, 1024 bits

what gives
update-crypto-policies --show
should show LEGACY

if not
update-crypto-policies --set LEGACY
and reboot

xaf



-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
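
Added example, not part of any post in this thread: the fix above comes down to the DH size the remote offers (1024 bits in the s_client output) against the minimum the local system-wide crypto policy accepts. The shell functions below parse saved openssl s_client output and compare it with the minimum DH sizes documented for the RHEL/CentOS 8 policies; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of s_client output; the key line matches the thread's.
SAMPLE='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server Temp Key: DH, 1024 bits'

# Read s_client output on stdin and print the finite-field DH size in bits.
# Prints nothing when the server used ECDHE/X25519 or no ephemeral key.
dh_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Minimum DH parameter size accepted under each RHEL/CentOS 8 crypto policy
# (values as documented for crypto-policies on RHEL 8).
policy_min_dh() {
    case "$1" in
        LEGACY)       echo 1023 ;;
        DEFAULT|FIPS) echo 2048 ;;
        FUTURE)       echo 3072 ;;
        *)            return 1 ;;
    esac
}

# verdict POLICY < s_client-output
# Prints accept:/reject: with the comparison, or no-dhe if DH was not used.
verdict() {
    min=$(policy_min_dh "$1") || { echo "unknown-policy"; return 2; }
    bits=$(dh_bits)
    if [ -z "$bits" ]; then
        echo "no-dhe"
    elif [ "$bits" -lt "$min" ]; then
        echo "reject:$bits<$min"     # client aborts with "dh key too small"
    else
        echo "accept:$bits>=$min"
    fi
}

# Show how the same remote key fares under each policy.
for p in LEGACY DEFAULT FUTURE; do
    printf '%s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE" | verdict "$p")"
done
```

To check a live host, pipe real s_client output into verdict together with the name printed by update-crypto-policies --show.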






Re: [qmailtoaster] dh key too small

2020-12-17 Thread Eric Broch
# openssl s_client -crlf -connect e4.echonyc.com:25 -starttls smtp -cert /var/qmail/control/servercert.pem |grep DH

depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = echonyc.com
verify return:1
250 DSN
jECbYvbeKEYxcQPMDHortQ4ehEWnJJ5fnUb5qNSCQSACgRRp0g5vLhyU5wcCkHml
Server Temp Key: DH, 1024 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Cipher    : DHE-RSA-AES256-GCM-SHA384
quit

On 12/17/2020 2:07 AM, xaf wrote:

openssl s_client -connect e4.echonyc.com:993 -cipher "DH"





Re: [qmailtoaster] dh key too small

2020-12-17 Thread xaf
Angus McIntyre wrote on 16/12/2020 at 21:10:
> 2048 bits ought to be enough, I would think. Most of the references to 
> this problem that I was able to find suggested that it kicked in at 768 
> bits and smaller. So maybe it's the remote server.
>
> The remote is e4.echonyc.com (108.60.149.50).

openssl s_client -connect e4.echonyc.com:993 -cipher "DH" | grep "Server Temp Key"
Server Temp Key: DH, 1024 bits

what gives
update-crypto-policies --show
should show LEGACY

if not
update-crypto-policies --set LEGACY
and reboot

xaf






Re: [qmailtoaster] dh key too small

2020-12-16 Thread Eric Broch

you can turn off encryption to that host

On 12/16/2020 1:10 PM, Angus McIntyre wrote:
2048 bits ought to be enough, I would think. Most of the references to 
this problem that I was able to find suggested that it kicked in at 
768 bits and smaller. So maybe it's the remote server.


The remote is e4.echonyc.com (108.60.149.50).

Where's the Diffie-Hellman key used by qmail stored on a 
CentOS/qmailtoaster server?


Thanks,

Angus



Eric Broch wrote on 12/16/20 2:48 PM:

hmmm Ours is 2048 bits.

What's the remote server?

On 12/16/2020 11:27 AM, Angus McIntyre wrote:

CentOS 8 and Qmail Toaster Ver. 1.03-3.3.1.qt.el8.

Angus



Eric Broch wrote on 12/14/20 11:50 PM:

What QMT/CentOS versions?


On 12/14/2020 6:53 PM, Angus McIntyre wrote:
My new toaster delivers mail just fine to almost all hosts. 
However, with one destination host I get the error:


  TLS connect failed: error:141A318A:SSL routines:tls_process_ske_dhe:
  dh key too small; connected to x.x.x.x
  I'm not going to try again ...

The question is, which host has the undersized Diffie-Hellman key? 
Is it my server, or the remote host?


If it's my server, how do I generate a larger DH key for qmail to use? 



If it's the other server, how do I tell qmail to accept a lower level
of security or no encryption at all for this particular destination?


Thanks for any advice,

Angus





Re: [qmailtoaster] dh key too small

2020-12-16 Thread Eric Broch

/var/qmail/control/dh2048.pem

On 12/16/2020 1:10 PM, Angus McIntyre wrote:
2048 bits ought to be enough, I would think. Most of the references to 
this problem that I was able to find suggested that it kicked in at 
768 bits and smaller. So maybe it's the remote server.


The remote is e4.echonyc.com (108.60.149.50).

Where's the Diffie-Hellman key used by qmail stored on a 
CentOS/qmailtoaster server?


Thanks,

Angus



Eric Broch wrote on 12/16/20 2:48 PM:

hmmm Ours is 2048 bits.

What's the remote server?

On 12/16/2020 11:27 AM, Angus McIntyre wrote:

CentOS 8 and Qmail Toaster Ver. 1.03-3.3.1.qt.el8.

Angus



Eric Broch wrote on 12/14/20 11:50 PM:

What QMT/CentOS versions?


On 12/14/2020 6:53 PM, Angus McIntyre wrote:
My new toaster delivers mail just fine to almost all hosts. 
However, with one destination host I get the error:


  TLS connect failed: error:141A318A:SSL routines:tls_process_ske_dhe:
  dh key too small; connected to x.x.x.x
  I'm not going to try again ...

The question is, which host has the undersized Diffie-Hellman key? 
Is it my server, or the remote host?


If it's my server, how do I generate a larger DH key for qmail to use? 



If it's the other server, how do I tell qmail to accept a lower level
of security or no encryption at all for this particular destination?


Thanks for any advice,

Angus





Re: [qmailtoaster] dh key too small

2020-12-16 Thread Angus McIntyre
2048 bits ought to be enough, I would think. Most of the references to 
this problem that I was able to find suggested that it kicked in at 768 
bits and smaller. So maybe it's the remote server.


The remote is e4.echonyc.com (108.60.149.50).

Where's the Diffie-Hellman key used by qmail stored on a 
CentOS/qmailtoaster server?


Thanks,

Angus



Eric Broch wrote on 12/16/20 2:48 PM:

hmmm Ours is 2048 bits.

What's the remote server?

On 12/16/2020 11:27 AM, Angus McIntyre wrote:

CentOS 8 and Qmail Toaster Ver. 1.03-3.3.1.qt.el8.

Angus



Eric Broch wrote on 12/14/20 11:50 PM:

What QMT/CentOS versions?


On 12/14/2020 6:53 PM, Angus McIntyre wrote:
My new toaster delivers mail just fine to almost all hosts. 
However, with one destination host I get the error:


  TLS connect failed: error:141A318A:SSL routines:tls_process_ske_dhe:
  dh key too small; connected to x.x.x.x
  I'm not going to try again ...

The question is, which host has the undersized Diffie-Hellman key? 
Is it my server, or the remote host?


If it's my server, how do I generate a larger DH key for qmail to use?

If it's the other server, how do I tell qmail to accept a lower level
of security or no encryption at all for this particular destination?


Thanks for any advice,

Angus






--
https://raingod.com/




Re: [qmailtoaster] dh key too small

2020-12-16 Thread Eric Broch

hmmm Ours is 2048 bits.

What's the remote server?

On 12/16/2020 11:27 AM, Angus McIntyre wrote:

CentOS 8 and Qmail Toaster Ver. 1.03-3.3.1.qt.el8.

Angus



Eric Broch wrote on 12/14/20 11:50 PM:

What QMT/CentOS versions?


On 12/14/2020 6:53 PM, Angus McIntyre wrote:
My new toaster delivers mail just fine to almost all hosts. However, 
with one destination host I get the error:


  TLS connect failed: error:141A318A:SSL routines:tls_process_ske_dhe:
  dh key too small; connected to x.x.x.x
  I'm not going to try again ...

The question is, which host has the undersized Diffie-Hellman key? 
Is it my server, or the remote host?


If it's my server, how do I generate a larger DH key for qmail to use?

If it's the other server, how do I tell qmail to accept a lower level
of security or no encryption at all for this particular destination?


Thanks for any advice,

Angus





Re: [qmailtoaster] dh key too small

2020-12-16 Thread Angus McIntyre

CentOS 8 and Qmail Toaster Ver. 1.03-3.3.1.qt.el8.

Angus



Eric Broch wrote on 12/14/20 11:50 PM:

What QMT/CentOS versions?


On 12/14/2020 6:53 PM, Angus McIntyre wrote:
My new toaster delivers mail just fine to almost all hosts. However, 
with one destination host I get the error:


  TLS connect failed: error:141A318A:SSL routines:tls_process_ske_dhe:
  dh key too small; connected to x.x.x.x
  I'm not going to try again ...

The question is, which host has the undersized Diffie-Hellman key? Is 
it my server, or the remote host?


If it's my server, how do I generate a larger DH key for qmail to use?

If it's the other server, how do I tell qmail to accept a lower level 
of security or no encryption at all for this particular destination?


Thanks for any advice,

Angus






--
https://raingod.com/




Re: [qmailtoaster] dh key too small

2020-12-14 Thread Eric Broch

What QMT/CentOS versions?


On 12/14/2020 6:53 PM, Angus McIntyre wrote:
My new toaster delivers mail just fine to almost all hosts. However, 
with one destination host I get the error:


  TLS connect failed: error:141A318A:SSL routines:tls_process_ske_dhe:
  dh key too small; connected to x.x.x.x
  I'm not going to try again ...

The question is, which host has the undersized Diffie-Hellman key? Is 
it my server, or the remote host?


If it's my server, how do I generate a larger DH key for qmail to use?

If it's the other server, how do I tell qmail to accept a lower level 
of security or no encryption at all for this particular destination?


Thanks for any advice,

Angus

