Great guide! I was also not a fan of downgrading OpenSSL especially with the last upgrades required.
It seems this is a remote issue then where mail servers have Diffie-Hellman keys in a smaller size than required by newer OpenSSL versions. It may be a good idea to notify those domains with a quick mail to postmaster at least. Upgrading those keys isn't hard and takes seconds.

Thanks for the workaround! I am sure others will find it useful!

Sent from my iPhone

> On 30 Jul 2015, at 08:00, Linux <[email protected]> wrote:
>
> Thanks guys, I supposed that one option was to return to my old version of openssl but this contains some security problems, the solution I found was to share them if they occur:
>
> To resolve the issue I made an exception ssl check for these remote hosts.
>
> I leave the steps in case help someone:
>
> mkdir /var/qmail/control/notlshosts
> touch /var/qmail/control/notlshosts/domain.com
> (If you do not know the mx record of the domain you can use: "dig mx domain.com")
>
> touch /var/qmail/control/notlshosts/mail.domain.com
>
> qmailctl restart
>
> Done! --> @4000000055943b8f3a664b64 delivery 1: success: IP_accepted_message./Remote_host_said:_250_2.0.0_t61JC5iW004986_Message_accepted_for_delivery/
>
> Best regards,
>
> Paul
>
> 2015-07-25 1:31 GMT-03:00 Nicholas Chua <[email protected]>:
>> Hi,
>>
>> Try
>>
>> yum downgrade openssl-devel openssl
>>
>> You might need to downgrade a second time which will allow this issue to solve
>>
>> Regards
>> nic
>>
>> From: [email protected]
>> Date: Tue, 21 Jul 2015 17:58:17 -0300
>> To: [email protected]
>> Subject: [qmailtoaster] error sending : SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
>>
>> Hello friends, I have QmailToaster + centos 5.9 and sending emails I've been getting some failure notice:
>>
>> --------------------------------------------------------------
>> [email protected]" <[email protected]> wrote:
>>
>> Hi. This is the qmail-send program at dominio.com
>> I'm afraid I wasn't able to deliver your message to the following addresses.
>> This is a permanent error; I've given up. Sorry it didn't work out.
>>
>> <[email protected]>:
>> TLS connect failed: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small; connected to 191.8.4.132.
>> I'm not going to try again; this message has been in the queue too long.
>> -------------------------------
>>
>> anyone knows of that is?
>>
>> Best regards,
>>
>> Paul
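
An added example, not part of the thread: a script that re-checks each host exempted under `notlshosts`, so an exemption (which sends mail to that host without TLS) can be removed once the remote side upgrades its DH parameters. It assumes an `openssl s_client` that prints the `Server Temp Key` line (OpenSSL 1.0.2 or later); the 1024-bit default and the probe hook of `audit_notlshosts` are assumptions of this example, not qmail or QmailToaster features.

```shell
#!/bin/sh
# Added example (not from the thread): re-check hosts exempted via notlshosts.

# Classify `openssl s_client` output (stdout+stderr) read from stdin.
# $1 = minimum acceptable DH size in bits (assumed default: 1024).
classify_handshake() {
    min=${1:-1024}
    out=$(cat)
    case $out in
        # The local OpenSSL refused the server's DH parameters (the error in this thread).
        *"dh key too small"*) echo "rejected"; return 0 ;;
    esac
    bits=$(printf '%s\n' "$out" |
        sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    if [ -z "$bits" ]; then
        echo "unknown"   # no DHE key seen: ECDHE/RSA, no STARTTLS, or connect failure
    elif [ "$bits" -lt "$min" ]; then
        echo "weak:$bits"
    else
        echo "ok:$bits"
    fi
}

# Live probe of one host on port 25, offering DHE suites only (needs network).
probe_mx() {
    openssl s_client -starttls smtp -connect "$1:25" -cipher EDH </dev/null 2>&1
}

# Print "<host> <status>" for every entry in the exemption directory.
# $1 = directory, $2 = probe function (hypothetical hook so the walk can run offline).
audit_notlshosts() {
    dir=${1:-/var/qmail/control/notlshosts}
    probe=${2:-probe_mx}
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        host=${f##*/}
        echo "$host $("$probe" "$host" | classify_handshake)"
    done
}

# Constructed samples of s_client output, for an offline demonstration.
SAMPLE_OK='Server Temp Key: DH, 2048 bits'
SAMPLE_REJECTED='error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small'
printf '%s\n' "$SAMPLE_OK" | classify_handshake
printf '%s\n' "$SAMPLE_REJECTED" | classify_handshake
```

Entries reported as `ok:<bits>` no longer need their file in `notlshosts`; `rejected` and `weak:<bits>` entries are the ones worth a note to the remote postmaster.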
