I'm not sure it is related to the recent OpenSSL upgrades, but yesterday
outgoing mail was suddenly all stuck with the error message:
Jun 19 16:02:30 ritchie sendmail[6381]: STARTTLS=client: 6381:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3449:
Jun 19 16:02:30 ritchie sendmail[6381]: ruleset=tls_server, arg1=SOFTWARE, relay=postbox.idefix.net, reject=403 4.7.0 TLS handshake.
I couldn't find a definitive reason, but I did notice these in the logs of
sendmail on the home server:
Jun 19 20:59:27 greenblatt sendmail[4747]: STARTTLS=client: 4747:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3338:
Jun 19 23:09:24 greenblatt sm-mta[20569]: STARTTLS=server, error: cannot read DH parameters(/etc/mail/tls/sendmail-common.prm): error:0906D06C:PEM routines:PEM_read_bio:no start line
I did notice that /etc/mail/tls/sendmail-common.prm was 0 bytes in size
on the server, which could be a source of the problem. This is the
Diffie-Hellman parameter file used by the submission client. I
regenerated this file as a 2048-bit Diffie-Hellman dhparam file. Mail
is flowing again, but I'm not sure this was the cause of the problem.
The first errors were from:
Jun 15 13:00:52 greenblatt sendmail[26472]: STARTTLS=client: 26472:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3338:
Jun 15 13:00:52 greenblatt sendmail[26472]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
And that was right after an OpenSSL update. Why it took until 19 June for the
mail flow to stop completely is strange to me.
Update:
The only thing I can think of is that sendmail wasn't restarted after OpenSSL
was updated. I checked the same update today on another system, and the update
of OpenSSL does not set triggers to restart SSL-using daemons.