1300 367 823

Network Presence Blog

TLS/SSL config updates to Sendmail for recent OpenSSL versions

Recent SSL updates to the OpenSSL package have removed old DH parameters which are built into Sendmail mail server software, so the following are configuration updates to Sendmail (sendmail.cf) to enable the use of a longer DH Parameter to TLS/SSL activity of Sendmail.

First, create a longer DH Parameter file with:

openssl dhparam -out /etc/pki/tls/certs/dhparams.pem 1024

Then configure the use of this dhparams.pem file into sendmail.cf with the following added to the ‘Options’ section of your sendmail.cf file:

O DHParameters=/etc/pki/tls/certs/dhparams.pem

And then restart sendmail after making that sendmail.cf update.

This should remove TLS/SSL based email sending errors, which have maillog entries like:

STARTTLS=server: 1867:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter:s3_pkt.c:1092:SSL alert number 47