• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk + Postfix = Mail Problems on MAC with Update 10.10.4

futureweb

futureweb

Regular Pleskian
Hey there,

it seems that Apple tightened their Security requirements for Mail-Servers (and other SSL/TLS Services).
iOS 8.4 and OS X v10.10.4 provide increased security against the "Logjam" vulnerability - server administrators must use a group size of 2048 bits or greater when using Diffie-Hellman key exchange (https://support.apple.com/en-us/HT204932)
So since 10.10.4 Update Mac Users can't send E-Mail over TLS/SSL SMTP Outbound on our Plesk Servers anymore ...

I was able to fix Sendmail Servers - so MAC Users can again send outbound E-Mail ... but had no luck with Plesk + Postfix yet! :-/

How to solve it with Sendmail:

Code: 
Create 2048 Bit DH Param File:
     openssl gendh -out dh_2048.pem -2 2048

Add this File within Configuration:
     vi /etc/mail/sendmail.mc
          dnl # Added to resolve issues with Mac Mail
          define(`confDH_PARAMETERS',`/etc/mail/certs/dh_2048.pem')

     make -C /etc/mail

     service sendmail restart
Info found here: https://discussions.apple.com/thread/7104500?start=60&tstart=0

For Postfix I tried it with

Code: 
     vi /etc/postfix/main.cf
          smtpd_tls_dh1024_param_file = ${config_directory}/dh_2048.pem
          smtpd_tls_dh512_param_file = ${config_directory}/dh_512.pem
          smtpd_tls_eecdh_grade = strong
          tls_preempt_cipherlist = yes

But did not help ... Mac Users still can't send out Mails ... :-/
Maybe someone here knows a solution?

Thank you, bye from Austria
Andreas Schnederle-Wagner
 
Last edited:
As far as I was able to find out - it's Version independent ....
Our Plesk Servers are Centos/RHEL 6.6 with 12.0.18 Update #55
 
Well ... KB125741 killed proFTPd on all of my Plesk Servers ...

Jul 22 10:14:53 kdnx xinetd[15911]: START: ftp pid=16118 from=::ffff:000.000.00.00
Jul 22 10:14:53 kdnx proftpd[16118]: processing configuration directory '/etc/proftpd.d'
Jul 22 10:14:53 kdnx proftpd[16118]: fatal: TLSDHParamFile: '=' does not exist on line 4 of '/etc/proftpd.d/60-nosslv3.conf'
Jul 22 10:14:53 kdnx xinetd[15911]: EXIT: ftp status=1 pid=16118 duration=0(sec)

in /etc/proftpd.d/60-nosslv3.conf Line 4: TLSDHParamFile = /usr/local/psa/etc/dhkey.pem
but correct is: TLSDHParamFile /usr/local/psa/etc/dhkey.pem

No FTP connection to Server possible until this Config Line is changed ...
 
also Courier is broken after Patch ... you need to change:
TLS_DHPARAMS= /usr/local/psa/etc/dhkey.pem to
TLS_DHPARAMS=/usr/local/psa/etc/dhkey.pem
otherwise you get Error: /etc/courier-imap/imapd-ssl: line 237: /usr/local/psa/etc/dhkey.pem: Permission denied and TLS Connections no longer work ...

Even if you say this Patch is not well tested ... that much Bugs in an official released Bugfix is ... well ... embarrassing

Andreas
 
You must log in or register to reply here.

Similar threads

D
Resolved Problem with Plesk and Mailrelay, Mails gone
Replies
1
Views
2K
daanse
D
Back
Top