Qmail fails due to dh key length

[deltatech]

I have been seeing these in my log and received complaints from customers not able to get their mail out. These messages just stay in the queue and go no where.

Can anyone post what they are successfully using as a tlsserverciphers and tlsclientciphers? Maybe it the dh key being too small. How can this be fixed on Qmail?


qmail: 1436646171.830486 delivery 6: deferral: TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_to_170.49.86.238.

 

[IgorG]

https://talk.plesk.com/threads/plesk-12-odin-script-to-disable-sslv3-problems.333574/

 

[deltatech]

https://talk.plesk.com/threads/plesk-12-odin-script-to-disable-sslv3-problems.333574/

I have already read that thread. It didn't help. We are able to do TLS just fine with most servers but there are some that gives that error about dh_key_too_small.

So it seems that TLS is working mostly but not for servers that require a 2048 bit dh key. Is there a way to have qmail use a 2048 bit dhparms key? If not, is there a patch coming soon? I am wondering if we need to move to postfix to fix this.