====== DH Key too small ======

After updating to FreeBSD 10.1-p12, SSL in sendmail stops working. Sample log:

<code>
Jun 15 16:19:36 host sendmail[13157]: t5FEJa3J013157: from=user, size=49, class=0, nrcpts=1, msgid=<201506151419.t5FEJa3J013157@host.domain.pl>, relay=root@localhost
Jun 15 16:19:36 host sendmail[13157]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jun 15 16:19:36 host sm-mta[13158]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
Jun 15 16:19:36 host sendmail[13157]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
Jun 15 16:19:36 host sm-mta[13158]: t5FEJakl013158: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
Jun 15 16:19:36 host sendmail[13157]: t5FEJa3J013157: to=recipent@domain.com.pl, ctladdr=user (10002/10002), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
</code>

The cause is here:

<code>
Jun 15 16:19:36 host sendmail[13157]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
</code>

To fix this, generate a new DH key with a length of 1024 bits or more:

<code>
cd /etc/mail/certs
openssl dhparam -out dh.param 4096
cd /etc/mail && make restart
</code>

Source: [[https://forums.freebsd.org/threads/sendmail-dh-key-too-small.51985/|FreeBSD Forums]]
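
Log triage for the failure described above, as an added example (not part of the original page or the forum thread): it lists the messages deferred by a process that logged ''reason=dh key too small'' and counts STARTTLS failure reasons per side. The function names and the sample log lines are constructed for illustration, and the syslog layout is assumed to match the log above.

```shell
#!/bin/sh
# Added example. The log lines below are constructed, modelled on the log above.
sample_log() {
cat <<'EOF'
Jun 15 16:19:36 host sendmail[13157]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jun 15 16:19:36 host sm-mta[13158]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
Jun 15 16:19:36 host sendmail[13157]: t5FEJa3J013157: to=someone@example.org, ctladdr=user (10002/10002), delay=00:00:00, mailer=relay, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
Jun 15 16:20:01 host sendmail[13200]: t5FEK1aa013200: to=other@example.org, delay=00:00:01, mailer=relay, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok)
EOF
}

# Print "process[pid] queue-id recipient" for every message deferred by a
# process that earlier logged a STARTTLS error with reason=dh key too small.
dh_deferred() {
  awk '
    # Assumed syslog layout: field 5 is "prog[pid]:", field 6 is "queue-id:".
    { proc = $5; sub(/:$/, "", proc) }
    /STARTTLS=(client|server), error:/ && /reason=dh key too small/ {
      bad[proc] = 1; next
    }
    (proc in bad) && /stat=Deferred/ {
      qid = $6; sub(/:$/, "", qid)
      rcpt = ""
      if (match($0, /to=[^,]+/)) rcpt = substr($0, RSTART + 3, RLENGTH - 3)
      print proc, qid, rcpt
    }' "$@"
}

# Count STARTTLS failures per side and reason. In the log above the server
# side reports only a handshake-failure alert; the client side names the cause.
starttls_reasons() {
  awk '
    match($0, /STARTTLS=(client|server), error:/) {
      role = substr($0, RSTART + 9, 6)      # "client" or "server"
      if (match($0, /reason=[^,]+/))
        n[role " " substr($0, RSTART + 7, RLENGTH - 7)]++
    }
    END { for (k in n) print n[k], k }' "$@" | sort
}

sample_log | dh_deferred
sample_log | starttls_reasons
```

Both functions also accept log file names as arguments instead of standard input.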