After updating to FreeBSD 10.1-p12, SSL in sendmail stops working. Sample log:
Jun 15 16:19:36 host sendmail[13157]: t5FEJa3J013157: from=user, size=49, class=0, nrcpts=1, msgid=<201506151419.t5FEJa3J013157@host.domain.pl>, relay=root@localhost
Jun 15 16:19:36 host sendmail[13157]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jun 15 16:19:36 host sm-mta[13158]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
Jun 15 16:19:36 host sendmail[13157]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
Jun 15 16:19:36 host sm-mta[13158]: t5FEJakl013158: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
Jun 15 16:19:36 host sendmail[13157]: t5FEJa3J013157: to=recipent@domain.com.pl, ctladdr=user (10002/10002), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
The cause is here:
Jun 15 16:19:36 host sendmail[13157]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
To fix this, generate a new DH key with a length of 1024 bits or more:
cd /etc/mail/certs
openssl dhparam -out dh.param 4096
cd /etc/mail && make restart
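To see how often this failure occurs, and to confirm it stops after the restart, the following added example (not part of the original post) tallies STARTTLS errors by role and reason. The function names are hypothetical and the sample lines are constructed from the log format shown above.

```shell
#!/bin/sh
# Added example: summarise sendmail STARTTLS handshake failures from syslog lines.

# Constructed sample input, modelled on the log excerpt in this post.
sample_log() {
cat <<'EOF'
Jun 15 16:19:36 host sendmail[13157]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jun 15 16:19:36 host sm-mta[13158]: STARTTLS=server, error: accept failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1, relay=localhost [127.0.0.1]
Jun 15 16:19:36 host sendmail[13157]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
Jun 15 16:20:02 host sendmail[13201]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
EOF
}

# Reads log lines on stdin; prints "count|role|reason" for each distinct
# STARTTLS failure, most frequent first.
starttls_failures() {
  awk '
    /STARTTLS=(client|server), error:/ {
      # role is the value right after STARTTLS= (client or server)
      role = $0; sub(/.*STARTTLS=/, "", role); sub(/,.*/, "", role)
      # reason is the OpenSSL error text, up to the next comma
      reason = "unknown"
      if (match($0, /reason=[^,]*/)) reason = substr($0, RSTART + 7, RLENGTH - 7)
      n[role "|" reason]++
    }
    END { for (k in n) print n[k] "|" k }
  ' | sort -t"|" -k1,1nr -k2
}

# Exit status 0 if any client-side handshake was refused because the
# peer offered a DH group that the client considers too small.
has_weak_dh() {
  starttls_failures | grep -q '|client|dh key too small$'
}

sample_log | starttls_failures
```

On a live system, feed it the mail log instead, for example `starttls_failures < /var/log/maillog` (the FreeBSD default path, assumed here).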
Source: FreeBSD Forums