HOWTO : Fix sendmail "stat=Deferred: 403 4.7.0 TLS handshake failed."

dummy@example.com (kaiyel) — Sat, 01 Apr 2023 17:13:14 +0000

My Devuan Chimaera sendmail sm-mta installation was having issues performing an email hand-off to a small subset of email systems. The rejection message logged in /var/log/mail.log is "403 4.7.0 TLS handshake failed." which pointed me in the direction of a TLS error. So I tested the cipher negotiation with the target email system using :

openssl s_client -starttls smtp -connect TARGET.SYSTEM.HOSTNAME:25

Among the negotiation details I found the commentary :

140148764513600:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2157:

This indicates the Diffie-Hellman key on the target system is too short and therefore potentially susceptible to Logjam attacks. The default openssl security level on my Chimaera install is set to level 2 ... which will not negotiate with such systems.

For the administrators I know, I can encourage them to raise their bar and fix that weakness. But the rest of the Internet has no reason to listen to me, and my people still need to email their people. :-(

The only "fix" (if it can be called that) I know to provide is to lower the default security level in openssl on my system to enable it to communicate with theirs by dropping the SECLEVEL in /etc/ssl/openssl.cnf to "1" :

diff /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.orig
362c362
< CipherString = DEFAULT@SECLEVEL=1
---
> CipherString = DEFAULT@SECLEVEL=2

If you know of a better way to resolve this, please chime in. Otherwise, hope this helps someone else,
--K

[EDIT :%s/courier/sendmail/g ]

Dev1 Galaxy Forum / HOWTO : Fix sendmail "stat=Deferred: 403 4.7.0 TLS handshake failed."

HOWTO : Fix sendmail "stat=Deferred: 403 4.7.0 TLS handshake failed."