
Re: [msmtp-users] Diffie Hellman prime sent by the server is not acceptable

On Thu, 08. Nov 2007, 11:44:42 -0600, Ryan C. Underwood wrote:
> As a preface, is there a way to configure msmtp to bounce emails that
> have failed transmission?  Right now I have to resort to checking the
> logfile if it seems an outgoing mail has vanished.  I use msmtp with
> Mutt (version 1.5.16)

No, msmtp implements the sendmail command-line interface. It can only
signal failure by returning an error code. In the default configuration,
Mutt does not put msmtp in the background, so you get an immediate
failure notice.

> So, on to the main question, what is the meaning of this error message I
> suddenly began to receive one day?
> 
> Oct 26 12:10:23 host=smtp.umr.edu tls=on auth=on user=xxx
> from=xxx@...129... recipients=xxy@...129... errormsg='TLS handshake
> failed: The Diffie Hellman prime sent by the server is not acceptable
> (not long enough).' exitcode=EX_PROTOCOL

You upgraded your GnuTLS library recently, right?
Newer GnuTLS versions check more strictly for secure TLS session
parameters than older versions, or OpenSSL.

See also this Debian bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440344

In short, you have these options:
- Downgrade to an older GnuTLS version (not recommended)
- Use OpenSSL instead of GnuTLS (not recommended)
- Ask the SMTP server admins to use more secure settings
  (recommended if the admins will listen to you)
- Apply the one-line patch mentioned in the Debian bug report to msmtp.
  This will relax the default GnuTLS security settings
  (recommended if fixing the server is not an option)

Future msmtp versions will most likely *not* override the GnuTLS default
settings.  The GnuTLS people probably have very good reasons for the
stricter checks.  In addition, if one day some session parameters are
considered insecure that are considered ok today, then a simple GnuTLS
update will fix all applications that don't mess with the settings
themselves.

Martin
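Since msmtp can only report failure through its exit code and its logfile, a small scanner over that logfile is one way to stop failed deliveries from vanishing unnoticed. The following is an added example, not code from msmtp or from this thread; it parses msmtp's key=value log format (the quoted errormsg/smtpmsg values may contain spaces) over a constructed two-line sample, reports every attempt whose exitcode is not EX_OK, and flags the TLS handshake failures such as the one quoted above. Host names and addresses in the sample are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample of msmtp's logfile format, one line per delivery attempt.
# Line 1 is a successful delivery; line 2 mirrors the failure from this thread.
SAMPLE_LOG = """\
Oct 26 09:01:12 host=smtp.example.org tls=on auth=on user=xxx from=xxx@example.org recipients=bob@example.net mailsize=2048 smtpstatus=250 smtpmsg='250 2.0.0 Ok: queued as 1234' exitcode=EX_OK
Oct 26 12:10:23 host=smtp.umr.edu tls=on auth=on user=xxx from=xxx@example.org recipients=xxy@example.org errormsg='TLS handshake failed: The Diffie Hellman prime sent by the server is not acceptable (not long enough).' exitcode=EX_PROTOCOL
"""

# Leading "Mon DD HH:MM:SS" timestamp, then key=value tokens whose value is
# either single-quoted (may contain spaces) or a bare run of non-blanks.
_TIMESTAMP = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) ")
_TOKEN = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")


def parse_msmtp_line(line: str) -> Dict[str, str]:
    """Split one msmtp log line into a dict; the date goes under 'timestamp'."""
    m = _TIMESTAMP.match(line)
    if not m:
        raise ValueError(f"not an msmtp log line: {line!r}")
    fields = {"timestamp": m.group(1)}
    for key, quoted, bare in _TOKEN.findall(line[m.end():]):
        fields[key] = quoted if quoted else bare
    return fields


def is_tls_failure(record: Dict[str, str]) -> bool:
    """True when msmtp gave up during the TLS handshake (e.g. rejected DH prime)."""
    return record.get("errormsg", "").startswith("TLS handshake failed")


def failed_deliveries(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed record of every attempt that did not end with EX_OK."""
    failures = []
    for line in log_text.splitlines():
        if line.strip():
            record = parse_msmtp_line(line)
            if record.get("exitcode") != "EX_OK":
                failures.append(record)
    return failures


if __name__ == "__main__":
    # Typical use: feed the real logfile in here from a cron job or a mail hook.
    for rec in failed_deliveries(SAMPLE_LOG):
        kind = "TLS handshake" if is_tls_failure(rec) else "delivery"
        print(f"{rec['timestamp']} {kind} failure to {rec.get('recipients')} "
              f"via {rec['host']}: {rec.get('errormsg', rec['exitcode'])}")
```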