From owner-freebsd-stable@FreeBSD.ORG  Thu Jun 18 15:26:18 2015
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 6E027F4F
 for <freebsd-stable@hub.freebsd.org>; Thu, 18 Jun 2015 15:26:18 +0000 (UTC)
 (envelope-from mike@sentex.net)
Received: from smarthost1.sentex.ca (smarthost1.sentex.ca
 [IPv6:2607:f3e0:0:1::12])
 (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
 (Client CN "smarthost.sentex.ca", Issuer "smarthost.sentex.ca" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 36D2BEE7
 for <freebsd-stable@freebsd.org>; Thu, 18 Jun 2015 15:26:18 +0000 (UTC)
 (envelope-from mike@sentex.net)
Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca
 [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a])
 by smarthost1.sentex.ca (8.14.9/8.14.9) with ESMTP id t5IFQHQp037585
 for <freebsd-stable@freebsd.org>; Thu, 18 Jun 2015 11:26:18 -0400 (EDT)
 (envelope-from mike@sentex.net)
Message-ID: <5582E31B.1050705@sentex.net>
Date: Thu, 18 Jun 2015 11:26:19 -0400
From: Mike Tancsa <mike@sentex.net>
Organization: Sentex Communications
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
 rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: freebsd-stable@freebsd.org
Subject: Re: sendmail: TLS interop
References: <CAAoTqft7wRi9Ov_oiCk64HwbT+rXn-AvkOd-+VeFhq_s8bE7NA@mail.gmail.com>
 <CAAoTqfvchXndzgCRDyJXCz+UOi93w1v-vvKvoLMgPLk6cHh4Dw@mail.gmail.com>
 <5582C749.9060801@sentex.net> <20150618144326.GA29275@x2.esmtp.org>
In-Reply-To: <20150618144326.GA29275@x2.esmtp.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.75
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2015 15:26:18 -0000

On 6/18/2015 10:43 AM, Claus Assmann wrote:
> On Thu, Jun 18, 2015, Mike Tancsa wrote:
> 
>> But we also have been seeing the odd site that cannot accept mail now
>> with opportunistic encryption, so we had to disable TLS for them :(
> 
> Do you have a list of those?
> Are those sites having problems with larger DH primes?

Actually, Looking at the error message, I guess its on our end.

STARTTLS=client, error: connect failed=-1, reason=dh key too small,
SSL_error=1, errno=0, retry=-1

I added
define(`confDH_PARAMETERS', `2')
to this particular server

	---Mike






-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/