SMTP configuration CentOS8 -> dh key too small

Steps to reproduce

  1. configured email server settings on CentOS7 / Owncloud 10.5.0.10
  2. configured email server settings on CentOS8 / Owncloud 10.5.0.10
  3. same configuration (Redis, http, certificate, …)

Expected behaviour

no error message and delivered mail

Actual behaviour

When pressing “send email” I get the following error on CentOS8 (host changed):

A problem occurred while sending the email. Please revise your settings. (Error: Connection could not be established with host smtpauths.masked.ch :stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small)

Server configuration

Operating system:

uname -a
Linux homeserver 4.18.0-193.28.1.el8_2.x86_64 #1 SMP Thu Oct 22 00:20:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Web server:

httpd -v
Server version: Apache/2.4.37 (centos)
Server built:   Sep 15 2020 15:41:16

Database:

MariaDB [(none)]> SELECT VERSION();
+-----------------+
| VERSION()       |
+-----------------+
| 10.3.17-MariaDB |
+-----------------+

PHP version:

php -v
PHP 7.2.24 (cli) (built: Oct 22 2019 08:28:36) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.24, Copyright (c) 1999-2018, by Zend Technologies

ownCloud version:
10.0.1.5 (on both servers -> CentOS7 / CentOS8)

Updated from an older ownCloud or fresh install:
CentOS7 updated from “no idea”
CentOS8 fresh install

Where did you install ownCloud from:
dnf install …

Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
No errors have been found.

The content of config/config.php:

  'mail_domain' => 'xxx.xxx',
  'mail_from_address' => 'xxx.xxx',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtpauths.xxxxx.xx',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'xxxxxx',
  'mail_smtppassword' => 'xxxxxx',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpauthtype' => 'PLAIN',

List of activated apps:

only install default

Are you using external storage, if yes which one: local/smb/sftp/…
NO

Are you using encryption: yes/no
NO

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
NO

Client configuration

Browser: Safari & Chrome

Operating system: MacOS

ownCloud log (data/owncloud.log)

no entries

I found a way, but I guess it should not be the preferred one.

update-crypto-policies --set LEGACY

The difference I have on the two servers is the php version.
CentOS7: 7.2.34
CentOS8: 7.2.24

Or is this an issue of the mail provider?

Would be nice if someone has an idea and can explain this further.

Thanks

Yes, I do think that this is an issue with the mail provider. Btw, you didn’t censor the hostname in the red error message of the screenshot.

If I try connecting with my mail servers on the SMTPS port with openssl s_client -security_debug -connect hostname:port I receive as a final message 220 hostname ESMTP Postfix (Debian/GNU) in a shell and I could essentially play email client on the command line.

If I try the same with your mail server I get the same error message you got and the connection fails:

Security callback: Temp DH key bits=, security bits=80: no
139848412427584:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2149:

So I would recommend to get in touch with your provider.

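A small triage helper for the check described in the reply above, added here as an example and not part of the original posts: it reads a saved `openssl s_client -security_debug` transcript and reports whether the client's own security callback refused the server's temporary DH key. The function names and the sample transcripts are assumptions, constructed from the lines quoted in the thread ("hostname" is a placeholder).

```shell
#!/bin/sh
# Added example: triage a saved `openssl s_client -security_debug` transcript.
# Function names are hypothetical; the transcripts are constructed from the
# lines quoted in this thread, with "hostname" as a placeholder.

# Print the checks the client's security callback refused, one per line,
# as "<check>: <security bits>". The value after "bits=" may be empty.
rejected_checks() {
    printf '%s\n' "$1" | sed -n \
        's/^Security callback: \(.*\) bits=[0-9]*, security bits=\([0-9][0-9]*\): no$/\1: \2/p'
}

# Classify the transcript: dh-too-small | handshake-ok | other-failure
classify_handshake() {
    if printf '%s\n' "$1" | grep -q 'tls_process_ske_dhe:dh key too small'; then
        echo "dh-too-small"
    elif printf '%s\n' "$1" | grep -q '^220 '; then
        # An SMTP 220 banner only arrives after the TLS handshake succeeded.
        echo "handshake-ok"
    else
        echo "other-failure"
    fi
}

# Constructed sample: handshake refused on the client side.
failed_transcript='Security callback: Temp DH key bits=, security bits=80: no
139848412427584:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2149:'

# Constructed sample: handshake completed and the SMTP banner arrived.
ok_transcript='CONNECTED(00000003)
220 hostname ESMTP Postfix (Debian/GNU)'

# Summarise one transcript for a human reader.
report() {
    verdict=$(classify_handshake "$1")
    echo "verdict: $verdict"
    if [ "$verdict" = "dh-too-small" ]; then
        echo "refused by local policy -> $(rejected_checks "$1")"
    fi
}

report "$failed_transcript"
report "$ok_transcript"
```

A `dh-too-small` verdict means the refusal came from the client's own policy rather than from the network or the credentials, which is why the same settings behave differently on the two hosts.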

Thanks for testing/replying.
Indeed the openssl check works with CentOS7, but not with the default setting in CentOS8, but with the legacy setting …

The good thing, I have another mail provider where the DEFAULT settings work.
So, I will use this one.

Thanks for your help/hint.

Clearly they upped the default security settings in OpenSSL going from CentOS7 to CentOS8 to reflect modern security requirements.
