Article ID: 127301, created on Nov 1, 2015, last review on Jan 15, 2016

  • Applies to:
  • Operations Automation
  • Plesk 12.0 for Linux


Qmail is unable to send mail to a certain domain. Errors like the following appear in /var/log/maillog:

Aug 31 10:22:36 smtp15 sendmail[5616]: STARTTLS=client: 5616:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:2429:


The issue occurs because the destination server uses a Diffie-Hellman key smaller than 768 bits. Recent versions of OpenSSL consider such keys insecure.
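To confirm this cause for a given destination, the following added example (not part of the original article) classifies `openssl s_client` output against the 768-bit limit stated above. The function names, the host name in the usage comment, and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a TLS handshake failed (or would fail)
# because the peer's ephemeral DH key is below the limit from the article.
MIN_DH_BITS=768

# Live probe (needs network; not called below). Forces a DHE cipher suite
# over SMTP STARTTLS. Usage: probe_dh mx.example.com | classify_dh
# (mx.example.com is a hypothetical host name).
probe_dh() {
    openssl s_client -connect "$1:25" -starttls smtp -tls1_2 -cipher 'EDH' \
        </dev/null 2>&1
}

# Read s_client output on stdin and print one of:
#   too-small   the local OpenSSL rejected the peer's DH key
#   weak <n>    handshake completed, but DH size is under MIN_DH_BITS
#   ok <n>      DH size is at or above MIN_DH_BITS
#   no-dh       no finite-field DH key exchange was negotiated (e.g. ECDH)
classify_dh() {
    awk -v min="$MIN_DH_BITS" '
        /dh key too small/ { small = 1 }
        /Server Temp Key: DH,/ {
            # Line format: "Server Temp Key: DH, 1024 bits"
            for (i = 1; i <= NF; i++) if ($i == "bits") bits = $(i - 1)
        }
        END {
            if (small)               print "too-small"
            else if (bits == "")     print "no-dh"
            else if (bits + 0 < min) print "weak " bits
            else                     print "ok " bits
        }'
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_REJECTED='CONNECTED(00000003)
5616:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:2429:'
SAMPLE_WEAK='Server Temp Key: DH, 512 bits'
SAMPLE_OK='Server Temp Key: DH, 2048 bits'
SAMPLE_ECDH='Server Temp Key: ECDH, P-256, 256 bits'

for s in "$SAMPLE_REJECTED" "$SAMPLE_WEAK" "$SAMPLE_OK" "$SAMPLE_ECDH"; do
    printf '%s\n' "$s" | classify_dh
done
```

A `too-small` or `weak` result for the destination is evidence to include when asking its administrators to regenerate their DH parameters.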


Ask the administrators of the destination mail server to update their keys to more secure ones.

If you still want Qmail to continue communicating with insecure mail servers, the following solutions can be used:

IMPORTANT: These solutions decrease server security and should be used only in an emergency. If the solutions are not applicable for security reasons, please contact Odin Technical Support to investigate the issue.

Any one of the following actions will work around the problem:

  • Add the server that bounces mail to the trusted hosts list in Qmail:

    # mkdir /usr/local/qmail/shared/control/notlshosts
    # touch /usr/local/qmail/shared/control/notlshosts/

    Note: Qmail sends messages to such domains without TLS, that is, unencrypted.

  • Downgrade the openssl package.

  • Disable DH key exchange for Qmail outgoing connections to destination mail servers. To disable DH key exchange, execute the following command on the Qmail host:

    # echo "DEFAULT:!DH" > /usr/local/qmail/shared/control/tlsclientciphers

    Note: This solution affects connections to all mail servers and can potentially cause connection problems with some servers.
