sendmail dh key too small

Logjam broke Sendmail?

Generate new DH keys file:

cd /etc/pki/tls/certs
openssl dhparam -out dhparams.pem 2048



Update and restart:

cd /etc/mail
service sendmail restart

Refer to for other service fixes.

md5 and sha1 digest with openssl

md5 digest:

echo -n 'md5 digest of text' | openssl dgst -md5

sha1 digest:

echo -n 'sha1 digest of text' | openssl dgst -sha1

base64 encoding decoding with openssl

Base64 encoding with openssl:

echo -n 'encode this with base64' | openssl enc -base64

Base64 decoding with openssl:

echo 'ZW5jb2RlIHRoaXMgd2l0aCBiYXNlNjQ=' | openssl enc -base64 -d
encode this with base64

Shadow password hash explained

You can programmatically generate shadow password hash via:

$ openssl passwd -1 -salt G5cYam5w test.123

-1 means md5
G5cYam5w is a random salt (minimum 8)
test.123 is the password

Here is the breakdown:

The first $1 means that it is an md5 hash.
The second $G5cYam5w is a random salt.
The third $z0NDUjMRX4xVBKw9Nb6YL0 is the md5 hash.

Checking Ubuntu Servers for openssh and openssl vulnerable keys

  1. Update openssh and openssl packages
    # apt-get update
    # apt-get install openssh openssl
  2. Install openssh-blacklist and openssl-blacklist
    # apt-get install openssh-blacklist openssl-blacklist
  3. Check all ssh compromised keys via:
    # ssh-vulnkeys -a
  4. Check all ssl keys and certificates via:
    # openssl-vulnkeys *.key *.pem

    Note: Plesk specific ssl certs are stored at "/opt/psa/var/certificates/"

Static compile of openssl, apache, mod_ssl and php

As of this writing, the latest versions were:

  • apache_1.3.41
  • php-4.4.8
  • openssl-0.9.8g
  • mod_ssl-2.8.31-1.3.41

Once the files are downloaded and extracted; config, compile and install in the below order:

  1. Install openssl:
    $ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
    $ make
    # make install
  2. mod_ssl patch:
    $ ./configure \
    --with-ssl=../openssl-0.9.8g \
  3. Pre-configure apache:
    $ ./configure
  4. Install php:
    $ ./configure \
    --with-gd \
    --with-jpeg-dir \
    --with-png-dir \
    --with-zlib-dir \
    --with-freetype \
    --with-freetype-dir=/usr/lib \
    --enable-gd-native-ttf \
    --enable-memory-limit \
    --with-ldap \
    --with-mysql \
    $ make
    # make install
  5. Install apache
    $ SSL_BASE=../openssl-0.9.8g \
    ./configure \
    --prefix=/usr/local/apache \
    --enable-module=rewrite \
    --enable-module=so \
    --activate-module=src/modules/php4/libphp4.a \


When starting sendmail, I would get the below messgage:

Oct 18 23:59:01 srv02 sendmail[20857]: alias database /etc/aliases rebuilt by root
Oct 18 23:59:01 srv02 sendmail[20857]: /etc/aliases: 79 aliases, longest 22 bytes, 860 bytes total
Oct 18 23:59:01 srv02 sendmail[20862]: starting daemon (8.13.1): SMTP+queueing@01:00:00
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS: CRLFile missing
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, init=1
Oct 18 23:59:01 srv02 sendmail[20862]: started as: /usr/sbin/sendmail -bd -q1h
Oct 18 23:59:01 srv02 sm-msp-queue[20872]: starting daemon (8.13.1): queueing@01:00:00

Although, sendmail would still run without the CRL File and just complain about it missing. A quick way to include it in the sendmail configuration is to download revoke.crl from, add the below option in and rebuild the sendmail conf file as below.

Download revoke.crl:

# cd /usr/share/ssl/certs
# wget

Add the below line to "/etc/mail/" just below the "confSERVER_KEY":

define(`confCRL', `/usr/share/ssl/certs/revoke.crl')

Rebuild sendmail conf by running make:

# cd /etc/mail
# make

Check with the revoke.crl listed as below:

O CRLFile=/usr/share/ssl/certs/revoke.crl

Now restarting sendmail should not complain about the missing Certificate Revocation List (CRL) File.

Static compile and install of apache + mod_ssl + php on FC4

Latest Compile with pdo drivers for mysql along with mod_security.

Remove the MySQL-shared rpm else openssl will not work.

# rpm -e MySQL-shared-5.0.20a-0.glibc23

Syndicate content