IMAP Error dh key too small

Technical assistance
1
  • Used Zammad version: 3.3
  • Used Zammad installation source: package
  • Operating system: CentOS 8
  • Browser + version: Any

Expected behavior:

  • emails could be received

Actual behavior:

Production Log:

(eval):1:in `_start_job'
/opt/zammad/app/models/scheduler.rb:287:in `eval'
/opt/zammad/app/models/scheduler.rb:287:in `_start_job'
/opt/zammad/app/models/scheduler.rb:239:in `block (2 levels) in start_job'
/opt/zammad/app/models/scheduler.rb:237:in `loop'
/opt/zammad/app/models/scheduler.rb:237:in `block in start_job'
/opt/zammad/vendor/bundle/ruby/2.5.0/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
I, [2020-03-23T03:33:22.862446 #10121-70334931321340]  INFO -- : ended Channel.fetch took: 0.044817488 seconds.
I, [2020-03-23T03:33:31.012675 #10121-47387577075200]  INFO -- : Scheduler running...
I, [2020-03-23T03:33:31.018686 #10121-47387577075200]  INFO -- : Running job thread for 'Import OTRS diff load' (Import::OTRS.diff_worker) status is: sleep
I, [2020-03-23T03:33:31.018743 #10121-47387577075200]  INFO -- : Running job thread for 'Process escalation tickets' (Ticket.process_escalation) status is: sleep
I, [2020-03-23T03:33:31.018777 #10121-47387577075200]  INFO -- : Running job thread for 'Check Channels' (Channel.fetch) status is: sleep
I, [2020-03-23T03:33:31.018804 #10121-47387577075200]  INFO -- : Running job thread for 'Generate Session data' (Sessions.jobs) status is: sleep
I, [2020-03-23T03:33:31.018830 #10121-47387577075200]  INFO -- : Running job thread for 'Check streams for Channel' (Channel.stream) status is: sleep
I, [2020-03-23T03:33:31.018997 #10121-47387577075200]  INFO -- : Running job thread for 'Execute jobs' (Job.run) status is: sleep
I, [2020-03-23T03:33:52.867527 #10121-70334931321340]  INFO -- : execute Channel.fetch (try_count 0)...
I, [2020-03-23T03:33:52.868963 #10121-70334931321340]  INFO -- : fetching imap (Host/User port=993,ssl=true,starttls=false,folder=Zammad,keep_on_server=true)
E, [2020-03-23T03:33:52.900544 #10121-70334931321340] ERROR -- : Can't use Channel::Driver::Imap: #<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: dh key too small>
E, [2020-03-23T03:33:52.900608 #10121-70334931321340] ERROR -- : SSL_connect returned=1 errno=0 state=error: dh key too small (OpenSSL::SSL::SSLError)
/opt/zammad/vendor/ruby-2.5.5/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock'
/opt/zammad/vendor/ruby-2.5.5/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/opt/zammad/vendor/ruby-2.5.5/lib/ruby/2.5.0/net/imap.rb:1531:in `start_tls_session'
/opt/zammad/vendor/ruby-2.5.5/lib/ruby/2.5.0/net/imap.rb:1092:in `initialize'
/opt/zammad/app/models/channel/driver/imap.rb:107:in `new'
/opt/zammad/app/models/channel/driver/imap.rb:107:in `block in fetch'
/opt/zammad/app/models/channel/driver/imap.rb:517:in `block in timeout'
/opt/zammad/vendor/ruby-2.5.5/lib/ruby/2.5.0/timeout.rb:93:in `block in timeout'
/opt/zammad/vendor/ruby-2.5.5/lib/ruby/2.5.0/timeout.rb:33:in `block in catch'
/opt/zammad/vendor/ruby-2.5.5/lib/ruby/2.5.0/timeout.rb:33:in `catch'
/opt/zammad/vendor/ruby-2.5.5/lib/ruby/2.5.0/timeout.rb:33:in `catch'
/opt/zammad/vendor/ruby-2.5.5/lib/ruby/2.5.0/timeout.rb:108:in `timeout'
/opt/zammad/app/models/channel/driver/imap.rb:516:in `timeout'
/opt/zammad/app/models/channel/driver/imap.rb:106:in `fetch'
/opt/zammad/app/models/channel.rb:56:in `fetch'
/opt/zammad/vendor/bundle/ruby/2.5.0/gems/activerecord-5.2.4.1/lib/active_record/relation/delegation.rb:71:in `each'
/opt/zammad/vendor/bundle/ruby/2.5.0/gems/activerecord-5.2.4.1/lib/active_record/relation/delegation.rb:71:in `each'
/opt/zammad/app/models/channel.rb:30:in `fetch'

I cannot link my email account because the dh key is too small.

Does anyone have any idea how to solve the problem?
Thank you in advance.

Best regards Marc

2

I had a quick google search, because this error message is not exactly Zammad related.
Seems like your mail server configuration is using very weak ciphers?

You might want to check the following sites, it might help:

3

How does Zammad handle the Cipher-Suites?
Does Zammad use the specified ciphers within the /opt/zammad/vendor/ruby-2.5.5/lib/ruby/2.5.0/openssl/ssl.rb file? And does the /opt/zammad/vendor/ruby-2.5.5/lib/ruby/2.5.0/net/imap.rb component references to this file? The connection to the Mail-Server is working with ECDHE-XXX and the cipher is present in the ssl.rb but Zammad is not able to fetch emails.

4

Maybe @martini can give feedback on this.

5

Hi Marc,

Zammad is using default setting from ruby open_ssl/ssl integration. So in Zammad context there is no limitation to certain cipers.

In the last years I never have seen this kind of error message in Zammad context.

After doing some research I found informations like the following hints:

It seems your openssl is to new. Or your SSL setup of mail server is too old.

Greetings.

-Martin

6

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.