sendmail, 4th Edition

DHParameters

Parameters for DSA/DH cipher suite V8.11 and later

In an Ephemeral Diffie-Hellman exchange, the server first sends either an RSA or a DSA public key. The server then generates, signs, and sends the Diffie-Hellman (DH) parameters and its DH public value.

The DH parameters that are sent are generated or read from a file. The location of that file is defined with this DHParameters option:

O DHParameters=param                  configuration file (V8.11 and later)
-ODHParameters=param                  command line (V8.11 and later)
define(`confDH_PARAMETERS',`param')   mc configuration (V8.11 and later)

Here, param is one of the items shown in Table 24-17. Note that only the first character of param is examined, so 5 and 512 are equivalent. Also note that the default is 1024 for the server and 512 for the client.

Table 24-17. DHParameters parameter items

Item          Meaning
none          No parameters, so don't use DH
512           Generate 512-bit fixed parameters
1024          Generate 1024-bit fixed parameters
/path/file    Read the parameters from a file

If you list the /path/file item, the referenced file must live in a safe path, one that is writable only by root.

If you use an item that is not in the table, one of the following errors will print and be logged, depending on whether sendmail is in the role of a client or server:

STARTTLS=client, error: illegal value 'bad item' for DHParam
STARTTLS=server, error: illegal value 'bad item' for DHParam

This option should be defined only if a cipher suite containing DSA/DH is used. Otherwise, you should leave it undefined.

The DHParameters option is not safe. If specified from the command line, it can cause sendmail to relinquish its special privileges.
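As an added example (not from the sendmail book and not sendmail's own code), the following POSIX shell script applies the rules this section states: it classifies a DHParameters value by its first character according to Table 24-17, checks that a parameter file sits on a root-owned path writable only by its owner before the option is pointed at it, and prints the matching confDH_PARAMETERS line. The file path /etc/mail/dh.pem, the 2048-bit size, and the use of openssl dhparam to create the file are assumptions for illustration; the path check is a simplified stand-in for sendmail's own safe-file test, not a reproduction of it. The classification also shows why a value such as 2048 is rejected: its first character matches nothing in the table, so a larger group can only be supplied through a file.

```shell
#!/bin/sh
# Added example; not part of the sendmail book or the sendmail sources.

# Classify a DHParameters value by its first character, as Table 24-17
# and the text describe (5 and 512 are equivalent, 2048 is not in the
# table). Prints one of: none | 512 | 1024 | file | illegal
dh_param_class() {
    case "$1" in
        n*)  echo none ;;      # no parameters, DH not used
        5*)  echo 512 ;;       # 512-bit fixed parameters
        1*)  echo 1024 ;;      # 1024-bit fixed parameters
        /*)  echo file ;;      # read parameters from /path/file
        *)   echo illegal ;;   # sendmail logs: illegal value '...' for DHParam
    esac
}

# Return 0 if FILE is absolute and FILE plus every directory above it is
# owned by root and has neither the group nor the world write bit set;
# return 1 otherwise. Assumption: POSIX find with -prune, -user and -perm.
# This is a simplified stand-in for sendmail's own safe-path check.
dh_file_path_is_safe() {
    dh_p=$1
    case "$dh_p" in /*) ;; *) return 1 ;; esac
    while :; do
        [ -n "$(find "$dh_p" -prune -user root ! -perm -020 ! -perm -002 \
                  -print 2>/dev/null)" ] || return 1
        [ "$dh_p" = / ] && return 0
        dh_p=$(dirname "$dh_p")
    done
}

# Emit the mc configuration line for a chosen value (syntax from the text).
dh_mc_line() {
    printf '%s\n' "define(\`confDH_PARAMETERS',\`$1')"
}

# Demonstration, only when DH_DEMO=1 and openssl is available: generate
# 2048-bit parameters into an assumed root-owned location, verify the
# path, then print the define to paste into the mc file.
if [ "${DH_DEMO:-0}" = 1 ] && command -v openssl >/dev/null 2>&1; then
    openssl dhparam -out /etc/mail/dh.pem 2048 &&
    dh_file_path_is_safe /etc/mail/dh.pem &&
    dh_mc_line /etc/mail/dh.pem
fi
```

Run it as root with DH_DEMO=1 to produce the file and the define line; without that variable the script only defines the three functions, so it can be sourced from a deployment check that refuses a world-writable parameter file before restarting sendmail.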
