'DHParameters'' ''''


Parameters for DSA/DH cipher suite V8.11 and later

For Ephemeral Diffie-Hellman encoding, the server first sends either a RSA or a DSA public key. The server then generates, signs, and sends the Diffie-Hellman (DH) parameters and the DH public value.

The DH parameters that are sent are generated or read from a file. The location of that file is defined with this DHParameters option:

O DHParameters=param               configuration file (V8.11 and later) 
-ODHParameters=param               command line (V8.11 and later) 
define(`confDH_PARAMETERS',`param')    mc configuration (V8.11 and later) 

Here, param is one of the items shown in Table 24-17. Note that only the first character is examined, so 5 and 512 are equivalent. Also note that the default is 1024 for the server, and 512 for the client.

Table 24-17. DHParameters parameter items




No parameters, so don't use DH


Generate 512-bit fixed parameters


Generate 1024-bit fixed parameters


Read the parameters from a file

If you list the /path/file item, the file referenced must live in a safe path, one that is writable only by root.

If you use an item that is not in the table, one of the following errors will print and be logged, depending on whether sendmail is in the role of a client or server:

STARTTLS=client, error: illegal value 'bad item' for DHParam
STARTTLS=server, error: illegal value 'bad item' for DHParam

This option should be defined only if a cipher suite containing DSA/DH is used. Otherwise, you should leave it undefined.

The DHParameters option is not safe. If specified from the command line, it can cause sendmail to relinquish its special privileges.

    Part I: Build and Install
    Part II: Administration
    Part III: The Configuration File
    Chapter 21. The D (Define a Macro) Configuration Command
    Chapter 24. The O (Options) Configuration Command