Jared Smith wrote:
Hugo Monteiro wrote:
Jared Smith wrote:
Hugo Monteiro wrote:
Jared Smith wrote:
I have enabled TLS but still only getting 250-AUTH LOGIN PLAIN.
sjar...@shine:~$ telnet bart 25
Trying 10.111.45.55...
Connected to bart.xxxxxxx.com.
Escape character is '^]'.
220 bart.xxxxxxx.com ESMTP
ehlo test
250-bart.xxxxxxxx.com
250-PIPELINING
250-SIZE 12582912
250-AUTH LOGIN PLAIN
250 8BITMIME


Below is some output for questions I have seen within the list

Compiled with these parms: (I have used a slew of different values for TLS*; these are just my latest)
------------------------------------------------------------------------------------------------------------------------------------
LDAPFLAGS=-DALTQUEUE
LDAPLIBS=-L/usr/local/lib -lldap -llber
LDAPINCLUDES=-I/usr/local/include
TLS=-DTLS_REMOTE -DTLS_SMTPD -DTLSDEBUG
TLSINCLUDES=-I/usr/include/openssl
TLSLIBS=-L/usr/lib -lssl -lcrypto
OPENSSLBIN=/usr/bin/openssl
MNW=-DMAKE_NETSCAPE_WORK
MDIRMAKE=-DAUTOMAILDIRMAKE
HDIRMAKE=-DAUTOHOMEDIRMAKE
SHADOWLIBS=-lcrypt
------------------------------------------------------------------------------------------------------------------------------------



mail:~/qmail-ldap# grep ^TLS Makefile
TLS=-DTLS_REMOTE -DTLS_SMTPD
TLSINCLUDES=-I/usr/include
TLSLIBS=-L/usr/lib -lssl -lcrypto

r...@bart:/var/qmail/control# ls -la `cat /var/qmail/control/smtpcert`
------------------------------------------------------------------------------------------------------------------------------------
-rw-r----- 1 qmaild qmail 2002 2009-04-01 10:43 /var/qmail/control/cert.pem
------------------------------------------------------------------------------------------------------------------------------------

r...@bart:/var/qmail/control# ldd /var/qmail/bin/qmail-smtpd
------------------------------------------------------------------------------------------------------------------------------------
       linux-gate.so.1 =>  (0xffffe000)
       libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7f96000)
       libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e66000)
       /lib/ld-linux.so.2 (0xb7fb1000)
------------------------------------------------------------------------------------------------------------------------------------



As you can see, the SSL libs were not linked against qmail-smtpd.

mail:~/qmail-ldap# ldd /var/qmail/bin/qmail-smtpd
   linux-gate.so.1 =>  (0xffffe000)
   libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7f62000)
   libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7f23000)
   libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7de8000)
   libz.so.1 => /usr/lib/libz.so.1 (0xb7dd4000)
   libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7ca3000)
   libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7c9f000)
   /lib/ld-linux.so.2 (0xb7f7e000)

qmail-smtp.rules
------------------------------------------------------------------------------------------------------------------------------------
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
:allow,NOPBS="",SMTPAUTH="TLSREQUIRED",QMAILQUEUE="/var/qmail/bin/qmail-queue",LOGLEVEL="9"
------------------------------------------------------------------------------------------------------------------------------------

:allow,NOPBS="",SMTPAUTH="TLSREQUIRED",AUTHREQUIRED="",SSLCERT="/etc/ssl/certs/server.pem",QMAILQUEUE="/var/qmail/bin/qmail-queue",LOGLEVEL="9"


Regards,

Hugo Monteiro.

I added that line to qmail-smtp.rules, removed qmail-smtp.cdb, did a make, and tested and got the same results. Looking at the line you sent you added AUTHREQUIRED which I understand will block remote servers sending messages to local users and SSLCERT which I am thinking is the same thing as having /var/qmail/control/smtpcert.

I appreciate the help, I know the answer is staring me in the face like the money in the GEICO commercials, I just can't seem to see it. :)

Jared


Some other hints:

1 - Make sure that qmaild has read access to the certificate file.

2 - Make sure that your certificate file is a concatenation of the certificate itself and the key. I remember I had some issues with the order of that concatenation. I just don't remember if it was with the crt/key order or it was with the definition of the CA chain I had to include.

Good luck,

Hugo Monteiro.
Thank you so much for the quick reply.

I used qmail's "make cert" command to create the cert I am using now which gives it the correct user permissions as well as puts the key and cert both in the pem file.

r...@bart:/var/qmail/control# ls -al cert.pem
-rw-r----- 1 qmaild qmail 2002 2009-04-01 10:43 cert.pem
r...@bart:/var/qmail/control#

Any more thoughts?

Jared







Sorry about not looking at your first message properly in the first place.

Hope it helps to solve your problem.


R's,

Hugo Monteiro.

--
ci.fct.unl.pt:~# cat .signature

Hugo Monteiro
Email    : hugo.monte...@fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web      : http://hmonteiro.net

Centro de Informática
Faculdade de Ciências e Tecnologia da
                   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.ci.fct.unl.pt             ap...@fct.unl.pt

ci.fct.unl.pt:~# _
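
Added example, not part of the original thread or of qmail-ldap: a small shell sketch of the three checks the thread walks through (SSL libraries linked into qmail-smtpd, STARTTLS advertised in the EHLO reply, certificate and key both present in the PEM file). The function names, the host name bart.example and the sample data are constructed for illustration; the ldd lines are shortened from the outputs quoted above.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# True if ldd output on stdin lists both libssl and libcrypto.
links_tls_libs() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'libssl\.so' &&
        printf '%s\n' "$out" | grep -q 'libcrypto\.so'
}

# True if an EHLO reply on stdin advertises the STARTTLS extension.
offers_starttls() {
    tr -d '\r' | grep -Eiq '^250[- ]STARTTLS$'
}

# True if PEM text on stdin holds both a certificate and a private key.
pem_has_cert_and_key() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q -- '-----BEGIN CERTIFICATE-----' &&
        printf '%s\n' "$out" | grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----'
}

# Constructed samples, shortened from the outputs quoted in the thread.
ldd_without_tls() {
    printf '%s\n' 'libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7f96000)' \
        'libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e66000)'
}
ldd_with_tls() {
    ldd_without_tls
    printf '%s\n' 'libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7f23000)' \
        'libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7de8000)'
}
ehlo_without_tls() {
    printf '%s\r\n' '250-bart.example' '250-PIPELINING' '250-AUTH LOGIN PLAIN' '250 8BITMIME'
}
ehlo_with_tls() {   # reply shape once STARTTLS is offered (constructed)
    printf '%s\r\n' '250-bart.example' '250-STARTTLS' '250 8BITMIME'
}

# Report on the samples; replace them with live output on a real host.
for s in ldd_without_tls ldd_with_tls; do
    if $s | links_tls_libs; then echo "$s: TLS libs linked"; else echo "$s: TLS libs missing"; fi
done
for s in ehlo_without_tls ehlo_with_tls; do
    if $s | offers_starttls; then echo "$s: STARTTLS offered"; else echo "$s: no STARTTLS"; fi
done
```

On a real host, feed the functions live data instead of the samples, for example `ldd /var/qmail/bin/qmail-smtpd | links_tls_libs` and `pem_has_cert_and_key < /var/qmail/control/cert.pem`.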
