Hi Eric, Hi Jaime,

thanks for your suggestions. I tested if the file was there, if it is a valid certificate, I have a script to create the file on renewals, all that is done.

What I have unusual is: my certfile is a link.

When testing the certificate by:

openssl x509 -noout -in /var/qmail/control/servercert.pem -dates

I get:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:05:e5:90:e9:e7:50:85:52:24:f8:10:3a:29:c7:24:bb:e9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jun 12 21:01:00 2017 GMT
            Not After : Sep 10 21:01:00 2017 GMT

The certificate is there and is valid.

I copied the servercert.pem to /var/qmail/control/ now, restarted qmail and tested; now it works with STARTTLS.

Must have been an issue with owner and/or rights.

Thanks a lot for pointing me in the correct direction. I am always very happy to see how quickly problems can be solved on this list. Once again, many thanks

Andreas

> Just throwing a +1 for Eric asking about the servercert.pem file. You have
> to copy the Let's Encrypt cert over to there (and also have it copy it over
> each time the cert is renewed, approximately every 90 days). I have some
> shell scripts I'm running weekly to handle making sure the Let's Encrypt cert
> is renewed and the servercert.pem file is updated....
>
> From: Eric Broch <ebr...@whitehorsetc.com>
> Reply-To: <qmailtoaster-list@qmailtoaster.com>
> Date: Thursday, June 22, 2017 at 10:17 AM
> To: <qmailtoaster-list@qmailtoaster.com>
> Subject: Re: [qmailtoaster] STARTTLS on CENT-6.9
>
> Hi Andreas,
>
> I'm not sure if you're a coder, but here's the section of code in
> qmail-smtpd.c that sends STARTTLS upon meeting certain criteria.
>
> <code>
> #ifdef TLS
>   if (!ssl && (stat("control/servercert.pem",&st) == 0))
>     out("\r\n250-STARTTLS");
> #endif
> </code>
>
> Looks like you need 1) TLS defined, 2) ssl variable not 0, and 3) a
> certificate.
>
> TLS should be compiled into qmail.
>
> The first thing I'd check is the presence of a certificate
> /var/qmail/control/servercert.pem. If it exists we can start checking the
> ssl variable.
>
> Eric
>
> On 6/22/2017 5:13 AM, Andreas Galatis wrote:
>
>> Hello List,
>>
>> since some time my qmailserver does not offer STARTTLS on ports 25 and 587.
>>
>> Dovecot offers STARTTLS, everything is fine.
>> Qmail does not.
>>
>> I have another qmailserver on CENT working fine and offering STARTTLS,
>> tlsserverciphers are the same, same openssl-1.0.1e-57.
>>
>> Both servers have certificates from LetsEncrypt, issued this month.
>>
>> I cannot find the difference.
>>
>> Here the answer when connecting:
>>
>> telnet localhost 25
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
>> ehlo mail.unet.de
>> 250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
>> 250-STARTTLS
>> 250-PIPELINING
>> 250-8BITMIME
>> 250-SIZE 20000000
>> 250 AUTH LOGIN PLAIN CRAM-MD5
>>
>> telnet localhost 25
>> Trying 127.0.0.1...
>> Connected to mail.unet.de.
>> Escape character is '^]'.
>> 220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
>> ehlo mail.unet.de
>> 250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
>> 250-PIPELINING
>> 250-8BITMIME
>> 250-SIZE 20000000
>> 250 AUTH LOGIN PLAIN CRAM-MD5
>>
>> Any help is very appreciated
>>
>> Andreas
>
> --
> Eric Broch
> White Horse Technical Consulting (WHTC)

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
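The snippet Eric quoted advertises 250-STARTTLS only when no TLS session is active yet (`!ssl`) and `stat("control/servercert.pem")` succeeds, a path relative to qmail-smtpd's working directory and checked with the privileges qmail-smtpd runs under. stat() follows symlinks, so with a linked servercert.pem the line silently disappears when the link target is missing or a directory on the target's path is not searchable by that user; a target that exists but is unreadable passes the stat() and only breaks the handshake afterwards. The script below is an added diagnostic written for this thread, not part of qmailtoaster or the qmail-smtpd source. It assumes the stock layout (/var/qmail, the smtpd user is qmaild, and, on a TLS-patched qmail, the private key lives in the same servercert.pem file); the two EHLO replies embedded in it are constructed from the transcripts in the thread.

```shell
#!/bin/sh
# Added diagnostic for "qmail-smtpd stopped advertising STARTTLS".
# Not qmailtoaster code. Assumptions (adjust if your build differs):
#   QMAIL_HOME   - qmail-smtpd's working directory (control/ is relative to it)
#   SMTPD_USER   - the user qmail-smtpd runs as, whose stat() decides the banner
QMAIL_HOME=${QMAIL_HOME:-/var/qmail}
SMTPD_USER=${SMTPD_USER:-qmaild}

# Constructed EHLO replies modelled on the two transcripts in the thread.
EHLO_WITH_TLS='220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20000000
250 AUTH LOGIN PLAIN CRAM-MD5'
EHLO_WITHOUT_TLS='220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
250-PIPELINING
250-8BITMIME
250-SIZE 20000000
250 AUTH LOGIN PLAIN CRAM-MD5'

# Does an EHLO reply (read on stdin, a saved telnet transcript works) carry
# 250-STARTTLS? Matches "250-" and the final "250 " form, CRLF tolerant.
ehlo_advertises_starttls() {
    grep -q '^250[- ]STARTTLS'
}

# Resolve the path qmail-smtpd stat()s. stat() follows symlinks, so a
# dangling link or a blocked parent directory fails even though `ls -l`
# shows the link. Prints what it found; returns 1 on a problem.
cert_path_check() {
    cert=$1
    if [ ! -e "$cert" ]; then
        echo "MISSING: $cert does not resolve (absent, or a dangling link)"
        return 1
    fi
    if [ -L "$cert" ]; then
        target=$(readlink -f "$cert")
        echo "LINK: $cert -> $target"
    else
        target=$cert
    fi
    if [ ! -r "$target" ]; then
        echo "UNREADABLE as $(id -un): $target"
        return 1
    fi
    echo "OK: $target $(stat -c '%U:%G %a' "$target" 2>/dev/null)"
    return 0
}

# Repeat the readability check as the smtpd user (needs root). A file that is
# readable by root but not by this user is exactly the "owner and/or rights"
# case: stat() may still succeed, but the TLS handshake cannot load the key.
readable_as_user() {
    su -s /bin/sh "$1" -c "test -r '$2'"
}

diagnose() {
    cert=$1
    cert_path_check "$cert" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        if readable_as_user "$SMTPD_USER" "$cert"; then
            echo "OK: readable as $SMTPD_USER"
        else
            echo "FAIL: not readable as $SMTPD_USER (file mode, or a parent directory)"
        fi
    fi
    if command -v openssl >/dev/null 2>&1; then
        # -checkend 0 exits non-zero when the certificate has already expired
        if openssl x509 -noout -in "$cert" -checkend 0 >/dev/null 2>&1; then
            echo "OK: certificate parses and has not expired"
        else
            echo "FAIL: openssl cannot parse $cert, or it has expired"
        fi
        # assumption: TLS-patched qmail loads the private key from this same file
        grep -q 'PRIVATE KEY' "$cert" || echo "WARN: no private key block in $cert"
    fi
    if command -v nc >/dev/null 2>&1; then
        if printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 3 127.0.0.1 25 | ehlo_advertises_starttls; then
            echo "OK: 250-STARTTLS advertised on port 25"
        else
            echo "FAIL: STARTTLS not advertised on port 25"
        fi
    fi
}

# Run only when asked, so the functions can be sourced and reused:
#   RUN_DIAGNOSE=1 sh ./check-servercert.sh
if [ -n "${RUN_DIAGNOSE:-}" ]; then
    diagnose "$QMAIL_HOME/control/servercert.pem"
fi
```

Run it as root so the su step executes; the cert_path_check output is the part to compare between the working and the failing server, since it shows what the link actually resolves to and who owns it. After a renewal, run it again from the same cron job that refreshes servercert.pem, so a broken link is noticed before the next client does.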