Hi Eric,
Hi Jaime,

Thanks for your suggestions.
I tested whether the file was there and whether it is a valid certificate; I have a
script to create the file on renewals; all that is done.
What is unusual in my case is that my certfile is a link.
When testing the certificate with
openssl x509 -noout -in /var/qmail/control/servercert.pem -dates
I get:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:05:e5:90:e9:e7:50:85:52:24:f8:10:3a:29:c7:24:bb:e9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jun 12 21:01:00 2017 GMT
            Not After : Sep 10 21:01:00 2017 GMT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The certificate is there and is valid.
I copied servercert.pem to /var/qmail/control/ now, restarted qmail
and tested; now it works with STARTTLS.

Must have been an issue with owner and/or rights.

Thanks a lot for pointing me in the correct direction.
I am always very happy to see how quickly problems can be solved on this list.

Once again, many thanks

Andreas
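
What the thread converged on (a real file in /var/qmail/control, readable by the smtpd user, rebuilt on every renewal, then re-checked) as a script. This is an added example, not a qmailtoaster script and not code from anyone on the thread; the Let's Encrypt lineage directory, the owner the smtpd drops to, and every function name are assumptions. The point it is built around: qmail-smtpd only calls stat("control/servercert.pem"), and stat() follows symlinks, so a link whose target sits below a directory the smtpd user cannot traverse (certbot creates /etc/letsencrypt/live and /etc/letsencrypt/archive with mode 0700) fails with EACCES and the 250-STARTTLS line silently disappears from EHLO, which matches the symptom posted above.

```shell
#!/bin/sh
# Added example (not a qmailtoaster script): refresh /var/qmail/control/servercert.pem
# from Let's Encrypt output and verify that qmail-smtpd will advertise STARTTLS.
# Assumptions: LE_DIR, QMAIL_CTL, SMTPD_OWNER and all function names below.
set -eu

LE_DIR=${LE_DIR:-/etc/letsencrypt/live/mail.example.org}   # assumed certbot lineage dir
QMAIL_CTL=${QMAIL_CTL:-/var/qmail/control}
SMTPD_OWNER=${SMTPD_OWNER:-vpopmail:vchkpw}                # assumed user of the smtp run script

# Classify the file the way qmail-smtpd's stat("control/servercert.pem") will see it.
# Prints one word and fails for anything but "ok".
servercert_status() {
    f=$1
    if [ -L "$f" ] && [ ! -e "$f" ]; then echo dangling-symlink; return 1; fi
    if [ ! -e "$f" ]; then echo missing;    return 1; fi
    if [ ! -f "$f" ]; then echo not-a-file; return 1; fi
    if [ ! -r "$f" ]; then echo unreadable; return 1; fi
    echo ok
}

# Write cert+chain followed by the key (qmail wants both in one PEM) as a regular
# file, then rename it into place so an old symlink is replaced atomically.
# $4 is "owner:group", or empty to leave ownership alone (used by the demo below).
install_servercert() {
    chain=$1 key=$2 dest=$3 owner=$4
    tmp="$dest.tmp.$$"
    ( umask 077; cat "$chain" "$key" > "$tmp" )
    [ -z "$owner" ] || chown "$owner" "$tmp"
    chmod 0640 "$tmp"                 # holds the private key: never world-readable
    mv -f "$tmp" "$dest"
}

# Succeed iff an EHLO reply read from stdin advertises STARTTLS (CRLF tolerated).
ehlo_offers_starttls() {
    grep -qi '^250[- ]STARTTLS'
}

# Live checks (need the real host, openssl and network; not part of the demo):
# 1) stat the file as the smtpd user, which is exactly what qmail-smtpd does,
# 2) refuse a certificate with fewer than 10 days left,
# 3) negotiate STARTTLS on port 25 and print the certificate actually served.
live_check() {
    user=${SMTPD_OWNER%%:*}
    su -s /bin/sh "$user" -c "stat $QMAIL_CTL/servercert.pem >/dev/null"
    openssl x509 -noout -checkend 864000 -in "$QMAIL_CTL/servercert.pem"
    openssl s_client -starttls smtp -connect 127.0.0.1:25 </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Self-contained demonstration on constructed input (no real keys, no network).
demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n' > "$d/fullchain.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n' > "$d/privkey.pem"
    ln -s "$d/gone.pem" "$d/servercert.pem"     # the failure mode from the thread: a link
    echo "before: $(servercert_status "$d/servercert.pem" || true)"   # dangling-symlink
    install_servercert "$d/fullchain.pem" "$d/privkey.pem" "$d/servercert.pem" ""
    echo "after:  $(servercert_status "$d/servercert.pem")"           # ok
    printf '250-unet.de\r\n250-STARTTLS\r\n250 AUTH LOGIN PLAIN\r\n' \
        | ehlo_offers_starttls && echo "EHLO: STARTTLS offered"
    rm -rf "$d"
}
demo
```

For a renewal hook, call install_servercert "$LE_DIR/fullchain.pem" "$LE_DIR/privkey.pem" "$QMAIL_CTL/servercert.pem" "$SMTPD_OWNER" and then live_check; qmail-smtpd is started per connection by tcpserver, so the new file is picked up on the next connection, but restarting the smtp service as Andreas did is harmless.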




> Just throwing a +1 for Eric asking about the servercert.pem file. You have
> to copy the Let's Encrypt cert over to there (and also have it copy it over
> each time the cert is renewed, approximately every 90 days). I have some
> shell scripts I'm running weekly to handle making sure the Let's Encrypt
> cert is renewed and the servercert.pem file is updated....
>
> From:  Eric Broch <ebr...@whitehorsetc.com>
> Reply-To:  <qmailtoaster-list@qmailtoaster.com>
> Date:  Thursday, June 22, 2017 at 10:17 AM
> To:  <qmailtoaster-list@qmailtoaster.com>
> Subject:  Re: [qmailtoaster] STARTTLS on CENT-6.9
>
> Hi Andreas,
>
> I'm not sure if you're a coder, but here's the section of code in
> qmail-smtpd.c that sends STARTTLS upon meeting certain criteria.
>
> #ifdef TLS
>   if (!ssl && (stat("control/servercert.pem",&st) == 0))
>     out("\r\n250-STARTTLS");
> #endif
>
> Looks like you need 1) TLS defined, 2) ssl variable not 0, and 3) a
> certificate.
>
> TLS should be compiled into qmail.
>
> The first thing I'd check is the presence of a certificate,
> /var/qmail/control/servercert.pem. If it exists we can start checking the
> ssl variable.
>
> Eric
>
> On 6/22/2017 5:13 AM, Andreas Galatis wrote:
>
>> Hello List,
>>
>> For some time now my qmail server has not offered STARTTLS on ports 25 and 587.
>>
>> Dovecot offers STARTTLS; everything is fine.
>> Qmail does not.
>>
>> I have another qmail server on CENT working fine and offering STARTTLS;
>> tlsserverciphers are the same, same openssl-1.0.1e-57.
>> Both servers have certificates from Let's Encrypt, issued this month.
>>
>> I cannot find the difference.
>>
>> Here is the answer when connecting:
>>
>> telnet localhost 25
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
>> ehlo mail.unet.de
>> 250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
>> 250-STARTTLS
>> 250-PIPELINING
>> 250-8BITMIME
>> 250-SIZE 20000000
>> 250 AUTH LOGIN PLAIN CRAM-MD5
>>
>> telnet localhost 25
>> Trying 127.0.0.1...
>> Connected to mail.unet.de.
>> Escape character is '^]'.
>> 220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
>> ehlo mail.unet.de
>> 250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
>> 250-PIPELINING
>> 250-8BITMIME
>> 250-SIZE 20000000
>> 250 AUTH LOGIN PLAIN CRAM-MD5
>>
>> Any help is very appreciated.
>>
>> Andreas
>>
>
> --
> Eric Broch
> White Horse Technical Consulting (WHTC)
>


---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
