Try this command from your CentOS 5 box

openssl s_client -starttls smtp -no_ssl3 -no_ssl2 -debug -msg -connect fpl-com.mail.protection.outlook.com:25

What kind of beer? Hopefully not Schlitz. ;-)


On 7/5/2018 5:57 PM, South Computers wrote:
No worries, I appreciate it.

tlsserverciphers is fine.

And checking the mail in the queue that fails with the TLS errors, they are all going to office365 accounts, with 1 going to a hotmail account, but all the mx records point to something.protection.outlook.com, so basically the same.

Telnetting to one of them:

[root@mail control]# telnet fpl-com.mail.protection.outlook.com 25
Trying 207.46.163.215...
Connected to fpl-com.mail.protection.outlook.com (207.46.163.215).
Escape character is '^]'.
220 BL2FFO11FD008.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 5 Jul 2018 23:51:00 +0000
ehlo
250-BL2FFO11FD008.mail.protection.outlook.com Hello [75.13.64.133]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

I see starttls in there, so should be good there, although versions accepted are unknown. Do our toasters drop back to TLS 1 if the receiving server doesn't do 1.2?

And sending an email to a gmail account works. Relevant portion showing TLS:
Received: from mail.noube.com (mail.noube.com. [75.13.64.133])
        by mx.google.com with ESMTPS id a207-v6si3191006itb.75.2018.07.05.16.38.19
        for <myemailaddr...@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 05 Jul 2018 16:38:19 -0700 (PDT)

Stopping for a beer to contemplate...
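The `openssl s_client -starttls smtp` command and the telnet EHLO check above are doing two things: reading the server's EHLO extension list for STARTTLS, and then seeing which TLS version and cipher the handshake settles on. The script below is an added example (not code from the thread or from qmail-toaster) that does both from the sending side. The EHLO sample is the response quoted above; `parse_ehlo`, `advertises_starttls` and `probe_starttls` are hypothetical helper names. The live probe sets a minimum TLS version, so it reproduces the sender's view of a "TLS_connect_failed" deferral when the floor is higher than the peer supports.

```python
"""Check an SMTP peer's STARTTLS advertisement and the TLS it negotiates.

Added example, not part of the original thread. Offline part: parse an
EHLO response. Online part (run only from main): STARTTLS with a chosen
minimum TLS version, the sending-side equivalent of
`openssl s_client -starttls smtp -no_ssl2 -no_ssl3`.
"""
import smtplib
import ssl

# Sample EHLO response: the one quoted in the thread, minus the 220 banner.
SAMPLE_EHLO = """250-BL2FFO11FD008.mail.protection.outlook.com Hello [75.13.64.133]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8"""


def parse_ehlo(response: str) -> dict:
    """Return {KEYWORD: parameters} for every extension the server advertises.

    Lines look like '250-KEYWORD params' (more follow) or '250 KEYWORD params'
    (last line). The first line is the greeting and carries no extension.
    """
    extensions = {}
    lines = response.strip().splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        body = line[4:]                      # drop '250-' or '250 '
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def advertises_starttls(response: str) -> bool:
    """True when the EHLO response lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(response)


def probe_starttls(host: str, port: int = 25,
                   min_version=ssl.TLSVersion.TLSv1_2,
                   verify: bool = True, timeout: float = 15) -> dict:
    """EHLO, STARTTLS, and report the negotiated protocol version and cipher.

    min_version is the floor the client insists on; a peer that only offers
    TLS 1.0/1.1 fails the handshake, which on the sending MTA shows up as a
    TLS connect failure rather than a plaintext fallback.
    verify=False mimics opportunistic MTA behaviour (no certificate checks).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        smtp.starttls(context=ctx)
        smtp.ehlo()                          # re-EHLO on the encrypted channel
        name, _proto, bits = smtp.sock.cipher()
        return {"starttls": True,
                "version": smtp.sock.version(),
                "cipher": name,
                "bits": bits}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "fpl-com.mail.protection.outlook.com"
    print("sample EHLO advertises STARTTLS:", advertises_starttls(SAMPLE_EHLO))
    print(probe_starttls(target, verify=False))
```

Running the probe twice, once with `min_version=ssl.TLSVersion.TLSv1_2` and once with `TLSv1`, tells you whether the peer's version support is the problem; if both fail with the same handshake error, look at the cipher list or DH parameters instead.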








Eric Broch wrote:
Sorry, my mistake, check tlsciphers 'cat /var/qmail/control/tlsserverciphers'

mine on CentOS 6 & 7 look like this:

DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA
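The tlsserverciphers list above is what the toaster offers to peers, and at a glance it includes anonymous (ADH/AECDH) and SEED/IDEA/KRB5 suites alongside the modern ECDHE GCM ones. The script below is an added example (not from the thread or qmail-toaster) that audits such a colon-separated OpenSSL cipher string by name pattern; `audit`, `classify`, `summary` and `hardened` are hypothetical helper names, and the sample is a constructed excerpt of the posted list in the same format.

```python
"""Audit a tlsserverciphers-style list (colon-separated OpenSSL cipher names).

Added example, not part of the original thread. Classification is by name
pattern only and targets the OpenSSL 1.0.x-era names seen in the list;
`openssl ciphers -v 'LIST'` remains the authoritative source for what each
name actually means on a given build.
"""
import re

# Constructed excerpt of the list posted in the thread, same format.
SAMPLE_CIPHERS = ("DHE-RSA-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:"
                  "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
                  "DHE-RSA-AES256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:"
                  "ECDH-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA:CAMELLIA256-SHA:"
                  "PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA")

ANON_RE = re.compile(r"^(ADH|AECDH)-")              # no server authentication
LEGACY_RE = re.compile(r"(SEED|IDEA|KRB5|RC4|DES)")  # deprecated algorithms
EPHEMERAL_RE = re.compile(r"^(ECDHE|DHE|AECDH|ADH)-")  # ephemeral key exchange
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def classify(name: str) -> list:
    """Return the list of findings for one cipher name (empty means clean)."""
    findings = []
    if ANON_RE.match(name):
        findings.append("anonymous-dh")         # any peer can impersonate the server
    if LEGACY_RE.search(name):
        findings.append("legacy-algorithm")
    if not EPHEMERAL_RE.match(name):
        findings.append("no-forward-secrecy")   # static RSA/ECDH/PSK key exchange
    if not any(m in name for m in AEAD_MARKERS):
        findings.append("non-aead")             # CBC + HMAC construction
    return findings


def audit(cipher_string: str) -> dict:
    """Map each cipher name in the list to its findings, in list order."""
    return {name: classify(name) for name in cipher_string.split(":") if name}


def summary(cipher_string: str) -> dict:
    """Count how many entries carry each finding."""
    counts = {}
    for findings in audit(cipher_string).values():
        for tag in findings:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def hardened(cipher_string: str) -> str:
    """Keep only entries with no findings, preserving the original order."""
    return ":".join(name for name, f in audit(cipher_string).items() if not f)


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CIPHERS).items():
        print(f"{name:35s} {', '.join(findings) or 'ok'}")
    print("summary:", summary(SAMPLE_CIPHERS))
    print("hardened:", hardened(SAMPLE_CIPHERS))
```

One caveat before pasting the `hardened` output into the control file: SMTP TLS between MTAs is opportunistic, so a list pruned down to ECDHE GCM suites can turn a working encrypted session with an old peer into a deferral or a plaintext fallback. Drop the anonymous and legacy entries first, and keep at least one widely supported AES CBC suite until the peers you actually exchange mail with are confirmed to negotiate the stronger ones.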


On 7/5/2018 2:49 PM, South Computers wrote:
Good question, hadn't considered that. Will check it tonight.



Eric Broch wrote:
What about your dh key, is it too small?


On 7/5/2018 1:28 PM, South Computers wrote:
This is a repeat, my first reply went directly to Eric, sorry about that sir.

Thank you Eric, might give it a shot later.

In the meantime though, since the update, I'm having tls connect problems to certain domains. For certain office365 accounts are not going through.

 deferral: TLS_connect_failed;_connected_to_

I can send to gmail, and in the headers it shows that it is using TLS 1.2.

Anyone have any ideas?

Thanks!

Eric Broch wrote:
> If people want qmail-dk (ssl) and have already installed the update (qmail version 1.03-1.3.24) you can do the following to get qmail-dk working with ssl/crypto:
>
> (i686)
>
> # rpm -Uvh ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/libdomainkeys-toaster-0.68-1.3.7.i686.rpm
>
> # rpm -ivh --replacefiles --replacepkgs ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/qmail-toaster-1.03-1.3.24.i686.rpm
>
> (x86_64)
>
> # rpm -Uvh ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/libdomainkeys-toaster-0.68-1.3.7.x86_64.rpm
>
> # rpm -ivh --replacefiles --replacepkgs ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/qmail-toaster-1.03-1.3.24.x86_64.rpm
>
>
> If you haven't installed qmail-toaster ssl update (version 1.03-1.3.24) follow instruction here: https://www.qmailtoaster.org/newopensslcnt50.html
>
>
>
> On 7/5/2018 10:58 AM, Brian Ghidinelli wrote:
>>
>> FWIW, I did not update my qmail-dk binary. I was hypothesizing it was only used to sign, not to communicate, and therefore the version of openssl didn't matter. I might be wrong, but I'm still sending mail?
>>
>>
>> Brian
>>
>>
>> On 7/5/18 06:38, South Computers wrote:
>>> Interestingly, this broke DKIM.
>>>
>>> I don't have the time to look further right now, but disabled dk for the time being, and it's working.
>>>
>>> Was getting this in smtp/current when trying to send mail:
>>> @400000005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!
>>>
>>> etc...
>>>
>>>
>>>
>>>
>>> South Computers wrote:
>>>> Also mostly a lurker these days, but wanted to chime in and give a big thanks as well Eric.
>>>>
>>>> Much appreciate all your work to keep this going.
>>>> Scott
>>>>
>>>> Also, if anyone else has neglected to keep their toaster up to date and needs to manually install the epel repo, at least for x86 on COS5:
>>>> wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm
>>>> rpm -Uhv epel-release-5-4.noarch.rpm
>>>>
>>>>
>>>>
>>>> Eric Broch wrote:
>>>>> Instructions for setting up greater than openssl-0.9.8 CentOS 5, minimal testing done. This is done with openssl-1.01e
>>>>>
>>>>> https://www.qmailtoaster.org/newopensslcnt50.html
>>>>>
>>>>> Eric
>>>>>
>>>>>
>>>>> On 6/29/2018 4:51 AM, Peter Peltonen wrote:
>>>>>> Great, thanks for sharing!
>>>>>>
>>>>>> One question:
>>>>>>
>>>>>> Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
>>>>>> lookups removed.
>>>>>>
>>>>>> Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.
>>>>>>
>>>>>> How would one migrate the changes you did to Eric's version, as I
>>>>>> would like to have both: newer TLS support + CNAME lookups removed?
>>>>>>
>>>>>> Best,
>>>>>> Peter
>>>>>>
>>>>>> On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch <ebr...@whitehorsetc.com> wrote:
>>>>>>> Thanks, Brian!!!
>>>>>>>
>>>>>>>
>>>>>>> On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:
>>>>>>>
>>>>>>> Good news - I seem to have solved this. It's a combo of these old notes
>>>>>>> from 2011 and an upgraded openssl:
>>>>>>>
>>>>>>> http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up
>>>>>>>
>>>>>>> I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
>>>>>>> openssl-1.0.2o from source on CentOS 5 and linked:
>>>>>>>
>>>>>>> /usr/include/openssl -> /usr/local/ssl/include/openssl/
>>>>>>>
>>>>>>> Then I rebuilt the RPM:
>>>>>>>
>>>>>>> rpmbuild -bb --target i686 --with cnt50
>>>>>>> /usr/src/redhat/SPECS/qmail-toaster.spec
>>>>>>>
>>>>>>> This generated the RPM. I extracted the files:
>>>>>>>
>>>>>>> rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv
>>>>>>>
>>>>>>> I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
>>>>>>> the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
>>>>>>> where cpio extracted them to)
>>>>>>>
>>>>>>> And then tested with checktls.com and everything shows TLS 1.2 now. *whew*
>>>>>>>
>>>>>>> This buys us a little time to complete a migration. Hope this helps someone
>>>>>>> else!
>>>>>>>
>>>>>>>
>>>>>>> Brian
>>>>>>>
>>>>>>>
>>>>>>> On 6/27/18 09:09, Eric Broch wrote:
>>>>>>>
>>>>>>> Have a look at this thread:
>>>>>>>
>>>>>>> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html
>>>>>>>
>>>>>>> IMHO, there were too many packages that were dependent on openssl-9.8 on the
>>>>>>> CentOS 5 box to make this practical.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>>>>>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Eric Broch
>>>>>>> White Horse Technical Consulting (WHTC)
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>














--
Eric Broch
White Horse Technical Consulting (WHTC)


