I just realized that the plain text line-wrapped the script, so here is an unwrapped version in case anyone else wants to use it. Also, I made it multiline so you can cut and paste it into a terminal and accomplish this in about 3 seconds with netstat confirming success (it should print a single line showing tcpserver listening on 465).
RFC 8314 <https://tools.ietf.org/html/rfc8314>, in January of this year, reinstates port 465/TLS because STARTTLS (port 587) is broken beyond repair (from a security perspective). So eventually everyone may need to go back to port 465. But since servers get to dictate settings to their clients without creating interoperability issues, it will likely be many years before this occurs.

The critical flaw in STARTTLS is that some ISPs and/or governments have been caught filtering out the STARTTLS packet and thus preventing the initiation of encryption (a "STARTTLS downgrade attack"). In that case, the client's username and password are sent in the clear. And if an eavesdropper gets those, they can wreak havoc on your life (i.e. by resetting the password for your bank or other online accounts, etc.). With port 465/TLS, the client connection either establishes encryption or fails; it cannot be tricked into using clear-text.

Anyway, here is the paste-able script:

qmailctl stop; \
cp -r /var/qmail/supervise/submission /var/qmail/supervise/smtps; \
chown -R qmaill:qmail /var/qmail/supervise/smtps; \
sed -i 's/REQUIRE_AUTH=1/REQUIRE_AUTH=1\nexport SMTPS=1/' /var/qmail/supervise/smtps/run; \
sed -i 's/587/465/' /var/qmail/supervise/smtps/run; \
sed -i 's/submission/smtps/' /var/qmail/supervise/smtps/log/run; \
sed -i 's/DH:!LOW:!MEDIUM/ECDHE:DHE:ECDH:DH:AES:!SSLv2:!SSLv3/' /etc/tcprules.d/tcp.smtp; \
qmailctl cdb; \
qmailctl start; \
netstat -lnp | grep 465

-Andy

On 8/13/2018 7:32 PM, Remo Mattei wrote:
> Cool! I remember I did it like Eric described but the bottom line is
> it works either way. I do not offer 465 any longer :)
>
> *from my iPhone X*
>
> On 13 Aug 2018, at 20:25, Andrew Swartz <awswa...@acsalaska.net> wrote:
>
>> I eventually figured this out, and accomplished the same result though I
>> went about it slightly differently. It is now fully functional. Below
>> is the script which I created and accomplishes this in very few lines.
>> It copies the supervise/smtp directory to supervise/smtps and it then
>> edits a few values in two files (plus editing the cipher list in
>> tcp.smtp).
>>
>> qmailctl stop
>> cp -r /var/qmail/supervise/submission /var/qmail/supervise/smtps
>> chown -R qmaill:qmail /var/qmail/supervise/smtps
>> sed -i 's/REQUIRE_AUTH=1/REQUIRE_AUTH=1\nexport SMTPS=1/' /var/qmail/supervise/smtps/run
>> sed -i 's/587/465/' /var/qmail/supervise/smtps/run
>> sed -i 's/submission/smtps/' /var/qmail/supervise/smtps/log/run
>> sed -i 's/DH:!LOW:!MEDIUM/ECDHE:DHE:ECDH:DH:AES:!SSLv2/' /etc/tcprules.d/tcp.smtp
>> qmailctl cdb
>> qmailctl start
>>
>> Thanks for confirming that I did it right,
>> Andy
>>
>> On 8/13/2018 7:06 PM, Eric Broch wrote:
>>> Stock CentOS 7 does not have SMTPS standard. You must create the
>>> supervise scripts.
>>>
>>> You could stop qmail
>>>
>>> # qmailctl stop
>>>
>>> and copy smtp supervise scripts to smtps (make sure qmail is stopped or
>>> else you'll have a mess):
>>>
>>> # cp -Rp /var/qmail/supervise/smtp /var/qmail/supervise/smtps
>>>
>>> Then change two files:
>>>
>>> /var/qmail/supervise/smtps/run
>>>
>>> <run>
>>>
>>> #!/bin/sh
>>> QMAILDUID=`id -u vpopmail`
>>> NOFILESGID=`id -g vpopmail`
>>> MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
>>> SMTPD="/var/qmail/bin/qmail-smtpd"
>>> TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
>>> HOSTNAME=`hostname`
>>> VCHKPW="/home/vpopmail/bin/vchkpw"
>>> export SMTPS=1
>>>
>>> exec /usr/bin/softlimit -m 128000000 \
>>>     /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
>>>     -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
>>>     $SMTPD $VCHKPW /bin/true 2>&1
>>>
>>> </run>
>>>
>>> &
>>>
>>> /var/qmail/supervise/smtps/log/run
>>>
>>> <run>
>>>
>>> #!/bin/sh
>>> LOGSIZE=`cat /var/qmail/control/logsize`
>>> LOGCOUNT=`cat /var/qmail/control/logcount`
>>> exec /usr/bin/setuidgid qmaill /usr/bin/multilog \
>>>     t s$LOGSIZE n$LOGCOUNT /var/log/qmail/smtps 2>&1
>>>
>>> </run>
>>>
>>> Start qmail (# qmailctl start)
>>>
>>> On 8/11/2018 6:36 PM, Andrew Swartz wrote:
>>>> I just installed qmailtoaster onto CentOS-7. The qt_install script
>>>> opened port 465 on the firewall. However, s_client cannot connect to
>>>> port 465 and netstat shows that nothing is listening on port 465.
>>>>
>>>> Can anyone point me at appropriate instructions for setting up listening
>>>> on port 465 which are specific (or applicable) to qmailtoaster? I
>>>> searched http://wiki.qmailtoaster.com and found nothing. I did some
>>>> general googling and found several somewhat conflicting descriptions
>>>> but I'm unsure which apply to the configuration used in qmailtoaster.
>>>>
>>>> My interest is because 465 has been reinstated (in Jan 2018) as the
>>>> preferred submission port due to security problems with STARTTLS
>>>> (https://tools.ietf.org/html/rfc8314).
>>>>
>>>> Thanks,
>>>> -Andy
>>
>> --
>> Andrew W. Swartz, MD
>> Departments of Emergency Medicine, Family Medicine, and Surgery
>> Yukon-Kuskokwim Delta Regional Hospital
>> Bethel, Alaska

--
Andrew W. Swartz, MD
Departments of Emergency Medicine, Family Medicine, and Surgery
Yukon-Kuskokwim Delta Regional Hospital
Bethel, Alaska
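Added example, not code from this thread or from the qmailtoaster project: a script that performs the same derivation the thread describes (clone supervise/submission into supervise/smtps, move the listener to 465, export SMTPS=1, give it its own log directory), but with each sed anchored to the exact token it is meant to change, a refusal to overwrite an existing service, and a check of the result before anything is started. It also carries the check Andy was trying to do with s_client: that port 465 hands back the 220 banner only inside a TLS session. Everything here is my assumption rather than the page's: the function names, the SMTPS_HOST variable, GNU sed (as on CentOS 7), and the sample "submission" run scripts, which are constructed from the run script Eric posted so the derivation can be exercised offline in a scratch directory.

```shell
#!/bin/sh
# Added example (not code from this thread or from qmailtoaster). It performs
# the thread's derivation, supervise/submission -> supervise/smtps, with each
# sed anchored to the exact token it should change, refuses to clobber an
# existing service, and checks the result before anything is started.
# Assumptions (mine, not the page's): GNU sed (CentOS 7); the "submission" run
# scripts written by make_sample are CONSTRUCTED from the run script Eric
# posted, so the whole thing runs offline in a scratch directory.
set -eu

# Write a constructed stand-in for /var/qmail/supervise/submission under $1.
make_sample() {
    base=$1
    mkdir -p "$base/submission/log"
    cat > "$base/submission/run" <<'EOF'
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export REQUIRE_AUTH=1

exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $SMTPD $VCHKPW /bin/true 2>&1
EOF
    cat > "$base/submission/log/run" <<'EOF'
#!/bin/sh
LOGSIZE=`cat /var/qmail/control/logsize`
LOGCOUNT=`cat /var/qmail/control/logcount`
exec /usr/bin/setuidgid qmaill /usr/bin/multilog \
    t s$LOGSIZE n$LOGCOUNT /var/log/qmail/submission 2>&1
EOF
    chmod 755 "$base/submission/run" "$base/submission/log/run"
}

# make_smtps SRC DST: clone the submission service and turn it into smtps.
make_smtps() {
    src=$1; dst=$2
    [ -f "$src/run" ] || { echo "no run script in $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "$dst exists; not overwriting a live service" >&2; return 1; }
    cp -Rp "$src" "$dst"
    # Port: only tcpserver's "0 587" argument pair, not any other 587 in the file.
    sed -i 's/ 0 587 / 0 465 /' "$dst/run"
    # SMTPS=1 makes the TLS-patched qmail-smtpd negotiate TLS before the banner
    # (implicit TLS): the session is encrypted from the first byte or it fails.
    sed -i 's/^export REQUIRE_AUTH=1$/&\nexport SMTPS=1/' "$dst/run"
    # The clone must not write into the submission service's multilog directory.
    sed -i 's#/var/log/qmail/submission#/var/log/qmail/smtps#' "$dst/log/run"
}

# check_smtps DST: report anything the derivation got wrong; non-zero if any.
check_smtps() {
    dst=$1; rc=0
    grep -q ' 0 465 ' "$dst/run"                  || { echo "run: not on port 465"; rc=1; }
    ! grep -q ' 0 587 ' "$dst/run"                || { echo "run: still on port 587"; rc=1; }
    grep -q '^export SMTPS=1$' "$dst/run"         || { echo "run: SMTPS=1 not exported"; rc=1; }
    grep -q '^export REQUIRE_AUTH=1$' "$dst/run"  || { echo "run: REQUIRE_AUTH=1 lost"; rc=1; }
    grep -q '/var/log/qmail/smtps' "$dst/log/run" || { echo "log/run: log path unchanged"; rc=1; }
    return $rc
}

# check_live HOST: after "qmailctl start", confirm 465 answers only inside TLS:
# the 220 banner must arrive through openssl s_client, never in clear text.
check_live() {
    host=$1
    printf 'QUIT\r\n' | openssl s_client -connect "$host:465" -servername "$host" -quiet 2>/dev/null \
        | grep -q '^220 '
}

WORK=$(mktemp -d)
make_sample "$WORK"
make_smtps "$WORK/submission" "$WORK/smtps"
if check_smtps "$WORK/smtps"; then
    echo "derived smtps service in $WORK/smtps"
else
    echo "derivation failed; inspect $WORK" >&2; exit 1
fi
# Live check only on request, since it needs a reachable server (SMTPS_HOST is my name).
if [ -n "${SMTPS_HOST:-}" ]; then
    check_live "$SMTPS_HOST" && echo "$SMTPS_HOST:465 speaks implicit TLS" \
        || { echo "$SMTPS_HOST:465 returned no banner inside TLS" >&2; exit 1; }
fi
```

On a real box the two interesting calls are `make_smtps /var/qmail/supervise/submission /var/qmail/supervise/smtps` with qmail stopped (followed by the `chown -R qmaill:qmail` and `qmailctl cdb` / `qmailctl start` steps from the thread) and `SMTPS_HOST=your.mail.host sh thisscript` once the service is up. The scratch directory is left in place so the derived run scripts can be diffed against the originals.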