I just realized that the plain text line-wrapped the script, so here is
an unwrapped version in case anyone else wants to use it. Also, I made
it multiline so you can cut and paste it into a terminal and accomplish
this in about 3 seconds with netstat confirming success (it should print
a single line showing tcpserver listening on 465).

rfc8314 <https://tools.ietf.org/html/rfc8314> in Jan of this year
reinstates port 465/tls because starttls (port 587) is broken beyond
repair (from a security perspective). So eventually everyone may need
to go back to port 465.  But since servers get to dictate settings to
their clients without creating interoperability issues, it will likely
be many years before this occurs.

The critical flaw in starttls is that some ISPs and/or governments have
been caught filtering out the STARTTLS packet and thus preventing the
initiation of encryption (a "starttls downgrade attack").  In that case,
the client's username and password are sent in the clear.  And if an
eavesdropper gets those, they can wreak havoc on your life (i.e. by
resetting the password for your bank or other online accounts, etc).
With port 465/tls, the client connection either establishes encryption
or fails; it cannot be tricked into using clear-text.

Anyway, here is the paste-able script:

# Clone the submission (587) supervise service as smtps, switch it to
# port 465 with SMTPS=1, point its log at /var/log/qmail/smtps, widen
# the cipher list in tcp.smtp, rebuild the tcprules cdb, restart, and
# confirm tcpserver is listening on 465.
qmailctl stop; \
cp -r /var/qmail/supervise/submission /var/qmail/supervise/smtps; \
chown -R qmaill:qmail /var/qmail/supervise/smtps; \
sed -i 's/REQUIRE_AUTH=1/REQUIRE_AUTH=1\nexport SMTPS=1/' \
    /var/qmail/supervise/smtps/run; \
sed -i 's/587/465/' /var/qmail/supervise/smtps/run; \
sed -i 's/submission/smtps/' /var/qmail/supervise/smtps/log/run; \
sed -i 's/DH:!LOW:!MEDIUM/ECDHE:DHE:ECDH:DH:AES:!SSLv2!SSLv3/' \
    /etc/tcprules.d/tcp.smtp; \
qmailctl cdb; \
qmailctl start; \
netstat -lnp | grep 465


-Andy

On 8/13/2018 7:32 PM, Remo Mattei wrote:
> Cool! I remember I did it like Eric described but the bottom line is
> it works either way. I do not offer 465 any longer :) 
>
>  *from my iPhone X*
>
> On 13 Aug 2018, at 20:25, Andrew Swartz
> <awswa...@acsalaska.net <mailto:awswa...@acsalaska.net>> wrote:
>
>> I eventually figured this out, and accomplished the same result though I
>> went about it slightly differently.  It is now fully functional.  Below
>> is the script which I created and accomplishes this in very few lines.
>> It copies the supervise/smtp directory to supervise/smtps and it then
>> edits a few values in two files (plus editing the cipher list in
>> tcp.smtp).
>>
>>
>> qmailctl stop
>> cp -r /var/qmail/supervise/submission /var/qmail/supervise/smtps
>> chown -R qmaill:qmail /var/qmail/supervise/smtps
>> sed -i 's/REQUIRE_AUTH=1/REQUIRE_AUTH=1\nexport SMTPS=1/' \
>>     /var/qmail/supervise/smtps/run
>> sed -i 's/587/465/' /var/qmail/supervise/smtps/run
>> sed -i 's/submission/smtps/' /var/qmail/supervise/smtps/log/run
>> sed -i 's/DH:!LOW:!MEDIUM/ECDHE:DHE:ECDH:DH:AES:!SSLv2/' \
>>     /etc/tcprules.d/tcp.smtp
>> qmailctl cdb
>> qmailctl start
>>
>>
>> Thanks for confirming that I did it right,
>> Andy
>>
>>
>> On 8/13/2018 7:06 PM, Eric Broch wrote:
>>> Stock CentOS 7 does not have SMTPS standard. You must create the
>>> supervise scripts.
>>>
>>> You could stop qmail
>>>
>>> # qmailctl stop
>>>
>>> and copy smtp supervise scripts to smtps (make sure qmail is stopped or
>>> else you'll have a mess):
>>>
>>> # cp -Rp /var/qmail/supervise/smtp /var/qmail/supervise/smtps
>>>
>>> Then change two files:
>>>
>>> /var/qmail/supervise/smtps/run
>>>
>>> <run>
>>>
>>> #!/bin/sh
>>> QMAILDUID=`id -u vpopmail`
>>> NOFILESGID=`id -g vpopmail`
>>> MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
>>> SMTPD="/var/qmail/bin/qmail-smtpd"
>>> TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
>>> HOSTNAME=`hostname`
>>> VCHKPW="/home/vpopmail/bin/vchkpw"
>>> export SMTPS=1
>>>
>>> exec /usr/bin/softlimit -m 128000000 \
>>>     /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
>>>     -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
>>>     $SMTPD $VCHKPW /bin/true 2>&1
>>>
>>> </run>
>>>
>>> &
>>>
>>> /var/qmail/supervise/smtps/log/run
>>>
>>> <run>
>>>
>>> #!/bin/sh
>>> LOGSIZE=`cat /var/qmail/control/logsize`
>>> LOGCOUNT=`cat /var/qmail/control/logcount`
>>> exec /usr/bin/setuidgid qmaill /usr/bin/multilog \
>>>     t s$LOGSIZE n$LOGCOUNT /var/log/qmail/smtps 2>&1
>>>
>>> </run>
>>>
>>> Start qmail (# qmailctl start)
>>>
>>>
>>> On 8/11/2018 6:36 PM, Andrew Swartz wrote:
>>>> I just installed qmailtoaster onto CentOS-7.  The qt_install script
>>>> opened port 465 on the firewall.  However, s_client cannot connect to
>>>> port 465 and netstat shows that nothing is listening on port 465.
>>>>
>>>> Can anyone point me at appropriate instructions for setting up
>>>> listening on port 465 which are specific (or applicable) to
>>>> qmailtoaster?  I searched wiki.qmailtoaster.com
>>>> <http://wiki.qmailtoaster.com> and found nothing. I did some general
>>>> googling and found several somewhat conflicting descriptions but I'm
>>>> unsure which apply to the configuration used in qmailtoaster.
>>>>
>>>> My interest is because 465 has been reinstated (in Jan 2018) as the
>>>> preferred submission port due to security problems with STARTTLS
>>>> (https://tools.ietf.org/html/rfc8314).
>>>>
>>>> Thanks,
>>>> -Andy
>>>>
>>>>
>>>
>>

-- 
Andrew W. Swartz, MD
Departments of Emergency Medicine, Family Medicine, and Surgery
Yukon-Kuskokwim Delta Regional Hospital
Bethel, Alaska
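As an added illustration of the downgrade scenario described above (this is example code, not from the thread or from qmailtoaster): a constructed localhost stand-in for a submission server whose EHLO reply has had STARTTLS filtered out, a client written in the common downgrade-prone style, and the hardened variant that refuses to authenticate without encryption. The hostname, port and credentials are constructed test values.

```python
import base64
import smtplib
import socket
import threading

def start_stripped_server():
    """Constructed localhost stand-in for a session whose STARTTLS capability
    was filtered out: EHLO offers AUTH but not STARTTLS. Records cleartext AUTH."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port, record = srv.getsockname()[1], {}

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 test.example ESMTP\r\n")
        for raw in conn.makefile("rb"):
            line = raw.decode().strip()
            verb = line.split(" ", 1)[0].upper()
            if verb == "EHLO":  # no 250-STARTTLS line: the downgraded capability list
                conn.sendall(b"250-test.example\r\n250 AUTH PLAIN LOGIN\r\n")
            elif verb == "AUTH":  # credentials readable by anyone on the path
                record["cleartext_auth"] = line
                conn.sendall(b"235 2.7.0 ok\r\n")
            else:  # QUIT (or anything unexpected): end the session
                conn.sendall(b"221 bye\r\n")
                break
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, record

def submit_login(port, user, password, require_tls):
    """require_tls=False is the downgrade-prone pattern (upgrade only if STARTTLS
    is advertised); True refuses cleartext AUTH, as SMTP_SSL on 465 does by design."""
    s = smtplib.SMTP("127.0.0.1", port, local_hostname="client.example")
    s.ehlo()
    if s.has_extn("starttls"):
        s.starttls()
        s.ehlo()
    elif require_tls:
        s.quit()
        raise RuntimeError("STARTTLS not offered; refusing cleartext AUTH")
    s.login(user, password)  # without TLS this AUTH PLAIN goes out unencrypted
    s.quit()
    return True

def password_from_auth_line(line):
    return base64.b64decode(line.split()[2]).split(b"\0")[2].decode()  # eavesdropper's view
```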
