I have the qmail.rm.ht working now Please let me know what you think > On Aug 13, 2018, at 22:45, Andrew Swartz <awswa...@acsalaska.net> wrote: > > I meant "servercert.pem" and NOT "tlsserverciphers". > > > -Andy > > > > > On 8/13/2018 9:43 PM, Andrew Swartz wrote: >> Remo, >> >> I don't think the order matters in tlsserverciphers. I cat'd the cert, the >> key, and the chain into my file, in that order, and it works fine. >> >> Nice bug catch on the cipher list. I made the script on the latest centos-7 >> toaster which installs with a cipher list of "DH:!LOW:!MEDIUM" in tcp.smtp. >> The sed command merely replaces it. If it's not present, or different, >> nothing happens (i.e. it fails gracefully). It did not seem to affect your >> connection, as that was just a cert verify problem. >> >> Do you have a TLSCIPHERS environ. variable in tcp.smtp? In my file, the >> line for remote mail ends with: >> TLSCIPHERS="ECDHE:DHE:ECDH:DH:AES:!SSLv2!SSLv3" >> >> I just checked a centos-5 installation, and there is no TLSCIPHERS variable >> in tcp.smtp. I just connected to that machine with s_client and it >> established a TLSv1.0 connection, so apparently there is a default cipher >> list present in qmail-smtpd (I confirmed that port 587 does not go through >> spamdyke). >> >> Specifying ciphers is merely due to my over paranoia. 99.999% of people >> will likely be happy with the defaults. >> >> -Andy >> >> >> >> On 8/13/2018 9:25 PM, Remo Mattei wrote: >>> I think I need to add the intermediary cert. looks like.. trying to figure >>> that out now.. not sure which order they go. >>> >>> Andrew Swartz wrote on 8/13/18 22:24: >>>> Remo, >>>> >>>> I just did this: >>>> >>>> openssl s_client -starttls smtp -crlf -connect qmail.rm.ht:587 >>>> >>>> and got the same result. >>>> >>>> Therefore you've probably had this problem for a while. >>>> >>>> Are you using the cert with the "full chain"? Apparently bare certs >>>> rarely verify, and I've read several recommendations to provide the >>>> server with the pem file containing the full chain. >>>> >>>> If you read the stuff at the "STARTTLS Everywhere" site, they state that >>>> most mail servers to not require (or even attempt) cert verification, >>>> and changing this is one of their goals. >>>> >>>> -Andy >>>> >>>> >>>> >>>> On 8/13/2018 8:56 PM, Remo Mattei wrote: >>>>> Any suggestions on this Andy? >>>>> >>>>> openssl s_client -crlf -connect qmail.rm.ht:465 >>>>> CONNECTED(00000005) >>>>> depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = qmail.rm.ht >>>>> verify error:num=20:unable to get local issuer certificate >>>>> verify return:1 >>>>> depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = qmail.rm.ht >>>>> verify error:num=27:certificate not trusted >>>>> verify return:1 >>>>> depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = qmail.rm.ht >>>>> verify error:num=21:unable to verify the first certificate >>>>> verify return:1 >>>>> --- >>>>> Certificate chain >>>>> 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=qmail.rm.ht >>>>> i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO >>>>> RSA Domain Validation Secure Server CA >>>>> --- >>>>> >>>>> >>>>> I do have a valid cert as you can see it’s from COMODO. But not sure >>>>> about the first few lines >>>>> >>>>> Remo >>>>> >>>>>> On Aug 13, 2018, at 21:42, Andrew Swartz <awswa...@acsalaska.net >>>>>> <mailto:awswa...@acsalaska.net> >>>>>> <mailto:awswa...@acsalaska.net> <mailto:awswa...@acsalaska.net>> wrote: >>>>>> >>>>>> I just realized that the plain text line-wrapped the script, so here >>>>>> is an unwrapped version in case anyone else wants to use it. Also, I >>>>>> made it multiline so you can cut and paste it into a terminal and >>>>>> accomplish this in about 3 seconds with netstat confirming success (it >>>>>> should print a single line showing tcpserver listening on 465). >>>>>> >>>>>> rfc8314 <https://tools.ietf.org/html/rfc8314> >>>>>> <https://tools.ietf.org/html/rfc8314> in Jan of this year >>>>>> reinstates port 465/tls because starttls (port 587) is broken beyond >>>>>> repair (from a security perspective). So eventually everyone may >>>>>> eventually need to go back to port 465. But since servers get to >>>>>> dictate setting to their clients without creating interoperability >>>>>> issues, it will likely be many years before this occurs. >>>>>> >>>>>> The critical flaw in starttls is that some ISP's and/or governments >>>>>> have been caught filtering out the STARTTLS packet and thus preventing >>>>>> the initiation of encryption (a "starttls downgrade attack"). In that >>>>>> case, the client's username and password are sent in the clear. And >>>>>> if an eavesdropper gets those, they can wreak havoc on your your life >>>>>> (i.e. by resetting the password for your bank or other online >>>>>> accounts, etc). With port 465/tls, the client connection either >>>>>> establishes encryption or fails; it cannot be tricked into using >>>>>> clear-text. >>>>>> >>>>>> Anyway, here is the paste-able script: >>>>>> >>>>>> qmailctl stop; \ >>>>>> cp -r /var/qmail/supervise/submission /var/qmail/supervise/smtps; \ >>>>>> chown -R qmaill:qmail /var/qmail/supervise/smtps; \ >>>>>> sed -i 's/REQUIRE_AUTH=1/REQUIRE_AUTH=1\nexport SMTPS=1/' >>>>>> /var/qmail/supervise/smtps/run; \ >>>>>> sed -i 's/587/465/' /var/qmail/supervise/smtps/run; \ >>>>>> sed -i 's/submission/smtps/' /var/qmail/supervise/smtps/log/run; \ >>>>>> sed -i 's/DH:!LOW:!MEDIUM/ECDHE:DHE:ECDH:DH:AES:!SSLv2:!SSLv3/' >>>>>> /etc/tcprules.d/tcp.smtp; \ >>>>>> qmailctl cdb; \ >>>>>> qmailctl start; \ >>>>>> netstat -lnp | grep 465 >>>>>> >>>>>> >>>>>> -Andy >>>>>> >>>>>> PS: If old clients cannot connect, then remove the "!SSLv3" from the >>>>>> cipher list in tcp.smtp >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On 8/13/2018 7:32 PM, Remo Mattei wrote: >>>>>>> Cool! I remember I did it like Eric described but the bottom line is >>>>>>> it works either way. I do not offer 465 any longer :) >>>>>>> >>>>>>> *dal mio iPhone X* >>>>>>> >>>>>>> Il giorno 13 ago 2018, alle ore 20:25, Andrew Swartz >>>>>>> <awswa...@acsalaska.net <mailto:awswa...@acsalaska.net> >>>>>>> <mailto:awswa...@acsalaska.net> <mailto:awswa...@acsalaska.net>> ha >>>>>>> scritto: >>>>>>> >>>>>>>> I eventually figured this out, and accomplished the same result though >>>>>>>> I >>>>>>>> went about it slightly differently. It is now fully functional. Below >>>>>>>> is the script which I created and accomplishes this in very few lines. >>>>>>>> It copies the supervise/smtp directory to supervise/smtps and it then >>>>>>>> edits a few values in two files files (plus editing the cipher list in >>>>>>>> tcp.smtp). >>>>>>>> >>>>>>>> >>>>>>>> qmailctl stop >>>>>>>> cp -r /var/qmail/supervise/submission /var/qmail/supervise/smtps >>>>>>>> chown -R qmaill:qmail /var/qmail/supervise/smtps >>>>>>>> sed -i 's/REQUIRE_AUTH=1/REQUIRE_AUTH=1\nexport SMTPS=1/' >>>>>>>> /var/qmail/supervise/smtps/run >>>>>>>> sed -i 's/587/465/' /var/qmail/supervise/smtps/run >>>>>>>> sed -i 's/submission/smtps/' /var/qmail/supervise/smtps/log/run >>>>>>>> sed -i 's/DH:!LOW:!MEDIUM/ECDHE:DHE:ECDH:DH:AES:!SSLv2/' >>>>>>>> /etc/tcprules.d/tcp.smtp >>>>>>>> qmailctl cdb >>>>>>>> qmailctl start >>>>>>>> >>>>>>>> >>>>>>>> Thanks for confirming that I did it right, >>>>>>>> Andy >>>>>>>> >>>>>>>> >>>>>>>> On 8/13/2018 7:06 PM, Eric Broch wrote: >>>>>>>>> Stock CentOS 7 does not have SMTPS standard. You must create the >>>>>>>>> supervise scripts. >>>>>>>>> >>>>>>>>> You could stop qmail >>>>>>>>> >>>>>>>>> # qmailctl stop >>>>>>>>> >>>>>>>>> and copy smtp supervise scripts to smtps (make sure qmail is stopped >>>>>>>>> or >>>>>>>>> else you'll have a mess): >>>>>>>>> >>>>>>>>> # cp -Rp /var/qmail/supervise/smtp /var/qmail/supervise/smtps >>>>>>>>> >>>>>>>>> Then change two files: >>>>>>>>> >>>>>>>>> /var/qmail/supervise/smtps/run >>>>>>>>> >>>>>>>>> <run> >>>>>>>>> >>>>>>>>> #!/bin/sh >>>>>>>>> QMAILDUID=`id -u vpopmail` >>>>>>>>> NOFILESGID=`id -g vpopmail` >>>>>>>>> MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` >>>>>>>>> SMTPD="/var/qmail/bin/qmail-smtpd" >>>>>>>>> TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb" >>>>>>>>> HOSTNAME=`hostname` >>>>>>>>> VCHKPW="/home/vpopmail/bin/vchkpw" >>>>>>>>> export SMTPS=1 >>>>>>>>> >>>>>>>>> exec /usr/bin/softlimit -m 128000000 \ >>>>>>>>> /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c >>>>>>>>> "$MAXSMTPD" \ >>>>>>>>> -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \ >>>>>>>>> $SMTPD $VCHKPW /bin/true 2>&1 >>>>>>>>> >>>>>>>>> </run> >>>>>>>>> >>>>>>>>> & >>>>>>>>> >>>>>>>>> /var/qmail/supervise/smtps/log/run >>>>>>>>> >>>>>>>>> <run> >>>>>>>>> >>>>>>>>> #!/bin/sh >>>>>>>>> LOGSIZE=`cat /var/qmail/control/logsize` >>>>>>>>> LOGCOUNT=`cat /var/qmail/control/logcount` >>>>>>>>> exec /usr/bin/setuidgid qmaill /usr/bin/multilog \ >>>>>>>>> t s$LOGSIZE n$LOGCOUNT /var/log/qmail/smtps 2>&1 >>>>>>>>> >>>>>>>>> </run> >>>>>>>>> >>>>>>>>> Start qmail (# qmailctl start) >>>>>>>>> >>>>>>>>> >>>>>>>>> On 8/11/2018 6:36 PM, Andrew Swartz wrote: >>>>>>>>>> I just installed qmailtoaster onto CentOS-7. The qt_install script >>>>>>>>>> opened port 465 on the firewall. However, s_client cannot connect to >>>>>>>>>> port 465 and netstat shows that nothing is listening on port 465. >>>>>>>>>> >>>>>>>>>> Can anyone point me at appropriate instructions for setting up >>>>>>>>>> listening >>>>>>>>>> on port 465 which are specific (or applicable) to qmailtoaster? I >>>>>>>>>> searched wiki.qmailtoaster.com <http://wiki.qmailtoaster.com/> >>>>>>>>>> <http://wiki.qmailtoaster.com/> and >>>>>>>>>> found nothing. I did some general >>>>>>>>>> googling and found several somewhat conflicting descriptions but I'm >>>>>>>>>> unsure which apply to the configuration used in qmailtoaster. >>>>>>>>>> >>>>>>>>>> My interest is because 465 has been reinstated (in Jan 2018) as the >>>>>>>>>> preferred submission port due to security problems with STARTTLS >>>>>>>>>> (https://tools.ietf.org/html/rfc8314 >>>>>>>>>> <https://tools.ietf.org/html/rfc8314>). >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> -Andy >>>>>>>>>> >>>>>>>>>> >>>>>>>> -- >>>>>>>> Andrew W. Swartz, MD >>>>>>>> Departments of Emergency Medicine, Family Medicine, and Surgery >>>>>>>> Yukon-Kuskokwim Delta Regional Hospital >>>>>>>> Bethel, Alaska >>>>>>>> >>>>>> -- >>>>>> Andrew W. Swartz, MD >>>>>> Departments of Emergency Medicine, Family Medicine, and Surgery >>>>>> Yukon-Kuskokwim Delta Regional Hospital >>>>>> Bethel, Alaska >>> >>> -- >>> Sent from Postbox <https://www.postbox-inc.com/> >> -- >> Andrew W. Swartz, MD >> Departments of Emergency Medicine, Family Medicine, and Surgery >> Yukon-Kuskokwim Delta Regional Hospital >> Bethel, Alaska > > -- > Andrew W. Swartz, MD > Departments of Emergency Medicine, Family Medicine, and Surgery > Yukon-Kuskokwim Delta Regional Hospital > Bethel, Alaska
signature.asc
Description: Message signed with OpenPGP