Eric,

I already had smtps installed.  The new package seems to have
overwritten the prior files.

However, that was minimally problematic because I have smtps configured
a little differently than standard.  I have supervise/smtps/run specify
a separate tcprules.d file for smtps. This allows me to have a much
stricter cipherlist for mail submission than for relay.  The rationale
being that I can mandate that submission clients are up to date and
using TLSv1.2.  But for relay, I have to support all the old servers
(like qmail on centos-5) having an inability to do anything better than
SSLv3.

I'm not wild about the cipherlist which installed, but that was easy to
change.  My understanding is that the order of the ciphers in the list
is important in that openssl interprets the list in a most-preferred to
least-preferred order.  The list which installed has several SSLv3
ciphers very early in the list.

While one can specify exact ciphers, openssl also allows specifying the
cipher "suites" instead
(https://www.openssl.org/docs/manmaster/man1/ciphers.html).  I think
this is much more intuitive. I'm currently playing around with 'openssl
cipherlist' to get my preferred content and order correct.  I'm
currently leaning toward:

'TLSv1.2:SSLv3:!eNULL:!aNULL'   for smtp

and

'TLSv1.2:!eNULL:!aNULL'         for smtps

The important effect of my smtp list is that all of the TLSv1.2 ciphers
are preferred/attempted before reverting to SSLv3 ciphers.

Here is a paste-able command with human readable output to see the
content and order of the results (you will need to widen the terminal
window to see it correctly):

openssl ciphers -v 'TLSv1.2:SSLv3:!eNULL:!aNULL' | awk '{ printf "%-29s
%-9s  %-13s  %-10s  %-17s  %-s\n",$1,$2,$3,$4,$5,$6 }'

Playing with this has taught me some interesting things (which I do
vaguely remember reading elsewhere at some point).  First, there are no
TLSv1.1 ciphers.  Also, the TLSv1 ciphers are the same ciphers as SSLv3.
 Therefore listing 'TLSv1:!SSLv3' yields no ciphers. The take-home
message is that you either get TLSv1.2 or SSLv3; there is no in-between
for the ciphers.  That's why my above lists omit TLSv1.1 and TLSv1. My
understanding is that TLSv1 and TLSv1.1 had improvements in the protocol
but not the ciphers.

I refuse to use ALL, LOW, etc for creating the cipher list because they
are extremely opaque.  If a notice comes out saying "no one should use
SSLv3", these vague terms do not tell me if I'm using that.  I see no
downside to explicitly specifying the cipher suites.  If you want to be
insecure, you could specify SSLv2.  When the new openssl 1.1.1 comes out
and supports TLSv1.3 (which should happen any day), then I'll explicitly
add that to my cipherlist. If nothing else, it will prompt me to review
the list occasionally.

That merely addresses the ciphers.  There is also significance to the
SSL and TLS protocols, but there appears to be no qmail setting for
those.  It would be far better to use TLSv1 protocol than SSLv3 protocol
even though the ciphers are identical.  I'm gonna do some testing with
changing my qmail cipherlist and connecting via s_client with explicit
protocols and see how much effect the specified cipherlist has upon the
protocol.

This was intended to be a short email.  Sorry.  "I'm sorry this letter
is so long, I didn't have time to compose a short one."

I've had a lot of time this last week to work on this, but I now have
very little time until next week.  I'll consider testing 1.03-3.1 when I
get another chunk of time.

-Andy



On 8/16/2018 9:35 AM, Eric Broch wrote:
> Thanks, Andy.
> 
> It installed SMTPS, correct?
> 
> If you felt bold, I needed some folks to test 1.03-3.1. ;-)
> 
> Eric
> 
> 
> On 8/16/2018 11:28 AM, Andrew Swartz wrote:
>> Eric,
>>
>> Thanks for the help.  I installed qmail-1.03-3.qt.el7.x86_64.rpm without
>> difficulty and it seems to be fully functional.
>>
>> -Andy
>>
>>
>> On 8/15/2018 9:01 AM, Eric Broch wrote:
>>> I ran this 1.03-3 version for several months with no issues, and haven't
>>> heard anything from the community on it.
>>>
>>> I personally upgraded to 1.03-3.1 (in the development tree) now on my
>>> own production machine. In this version I take all the patches (below),
>>> carrying over some, updating some and adding extras, and apply them in
>>> an orderly fashion instead of using one big patch because IMHO opinion
>>> patching will be easier to maintain this way. I'm going to create
>>> 1.03-3.2 in which I'll add to qmail-smtpd more extensive logging mainly
>>> to indicate a message's having been queued. And, I'd also like to
>>> possibly add logging to qmail-remote.
>>>
>>> I was motivated to update/add patches by the work of
>>>
>>> Roberto Puzzanghera <https://notes.sagredo.eu/>,
>>> <https://www.fehcom.de/>
>>>
>>> Erwin Hoffmann <https://www.fehcom.de/>,
>>>
>>> Frederik Vermeulen <http://inoa.net/qmail-tls/>
>>>
>>> Manvendra Bhangui <http://www.indimail.org/>
>>>
>>> Kyle Wheeler <http://www.memoryhole.net/qmail/>
>>>
>>> among others.
>>>
>>>
>>>
>>> Patches
>>> 01 - netqmail-1.06 patch (Change qmail-1.03 to netqmail-1.06,
>>> http://www.qmail.org/netqmail/) - update
>>> 02 - chkuser 2.09 patch (Check 'mail from' and 'rcpt to',
>>> http://opensource.interazioni.it/qmail/chkuser/download.html) -
>>> carryover
>>> 03 - change location of vpopmail development libraries - carryover
>>> 04 - big concurrency (allows greater number of deliveries by qmail,
>>> above 255) - new
>>> 05 - big concurrency fix (fixes compiler error if number of
>>> concurrencies is set above 509) - new
>>> 06 - custom patch (adds error logging to simscan) - carryover
>>> 07 - maildir++ patch (adds quota support to qmail-pop3d and qmail-local)
>>> - carryover
>>> 08 - tap extended (Email Archive) - update
>>> 09 - spf (Security Policy Framework) - carryover
>>> 10 - warlord (Filter Windows Executables) - carryover
>>> 11 - canonical rcpt patch (log real evelope recipient) - carryover
>>> 12 - qregex (pattern, badhelo and etc..., matching) - carryover
>>> 13 - tls patch 20160918v - (SMTP SSL/TLS) Frederik Vermeulen - carryover
>>> 14 - auth 0.83 - Erwin Hoffmann (SMTP Authentication) - update
>>> 15 - force tls patch - Marcel Telka (Force TLS before authentication)
>>> - new
>>> 16 - chkusr patch (Extends chkusr functionality) - carryover
>>> 17 - smtpd spf qq reject logging (Extended logging for SMTP message
>>> failure...spf, looping, bad mime, and etc...) - carryover
>>> 18 - srs patch, most recent (Sender Rewriting Scheme) - update
>>> 19 - big dns patch (Large DNS packets) - carryover
>>> 20 - smtp line feed patch (Accept email terminated with lf in addition
>>> to standard crlf) - carryover
>>> 21 - eMPF patch (eMail Messaging Policy Framework) - carryover
>>> 22 - uids patch (Adds uids to log) - carryover
>>> 23 - remove cname lookup from qmail-remote
>>> (https://lists.gt.net/qmail/users/138190) - carryover
>>> 24 - maildir++ fix patch (fixes quota calculation) - new
>>> 25 - smtp addparse
>>> (http://qmail.cr.yp.narkive.com/kBry6GJl/bug-in-qmail-smtpd-c-addrparse-function)
>>>
>>> - new
>>> 26 - exttodo patch (Silly Qmail Syndrome) - new
>>> 27 - qmail remote rfc2821 compliance
>>> (http://www.memoryhole.net/qmail/#rfc2821) - new
>>> 28 - qmail smtpd 502 to 500 rfc2821 compliance
>>> (http://www.memoryhole.net/qmail/#rfc2821) - new
>>> 29 - qmail remote crlf (http://opensource.sf-tec.de/qmail/) - new
>>> 30 - reread concurrency
>>> (http://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#reread)
>>>
>>> new
>>> 31 - smtpd pidqplog (Logs pid so you can track transaction in log,
>>> http://iain.cx/qmail/patches.html#smtpd_pidqp) - new
>>> 32 - smtpd relay reject (http://qmail.org/qmail-smtpd-relay-reject) -
>>> new
>>> 33 - double bounce trim (http://qmail.org/doublebounce-trim.patch) - new
>>> 34 - qmail inject null sender -
>>> (http://notes.sagredo.eu/qmail-notes-185/qmail-inject-sieve-vacationreject-messages-trouble-133.html)
>>>
>>> - new
>>>
>>>
>>> On 8/15/2018 10:18 AM, Andrew Swartz wrote:
>>>> Eric,
>>>>
>>>> Thanks.
>>>>
>>>> What is the proper destination folder for the rpm (to allow the 'yum
>>>> localupdate' command)?
>>>>
>>>> -Andy
>>>>
>>>>
>>>> On 8/15/2018 7:25 AM, Eric Broch wrote:
>>>>> wget https://www.qmailtoaster.org/qmail-1.03-3.qt.el7.x86_64.rpm
>>>>>
>>>>> yum localupdate qmail-1.03-3.qt.el7.x86_64.rpm
>>>>>
>>>>>
>>>>> On 8/15/2018 9:22 AM, Andrew Swartz wrote:
>>>>>> I just realized that the qt-install script did not install
>>>>>> qmail-1.03-3
>>>>>> on my new centos-7 toaster.
>>>>>>
>>>>>> Does anyone have experience with the qmail-1.03-3 update?
>>>>>>
>>>>>> -Andy
>>>>>>
>>> -- 
>>> Eric Broch
>>> White Horse Technical Consulting (WHTC)
>>>
> 

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to