Andy,

Would you mind sharing your tcprules files and smtp/smtps run scripts?

Eric


On 8/16/2018 3:03 PM, Andrew Swartz wrote:
Eric,

I already had smtps installed.  The new package seems to have
overwritten the prior files.

However, that was minimally problematic because I have smtps configured
a little differently than standard.  I have supervise/smtps/run specify
a separate tcprules.d file for smtps. This allows me to have a much
stricter cipherlist for mail submission than for relay.  The rationale
being that I can mandate that submission clients are up to date and
using TLSv1.2.  But for relay, I have to support all the old servers
(like qmail on centos-5) having an inability to do anything better than
SSLv3.

I'm not wild about the cipherlist which installed, but that was easy to
change.  My understanding is that the order of the ciphers in the list
is important in that openssl interprets the list in a most-preferred to
least-preferred order.  The list which installed has several SSLv3
ciphers very early in the list.

While one can specify exact ciphers, openssl also allows specifying the
cipher "suites" instead
(https://www.openssl.org/docs/manmaster/man1/ciphers.html).  I think
this is much more intuitive. I'm currently playing around with 'openssl
cipherlist' to get my preferred content and order correct.  I'm
currently leaning toward:

'TLSv1.2:SSLv3:!eNULL:!aNULL'   for smtp

and

'TLSv1.2:!eNULL:!aNULL'         for smtps

The important effect of my smtp list is that all of the TLSv1.2 ciphers
are preferred/attempted before reverting to SSLv3 ciphers.

Here is a paste-able command with human readable output to see the
content and order of the results (you will need to widen the terminal
window to see it correctly):

openssl ciphers -v 'TLSv1.2:SSLv3:!eNULL:!aNULL' | awk '{ printf "%-29s  %-9s  %-13s  %-10s  %-17s  %-s\n",$1,$2,$3,$4,$5,$6 }'

Playing with this has taught me some interesting things (which I do
vaguely remember reading elsewhere at some point).  First, there are no
TLSv1.1 ciphers.  Also, the TLSv1 ciphers are the same ciphers as SSLv3.
Therefore listing 'TLSv1:!SSLv3' yields no ciphers. The take-home
message is that you either get TLSv1.2 or SSLv3; there is no in-between
for the ciphers.  That's why my above lists omit TLSv1.1 and TLSv1. My
understanding is that TLSv1 and TLSv1.1 had improvements in the protocol
but not the ciphers.

I refuse to use ALL, LOW, etc for creating the cipher list because they
are extremely opaque.  If a notice comes out saying "no one should use
SSLv3", these vague terms do not tell me if I'm using that.  I see no
downside to explicitly specifying the cipher suites.  If you want to be
insecure, you could specify SSLv2.  When the new openssl 1.1.1 comes out
and supports TLSv1.3 (which should happen any day), then I'll explicitly
add that to my cipherlist. If nothing else, it will prompt me to review
the list occasionally.

That merely addresses the ciphers.  There is also significance to the
SSL and TLS protocols, but there appears to be no qmail setting for
those.  It would be far better to use TLSv1 protocol than SSLv3 protocol
even though the ciphers are identical.  I'm gonna do some testing with
changing my qmail cipherlist and connecting via s_client with explicit
protocols and see how much effect the specified cipherlist has upon the
protocol.

This was intended to be a short email.  Sorry.  "I'm sorry this letter
is so long, I didn't have time to compose a short one."

I've had a lot of time this last week to work on this, but I now have
very little time until next week.  I'll consider testing 1.03-3.1 when I
get another chunk of time.

-Andy
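A check of the kind described above, added here as an example (it is not from the thread and not qmail or OpenSSL project code): it parses the `openssl ciphers -v` output format and verifies that every TLSv1.2 suite precedes every SSLv3 suite, that a submission-only list contains TLSv1.2 suites alone, and that no NULL-encryption or anonymous suites (the ones `!eNULL:!aNULL` is meant to strip) remain. The sample output lines are constructed so the script runs offline; `run_openssl` is a hypothetical helper for feeding it a live cipher spec on a host that has `openssl`.

```python
"""Sanity-check an OpenSSL cipher list by parsing `openssl ciphers -v` output.

OpenSSL evaluates a cipher string most-preferred first, so the order of the
printed rows is the order the server will offer them.  The checks below flag
SSLv3 rows that sit ahead of any TLSv1.2 row, rows with no encryption or no
authentication, and (for a submission-only list) any protocol other than
TLSv1.2.
"""
import subprocess

# Constructed sample of `openssl ciphers -v` output for a relay-style list
# (TLSv1.2 first, SSLv3 fallback last).  Columns: name, protocol, Kx=, Au=,
# Enc=, Mac=.  These rows are illustrative, not captured from a real host.
SAMPLE_RELAY = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
"""

# Constructed submission-style list: TLSv1.2 only.
SAMPLE_SUBMISSION = "\n".join(SAMPLE_RELAY.splitlines()[:3]) + "\n"

# Constructed bad list: SSLv3 rows ahead of TLSv1.2, plus an anonymous suite.
SAMPLE_BAD = """\
AES256-SHA                  SSLv3   Kx=RSA  Au=RSA  Enc=AES(256)    Mac=SHA1
AECDH-AES256-SHA            SSLv3   Kx=ECDH Au=None Enc=AES(256)    Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
"""


def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` lines into dicts with name, proto, kx, au, enc, mac."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # skip blank or malformed lines
        row = {"name": parts[0], "proto": parts[1]}
        for field in parts[2:]:
            key, _, value = field.partition("=")
            row[key.lower()] = value
        rows.append(row)
    return rows


def protocols(rows):
    """Sorted set of protocol labels present in the list."""
    return sorted({r["proto"] for r in rows})


def ordering_violations(rows):
    """Names of SSLv3 suites that appear before the last TLSv1.2 suite."""
    tls12_positions = [i for i, r in enumerate(rows) if r["proto"] == "TLSv1.2"]
    if not tls12_positions:
        return []
    last_tls12 = tls12_positions[-1]
    return [r["name"] for i, r in enumerate(rows)
            if i < last_tls12 and r["proto"] == "SSLv3"]


def weak_suites(rows):
    """Suites with no encryption (eNULL) or no authentication (aNULL)."""
    return [r["name"] for r in rows
            if r.get("enc") == "None" or r.get("au") == "None"]


def submission_ok(rows):
    """A submission (smtps) list must be non-empty, TLSv1.2 only, and free of weak suites."""
    return bool(rows) and protocols(rows) == ["TLSv1.2"] and not weak_suites(rows)


def run_openssl(spec):
    """Hypothetical helper: parse the live output for `spec` on a host with openssl."""
    out = subprocess.run(["openssl", "ciphers", "-v", spec],
                         check=True, capture_output=True, text=True).stdout
    return parse_ciphers_v(out)


if __name__ == "__main__":
    for label, text in (("relay", SAMPLE_RELAY), ("submission", SAMPLE_SUBMISSION),
                        ("bad", SAMPLE_BAD)):
        rows = parse_ciphers_v(text)
        print(f"{label}: protocols={protocols(rows)} "
              f"order_violations={ordering_violations(rows)} "
              f"weak={weak_suites(rows)} submission_ok={submission_ok(rows)}")
```

Run it against a real list with `run_openssl('TLSv1.2:SSLv3:!eNULL:!aNULL')` in place of the constructed samples; the relay list should show no ordering violations and no weak suites, and the smtps list should pass `submission_ok`.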



On 8/16/2018 9:35 AM, Eric Broch wrote:
Thanks, Andy.

It installed SMTPS, correct?

If you felt bold, I needed some folks to test 1.03-3.1. ;-)

Eric


On 8/16/2018 11:28 AM, Andrew Swartz wrote:
Eric,

Thanks for the help.  I installed qmail-1.03-3.qt.el7.x86_64.rpm without
difficulty and it seems to be fully functional.

-Andy


On 8/15/2018 9:01 AM, Eric Broch wrote:
I ran this 1.03-3 version for several months with no issues, and haven't
heard anything from the community on it.

I personally upgraded to 1.03-3.1 (in the development tree) now on my
own production machine. In this version I take all the patches (below),
carrying over some, updating some and adding extras, and apply them in
an orderly fashion instead of using one big patch because IMHO
patching will be easier to maintain this way. I'm going to create
1.03-3.2 in which I'll add to qmail-smtpd more extensive logging mainly
to indicate a message's having been queued. And, I'd also like to
possibly add logging to qmail-remote.

I was motivated to update/add patches by the work of

Roberto Puzzanghera <https://notes.sagredo.eu/>,

Erwin Hoffmann <https://www.fehcom.de/>,

Frederik Vermeulen <http://inoa.net/qmail-tls/>

Manvendra Bhangui <http://www.indimail.org/>

Kyle Wheeler <http://www.memoryhole.net/qmail/>

among others.



Patches
01 - netqmail-1.06 patch (Change qmail-1.03 to netqmail-1.06,
http://www.qmail.org/netqmail/) - update
02 - chkuser 2.09 patch (Check 'mail from' and 'rcpt to',
http://opensource.interazioni.it/qmail/chkuser/download.html) -
carryover
03 - change location of vpopmail development libraries - carryover
04 - big concurrency (allows greater number of deliveries by qmail,
above 255) - new
05 - big concurrency fix (fixes compiler error if number of
concurrencies is set above 509) - new
06 - custom patch (adds error logging to simscan) - carryover
07 - maildir++ patch (adds quota support to qmail-pop3d and qmail-local)
- carryover
08 - tap extended (Email Archive) - update
09 - spf (Security Policy Framework) - carryover
10 - warlord (Filter Windows Executables) - carryover
11 - canonical rcpt patch (log real envelope recipient) - carryover
12 - qregex (pattern, badhelo and etc..., matching) - carryover
13 - tls patch 20160918v - (SMTP SSL/TLS) Frederik Vermeulen - carryover
14 - auth 0.83 - Erwin Hoffmann (SMTP Authentication) - update
15 - force tls patch - Marcel Telka (Force TLS before authentication)
- new
16 - chkusr patch (Extends chkusr functionality) - carryover
17 - smtpd spf qq reject logging (Extended logging for SMTP message
failure...spf, looping, bad mime, and etc...) - carryover
18 - srs patch, most recent (Sender Rewriting Scheme) - update
19 - big dns patch (Large DNS packets) - carryover
20 - smtp line feed patch (Accept email terminated with lf in addition
to standard crlf) - carryover
21 - eMPF patch (eMail Messaging Policy Framework) - carryover
22 - uids patch (Adds uids to log) - carryover
23 - remove cname lookup from qmail-remote
(https://lists.gt.net/qmail/users/138190) - carryover
24 - maildir++ fix patch (fixes quota calculation) - new
25 - smtp addparse
(http://qmail.cr.yp.narkive.com/kBry6GJl/bug-in-qmail-smtpd-c-addrparse-function)
- new
26 - exttodo patch (Silly Qmail Syndrome) - new
27 - qmail remote rfc2821 compliance
(http://www.memoryhole.net/qmail/#rfc2821) - new
28 - qmail smtpd 502 to 500 rfc2821 compliance
(http://www.memoryhole.net/qmail/#rfc2821) - new
29 - qmail remote crlf (http://opensource.sf-tec.de/qmail/) - new
30 - reread concurrency
(http://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#reread)
- new
31 - smtpd pidqplog (Logs pid so you can track transaction in log,
http://iain.cx/qmail/patches.html#smtpd_pidqp) - new
32 - smtpd relay reject (http://qmail.org/qmail-smtpd-relay-reject) -
new
33 - double bounce trim (http://qmail.org/doublebounce-trim.patch) - new
34 - qmail inject null sender
(http://notes.sagredo.eu/qmail-notes-185/qmail-inject-sieve-vacationreject-messages-trouble-133.html)
- new


On 8/15/2018 10:18 AM, Andrew Swartz wrote:
Eric,

Thanks.

What is the proper destination folder for the rpm (to allow the 'yum
localupdate' command)?

-Andy


On 8/15/2018 7:25 AM, Eric Broch wrote:
wget https://www.qmailtoaster.org/qmail-1.03-3.qt.el7.x86_64.rpm

yum localupdate qmail-1.03-3.qt.el7.x86_64.rpm


On 8/15/2018 9:22 AM, Andrew Swartz wrote:
I just realized that the qt-install script did not install
qmail-1.03-3
on my new centos-7 toaster.

Does anyone have experience with the qmail-1.03-3 update?

-Andy

--
Eric Broch
White Horse Technical Consulting (WHTC)



