Here is what I had to change, since by default it did not change it.

In my smtps run file I had to change this

export SMTPS=1

To this export SMTPAUTH="!"

To get it to work.

Remo



> On Aug 16, 2018, at 14:33, Eric Broch <ebr...@whitehorsetc.com> wrote:
> 
> Andy,
> 
> Would you mind sharing your tcprules files and smtp/smtps run scripts?
> 
> Eric
> 
> 
> On 8/16/2018 3:03 PM, Andrew Swartz wrote:
>> Eric,
>> 
>> I already had smtps installed.  The new package seems to have
>> overwritten the prior files.
>> 
>> However, that was minimally problematic because I have smtps configured
>> a little differently than standard.  I have supervise/smtps/run specify
>> a separate tcprules.d file for smtps. This allows me to have a much
>> stricter cipherlist for mail submission than for relay.  The rationale
>> being that I can mandate that submission clients are up to date and
>> using TLSv1.2.  But for relay, I have to support all the old servers
>> (like qmail on centos-5) having an inability to do anything better than
>> SSLv3.
>> 
>> I'm not wild about the cipherlist which installed, but that was easy to
>> change.  My understanding is that the order of the ciphers in the list
>> is important in that openssl interprets the list in a most-preferred to
>> least-preferred order.  The list which installed has several SSLv3
>> ciphers very early in the list.
>> 
>> While one can specify exact ciphers, openssl also allows specifying the
>> cipher "suites" instead
>> (https://www.openssl.org/docs/manmaster/man1/ciphers.html).  I think
>> this is much more intuitive. I'm currently playing around with 'openssl
>> cipherlist' to get my preferred content and order correct.  I'm
>> currently leaning toward:
>> 
>> 'TLSv1.2:SSLv3:!eNULL:!aNULL'        for smtp
>> 
>> and
>> 
>> 'TLSv1.2:!eNULL:!aNULL'              for smtps
>> 
>> The important effect of my smtp list is that all of the TLSv1.2 ciphers
>> are preferred/attempted before reverting to SSLv3 ciphers.
>> 
>> Here is a paste-able command with human readable output to see the
>> content and order of the results (you will need to widen the terminal
>> window to see it correctly):
>> 
>> openssl ciphers -v 'TLSv1.2:SSLv3:!eNULL:!aNULL' | awk '{ printf "%-29s  %-9s  %-13s  %-10s  %-17s  %-s\n",$1,$2,$3,$4,$5,$6 }'
>> 
>> Playing with this has taught me some interesting things (which I do
>> vaguely remember reading elsewhere at some point).  First, there are no
>> TLSv1.1 ciphers.  Also, the TLSv1 ciphers are the same ciphers as SSLv3.
>> Therefore listing 'TLSv1:!SSLv3' yields no ciphers. The take-home
>> message is that you either get TLSv1.2 or SSLv3; there is no in-between
>> for the ciphers.  That's why my above lists omit TLSv1.1 and TLSv1. My
>> understanding is that TLSv1 and TLSv1.1 had improvements in the protocol
>> but not the ciphers.
>> 
>> I refuse to use ALL, LOW, etc for creating the cipher list because they
>> are extremely opaque.  If a notice comes out saying "no one should use
>> SSLv3", these vague terms do not tell me if I'm using that.  I see no
>> downside to explicitly specifying the cipher suites.  If you want to be
>> insecure, you could specify SSLv2.  When the new openssl 1.1.1 comes out
>> and supports TLSv1.3 (which should happen any day), then I'll explicitly
>> add that to my cipherlist. If nothing else, it will prompt me to review
>> the list occasionally.
>> 
>> That merely addresses the ciphers.  There is also significance to the
>> SSL and TLS protocols, but there appears to be no qmail setting for
>> those.  It would be far better to use TLSv1 protocol than SSLv3 protocol
>> even though the ciphers are identical.  I'm gonna do some testing with
>> changing my qmail cipherlist and connecting via s_client with explicit
>> protocols and see how much effect the specified cipherlist has upon the
>> protocol.
>> 
>> This was intended to be a short email.  Sorry.  "I'm sorry this letter
>> is so long, I didn't have time to compose a short one."
>> 
>> I've had a lot of time this last week to work on this, but I now have
>> very little time until next week.  I'll consider testing 1.03-3.1 when I
>> get another chunk of time.
>> 
>> -Andy
>> 
>> 
>> 
>> On 8/16/2018 9:35 AM, Eric Broch wrote:
>>> Thanks, Andy.
>>> 
>>> It installed SMTPS, correct?
>>> 
>>> If you felt bold, I needed some folks to test 1.03-3.1. ;-)
>>> 
>>> Eric
>>> 
>>> 
>>> On 8/16/2018 11:28 AM, Andrew Swartz wrote:
>>>> Eric,
>>>> 
>>>> Thanks for the help.  I installed qmail-1.03-3.qt.el7.x86_64.rpm without
>>>> difficulty and it seems to be fully functional.
>>>> 
>>>> -Andy
>>>> 
>>>> 
>>>> On 8/15/2018 9:01 AM, Eric Broch wrote:
>>>>> I ran this 1.03-3 version for several months with no issues, and haven't
>>>>> heard anything from the community on it.
>>>>> 
>>>>> I personally upgraded to 1.03-3.1 (in the development tree) now on my
>>>>> own production machine. In this version I take all the patches (below),
>>>>> carrying over some, updating some and adding extras, and apply them in
>>>>> an orderly fashion instead of using one big patch because IMHO
>>>>> patching will be easier to maintain this way. I'm going to create
>>>>> 1.03-3.2 in which I'll add to qmail-smtpd more extensive logging mainly
>>>>> to indicate a message's having been queued. And, I'd also like to
>>>>> possibly add logging to qmail-remote.
>>>>> 
>>>>> I was motivated to update/add patches by the work of
>>>>> 
>>>>> Roberto Puzzanghera <https://notes.sagredo.eu/>,
>>>>> 
>>>>> Erwin Hoffmann <https://www.fehcom.de/>,
>>>>> 
>>>>> Frederik Vermeulen <http://inoa.net/qmail-tls/>
>>>>> 
>>>>> Manvendra Bhangui <http://www.indimail.org/>
>>>>> 
>>>>> Kyle Wheeler <http://www.memoryhole.net/qmail/>
>>>>> 
>>>>> among others.
>>>>> 
>>>>> 
>>>>> 
>>>>> Patches
>>>>> 01 - netqmail-1.06 patch (Change qmail-1.03 to netqmail-1.06,
>>>>> http://www.qmail.org/netqmail/) - update
>>>>> 02 - chkuser 2.09 patch (Check 'mail from' and 'rcpt to',
>>>>> http://opensource.interazioni.it/qmail/chkuser/download.html) -
>>>>> carryover
>>>>> 03 - change location of vpopmail development libraries - carryover
>>>>> 04 - big concurrency (allows greater number of deliveries by qmail,
>>>>> above 255) - new
>>>>> 05 - big concurrency fix (fixes compiler error if number of
>>>>> concurrencies is set above 509) - new
>>>>> 06 - custom patch (adds error logging to simscan) - carryover
>>>>> 07 - maildir++ patch (adds quota support to qmail-pop3d and qmail-local)
>>>>> - carryover
>>>>> 08 - tap extended (Email Archive) - update
>>>>> 09 - spf (Security Policy Framework) - carryover
>>>>> 10 - warlord (Filter Windows Executables) - carryover
>>>>> 11 - canonical rcpt patch (log real envelope recipient) - carryover
>>>>> 12 - qregex (pattern, badhelo and etc..., matching) - carryover
>>>>> 13 - tls patch 20160918v - (SMTP SSL/TLS) Frederik Vermeulen - carryover
>>>>> 14 - auth 0.83 - Erwin Hoffmann (SMTP Authentication) - update
>>>>> 15 - force tls patch - Marcel Telka (Force TLS before authentication)
>>>>> - new
>>>>> 16 - chkusr patch (Extends chkusr functionality) - carryover
>>>>> 17 - smtpd spf qq reject logging (Extended logging for SMTP message
>>>>> failure...spf, looping, bad mime, and etc...) - carryover
>>>>> 18 - srs patch, most recent (Sender Rewriting Scheme) - update
>>>>> 19 - big dns patch (Large DNS packets) - carryover
>>>>> 20 - smtp line feed patch (Accept email terminated with lf in addition
>>>>> to standard crlf) - carryover
>>>>> 21 - eMPF patch (eMail Messaging Policy Framework) - carryover
>>>>> 22 - uids patch (Adds uids to log) - carryover
>>>>> 23 - remove cname lookup from qmail-remote
>>>>> (https://lists.gt.net/qmail/users/138190) - carryover
>>>>> 24 - maildir++ fix patch (fixes quota calculation) - new
>>>>> 25 - smtp addparse
>>>>> (http://qmail.cr.yp.narkive.com/kBry6GJl/bug-in-qmail-smtpd-c-addrparse-function)
>>>>> - new
>>>>> 26 - exttodo patch (Silly Qmail Syndrome) - new
>>>>> 27 - qmail remote rfc2821 compliance
>>>>> (http://www.memoryhole.net/qmail/#rfc2821) - new
>>>>> 28 - qmail smtpd 502 to 500 rfc2821 compliance
>>>>> (http://www.memoryhole.net/qmail/#rfc2821) - new
>>>>> 29 - qmail remote crlf (http://opensource.sf-tec.de/qmail/) - new
>>>>> 30 - reread concurrency
>>>>> (http://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#reread)
>>>>> - new
>>>>> 31 - smtpd pidqplog (Logs pid so you can track transaction in log,
>>>>> http://iain.cx/qmail/patches.html#smtpd_pidqp) - new
>>>>> 32 - smtpd relay reject (http://qmail.org/qmail-smtpd-relay-reject) -
>>>>> new
>>>>> 33 - double bounce trim (http://qmail.org/doublebounce-trim.patch) - new
>>>>> 34 - qmail inject null sender
>>>>> (http://notes.sagredo.eu/qmail-notes-185/qmail-inject-sieve-vacationreject-messages-trouble-133.html)
>>>>> - new
>>>>> 
>>>>> 
>>>>> On 8/15/2018 10:18 AM, Andrew Swartz wrote:
>>>>>> Eric,
>>>>>> 
>>>>>> Thanks.
>>>>>> 
>>>>>> What is the proper destination folder for the rpm (to allow the 'yum
>>>>>> localupdate' command)?
>>>>>> 
>>>>>> -Andy
>>>>>> 
>>>>>> 
>>>>>> On 8/15/2018 7:25 AM, Eric Broch wrote:
>>>>>>> wget https://www.qmailtoaster.org/qmail-1.03-3.qt.el7.x86_64.rpm
>>>>>>> 
>>>>>>> yum localupdate qmail-1.03-3.qt.el7.x86_64.rpm
>>>>>>> 
>>>>>>> 
>>>>>>> On 8/15/2018 9:22 AM, Andrew Swartz wrote:
>>>>>>>> I just realized that the qt-install script did not install
>>>>>>>> qmail-1.03-3
>>>>>>>> on my new centos-7 toaster.
>>>>>>>> 
>>>>>>>> Does anyone have experience with the qmail-1.03-3 update?
>>>>>>>> 
>>>>>>>> -Andy
>>>>>>>> 
>>>>> --
>>>>> Eric Broch
>>>>> White Horse Technical Consulting (WHTC)
>>>>> 
> 
> --
> Eric Broch
> White Horse Technical Consulting (WHTC)
> 
> 
> 
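Added example (mine, not part of the thread): a small sh/awk checker for the ordering rule Andy describes above, run over constructed lines in the format of `openssl ciphers -v` output. It flags any TLSv1.2 suite that is listed after an SSLv3 suite and any suite with NULL encryption or NULL authentication; the two sample lists are constructed, and on a real host you would pipe `openssl ciphers -v '<your list>'` into check_order instead.

```shell
#!/bin/sh
# Constructed sample in the format of `openssl ciphers -v` (columns: name,
# protocol, Kx=, Au=, Enc=, Mac=). On a real host replace it with the output of:
#   openssl ciphers -v 'TLSv1.2:SSLv3:!eNULL:!aNULL'
GOOD_LIST='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1'

# Constructed counter-example: an SSLv3 suite ahead of a TLSv1.2 suite, plus a
# NULL-encryption suite, which is what an unreviewed default list can look like.
BAD_LIST='AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
NULL-SHA256                 TLSv1.2 Kx=RSA  Au=RSA Enc=None        Mac=SHA256'

# check_order: reads a cipher listing on stdin and prints "ok" when every
# TLSv1.2 suite precedes every SSLv3 suite and no suite has Enc=None or
# Au=None; otherwise it prints one "bad:" line per finding.
check_order() {
  awk '
    $2 == "SSLv3"                { seen_ssl3 = 1 }
    $2 == "TLSv1.2" && seen_ssl3 { print "bad: " $1 " (TLSv1.2) listed after an SSLv3 suite"; bad = 1 }
    $5 == "Enc=None"             { print "bad: " $1 " has NULL encryption"; bad = 1 }
    $4 == "Au=None"              { print "bad: " $1 " has NULL authentication"; bad = 1 }
    END { if (!bad) print "ok" }'
}

# count_proto: number of suites in the listing whose protocol column equals $1,
# useful for seeing how much of a list is really SSLv3-era.
count_proto() {
  awk -v p="$1" '$2 == p { n++ } END { print n + 0 }'
}

printf '%s\n' "$GOOD_LIST" | check_order
printf '%s\n' "$BAD_LIST"  | check_order
```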
