Eric,

Your request prompted me to look more closely at these files.

I believe that installing qmail-1.03-3.qt.el7.x86_64.rpm overwrote my
/var/qmail/supervise/smtps/run with a new one which is missing the
'export REQUIRE_AUTH=1' line.  The new one does correctly have 'export
SMTPS=1'.  The new supervise/smtps/log/run names the log file
"smtp-ssl", whereas I have named it "smtps".  I would argue it should be
the latter for consistency, but it is clearly noncritical.


Here is my /etc/tcprules.d/tcp.smtp:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"



Here is my /etc/tcprules.d/tcp.smtps:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private",TLSCIPHERS="TLSv1.2:!eNULL:!aNULL"


They are identical except that the smtp one does not have a TLSCIPHERS
setting.  This is for two reasons:
1.  per my read of the TLS patch, if not present, it defaults to using
qmail/control/tlsserverciphers. This would make qmail-smtpd and
qmail-remote use the same ciphers (because tlsclientciphers is just a
link to tlsserverciphers).  Since both of those are doing relay, that
would seem appropriate for most setups.  Except...
2. Spamdyke does the STARTTLS for incoming (relay) mail. Therefore
specifying a cipher for port 25 is useless.

If I were to continue to have port 587/STARTTLS in addition to 465/TLS,
then I would have the supervise/submission/run script specify
tcp.smtps.cdb so that the cipher rules are the same for these two ports
because they are both handling submission and both not going through
spamdyke.


Here is my /var/qmail/supervise/smtps/run:
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtps.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export REQUIRE_AUTH=1
export SMTPS=1

exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
    $SMTPD $VCHKPW /bin/true 2>&1


A line had to be added to /etc/rc.d/init.d/qmail (a near copy of line
83, placed right after it) so that /etc/tcprules.d/tcp.smtps gets
compiled to /etc/tcprules.d/tcp.smtps.cdb when running 'qmailctl cdb'.

-Andy


On 8/16/2018 1:33 PM, Eric Broch wrote:
> Andy,
>
> Would you mind sharing your tcprules files and smtp/smtps run scripts?
>
> Eric
>
>
> On 8/16/2018 3:03 PM, Andrew Swartz wrote:
>> Eric,
>>
>> I already had smtps installed.  The new package seems to have
>> overwritten the prior files.
>>
>> However, that was minimally problematic because I have smtps configured
>> a little differently than standard.  I have supervise/smtps/run specify
>> a separate tcprules.d file for smtps. This allows me to have a much
>> stricter cipherlist for mail submission than for relay.  The rationale
>> being that I can mandate that submission clients are up to date and
>> using TLSv1.2.  But for relay, I have to support all the old servers
>> (like qmail on centos-5) having an inability to do anything better than
>> SSLv3.
>>
>> I'm not wild about the cipherlist which installed, but that was easy to
>> change.  My understanding is that the order of the ciphers in the list
>> is important in that openssl interprets the list in a most-preferred to
>> least-preferred order.  The list which installed has several SSLv3
>> ciphers very early in the list.
>>
>> While one can specify exact ciphers, openssl also allows specifying the
>> cipher "suites" instead
>> (https://www.openssl.org/docs/manmaster/man1/ciphers.html).  I think
>> this is much more intuitive. I'm currently playing around with 'openssl
>> cipherlist' to get my preferred content and order correct.  I'm
>> currently leaning toward:
>>
>> 'TLSv1.2:SSLv3:!eNULL:!aNULL'    for smtp
>>
>> and
>>
>> 'TLSv1.2:!eNULL:!aNULL'        for smtps
>>
>> The important effect of my smtp list is that all of the TLSv1.2 ciphers
>> are preferred/attempted before reverting to SSLv3 ciphers.
>>
>> Here is a paste-able command with human readable output to see the
>> content and order of the results (you will need to widen the terminal
>> window to see it correctly):
>>
>> openssl ciphers -v 'TLSv1.2:SSLv3:!eNULL:!aNULL' | awk '{ printf "%-29s
>> %-9s  %-13s  %-10s  %-17s  %-s\n",$1,$2,$3,$4,$5,$6 }'
>>
>> Playing with this has taught me some interesting things (which I do
>> vaguely remember reading elsewhere at some point).  First, there are no
>> TLSv1.1 ciphers.  Also, the TLSv1 ciphers are the same ciphers as SSLv3.
>>   Therefore listing 'TLSv1:!SSLv3' yields no ciphers. The take-home
>> message is that you either get TLSv1.2 or SSLv3; there is no in-between
>> for the ciphers.  That's why my above lists omit TLSv1.1 and TLSv1. My
>> understanding is that TLSv1 and TLSv1.1 had improvements in the protocol
>> but not the ciphers.
>>
>> I refuse to use ALL, LOW, etc for creating the cipher list because they
>> are extremely opaque.  If a notice comes out saying "no one should use
>> SSLv3", these vague terms do not tell me if I'm using that.  I see no
>> downside to explicitly specifying the cipher suites.  If you want to be
>> insecure, you could specify SSLv2.  When the new openssl 1.1.1 comes out
>> and supports TLSv1.3 (which should happen any day), then I'll explicitly
>> add that to my cipherlist. If nothing else, it will prompt me to review
>> the list occasionally.
>>
>> That merely addresses the ciphers.  There is also significance to the
>> SSL and TLS protocols, but there appears to be no qmail setting for
>> those.  It would be far better to use TLSv1 protocol than SSLv3 protocol
>> even though the ciphers are identical.  I'm gonna do some testing with
>> changing my qmail cipherlist and connecting via s_client with explicit
>> protocols and see how much effect the specified cipherlist has upon the
>> protocol.
>>
>> This was intended to be a short email.  Sorry.  "I'm sorry this letter
>> is so long, I didn't have time to compose a short one."
>>
>> I've had a lot of time this last week to work on this, but I now have
>> very little time until next week.  I'll consider testing 1.03-3.1 when I
>> get another chunk of time.
>>
>> -Andy
>>
>>
>>
>> On 8/16/2018 9:35 AM, Eric Broch wrote:
>>> Thanks, Andy.
>>>
>>> It installed SMTPS, correct?
>>>
>>> If you felt bold, I needed some folks to test 1.03-3.1. ;-)
>>>
>>> Eric
>>>
>>>
>>> On 8/16/2018 11:28 AM, Andrew Swartz wrote:
>>>> Eric,
>>>>
>>>> Thanks for the help.  I installed qmail-1.03-3.qt.el7.x86_64.rpm
>>>> without
>>>> difficulty and it seems to be fully functional.
>>>>
>>>> -Andy
>>>>
>>>>
>>>> On 8/15/2018 9:01 AM, Eric Broch wrote:
>>>>> I ran this 1.03-3 version for several months with no issues, and
>>>>> haven't
>>>>> heard anything from the community on it.
>>>>>
>>>>> I personally upgraded to 1.03-3.1 (in the development tree) now on my
>>>>> own production machine. In this version I take all the patches
>>>>> (below),
>>>>> carrying over some, updating some and adding extras, and apply
>>>>> them in
>>>>> an orderly fashion instead of using one big patch because IMHO
>>>>> opinion
>>>>> patching will be easier to maintain this way. I'm going to create
>>>>> 1.03-3.2 in which I'll add to qmail-smtpd more extensive logging
>>>>> mainly
>>>>> to indicate a message's having been queued. And, I'd also like to
>>>>> possibly add logging to qmail-remote.
>>>>>
>>>>> I was motivated to update/add patches by the work of
>>>>>
>>>>> Roberto Puzzanghera <https://notes.sagredo.eu/>,
>>>>> <https://www.fehcom.de/>
>>>>>
>>>>> Erwin Hoffmann <https://www.fehcom.de/>,
>>>>>
>>>>> Frederik Vermeulen <http://inoa.net/qmail-tls/>
>>>>>
>>>>> Manvendra Bhangui <http://www.indimail.org/>
>>>>>
>>>>> Kyle Wheeler <http://www.memoryhole.net/qmail/>
>>>>>
>>>>> among others.
>>>>>
>>>>>
>>>>>
>>>>> Patches
>>>>> 01 - netqmail-1.06 patch (Change qmail-1.03 to netqmail-1.06,
>>>>> http://www.qmail.org/netqmail/) - update
>>>>> 02 - chkuser 2.09 patch (Check 'mail from' and 'rcpt to',
>>>>> http://opensource.interazioni.it/qmail/chkuser/download.html) -
>>>>> carryover
>>>>> 03 - change location of vpopmail development libraries - carryover
>>>>> 04 - big concurrency (allows greater number of deliveries by qmail,
>>>>> above 255) - new
>>>>> 05 - big concurrency fix (fixes compiler error if number of
>>>>> concurrencies is set above 509) - new
>>>>> 06 - custom patch (adds error logging to simscan) - carryover
>>>>> 07 - maildir++ patch (adds quota support to qmail-pop3d and
>>>>> qmail-local)
>>>>> - carryover
>>>>> 08 - tap extended (Email Archive) - update
>>>>> 09 - spf (Security Policy Framework) - carryover
>>>>> 10 - warlord (Filter Windows Executables) - carryover
>>>>> 11 - canonical rcpt patch (log real evelope recipient) - carryover
>>>>> 12 - qregex (pattern, badhelo and etc..., matching) - carryover
>>>>> 13 - tls patch 20160918v - (SMTP SSL/TLS) Frederik Vermeulen -
>>>>> carryover
>>>>> 14 - auth 0.83 - Erwin Hoffmann (SMTP Authentication) - update
>>>>> 15 - force tls patch - Marcel Telka (Force TLS before authentication)
>>>>> - new
>>>>> 16 - chkusr patch (Extends chkusr functionality) - carryover
>>>>> 17 - smtpd spf qq reject logging (Extended logging for SMTP message
>>>>> failure...spf, looping, bad mime, and etc...) - carryover
>>>>> 18 - srs patch, most recent (Sender Rewriting Scheme) - update
>>>>> 19 - big dns patch (Large DNS packets) - carryover
>>>>> 20 - smtp line feed patch (Accept email terminated with lf in
>>>>> addition
>>>>> to standard crlf) - carryover
>>>>> 21 - eMPF patch (eMail Messaging Policy Framework) - carryover
>>>>> 22 - uids patch (Adds uids to log) - carryover
>>>>> 23 - remove cname lookup from qmail-remote
>>>>> (https://lists.gt.net/qmail/users/138190) - carryover
>>>>> 24 - maildir++ fix patch (fixes quota calculation) - new
>>>>> 25 - smtp addparse
>>>>> (http://qmail.cr.yp.narkive.com/kBry6GJl/bug-in-qmail-smtpd-c-addrparse-function)
>>>>>
>>>>>
>>>>> - new
>>>>> 26 - exttodo patch (Silly Qmail Syndrome) - new
>>>>> 27 - qmail remote rfc2821 compliance
>>>>> (http://www.memoryhole.net/qmail/#rfc2821) - new
>>>>> 28 - qmail smtpd 502 to 500 rfc2821 compliance
>>>>> (http://www.memoryhole.net/qmail/#rfc2821) - new
>>>>> 29 - qmail remote crlf (http://opensource.sf-tec.de/qmail/) - new
>>>>> 30 - reread concurrency
>>>>> (http://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#reread)
>>>>>
>>>>>
>>>>> new
>>>>> 31 - smtpd pidqplog (Logs pid so you can track transaction in log,
>>>>> http://iain.cx/qmail/patches.html#smtpd_pidqp) - new
>>>>> 32 - smtpd relay reject (http://qmail.org/qmail-smtpd-relay-reject) -
>>>>> new
>>>>> 33 - double bounce trim (http://qmail.org/doublebounce-trim.patch)
>>>>> - new
>>>>> 34 - qmail inject null sender -
>>>>> (http://notes.sagredo.eu/qmail-notes-185/qmail-inject-sieve-vacationreject-messages-trouble-133.html)
>>>>>
>>>>>
>>>>> - new
>>>>>
>>>>>
>>>>> On 8/15/2018 10:18 AM, Andrew Swartz wrote:
>>>>>> Eric,
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> What is the proper destination folder for the rpm (to allow the 'yum
>>>>>> localupdate' command)?
>>>>>>
>>>>>> -Andy
>>>>>>
>>>>>>
>>>>>> On 8/15/2018 7:25 AM, Eric Broch wrote:
>>>>>>> wget https://www.qmailtoaster.org/qmail-1.03-3.qt.el7.x86_64.rpm
>>>>>>>
>>>>>>> yum localupdate qmail-1.03-3.qt.el7.x86_64.rpm
>>>>>>>
>>>>>>>
>>>>>>> On 8/15/2018 9:22 AM, Andrew Swartz wrote:
>>>>>>>> I just realized that the qt-install script did not install
>>>>>>>> qmail-1.03-3
>>>>>>>> on my new centos-7 toaster.
>>>>>>>>
>>>>>>>> Does anyone have experience with the qmail-1.03-3 update?
>>>>>>>>
>>>>>>>> -Andy
>>>>>>>>
>>>>> -- 
>>>>> Eric Broch
>>>>> White Horse Technical Consulting (WHTC)
>>>>>
>


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to