Hi,

This problem is also present on older Dovecot on centos5 I still have
installed: dovecot-2.0.17-2.qtp

-> the older dovecot does not support the possibility to disable sslv3

Eric in your repo's cos5 downloads I saw a more recent dovecot that
should support this:

dovecot-2.2.7-0.qt.el5.i386.rpm

I tried upgrading to it but encountered a dependency problem:

# rpm -Uvh dovecot-2.2.7-0.qt.el5.i386.rpm
warning: dovecot-2.2.7-0.qt.el5.i386.rpm: Header V3 DSA signature:
NOKEY, key ID 1bde5fd0
error: Failed dependencies:
        libcourierauth.so.0 is needed by (installed)
maildrop-toaster-2.0.3-1.3.8.i686

Tips for solving this dependency problem?

If it is a lot of work then maybe it's not worth the trouble as I
should be upgrading to cos8 based install anyway...

Best,
Peter

On Fri, Nov 13, 2020 at 6:50 PM Eric Broch <[email protected]> wrote:
>
> And,
>
> QMT Dovecot RPMs
>
> ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/6/testing/x86_64/
>
>
> On 11/13/2020 9:29 AM, Eric Broch wrote:
>
> Janno,
>
> How to
>
> http://wiki.qmailtoaster.com/index.php/Replacing_Courier_IMAP_with_Dovecot_IMAP
>
> https://wiki.dovecot.org/Migration/Courier
>
> Eric
>
> On 11/13/2020 9:19 AM, Janno Sannik wrote:
>
> Hi,
>
> No. Just looked into it. Seems like dependency goes a little crazy if trying
> to compile it on centos6. I should convert to new os & dovecot anyway.
> Also it seems qmail itself (smtp) was not affected since thunderbird could 
> send out mail just fine. That would say that qmail itself is using openssl 
> latest tls as needed. I did not bother to recheck as it is working.
>
> I should probably dig into courier->dovecot howto that I saw floating around
> here already instead.
> I have made one conversion. I just made everyone with outlook to re-add their
> mailboxes and I would like to avoid that.
>
> Thanks for help.
>
> Janno
>
> On 13.11.2020 00:01, Eric Broch wrote:
>
> Have you looked at upgrading:
>
> http://www.courier-mta.org/imap/download.html
>
> http://www.courier-mta.org/FAQ.html#rpm
>
>
> On 11/12/2020 12:45 PM, Janno Sannik wrote:
>
> The stackexchange was the first thing I tried, but it seemed just guesswork 
> going on in there.
> And of course - it did not work.
>
> Couriertls manpage says that you can use only:
> TLS_PROTOCOL=proto
>
> Set the protocol version. The possible versions are: SSL2, SSL3, TLS1.
>
> Source: http://manpages.org/couriertls
>
> The code reveals:
>         ctx=SSL_CTX_new(protocol && strcmp(protocol, "SSL2") == 0
>                                                         ? SSLv2_method():
>                 protocol && strcmp(protocol, "SSL3") == 0 ? SSLv23_method():
>                 TLSv1_method());
>
> Which is what I saw - whatever garbage I put in the TLS_PROTOCOL variable - 
> it did not care and defaulted to tlsv1
>
> So looking at the openssl man page: 
> https://www.openssl.org/docs/man1.0.2/man3/TLSv1_method.html
>
> Luckily there were sslv2 and sslv3 so I did not need to know much about c
> coding and could just directly make a replacement since they are also
> absolute.
>
> diff -Nur courier-imap-4.1.2/tcpd/libcouriertls.c 
> courier-imap-4.1.2-new/tcpd/libcouriertls.c
> --- courier-imap-4.1.2/tcpd/libcouriertls.c     2006-10-28 20:47:32.000000000 
> +0300
> +++ courier-imap-4.1.2-new/tcpd/libcouriertls.c 2020-11-12 21:06:03.338688570 
> +0200
> @@ -416,9 +416,9 @@
>         memcpy(info_copy, info, sizeof(*info_copy));
>         info_copy->isserver=isserver;
>
> -       ctx=SSL_CTX_new(protocol && strcmp(protocol, "SSL2") == 0
> -                                                       ? SSLv2_method():
> -               protocol && strcmp(protocol, "SSL3") == 0 ? SSLv23_method():
> +       ctx=SSL_CTX_new(protocol && strcmp(protocol, "TLS1_1") == 0
> +                                                       ? TLSv1_1_method():
> +               protocol && strcmp(protocol, "TLS1_2") == 0 ? 
> TLSv1_2_method():
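
Review bot: The final arm of this ternary, `TLSv1_method()` in the snippet quoted above the patch, is not touched by the hunk, so a server with TLS_PROTOCOL unset, or still set to the previously documented "SSL2" or "SSL3", silently ends up on TLS 1.0 only. The two new arms use `TLSv1_1_method()` and `TLSv1_2_method()`, which fix the context to exactly that one protocol version, so no setting lets client and server negotiate the highest version both support. Consider keeping a version-flexible `SSLv23_method()` arm (or making it the default) and excluding old protocols with `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3)`, rejecting or logging an unrecognised TLS_PROTOCOL value instead of falling through, and updating the couriertls manual text, which lists only SSL2, SSL3 and TLS1.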
>
>
> rpm was built --with cnt5064 (on centos6 system)
>
> And behold:
>
> openssl s_client -tls1_2 -connect mail.example.com:993
>
> New, TLSv1.2, Cipher is AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : AES256-GCM-SHA384
>     Session-ID: 175F44FDDE4230DBDD7200B5E276AB1D87206062931B05EAD68A3892DF3CDB68
>     Session-ID-ctx:
>     Master-Key: F9BDA2CCD78802E8FE2AFD7B440C5E3F5EE8AFD286ABF39F7BCB7796B55D89C5D043207BCB5E8F5C70D372EFAF30CC65
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>
>
> I'm well aware that I'm fixing a dead horse, but just archiving it to myself
> and anyone it might concern of :)
>
>
> On 12.11.2020 20:17, Eric Broch wrote:
>
> Also
>
> qmail with updated ssl
>
> http://repo.whitehorsetc.com/6/development/x86_64/
>
> On 11/12/2020 11:10 AM, Eric Broch wrote:
>
> This may help with Courier IMAP
>
> https://serverfault.com/questions/845162/disabling-sslv2-in-courier-imap
>
>
> On 11/12/2020 10:50 AM, Janno Sannik wrote:
>
>
> Yes. I probably compiled it to centos 6 myself (I have been using qmail from
> start of its days when compiling it was usual, around 17 years). This
> specific box dates back to that time and is also the reason for this mixed
> setup.
>
> [root@mail]# cat /etc/redhat-release
> CentOS release 6.10 (Final)
>
>
> I was not sure if it will work with latest one. We had a few modifications to 
> the qmail, but I can't be 100% sure of all the things. Like autoresponder in 
> mysql (so we can have easy change of autoresponders from our own web 
> management panel).
> Also I was probably afraid to mess up mailboxes if switching to dovecot.
> Since packages simply compiled it was a fast and safe transition.
>
> So I'm guessing it's out of scope for you because I have this mixed setup
> that no one should even have in the first place.
>
> I'm thinking of making centos 8 box with all latest qmail packages and 
> mounting it with nfs in parallel to test things out and use it only as a 
> client server (imap,pop). Later on would move on to fully replace old machine 
> so that incoming mail would also be handled. Would it work (accessing 
> vpopmail fs in parallel that is)?
>
> It's getting night time here and would be good time to make maintenance so 
> help is appreciated.
>
> Janno
>
> On 12.11.2020 16:53, Eric Broch wrote:
>
> Are you sure you're running CentOS 6?
>
> On 11/12/2020 7:49 AM, Eric Broch wrote:
>
> Sorry,
>
> The *-toaster designation went out with CentOS 5 and we stopped using Courier 
> IMAP altogether in CentOS 6
>
> Eric
>
> On 11/12/2020 7:47 AM, Eric Broch wrote:
>
> So,
>
> The *-toaster designation went out with CentOS 6. Did you compile/build the 
> RPMs yourself?
>
> Eric
>
> On 11/12/2020 5:10 AM, Emiliano Lima wrote:
>
> hello friend, I have this same problem ..
>
> On Thu, Nov 12, 2020 at 5:46 AM, Janno Sannik <[email protected]> wrote:
>>
>> Hi,
>>
>>
>> Seems to have hit a problem with new Thunderbird 78 disabling tls lower
>> than v1.2. So now they cannot connect.
>>
>> I run an older box on centos 6. OS supports TLS v1.2, but how to make it
>> available on courier imaps?
>>
>> Running a tool on the imap port reports tls v1.0 only.
>>
>> My qmail version: qmail-toaster-1.03-1.3.22
>>
>> My courier-imap version: courier-imap-toaster-4.1.2-1.3.10
>>
>>
>> Janno
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>
>
>
>
>
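
A way to check which TLS versions an IMAPS listener accepts, before and after a change like the ones discussed in this thread. This is an added example, not part of any poster's message; the function names and the sample s_client excerpts are constructed for illustration, and mail.example.com:993 is the placeholder host used in the thread.

```bash
#!/bin/sh
# Added example: report which TLS versions an implicit-TLS service accepts.

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Print the negotiated protocol from s_client output on stdin. A refused
# handshake still prints a Protocol line, so require a real cipher as well.
negotiated_protocol() {
    awk -F': *' '
        /^[ \t]*Protocol[ \t]*:/ { proto = $2 }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $2 }
        END { if (proto != "" && cipher != "" && cipher != "0000") print proto }'
}

proto_rank() {
    case "$1" in
        SSLv3) echo 1 ;; TLSv1) echo 2 ;; TLSv1.1) echo 3 ;;
        TLSv1.2) echo 4 ;; TLSv1.3) echo 5 ;; *) echo 0 ;;
    esac
}

# check_minimum MIN: read s_client output on stdin, print a verdict.
check_minimum() {
    got="$(negotiated_protocol)"
    if [ -z "$got" ]; then echo "no-handshake"; return 2; fi
    if [ "$(proto_rank "$got")" -ge "$(proto_rank "$1")" ]; then
        echo "ok $got"; return 0
    fi
    echo "too-old $got"; return 1
}

# Try each version flag against host:port. "refused" may also mean the local
# OpenSSL build or policy will not offer that version.
probe_versions() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        proto="$(openssl s_client "$flag" -connect "$1" </dev/null 2>/dev/null |
                 negotiated_protocol)"
        printf '%-8s %s\n' "$flag" "${proto:-refused}"
    done
}

# Live probe only when a target is given, e.g. mail.example.com:993
if [ "$#" -gt 0 ]; then probe_versions "$1"; fi
```

Run with a host:port argument to probe a live server; a listener pinned to one version shows exactly one accepted flag.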
