Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-03 Thread Eric Broch

Thanks, Dan.


On 7/3/2018 7:38 AM, Dan McAllister - QMT DNS wrote:

I'm normally just a lurker around here anymore -- Eric does such a GREAT job 
helping you guys! Before I forget, GREAT WORK on getting the updated OpenSSL 
package installation instructions out there!

So, I'm going to add my 2-cents worth in today as an EXPLANATION of WHY you 
need to update your QMail server... and I hope you'll see why.

People using OLD versions of Qmail, or any other mail server, are likely to 
have connectivity issues -- especially after June 30!
Why? Because the IETF and PCI councils have recommended the SHUTDOWN of SSL
(all versions -- even SSLv3) by June 30, and moving to REQUIRE TLS v1.1 or 
higher. *MANY ISPs ARE ALREADY REQUIRING TLS 1.2 or HIGHER!*

So, if you're using an OpenSSL stack from CentOS 3, 4, or 5, that's going to be 
a problem unless you are able to upgrade your OpenSSL package.

Why are the old SSL versions being SHUTDOWN? Because they have known 
vulnerabilities and we (the server admin community) have had SEVERAL YEARS now 
to address them.

I just thought you (gentle readers) might want to know the reason WHY your 
15-year-old QMT installation is starting to fail! LOL

Dan McAllister

QMT DNS Admin


-Original Message-
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
Sent: Wednesday, June 27, 2018 12:09 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the
CentOS 5 box to make this practical.


On 6/26/2018 11:44 PM, Brian Ghidinelli wrote:

I'm running into the same SMTP TLS connection errors as reported by
Sean Murphy in this email here:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41115.html


Same scenario: old, reliable CentOS 5 box. We need a few more months
to transition off this box and we're getting an increasing number of
TLS failures that are hard to fix with notls FQDNs.

I have upgraded our openssl so I'm wondering if it's possible, using
the source rpm for my very old install, to recompile and provide a new
SSL library path?

I am not very experienced with rpmbuild and have toyed with the
qmail-toaster.spec file but I believe I ran into a problem that
openssl 1.0.2l does not pass the checks for openssl >= 0.9.8. Any
suggestions for a short term fix?

I believe I would need to recompile and then replace just qmail-smtpd
and qmail-remote, yes?


Brian

-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



--
Eric Broch
White Horse Technical Consulting (WHTC)





RE: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-03 Thread Dan McAllister - QMT DNS
I'm normally just a lurker around here anymore -- Eric does such a GREAT job 
helping you guys! Before I forget, GREAT WORK on getting the updated OpenSSL 
package installation instructions out there!

So, I'm going to add my 2-cents worth in today as an EXPLANATION of WHY you 
need to update your QMail server... and I hope you'll see why.

People using OLD versions of Qmail, or any other mail server, are likely to 
have connectivity issues -- especially after June 30!
Why? Because the IETF and PCI councils have recommended the SHUTDOWN of SSL
(all versions -- even SSLv3) by June 30, and moving to REQUIRE TLS v1.1 or 
higher. *MANY ISPs ARE ALREADY REQUIRING TLS 1.2 or HIGHER!*

So, if you're using an OpenSSL stack from CentOS 3, 4, or 5, that's going to be 
a problem unless you are able to upgrade your OpenSSL package.

Why are the old SSL versions being SHUTDOWN? Because they have known 
vulnerabilities and we (the server admin community) have had SEVERAL YEARS now 
to address them.

I just thought you (gentle readers) might want to know the reason WHY your 
15-year-old QMT installation is starting to fail! LOL

Dan McAllister

QMT DNS Admin


-Original Message-
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
Sent: Wednesday, June 27, 2018 12:09 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the
CentOS 5 box to make this practical.


On 6/26/2018 11:44 PM, Brian Ghidinelli wrote:
>
> I'm running into the same SMTP TLS connection errors as reported by
> Sean Murphy in this email here:
>
> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41115.html
>
>
> Same scenario: old, reliable CentOS 5 box. We need a few more months
> to transition off this box and we're getting an increasing number of
> TLS failures that are hard to fix with notls FQDNs.
>
> I have upgraded our openssl so I'm wondering if it's possible, using
> the source rpm for my very old install, to recompile and provide a new
> SSL library path?
>
> I am not very experienced with rpmbuild and have toyed with the
> qmail-toaster.spec file but I believe I ran into a problem that
> openssl 1.0.2l does not pass the checks for openssl >= 0.9.8. Any
> suggestions for a short term fix?
>
> I believe I would need to recompile and then replace just qmail-smtpd
> and qmail-remote, yes?
>
>
> Brian
>

--
Eric Broch
White Horse Technical Consulting (WHTC)




