Re: [qmailtoaster] re: Upgrading openssl in an old Qmailtoaster install - figgered it out

Just noticed this update replaces the /supervise/smtp/run file, so if anyone was running spamdyke, you may need to stop qmail, rename the run file, copy the run.spamdyke file to run, and restart qmail.

Eric Broch wrote:

Now I can go watch the Orioles play, and enjoy a beer. ;-)

On 7/5/2018 6:48 PM, South Computers wrote:

Did a comparison of /control directories from another toaster, and noticed the link from clientcert.pem -> servercert.pem. And realized I only had a servercert.rpm.new. Renamed it. Doh! Working.

Thank you to everyone who contributed, and especially you Eric. Next time you're in Miami, I'll buy you a round.

Cheers!
Scott

Eric Broch wrote:

Try this command from your CentOS 5 box:

openssl s_client -starttls smtp -no_ssl3 -no_ssl2 -debug -msg -connect fpl-com.mail.protection.outlook.com:25

What kind of beer? Hopefully not Schlitz. ;-)

On 7/5/2018 5:57 PM, South Computers wrote:

No worries, I appreciate it. tlsserverciphers is fine. And checking the mail in the queue that fails with the TLS errors, they are all going to office365 accounts, with 1 going to a hotmail account, but all the mx records point to something.protection.outlook.com, so basically the same.

Telnetting to one of them:

[root@mail control]# telnet fpl-com.mail.protection.outlook.com 25
Trying 207.46.163.215...
Connected to fpl-com.mail.protection.outlook.com (207.46.163.215).
Escape character is '^]'.
220 BL2FFO11FD008.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 5 Jul 2018 23:51:00 +
ehlo
250-BL2FFO11FD008.mail.protection.outlook.com Hello [75.13.64.133]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

I see starttls in there, so should be good there, although versions accepted are unknown. Do our toasters drop back to TLS 1 if the receiving server doesn't do 1.2?

And sending an email to a gmail account works. Relevant portion showing TLS:

Received: from mail.noube.com (mail.noube.com. [75.13.64.133]) by mx.google.com with ESMTPS id a207-v6si3191006itb.75.2018.07.05.16.38.19 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 05 Jul 2018 16:38:19 -0700 (PDT)

Stopping for a beer to contemplate...

Eric Broch wrote:

Sorry, my mistake, check tlsciphers: 'cat /var/qmail/control/tlsserverciphers'. Mine on CentOS 6 & 7 look like this:

DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA

On 7/5/2018 2:49 PM, South Computers wrote:

Good question, hadn't considered that. Will check it tonight.

Eric Broch wrote:

What about your dh key, is it too small?

On 7/5/2018 1:28 PM, South Computers wrote:

This is a repeat, my first reply went directly to Eric, sorry about that sir. Thank you Eric, might give it a shot later. In the meantime though, since the update, I'm having TLS connect problems to certain domains. Certain office365 accounts are not going through.

deferral: TLS_connect_failed;_connected_to_

I can send to gmail, and in the headers it shows that it is using TLS 1.2. Anyone have any ideas? Thanks!

Eric Broch wrote:
> If people want qmail-dk (ssl) and have already installed the update (qmail version 1.03-1.3.24) you can do the following to get qmail-dk working with ssl/crypto:
>
> (i686)
>
> # rpm -Uvh ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/libdomainkeys-toaster-0.68-1.3.7.i686.rpm
>
> # rpm -ivh --replacefiles --replacepkgs ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/qmail-toaster-1.03-1.3.24.i686.rpm
>
> (x86_64)
>
> # rpm -Uvh ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/libdomainkeys-toaster-0.68-1.3.7.x86_64.rpm
>
> # rpm -ivh --replacefiles --replacepkgs ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/qmail-toaster-1.03-1.3.24.x86_64.rpm
>
> If you haven't installed qmail-toaster ssl update (ver
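The thread's diagnosis boils down to four checks: read the TLS version and cipher out of a Received: header, confirm the remote MX advertises STARTTLS in its EHLO reply, look at the tlsserverciphers list for suites that should not be there, and make sure clientcert.pem in the control directory actually resolves to a certificate (the real cause here was a servercert file left with an rpm-renamed name and a link pointing at nothing). The script below is an added example, not code from the thread or from the qmailtoaster project. The sample header, EHLO reply and cipher entries are taken from what was pasted above; the control-directory layout (servercert.pem with clientcert.pem linked to it) is assumed from the thread; probe_starttls is an assumed Python counterpart of the openssl s_client command and needs network access, so the offline checks are the ones exercised.

```python
import os
import re
import smtplib
import ssl
import tempfile

# Sample inputs constructed from what was pasted in the thread.
SAMPLE_RECEIVED = (
    "Received: from mail.noube.com (mail.noube.com. [75.13.64.133]) "
    "by mx.google.com with ESMTPS id a207-v6si3191006itb.75.2018.07.05.16.38.19 "
    "for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); "
    "Thu, 05 Jul 2018 16:38:19 -0700 (PDT)"
)
SAMPLE_EHLO = """250-BL2FFO11FD008.mail.protection.outlook.com Hello [75.13.64.133]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8"""
# First entries of the tlsserverciphers list posted in the thread, plus two strong suites.
SAMPLE_CIPHERS = ("DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:"
                  "KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:AECDH-AES256-SHA:AES128-GCM-SHA256")

_TLS_RE = re.compile(r"version=(\S+)\s+cipher=(\S+)\s+bits=(\d+)/\d+")


def parse_received_tls(header):
    """Extract (version, cipher, bits) from a Gmail-style Received: header; None if absent."""
    m = _TLS_RE.search(header)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None


def ehlo_extensions(reply):
    """Set of extension keywords in a multi-line 250 EHLO reply (greeting line skipped)."""
    return {line[4:].strip().split()[0].upper() for line in reply.splitlines()[1:]}


# Suites with no server authentication (anonymous DH / ECDH) or legacy algorithms.
_WEAK_MARKERS = ("ADH-", "AECDH-", "SEED", "IDEA", "KRB5-", "PSK-")


def weak_ciphers(cipher_list):
    """Entries of an OpenSSL-style cipher list that are worth dropping from tlsserverciphers."""
    return [c for c in cipher_list.split(":") if any(m in c for m in _WEAK_MARKERS)]


def check_control_dir(control_dir):
    """Findings about servercert.pem / clientcert.pem in a qmail control dir; [] means OK."""
    findings = []
    server = os.path.join(control_dir, "servercert.pem")
    client = os.path.join(control_dir, "clientcert.pem")
    if not os.path.exists(server):
        findings.append("servercert.pem missing")
        leftovers = sorted(f for f in os.listdir(control_dir)
                           if f.startswith("servercert.") and f != "servercert.pem")
        if leftovers:
            findings.append("leftover certificate file(s): " + ", ".join(leftovers))
    if not os.path.exists(client):
        state = "dangling symlink" if os.path.lexists(client) else "missing"
        findings.append(f"clientcert.pem {state} (outbound TLS will fail)")
    elif os.path.exists(server) and not os.path.samefile(server, client):
        findings.append("clientcert.pem is not the same file as servercert.pem")
    return findings


def restore_servercert(control_dir, leftover_name):
    """The fix from the thread: rename the leftover file back to servercert.pem."""
    os.rename(os.path.join(control_dir, leftover_name),
              os.path.join(control_dir, "servercert.pem"))


def probe_starttls(host, port=25, timeout=10):
    """Live counterpart of 'openssl s_client -starttls smtp': (tls_version, cipher) negotiated."""
    ctx = ssl.create_default_context()  # remote certificate is verified
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.version(), smtp.sock.cipher()[0]


def demo_control_dir():
    """Throwaway dir reproducing the broken state: only servercert.rpm.new plus a dangling link."""
    d = tempfile.mkdtemp()
    open(os.path.join(d, "servercert.rpm.new"), "w").close()
    os.symlink("servercert.pem", os.path.join(d, "clientcert.pem"))
    return d


if __name__ == "__main__":
    print(parse_received_tls(SAMPLE_RECEIVED))
    print(sorted(ehlo_extensions(SAMPLE_EHLO)))
    print(weak_ciphers(SAMPLE_CIPHERS))
    d = demo_control_dir()
    print(check_control_dir(d))
    restore_servercert(d, "servercert.rpm.new")
    print(check_control_dir(d))
```

Run it as-is to see the broken control directory reported and then come back clean after the rename; point check_control_dir at /var/qmail/control on a real toaster to repeat the comparison Scott did by hand. The ADH/AECDH entries flagged by weak_ciphers deserve a look on their own: they accept a peer without any certificate at all, so leaving them in the server list means an active attacker on the path can negotiate an unauthenticated session.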