Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Andrew Swartz
This is copied out of qmail/bin/dh_key:

openssl dhparam -2 -out /var/qmail/control/dh1024.new 2048 2>&1 > /dev/null
chmod 644 /var/qmail/control/dh1024.new 2>&1 > /dev/null
chown root:qmail /var/qmail/control/dh1024.new 2>&1 > /dev/null
mv -f /var/qmail/control/dh1024.new /var/qmail/control/dh1024

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
I just did a quick google. Looks like this should work: http://h41379.www4.hpe.com/doc/83final/ba554_90007/ch06s06.html

> On Aug 13, 2018, at 23:39, Remo Mattei wrote:
>
> How did y-I gen the dh1024?
>
> Thanks
>
> Sent from my iPad
>
> On Aug 13, 2018, at 11:34 PM, Andrew Swartz

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
How did y-I gen the dh1024?

Thanks

Sent from my iPad

> On Aug 13, 2018, at 11:34 PM, Andrew Swartz wrote:
>
> I just went through the qmail-tls patch
> (http://inoa.net/qmail-tls/netqmail-1.05-tls-20060104.patch).
>
> Lines 65-68 explain that if TLSCIPHERS is not present (in tcp.smtp) then

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Andrew Swartz
I just went through the qmail-tls patch (http://inoa.net/qmail-tls/netqmail-1.05-tls-20060104.patch).

Lines 65-68 explain that if TLSCIPHERS is not present (in tcp.smtp) then qmail-smtpd uses the ones in /var/qmail/control/tlsclientciphers. I interpret that as it not being necessary. Over the l

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
In my /var/qmail/control I have a link for /var/qmail/control/tlsserverciphers, and it contains all of them, looks like :)

> On Aug 13, 2018, at 22:54, Remo Mattei wrote:
>
> I have the qmail.rm.ht working now
> Please let me know what you think
>
>> On Aug 13, 2018, at 22:45, Andrew Swartz
>

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
I have the default one, here it is.. should I add the TLS one like you mention below?

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
I have both of my qmail servers now running :) with the right certs LOL! That was interesting, never paid attention since it seemed to work. Thanks Andy, now they have the right inline cert too.. Looks like it was missing the bundle.

Remo

> On Aug 13, 2018, at 22:54, Remo Mattei wrote:
>
> I ha

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
I have the qmail.rm.ht working now
Please let me know what you think

> On Aug 13, 2018, at 22:45, Andrew Swartz wrote:
>
> I meant "servercert.pem" and NOT "tlsserverciphers".
>
> -Andy
>
> On 8/13/2018 9:43 PM, Andrew Swartz wrote:
>> Remo,
>>
>> I don't think the order matters i

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Andrew Swartz
I meant "servercert.pem" and NOT "tlsserverciphers".

-Andy

On 8/13/2018 9:43 PM, Andrew Swartz wrote:
>
> Remo,
>
> I don't think the order matters in tlsserverciphers. I cat'd the
> cert, the key, and the chain into my file, in that order, and it works
> fine.
>
> Nice bug catch on the ciph

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Andrew Swartz
Remo,

I don't think the order matters in tlsserverciphers. I cat'd the cert, the key, and the chain into my file, in that order, and it works fine.

Nice bug catch on the cipher list. I made the script on the latest centos-7 toaster which installs with a cipher list of "DH:!LOW:!MEDIUM" in tcp.s

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
Now what’s the full chain order?

> On Aug 13, 2018, at 22:24, Andrew Swartz wrote:
>
> openssl s_client -starttls smtp -crlf -connect qmail.rm.ht:587

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
I think I need to add the intermediary cert, looks like.. trying to figure that out now.. not sure which order they go.

Andrew Swartz wrote on 8/13/18 22:24:
> Remo,
>
> I just did this:
>
> openssl s_client -starttls smtp -crlf -connect qmail.rm.ht:587
>
> and got the same result. Therefore you've proba

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Andrew Swartz
Remo,

I just did this:

openssl s_client -starttls smtp -crlf -connect qmail.rm.ht:587

and got the same result. Therefore you've probably had this problem for a while.

Are you using the cert with the "full chain"? Apparently bare certs rarely verify, and I've read several recommendations to pr

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
Looks like the same issue:

openssl s_client -starttls smtp -crlf -connect localhost:587
CONNECTED(0003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = qmail.rm.ht
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Po

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Andrew Swartz
Does it verify on port 587:

openssl s_client -starttls smtp -crlf -connect localhost:587

-Andy

On 8/13/2018 8:56 PM, Remo Mattei wrote:
> Any suggestions on this Andy?
>
> openssl s_client -crlf -connect qmail.rm.ht:465
> CONNECTED(0005)
> depth=0 OU = Domain Control Validated, OU =

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
One more thing:

sed -i 's/DH:!LOW:!MEDIUM/ECDHE:DHE:ECDH:DH:AES:!SSLv2:!SSLv3/' /etc/tcprules.d/tcp.smtp;

I do not see anything in my tcp.smtp.

Remo

Remo Mattei wrote on 8/13/18 21:56:
> sed -i 's/DH:!LOW:!MEDIUM/ECDHE:DHE:ECDH:DH:AES:!SSLv2:!SSLv3/' /etc/tcprules.d/tcp.smtp;

-- Sent from Post

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
Any suggestions on this Andy?

openssl s_client -crlf -connect qmail.rm.ht:465
CONNECTED(0005)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = qmail.rm.ht
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Positiv

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
Thanks Andy, it worked. Just tested on my server :)

Andrew Swartz wrote on 8/13/18 21:42:
> I just realized that the plain text line-wrapped the script, so here is an unwrapped version in case anyone else wants to use it. Also, I made it multiline so you can cut and paste it into a terminal and

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Andrew Swartz
I just realized that the plain text line-wrapped the script, so here is an unwrapped version in case anyone else wants to use it. Also, I made it multiline so you can cut and paste it into a terminal and accomplish this in about 3 seconds with netstat confirming success (it should print a single li

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
Let’s try it now :) Thanks Andy

> On Aug 13, 2018, at 21:36, Andrew Swartz wrote:
>
> qmailctl stop; \
> cp -r /var/qmail/supervise/submission /var/qmail/supervise/smtps; \
> chown -R qmaill:qmail /var/qmail/supervise/smtps; \
> sed -i 's/REQUIRE_AUTH=1/REQUIRE_AUTH=1\nexport SMTPS=1/'
> /var

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Remo Mattei
Cool! I remember I did it like Eric described, but the bottom line is it works either way. I do not offer 465 any longer :)

from my iPhone X

> On 13 Aug 2018, at 20:25, Andrew Swartz wrote:
>
> I eventually figured this out, and accomplished the same result though I
> we

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Andrew Swartz
I eventually figured this out, and accomplished the same result though I went about it slightly differently. It is now fully functional. Below is the script which I created; it accomplishes this in very few lines. It copies the supervise/smtp directory to supervise/smtps and it then edits a few v

Re: [qmailtoaster] Latest update clamav 0.100.1

2018-08-13 Thread Eric Broch
I'll have it within the week

On 8/13/2018 9:04 PM, ChandranManikandan wrote:
> Hi Friends,
> Anyone have the latest clamav 0.100.1 for COS 6 32 and 64 bit for qmailtoaster.
>
> --
> Thanks & Best Regards,
> Manikandan.C

--
Eric Broch
White Horse Technical Consulting (WHTC)

Re: [qmailtoaster] setting up port 465 listening

2018-08-13 Thread Eric Broch
Stock CentOS 7 does not have SMTPS standard. You must create the supervise scripts.

You could stop qmail

# qmailctl stop

and copy the smtp supervise scripts to smtps (make sure qmail is stopped or else you'll have a mess):

# cp -Rp /var/qmail/supervise/smtp /var/qmail/supervise/smtps

Then chan

[qmailtoaster] Latest update clamav 0.100.1

2018-08-13 Thread ChandranManikandan
Hi Friends,
Anyone have the latest clamav 0.100.1 for COS 6 32 and 64 bit for qmailtoaster.

--
Thanks & Best Regards,
Manikandan.C

Re: [qmailtoaster] Asking the password frequently

2018-08-13 Thread ChandranManikandan
Hi Eric,
Thank you, let me try it and update here.

On Tue, Aug 14, 2018 at 10:54 AM, Eric Broch wrote:
> I've installed certificates on both CentOS 6 & 7 using GoDaddy and
> LetsEncrypt.
>
> On 8/12/2018 9:12 PM, ChandranManikandan wrote:
>
> Hi Eric,
>
> I think i already installed the certifi

Re: [qmailtoaster] Asking the password frequently

2018-08-13 Thread Eric Broch
I've installed certificates on both CentOS 6 & 7 using GoDaddy and LetsEncrypt.

On 8/12/2018 9:12 PM, ChandranManikandan wrote:
> Hi Eric,
>
> I think I already installed the certificate which was 512 and got expired on the server. Can I try to install the certificate which you advised and sent

Re: [qmailtoaster] Requested DIGEST-MD5 scheme, but we have only SHA1

2018-08-13 Thread Eric Broch
I'd remove DIGEST-MD5 from 'auth_mechanisms'.

On 8/13/2018 3:01 PM, Peter Peltonen wrote:
> I have a user with Outlook 2016 having this error appearing in the Dovecot logs and not being able to login when it occurs
>
> The strange thing is that if I restart dovecot then the Outlook can login and no

Re: [qmailtoaster] Requested DIGEST-MD5 scheme, but we have only SHA1

2018-08-13 Thread Remo Mattei
I used these settings:

auth_cache_ttl = 60
auth_cache_negative_ttl = 60

Did not change the key value.

Remo

> On Aug 13, 2018, at 14:01, Peter Peltonen wrote:
>
> I have a user with Outlook 2016 having this error appearing in the
> Dovecot logs and not being able to login when it occurs
>
> Th

Re: [qmailtoaster] Requested DIGEST-MD5 scheme, but we have only SHA1

2018-08-13 Thread Remo Mattei
I had to use a timeout on mine. I can share it later tonight.

Sent from my iPad

> On Aug 13, 2018, at 2:01 PM, Peter Peltonen wrote:
>
> I have a user with Outlook 2016 having this error appearing in the
> Dovecot logs and not being able to login when it occurs
>
> The strange thing is that i

[qmailtoaster] Requested DIGEST-MD5 scheme, but we have only SHA1

2018-08-13 Thread Peter Peltonen
I have a user with Outlook 2016 having this error appearing in the Dovecot logs and not being able to login when it occurs.

The strange thing is that if I restart dovecot then the Outlook can login and no error:

method=DIGEST-MD5, rip=xxx, lip=yyy, mpid=23280, TLS

What I have for auth mechanisms