Hi Peter,
OpenSSL version 1.1.1 (RHEL8) and derivatives use a different function
than OpenSSL 1.0.2 (RHEL7) to set connection ciphers. Before the patch,
the function in question for qmail-remote wasn't setting the connection
ciphers (tlsclientciphers) so it went to default from opensslcnf.con
Hi Eric,
I now installed the rpm from testing repo, restarted qmail and did three tests:
- emailed Gmail address, mail relayed through my qmail box: OK
- replied from Gmail to my qmail box: OK
- emailed hornet security: OK
What I have in qmail send log is:
Remote_host_said:_250_2.0.0_OK_accept_a
List,
qmail-1.03-3.3.6.qt.md.el8.x86_64.rpm is in the testing repo. This is
patched with updated loading of ciphers consistent with OpenSSL 1.1.1 on
RHEL8 (and 8 derivatives) both in mysql and mariadb trees (non md to come).
Here's the patch:
--- qmail-1.03-3.3.5/qmail-remote.c 2022-03-1
Hi Peter,
I've been looking into this TLS issue and think I've found the solution.
It seems that the function in the newest version of OpenSSL used in
qmail-remote to load cipher suites from the control directory has been
replaced so the default ciphers are loaded instead of the one in the
co
I think it would, but I would try it to see.
On 3/1/2022 12:13 AM, Peter Peltonen wrote:
If I lower MinProtocol to TLSv1.0 would that enable access to those
servers but use the higher protocol version for the rest of the world?
--
Any ideas how to solve the TLS connect errors?
A bit of a hack that comes to my mind would be to have a cron job to
switch back to LEGACY, process the queue and then switch back to
DEFAULT?
But a more elegant solution would be preferable :)
Best,
Peter
On Tue, Mar 1, 2022 at 9:13 AM Peter Pelto
Now after monitoring 36h after the change no cipher related errors,
but a few servers apparently have problems with higher TLS versions:
TLS_connect_failed:_error:1425F102:SSL_routines:ssl_choose_client_version:unsupported_protocol
I assume that this is due to these
/etc/crypto-policies/back-ends
I'd like to implement this programmatically so that we can set
parameters in a /var/qmail/control/sslconf file
On 2/27/2022 2:25 PM, Peter Peltonen wrote:
Hi Eric,
Okay my crypto-policy is now DEFAULT again and in opensslcnf.config I now have:
CipherString =
DEFAULT@SECLEVEL=1:kEECDH:kRSA:kE
Hi Eric,
Okay my crypto-policy is now DEFAULT again and in opensslcnf.config I now have:
CipherString =
DEFAULT@SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
I am grepping ssl from qmail/send log. Le
Peter,
Can you try something with your server to get mail delivery to normal.
Run command:
update-crypto-policies --set DEFAULT
Edit file /etc/crypto-policies/back-ends/opensslcnf.config particularly
setting
CipherString = @SECLEVEL=2
change to
CipherString = DEFAULT@SECLEVEL=1
Watch l
Hi List,
Since having setup the cipher-policy to DEFAULT I had no more failures
for wrong ciphersuite.
Even the hornetservers can be reached (they told me they accept TLS1.2
and TLS1.3 only).
Until having changed the policy I routed all mails to domains that
didn't accept my ciphers via my o
when you run the command
update-crypto-policies --set 'POLICY'
it actually modifies the file
/etc/crypto-policies/back-ends/opensslcnf.config
If you set to DEFAULT you may be able to modify the file with the
correct cipher
Eric
On 2/23/2022 9:49 AM, xaf wrote:
Peter Peltonen a écrit le 23
No, I misspoke, I meant the server you have with qmail-1.03-2.2.1
On 2/23/2022 8:53 AM, Peter Peltonen wrote:
You mean my server with qmail-1.03-3.3.1.qt.md.el8.x86_64 (not
qmail-1.03-2.2.1) with the LEGACY setting?
As far as I know the only problem I am having is with the
hornetsecurity.com
You mean my server with qmail-1.03-3.3.1.qt.md.el8.x86_64 (not
qmail-1.03-2.2.1) with the LEGACY setting?
As far as I know the only problem I am having is with the
hornetsecurity.com servers. But to be honest I have not really been
monitoring the logs that carefully, that's the only server I've
re
Does your legacy server qmail-1.03-2.2.1 send to all?
On 2/23/2022 8:03 AM, Peter Peltonen wrote:
Here is another error I have now seen qmail/send log about 10 times in
the recent hour:
TLS_connect_failed:_error:141A318A:SSL_routines:tls_process_ske_dhe:dh_key_too_small
And this has now happen
Here is another error I have now seen qmail/send log about 10 times in
the recent hour:
TLS_connect_failed:_error:141A318A:SSL_routines:tls_process_ske_dhe:dh_key_too_small
And this has now happened with two pretty big local service provider's
servers as well. I don't think I can continue with th
If I remember correctly it had something to do with Dovecot
On Feb 23, 2022, 2:25 AM, at 2:25 AM, Peter Peltonen
wrote:
>Hello,
>
>Okay I now tested:
>
>With LEGACY (which I had earlier) I get the
>SSL_routines:set_client_ciphesuite:wrong_cipher_returned error in
>qmail/send log:
>
>But with DE
I've been now monitoring my qmail/send log and there has been now two
instances of a new error:
TLS_connect_failed:_error:1425F102:SSL_routines:ssl_choose_client_version:unsupported_protocol
The other one was my own very old qmail box that can do only
TLSv1.0/TLSv1.1. So apparently the new settin
Hello,
Okay I now tested:
With LEGACY (which I had earlier) I get the
SSL_routines:set_client_ciphesuite:wrong_cipher_returned error in
qmail/send log:
But with DEFAULT I get Remote_host_said:_250_2.0.0_OK_accept as the result
And I did the test without rebooting nor restarting qmail.
So appa
reboot
On 2/21/2022 8:30 AM, Peter Peltonen wrote:
Thanks Eric for the update. Here is what I see:
[root@mail ~]# update-crypto-policies --show
LEGACY
[root@mail ~]# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on applicatio
Thanks Eric for the update. Here is what I see:
[root@mail ~]# update-crypto-policies --show
LEGACY
[root@mail ~]# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system fo
Upon further reflection, at the end of the qt/cos8 install script there
is a command, 'update-crypto-policies --set LEGACY' intended for old
email clients. I don't wonder if this change between cos7 and cos8 might
have caused the problem. Have a look here:
https://www.redhat.com/en/blog/how-customiz
Hi,
Is there something I can test? I didn't quite understand from Eric's
earlier msg what I should try...
One email address producing this error for me is
supp...@hornetsecurity.com -> If you like Eric, you could try emailing
themselves asking for more details (either they reply to you or you
wil
Looking through the function tls_init() in the code for qmail-remote.c
I don't see much that it could be, they're almost identical between
2.2.1 and 3.3.5
Will continue looking...
On 2/18/2022 1:54 PM, Andreas Galatis wrote:
Hi Finn,
I have tested with the tlsserverciphers of my older serv
Hi Finn,
I have tested with the tlsserverciphers of my older server, completed
with some of the ciphers from the new file and my mails came through.
Thanks a lot for your tip, Finn, I didn't find it in the code
Andreas
Am 18.02.22 um 16:56 schrieb Qmail:
Hi Andreas.
In qmail You're pro
Hi list,
I have the same failure-mails with some servers, my version of qmail is
qmail-1.03-3.3.5.qt.md.el8.x86_64
TLS connect failed: error:1421C105:SSL routines:set_client_ciphersuite:wrong
cipher returnedZConnected to 83.246.65.85 but connection died.
With my old server (qmail-1.03-2.2.1.qt.e
No update necessary.
No difference in TLS, it is the same in 3.3.1 and 3.3.5.
What about a shot in the dark as I'm at a loss (right now) as to what
they want:
Since tlsclientciphers is a link to tlsserverciphers I'm wondering if
copying tlsserverciphers to tlsserverciphers.bak and only putti
What I have installed is qmail-1.03-3.3.1.qt.md.el8.x86_64
Any reason to update?
Best,
Peter
On Sun, Feb 13, 2022 at 5:15 PM Eric Broch wrote:
>
> What version of qmail ?
>
> On 2/12/2022 12:56 PM, Peter Peltonen wrote:
> > Finally got an answer from them (see list below). I see some matching
>
What version of qmail ?
On 2/12/2022 12:56 PM, Peter Peltonen wrote:
Finally got an answer from them (see list below). I see some matching
ciphers on their and on my own list. Any idea how I could debug this
more so I can find out why mail is not being delivered to their
server?
best,
Peter
"
Finally got an answer from them (see list below). I see some matching
ciphers on their and on my own list. Any idea how I could debug this
more so I can find out why mail is not being delivered to their
server?
best,
Peter
"
OPTON
All ciphers
DESCRIPTION
TLS encryption is only possible with ciph
Is there a way to contact them and find out what obscure B.S. they want?
On 2/7/2022 12:26 AM, Peter Peltonen wrote:
When trying to deliver email to a domain that is using spam protection
from antispameurope.com I get the following error:
deferral:
TLS_connect_failed:_error:1421C105:SSL_routin
When trying to deliver email to a domain that is using spam protection
from antispameurope.com I get the following error:
deferral:
TLS_connect_failed:_error:1421C105:SSL_routines:set_client_ciphersuite:wrong_cipher_returnedZConnected_to_83.246.65.85_but_connection_died._(#4.4.2)/
So am I missin
32 matches