Hi Peter,
OpenSSL version 1.1.1 (RHEL8) and derivatives use a different function
than OpenSSL 1.0.2 (RHEL7) to set connection ciphers. Before the patch,
the function in question for qmail-remote wasn't setting the connection
ciphers (tlsclientciphers) so it went to default from
Hi Eric,
I now installed the rpm from testing repo, restarted qmail and did three tests:
- emailed Gmail address, mail relayed through my qmail box: OK
- replied from Gmail to my qmail box: OK
- emailed hornet security: OK
What I have in qmail send log is:
List,
qmail-1.03-3.3.6.qt.md.el8.x86_64.rpm is in the testing repo. This is
patched with updated loading of ciphers consistent with OpenSSL 1.1.1 on
RHEL8 (and 8 derivatives) both in mysql and mariadb trees (non md to come).
Here's the patch:
--- qmail-1.03-3.3.5/qmail-remote.c
Hi Peter,
I've been looking into this TLS issue and think I've found the solution.
It seems that the function in the newest version of OpenSSL used in
qmail-remote to load cipher suites from the control directory has been
replaced so the default ciphers are loaded instead of the one in the
I think it would, but I would try it to see.
On 3/1/2022 12:13 AM, Peter Peltonen wrote:
If I lower MinProtocol to TLSv1.0 would that enable access to those
servers but use the higher protocol version for the rest of the world?
Any ideas how to solve the TLS connect errors?
A bit of a hack that comes to my mind would be to have a cron job to
switch back to LEGACY, process the queue and then switch back to
DEFAULT?
But a more elegant solution would be preferable :)
Best,
Peter
On Tue, Mar 1, 2022 at 9:13 AM Peter
Now after monitoring 36h after the change no cipher related errors,
but a few servers apparently have problems with higher TLS versions:
TLS_connect_failed:_error:1425F102:SSL_routines:ssl_choose_client_version:unsupported_protocol
I assume that this is due to these
I'd like to implement this programmatically so that we can set
parameters in a /var/qmail/control/sslconf file
On 2/27/2022 2:25 PM, Peter Peltonen wrote:
Hi Eric,
Okay my crypto-policy is now DEFAULT again and in opensslcnf.config I now have:
CipherString =
DEFAULT@SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
I am grepping ssl from qmail/send log.
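The three OpenSSL reasons quoted in this thread (wrong_cipher_returned, dh_key_too_small, unsupported_protocol) are easiest to triage when each deferral is tied back to the recipient domain, because each reason points at a different client-side setting. The script below is an added example, not code from the thread or from the qmail package: it parses qmail-send log lines in their standard format ("starting delivery N: msg M to remote user@host" followed by "delivery N: deferral: ..."), groups TLS failures per domain and reason, and attaches a hint for each reason. The log lines are constructed, the domains and 192.0.2.x addresses are placeholders, and the hint table is my own reading of what each reason usually indicates.

```python
import re
from collections import Counter

# Constructed sample qmail-send log lines (with the tai64n prefix that
# multilog adds). Domains and addresses are placeholders, not from the thread.
SAMPLE_LOG = """\
@4000000062178a3b2c1d3e4c starting delivery 101: msg 524288 to remote alice@example.net
@4000000062178a3b3a0f9b5c delivery 101: deferral: TLS_connect_failed:_error:1421C105:SSL_routines:set_client_ciphersuite:wrong_cipher_returnedZConnected_to_192.0.2.10_but_connection_died._(#4.4.2)/
@4000000062178a3c0a1b2c3d starting delivery 102: msg 524300 to remote bob@example.org
@4000000062178a3c1b2c3d4e delivery 102: deferral: TLS_connect_failed:_error:141A318A:SSL_routines:tls_process_ske_dhe:dh_key_too_small_(#4.4.2)/
@4000000062178a3d0a1b2c3d starting delivery 103: msg 524301 to remote carol@old.example
@4000000062178a3d1b2c3d4e delivery 103: deferral: TLS_connect_failed:_error:1425F102:SSL_routines:ssl_choose_client_version:unsupported_protocol_(#4.4.2)/
@4000000062178a3e0a1b2c3d starting delivery 104: msg 524302 to remote dave@example.com
@4000000062178a3e1b2c3d4e delivery 104: success: 192.0.2.20_accepted_message./Remote_host_said:_250_2.0.0_OK_accept/
@4000000062178a3f0a1b2c3d starting delivery 105: msg 524303 to remote erin@example.org
@4000000062178a3f1b2c3d4e delivery 105: deferral: TLS_connect_failed:_error:141A318A:SSL_routines:tls_process_ske_dhe:dh_key_too_small_(#4.4.2)/
"""

START_RE = re.compile(r"starting delivery (\d+): msg \d+ to (?:remote|local) (\S+)")
RESULT_RE = re.compile(r"delivery (\d+): (success|deferral|failure): (.*)")
# qmail-remote joins its status text with '_' and separates sub-messages with 'Z',
# so the OpenSSL reason ends at a 'Z', at the "_(#4.4.2)" suffix, or at end of line.
TLS_RE = re.compile(
    r"TLS_connect_failed:_error:([0-9A-F]+):SSL_routines:(\w+):(\w+?)(?:Z|_\(#|$)"
)

# Hints are my own summary of what each reason usually means for the client side.
REASON_HINTS = {
    "wrong_cipher_returned": "server picked a cipher the client did not offer; "
                             "check tlsclientciphers / CipherString",
    "dh_key_too_small": "server's DH parameters are below the OpenSSL security "
                        "level (SECLEVEL=2 requires 2048-bit DH)",
    "unsupported_protocol": "server only speaks a TLS version below MinProtocol",
}


def hint_for(reason):
    """Return the triage hint for an OpenSSL reason string, or a generic one."""
    return REASON_HINTS.get(reason, "unclassified TLS failure; inspect the server")


def parse_tls_failures(log_text):
    """Return one dict per TLS-related deferral, correlated with its recipient."""
    recipients = {}  # delivery number -> recipient address
    failures = []
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            recipients[m.group(1)] = m.group(2)
            continue
        m = RESULT_RE.search(line)
        if not m or m.group(2) != "deferral":
            continue
        delivery, _, detail = m.groups()
        t = TLS_RE.search(detail)
        if not t:
            continue  # a deferral for some non-TLS reason
        rcpt = recipients.get(delivery, "?")
        failures.append({
            "delivery": delivery,
            "recipient": rcpt,
            "domain": rcpt.rsplit("@", 1)[-1],
            "code": t.group(1),
            "func": t.group(2),
            "reason": t.group(3),
        })
    return failures


def summarize(failures):
    """Count TLS failures per (domain, reason) so repeat offenders stand out."""
    return Counter((f["domain"], f["reason"]) for f in failures)


def report(log_text):
    """Produce one line per (domain, reason) with the count and the hint."""
    lines = []
    for (domain, reason), n in sorted(summarize(parse_tls_failures(log_text)).items()):
        lines.append(f"{domain}: {n} x {reason}: {hint_for(reason)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real log with `report(open("/var/log/qmail/send/current").read())`; a domain that only ever shows dh_key_too_small is a candidate for a per-domain workaround rather than a system-wide drop to SECLEVEL=1.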
Peter,
Can you try something with your server to get mail delivery to normal.
Run command:
update-crypto-policies --set DEFAULT
Edit file /etc/crypto-policies/back-ends/opensslcnf.config particularly
setting
CipherString = @SECLEVEL=2
change to
CipherString = DEFAULT@SECLEVEL=1
Watch
Hi List,
Since having setup the cipher-policy to DEFAULT I had no more failures
for wrong ciphersuite.
Even the hornetservers can be reached (they told me they accept TLS1.2
and TLS1.3 only).
Until having changed the policy I routed all mails to domains that
didn't accept my ciphers via my
when you run the command
update-crypto-policies --set 'POLICY'
it actually modifies the file
/etc/crypto-policies/back-ends/opensslcnf.config
If you set to DEFAULT you may be able to modify the file with the
correct cipher
Eric
On 2/23/2022 9:49 AM, xaf wrote:
Peter Peltonen wrote on
No, I misspoke, I meant the server you have with qmail-1.03-2.2.1
On 2/23/2022 8:53 AM, Peter Peltonen wrote:
You mean my server with qmail-1.03-3.3.1.qt.md.el8.x86_64 (not
qmail-1.03-2.2.1) with the LEGACY setting?
As far as I know the only problem I am having is with the
hornetsecurity.com servers. But to be honest I have not really been
monitoring the logs that carefully, that's the only server I've
Does your legacy server qmail-1.03-2.2.1 send to all?
On 2/23/2022 8:03 AM, Peter Peltonen wrote:
Here is another error I have now seen qmail/send log about 10 times in
the recent hour:
TLS_connect_failed:_error:141A318A:SSL_routines:tls_process_ske_dhe:dh_key_too_small
And this has now happened with two pretty big local service providers'
servers as well. I don't think I can continue with
If I remember correctly it had something to do with Dovecot
On Feb 23, 2022, at 2:25 AM, Peter Peltonen wrote:
>Hello,
>
>Okay I now tested::
>
>With LEGACY (which I had earlier) I get the
>SSL_routines:set_client_ciphesuite:wrong_cipher_returned error in
>qmail/send log:
>
>But with
I've been now monitoring my qmail/send log and there has been now two
instances of a new error:
TLS_connect_failed:_error:1425F102:SSL_routines:ssl_choose_client_version:unsupported_protocol
The other one was my own very old qmail box that can do only
TLSv1.0/TLSv1.1. So apparently the new
Hello,
Okay I now tested:
With LEGACY (which I had earlier) I get the
SSL_routines:set_client_ciphesuite:wrong_cipher_returned error in
qmail/send log:
But with DEFAULT I get Remote_host_said:_250_2.0.0_OK_accept as the result
And I did the test without rebooting nor restarting qmail.
So
reboot
On 2/21/2022 8:30 AM, Peter Peltonen wrote:
Thanks Eric for the update. Here is what I see:
[root@mail ~]# update-crypto-policies --show
LEGACY
[root@mail ~]# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system
Upon further reflection, at the end of the qt/cos8 install script there
is a command, 'update-crypto-policies --set LEGACY' intended for old
email clients I don't wonder if this change between cos7 and cos8 might
have caused the problem. Have a look here:
Hi,
Is there something I can test? I didn't quite understand from Eric's
earlier msg what I should try...
One email address producing this error for me is
supp...@hornetsecurity.com -> If you like Eric, you could try emailing
themselves asking for more details (either they reply to you or you
Looking through the function tls_init() in the code for qmail-remote.c
I don't see much that it could be, they're almost identical between
2.2.1 and 3.3.5
Will continue looking...
On 2/18/2022 1:54 PM, Andreas Galatis wrote:
Hi Finn,
I have tested with the tlsserverciphers of my older server, completed
with some of the ciphers from the new file and my mails came through.
Thanks a lot for your tip, Finn, I didn't find it in the code
Andreas
On 18.02.22 at 16:56, Qmail wrote:
Hi Andreas.
In qmail You're
Hi list,
I have the same failure-mails with some servers, my version of qmail is
qmail-1.03-3.3.5.qt.md.el8.x86_64
TLS connect failed: error:1421C105:SSL routines:set_client_ciphersuite:wrong
cipher returnedZConnected to 83.246.65.85 but connection died.
With my old server
No update necessary.
No difference in TLS, it is the same in 3.3.1 and 3.3.5.
What about a shot in the dark as I'm at a loss (right now) as to what
they want:
Since tlsclientciphers is a link to tlsserverciphers I'm wondering if
copying tlsserverciphers to tlsserverciphers.bak and only
What I have installed is qmail-1.03-3.3.1.qt.md.el8.x86_64
Any reason to update?
Best,
Peter
On Sun, Feb 13, 2022 at 5:15 PM Eric Broch wrote:
>
> What version of qmail ?
>
> On 2/12/2022 12:56 PM, Peter Peltonen wrote:
> > Finally got an answer from them (see list below). I see some matching
What version of qmail ?
On 2/12/2022 12:56 PM, Peter Peltonen wrote:
Finally got an answer from them (see list below). I see some matching
ciphers on their and on my own list. Any idea how I could debug this
more so I can find out why mail is not being delivered to their
server?
best,
Peter
"
OPTION
All ciphers
DESCRIPTION
TLS encryption is only possible with
Is there a way to contact them and find out what obscure B.S. they want?
On 2/7/2022 12:26 AM, Peter Peltonen wrote:
When trying to deliver email to a domain that is using spam protection
from antispameurope.com I get the following error:
deferral:
TLS_connect_failed:_error:1421C105:SSL_routines:set_client_ciphersuite:wrong_cipher_returnedZConnected_to_83.246.65.85_but_connection_died._(#4.4.2)/
So am I