Re: [qmailtoaster] STARTTLS on CENT-6.9
Hi Eric, Hi Jaime,

Thanks for your suggestions. I tested if the file was there, if it is a valid certificate, I have a script to create the file on renewals, all that is done.

What I have unusual is: My certfile is a link. When testing the certificate by:

    openssl x509 -noout -in /var/qmail/control/servercert.pem -dates

I get:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                03:05:e5:90:e9:e7:50:85:52:24:f8:10:3a:29:c7:24:bb:e9
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            Validity
                Not Before: Jun 12 21:01:00 2017 GMT
                Not After : Sep 10 21:01:00 2017 GMT
    ~~~

The certificate is there, is valid.

I copied the servercert.pem to /var/qmail/control/ now, restarted qmail and tested, now it works with STARTTLS. Must have been an issue with owner and/or rights.

Thanks a lot for pointing me in the correct direction. I am always very happy to see how quick problems can be solved on this list.

Once again, many thanks

Andreas

> Just throwing a +1 for Eric asking about the servercert.pem file.
> [...]
Re: [qmailtoaster] STARTTLS on CENT-6.9
Just throwing a +1 for Eric asking about the servercert.pem file. You have to copy the Let's Encrypt cert over to there (and also have it copy it over each time the cert is renewed, approximately every 90 days). I have some shell scripts I'm running weekly to handle making sure the Let's Encrypt cert is renewed and the servercert.pem file is updated.

From: Eric Broch <ebr...@whitehorsetc.com>
Reply-To: <qmailtoaster-list@qmailtoaster.com>
Date: Thursday, June 22, 2017 at 10:17 AM
To: <qmailtoaster-list@qmailtoaster.com>
Subject: Re: [qmailtoaster] STARTTLS on CENT-6.9

[...]
Re: [qmailtoaster] STARTTLS on CENT-6.9
Hi Andreas,

I'm not sure if you're a coder, but here's the section of code in qmail-smtpd.c that sends STARTTLS upon meeting certain criteria.

    #ifdef TLS
      /* st is a struct stat declared earlier in the function; stat() follows symlinks */
      if (!ssl && (stat("control/servercert.pem",&st) == 0))
        out("\r\n250-STARTTLS");
    #endif

Looks like you need 1) TLS defined, 2) ssl variable not 0, and 3) a certificate.

TLS should be compiled into qmail.

The first thing I'd check is the presence of a certificate /var/qmail/control/servercert.pem. If it exists we can start checking the ssl variable.

Eric

On 6/22/2017 5:13 AM, Andreas Galatis wrote:
> since some time my qmailserver does not offer STARTTLS on ports 25 and 587
> [...]

--
Eric Broch
White Horse Technical Consulting (WHTC)
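As an added example (not code from the thread or from the qmailtoaster project), the following POSIX shell check reproduces the stat() test from Eric's snippet from the viewpoint of the unprivileged qmail-smtpd process, which is exactly where the symlink and owner/rights problem Andreas ran into shows up: stat() follows the link, so a target the smtpd user cannot reach makes 250-STARTTLS silently disappear. The run user name vpopmail and the su-based readability test are assumptions; take the user from your own smtpd run script.

```shell
#!/bin/sh
# Added example, not from the thread or qmailtoaster. Mimics qmail-smtpd's
# stat("control/servercert.pem", &st) gate as the smtpd run user. stat() only
# needs every parent directory of the (resolved) path to be traversable, but
# the later TLS handshake has to read the file, so readability is the useful test.
# "vpopmail" as the run user is an assumption.

# check_servercert PATH [USER]
# exit status: 0 = visible to USER (STARTTLS will be advertised)
#              1 = path missing, 2 = dangling symlink, 3 = USER cannot read it
check_servercert() {
    cert="$1"
    user="${2:-vpopmail}"
    if [ ! -e "$cert" ] && [ ! -L "$cert" ]; then
        echo "MISSING: $cert does not exist"
        return 1
    fi
    if [ -L "$cert" ]; then
        target=$(readlink -f "$cert" 2>/dev/null || echo '?')
        # -e follows the link, so a link whose target is gone fails here
        if [ ! -e "$cert" ]; then
            echo "DANGLING: $cert -> $target (stat() follows the link and fails)"
            return 2
        fi
        echo "SYMLINK: $cert -> $target (every parent dir of the target must be searchable by $user)"
    fi
    # Only root can switch identity; then test readability as the smtpd user
    # (-s /bin/sh because service accounts usually have a nologin shell).
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        if ! su -s /bin/sh "$user" -c "test -r '$cert'"; then
            echo "UNREADABLE: $user cannot read $cert; check owner/mode of the target and its parent dirs"
            return 3
        fi
    else
        echo "NOTE: not root or no user '$user'; readability as the smtpd user was not tested"
    fi
    echo "OK: $cert is visible to $user"
    return 0
}

# Typical use on the toaster host (path taken from the thread):
#   check_servercert /var/qmail/control/servercert.pem vpopmail
```

Run it as root on the mail host so the su step actually executes; a result of 2 or 3 explains a missing 250-STARTTLS without touching qmail-smtpd itself.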
[qmailtoaster] STARTTLS on CENT-6.9
Hello List,

since some time my qmailserver does not offer STARTTLS on ports 25 and 587.

Dovecot offers STARTTLS, everything is fine. Qmail does not.

I have another qmailserver on CENT working fine and offering STARTTLS, tlsserverciphers are the same, same openssl-1.0.1e-57.

Both servers have certificates from LetsEncrypt, issued this month.

I cannot find the difference. Here the answer when connecting:

    telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
    ehlo mail.unet.de
    250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
    250-STARTTLS
    250-PIPELINING
    250-8BITMIME
    250-SIZE 2000
    250 AUTH LOGIN PLAIN CRAM-MD5

    telnet localhost 25
    Trying 127.0.0.1...
    Connected to mail.unet.de.
    Escape character is '^]'.
    220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
    ehlo mail.unet.de
    250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
    250-PIPELINING
    250-8BITMIME
    250-SIZE 2000
    250 AUTH LOGIN PLAIN CRAM-MD5

Any help is very appreciated

Andreas