Re: [qmailtoaster] STARTTLS on CENT-6.9

2017-06-22 Thread ag
Hi Eric,
Hi Jaime,

thanks for your suggestions.
I tested whether the file was there and whether it is a valid certificate; I have a
script to create the file on renewals, all of that is done.
What is unusual in my case: my certfile is a link.
When testing the certificate with:
openssl x509 -noout -in /var/qmail/control/servercert.pem -dates
I get:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:05:e5:90:e9:e7:50:85:52:24:f8:10:3a:29:c7:24:bb:e9
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Jun 12 21:01:00 2017 GMT
Not After : Sep 10 21:01:00 2017 GMT
~~~

The certificate is there and is valid.
I copied the servercert.pem to /var/qmail/control/ now, restarted qmail
and tested; now it works with STARTTLS.

Must have been an issue with owner and/or rights.

Thanks a lot for pointing me in the correct direction.
I am always very happy to see how quickly problems can be solved on this list.

Once again, many thanks

Andreas




> Just throwing a +1 for Eric asking about the servercert.pem file. You have
> to copy the Let's Encrypt cert over to there (and also have it copy it over
> each time the cert is renewed, approximately every 90 days). I have some
> shell scripts I'm running weekly to handle making sure the Let's Encrypt cert
> is renewed and the servercert.pem file is updated.
>
> From:  Eric Broch <ebr...@whitehorsetc.com>
> Reply-To:  <qmailtoaster-list@qmailtoaster.com>
> Date:  Thursday, June 22, 2017 at 10:17 AM
> To:  <qmailtoaster-list@qmailtoaster.com>
> Subject:  Re: [qmailtoaster] STARTTLS on CENT-6.9
>
> Hi Andreas,
>
> I'm not sure if you're a coder, but here's the section of code in
> qmail-smtpd.c that sends STARTTLS upon meeting certain criteria.
>
> #ifdef TLS
>   if (!ssl && (stat("control/servercert.pem",&st) == 0))
>     out("\r\n250-STARTTLS");
> #endif
>
> Looks like you need 1) TLS defined, 2) ssl variable not 0, and 3) a
> certificate.
>
> TLS should be compiled into qmail
>
> The first thing I'd check is the presence of a certificate
> /var/qmail/control/servercert.pem. If it exists we can start checking the
> ssl variable.
>
> Eric
>
> On 6/22/2017 5:13 AM, Andreas Galatis wrote:
>
>> Hello List,
>>
>> since some time my qmailserver does not offer STARTTLS on ports 25 and
>> 587
>>
>> Dovecot offers STARTTLS, everything is fine.
>>
>> Qmail does not.
>>
>> I have another qmailserver on CENT working fine and offering STARTTLS,
>> tlsserverciphers are the same, same openssl 1.0.1e-57
>>
>> Both servers have certificates from LetsEncrypt, issued this month.
>>
>> I cannot find the difference
>>
>> Here the answer when connecting:
>>
>> telnet localhost 25
>>
>> Trying 127.0.0.1...
>>
>> Connected to localhost.
>>
>> Escape character is '^]'.
>>
>> 220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
>>
>> ehlo mail.unet.de
>>
>> 250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
>>
>> 250-STARTTLS
>>
>> 250-PIPELINING
>>
>> 250-8BITMIME
>>
>> 250-SIZE 2000
>>
>> 250 AUTH LOGIN PLAIN CRAM-MD5
>>
>> telnet localhost 25
>>
>> Trying 127.0.0.1...
>>
>> Connected to mail.unet.de.
>>
>> Escape character is '^]'.
>>
>> 220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
>>
>> ehlo mail.unet.de
>>
>> 250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
>>
>> 250-PIPELINING
>>
>> 250-8BITMIME
>>
>> 250-SIZE 2000
>>
>> 250 AUTH LOGIN PLAIN CRAM-MD5
>>
>> Any help is very appreciated.
>>
>
> --
> Eric Broch
> White Horse Technical Consulting (WHTC)
>


-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



Re: [qmailtoaster] STARTTLS on CENT-6.9

2017-06-22 Thread Jaime Lerner
Just throwing a +1 for Eric asking about the servercert.pem file. You have
to copy the Let's Encrypt cert over to there (and also have it copy it over
each time the cert is renewed, approximately every 90 days). I have some
shell scripts I'm running weekly to handle making sure the Let's Encrypt cert
is renewed and the servercert.pem file is updated.

From:  Eric Broch <ebr...@whitehorsetc.com>
Reply-To:  <qmailtoaster-list@qmailtoaster.com>
Date:  Thursday, June 22, 2017 at 10:17 AM
To:  <qmailtoaster-list@qmailtoaster.com>
Subject:  Re: [qmailtoaster] STARTTLS on CENT-6.9


Hi Andreas,

I'm not sure if you're a coder, but here's the section of code in
qmail-smtpd.c that sends STARTTLS upon meeting certain criteria.
 
#ifdef TLS
  if (!ssl && (stat("control/servercert.pem",&st) == 0))
    out("\r\n250-STARTTLS");
#endif
 
Looks like you need 1) TLS defined, 2) ssl variable not 0, and 3) a
certificate.

TLS should be compiled into qmail
 
The first thing I'd check is the presence of a certificate
/var/qmail/control/servercert.pem. If it exists we can start checking the
ssl variable.

Eric
 
On 6/22/2017 5:13 AM, Andreas Galatis wrote:
 
> Hello List,
>  
> since some time my qmailserver does not offer STARTTLS on ports 25 and 587
>  
> Dovecot offers STARTTLS, everything is fine.
>  
> Qmail does not.
>  
> I have another qmailserver on CENT working fine and offering STARTTLS,
> tlsserverciphers are the same, same openssl 1.0.1e-57
>  
> Both servers have certificates from LetsEncrypt, issued this month.
>  
> I cannot find the difference
>  
> Here the answer when connecting:
>  
> telnet localhost 25
>  
> Trying 127.0.0.1...
>  
> Connected to localhost.
>  
> Escape character is '^]'.
>  
> 220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
>  
> ehlo mail.unet.de
>  
> 250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
>  
> 250-STARTTLS
>  
> 250-PIPELINING
>  
> 250-8BITMIME
>  
> 250-SIZE 2000
>  
> 250 AUTH LOGIN PLAIN CRAM-MD5
>  
> telnet localhost 25
>  
> Trying 127.0.0.1...
>  
> Connected to mail.unet.de.
>  
> Escape character is '^]'.
>  
> 220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
>  
> ehlo mail.unet.de
>  
> 250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
>  
> 250-PIPELINING
>  
> 250-8BITMIME
>  
> 250-SIZE 2000
>  
> 250 AUTH LOGIN PLAIN CRAM-MD5
>  
> Any help is very appreciated.
>  
> Andreas
>  
-- 
Eric Broch
White Horse Technical Consulting (WHTC)

Re: [qmailtoaster] STARTTLS on CENT-6.9

2017-06-22 Thread Eric Broch

Hi Andreas,

I'm not sure if you're a coder, but here's the section of code in 
qmail-smtpd.c that sends STARTTLS upon meeting certain criteria.

#ifdef TLS
  if (!ssl && (stat("control/servercert.pem",&st) == 0))
    out("\r\n250-STARTTLS");
#endif

Looks like you need 1) TLS defined, 2) ssl variable not 0, and 3) a 
certificate.

TLS should be compiled into qmail

The first thing I'd check is the presence of a certificate 
/var/qmail/control/servercert.pem. If it exists we can start checking 
the ssl variable.


Eric

On 6/22/2017 5:13 AM, Andreas Galatis wrote:

Hello List,

since some time my qmailserver does not offer STARTTLS on ports 25 and 587

Dovecot offers STARTTLS, everything is fine.

Qmail does not.

I have another qmailserver on CENT working fine and offering
STARTTLS, tlsserverciphers are the same, same openssl 1.0.1e-57

Both servers have certificates from LetsEncrypt, issued this month.

I cannot find the difference

Here the answer when connecting:

telnet localhost 25

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP

ehlo mail.unet.de

250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server

250-STARTTLS

250-PIPELINING

250-8BITMIME

250-SIZE 2000

250 AUTH LOGIN PLAIN CRAM-MD5

telnet localhost 25

Trying 127.0.0.1...

Connected to mail.unet.de.

Escape character is '^]'.

220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP

ehlo mail.unet.de

250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server

250-PIPELINING

250-8BITMIME

250-SIZE 2000

250 AUTH LOGIN PLAIN CRAM-MD5

Any help is very appreciated.

Andreas

--
Eric Broch
White Horse Technical Consulting (WHTC)
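The three messages above (Eric's stat() condition, Jaime's copy-on-renewal advice, and Andreas's finding that a symlinked servercert.pem was the problem) fit together in one script. The snippet Eric quotes makes qmail-smtpd call stat("control/servercert.pem") as the unprivileged smtpd user, and stat() follows symlinks; certbot keeps /etc/letsencrypt/live and /etc/letsencrypt/archive root-only (mode 0700), so a link into them fails with EACCES and STARTTLS quietly disappears from the EHLO reply, which is consistent with the "owner and/or rights" conclusion. The script below is an added example, not code from the thread, from qmailtoaster or from certbot. It assumes qmail-smtpd runs as the vpopmail user (qmailtoaster's usual run script), that certbot's live directory is /etc/letsencrypt/live/mail.example.org, and that servercert.pem should hold the private key followed by the full chain with mode 0640; all of those are guesses that can be overridden through the environment variables at the top.

```sh
#!/bin/sh
# Added example, not from the thread or the qmailtoaster project: install a
# Let's Encrypt certificate as a regular file at /var/qmail/control/servercert.pem
# and check it the way qmail-smtpd does before it advertises STARTTLS.
#
# Assumptions (none stated in the thread): smtpd runs as vpopmail, certbot's
# live dir is /etc/letsencrypt/live/mail.example.org, mode 0640 is acceptable.
LE_DIR="${LE_DIR:-/etc/letsencrypt/live/mail.example.org}"
QMAIL_CERT="${QMAIL_CERT:-/var/qmail/control/servercert.pem}"
CERT_OWNER="${CERT_OWNER:-vpopmail}"
CERT_GROUP="${CERT_GROUP:-vpopmail}"

# Number of CERTIFICATE blocks in a PEM file (leaf plus chain); 0 if unreadable.
cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# qmail's TLS patch loads both the chain and the private key from
# control/servercert.pem, so the deployed file is privkey.pem + fullchain.pem.
# It is written under a temporary name and renamed into place: a qmail-smtpd
# started mid-renewal never reads a half-written file, and rename() replaces a
# stale symlink instead of writing through it into /etc/letsencrypt.
build_servercert() {
    src="$1"; dest="$2"; mode="${3:-0640}"
    if [ ! -r "$src/privkey.pem" ] || [ ! -r "$src/fullchain.pem" ]; then
        echo "build_servercert: privkey.pem or fullchain.pem missing in $src" >&2
        return 1
    fi
    tmp="$dest.tmp.$$"
    # umask 077 in a subshell so the key is never world-readable, even briefly.
    ( umask 077 && cat "$src/privkey.pem" "$src/fullchain.pem" > "$tmp" ) || return 1
    chmod "$mode" "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dest"
}

# What qmail-smtpd needs: a regular file (not a symlink into a root-only
# directory) that actually contains a key and at least one certificate.
verify_servercert() {
    f="$1"
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "verify_servercert: $f is not a regular file" >&2; return 1
    fi
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "verify_servercert: no private key in $f" >&2; return 1
    fi
    if [ "$(cert_count "$f")" -lt 1 ]; then
        echo "verify_servercert: no certificate in $f" >&2; return 1
    fi
    return 0
}

# Reproduce the smtpd user's view of the file (run as root). This is the check
# that would have exposed the symlink problem directly.
readable_as() {
    su -s /bin/sh -c "test -r '$1'" "$2"
}

# The expiry check Andreas ran, and a live probe: exit 0 only if the server
# advertises STARTTLS and the TLS handshake completes.
show_expiry() {
    openssl x509 -noout -in "$1" -dates
}
check_starttls() {
    openssl s_client -starttls smtp -connect "${1:-localhost}:${2:-25}" </dev/null >/dev/null 2>&1
}

deploy_servercert() {
    build_servercert "$1" "$2" 0640 || return 1
    chown "$CERT_OWNER:$CERT_GROUP" "$2" || return 1
    verify_servercert "$2"
}

# Typical use from a weekly cron job (as Jaime does) or a certbot deploy hook:
#   sh servercert-deploy.sh deploy && check_starttls localhost 25
if [ "${1:-}" = "deploy" ]; then
    deploy_servercert "$LE_DIR" "$QMAIL_CERT" && readable_as "$QMAIL_CERT" "$CERT_OWNER"
fi
```

Because tcpserver starts a fresh qmail-smtpd for every connection, the next EHLO after deploy_servercert already reads the new file; restarting qmail as Andreas did is harmless but not required for the certificate alone. readable_as is the one check worth adding to any such script: it answers the question the thread circled around (can the smtpd user stat the file?) without reading C.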

[qmailtoaster] STARTTLS on CENT-6.9

2017-06-22 Thread Andreas Galatis
Hello List,


since some time my qmailserver does not offer STARTTLS on ports 25 and 587


Dovecot offers STARTTLS, everything is fine.

Qmail does not.


I have another qmailserver on CENT working fine and offering STARTTLS,
tlsserverciphers are the same, same openssl 1.0.1e-57

Both servers have certificates from LetsEncrypt, issued this month.


I cannot find the difference

Here the answer when connecting:

telnet localhost 25

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP

ehlo mail.unet.de

250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server

250-STARTTLS

250-PIPELINING

250-8BITMIME

250-SIZE 2000

250 AUTH LOGIN PLAIN CRAM-MD5


telnet localhost 25

Trying 127.0.0.1...

Connected to mail.unet.de.

Escape character is '^]'.

220 unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP

ehlo mail.unet.de

250-unet.de - Welcome to Qmail Toaster Ver. 1.3 SMTP Server

250-PIPELINING

250-8BITMIME

250-SIZE 2000

250 AUTH LOGIN PLAIN CRAM-MD5


Any help is very appreciated.


Andreas


smime.p7s
Description: S/MIME cryptographic signature