Just for the record:
With Version 5.0.0 and the new option "tls-dhparams-file" everything works
great, TLS uses the strong cipher suites now!
Thank you :-)


2013-09-10 Marc Gregel <m...@gregel.net>:

> Looking forward to the Update :-)
>
>
> 2013/9/10 Sam Clippinger <s...@silence.org>
>
>> I think you're exactly right -- I'll need to add another TLS option to
>> spamdyke to accept the DH parameters and pass them to OpenSSL with the
>> callback.  I'll have to figure out how to test it as well...
>>
>> Thanks for finding that link, I don't think I would have even looked at a
>> function with "tmp" in its name!
>>
>> -- Sam Clippinger
>>
>>
>>
>>
>> On Sep 9, 2013, at 3:34 AM, Marc Gregel wrote:
>>
>> Hi Sam,
>>
>> is it possible that the problem is because of missing "dh keys"?
>> I think (!) spamdyke don't use or call something like this here:
>> http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html - read
>> the 'notes' part
>> so cipher with EDHE:DE won't work.
>>
>> My server/openssl is fine because the original qmail-tls works with cipher
>> EDHE_DH"! So the problem is the tls handling of spamdyke?!
>>
>>
>> 2013/9/8 Sam Clippinger <s...@silence.org>
>>
>>> Hmmm... I think you may be beyond the edge of my expertise, but I'll
>>> certainly try to help if I can.  spamdyke uses the OpenSSL library to
>>> handle SSL and TLS, so anything that works with OpenSSL on the command line
>>> should work with spamdyke as well.  The option "tls-cipher-list" serves the
>>> same function as the "-cipher" option to "openssl".  spamdyke just takes
>>> the text it's given and passes it to the SSL_CTX_set_cipher_list() function
>>> in the OpenSSL library before the connection is established.  The ciphers
>>> you give should be ones listed when you run "openssl ciphers" from the
>>> command line, I'm not sure how it handles abbreviations.
>>>
>>> It's possible the problem is actually within openssl's SMTP client.  If
>>> it's not starting the SMTP connection and asking for TLS correctly, the
>>> client could be sending encrypted text while the server is still in
>>> plaintext mode or vice-versa.  That would yield some strange error messages
>>> on both sides.
>>>
>>> I think I would suggest configuring spamdyke on port 465 with
>>> "tls-level" set to "smtps" and the "tls-cipher-list" option set to your
>>> specific ciphers.  Then use this command to connect and test (substitute
>>> your ciphers as appropriate):
>>>  openssl s_client -quiet -cipher "EXP-RC4-MD5" -connect localhost:465
>>> If it connects and you see the "220" greeting banner, it's working.  If
>>> you see an "alert handshake failure", you've probably selected a cipher the
>>> server doesn't support.
>>>
>>> -- Sam Clippinger
>>>
>>>
>>>
>>>
>>> On Sep 7, 2013, at 3:18 PM, Marc Gregel wrote:
>>>
>>> Hi :-)
>>>
>>> These days where the NSA is watching us I decided to make my server as
>>> secure as possible.
>>> For qmail it means to use TLS with strong encryption - openssl with
>>> -ciphers "EDHS:DE" for example.
>>>
>>> The original QMAIL without spamdyke works fine:
>>> openssl s_client -starttls smtp -connect localhost:25
>>> shows me this:
>>> Protocol  : TLSv1.2
>>> Cipher    : DHE-RSA-AES256-GCM-SHA384
>>> Great!
>>>
>>> Now I enable spamdyke and test it again...
>>> Protocol  : TLSv1.2
>>> Cipher    : AES256-GCM-SHA384
>>>
>>> Ok, not that good... maybe just a wrong cipher list? So I specified it a
>>> little bit more (works fine with qmail only):
>>> openssl s_client -starttls smtp -connect localhost:25 -cipher 'DH'
>>>
>>> Ups, an error:
>>> CONNECTED(00000003)
>>> 139820346807976:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
>>> alert handshake failure:s23_clnt.c:741:
>>>
>>> I already tried to add "dhparam" to the qmail servercert
>>> (mentioned here
>>> http://permalink.gmane.org/gmane.mail.spam.spamdyke.user/3226 )
>>> but that didn't change anything...
>>>
>>>
>>> I also tested with "tls-cipher-list" param at the conf file - same error.
>>> And at the maillog this:
>>> A protocol or library failure occurred, error:140E6118:lib(20):func(230):reason(280)
>>>
>>> Is it possible that there's a bug in spamdyke with strong encryption?
>>>
>>> Thanks for your help,
>>> Marc
>>> _______________________________________________
>>> spamdyke-users mailing list
>>> spamdyke-users@spamdyke.org
>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
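A small shell check, added here as an example and not part of the thread or of spamdyke, that reads the `Cipher :` line of `openssl s_client` output the way Marc does above and reports whether the negotiated key exchange is DHE or ECDHE (forward secret) or plain RSA, and recognises the "alert handshake failure" a DHE-only cipher list produces when the server has no DH parameters loaded. The sample outputs are constructed, and `probe_smtp` is an assumed wrapper around the `s_client -starttls smtp` command used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify the key exchange an SMTP server
# negotiates, based on the "Cipher    : NAME" line printed by openssl s_client.
# Prints one of: dhe, ecdhe, none, unknown (unknown = no cipher, handshake failed).
classify_kex() {
  out="$1"
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  case "$cipher" in
    "" | "(NONE)" | 0000) echo unknown ;;   # s_client prints 0000 after a failed handshake
    ECDHE-*)              echo ecdhe ;;     # ephemeral ECDH: forward secret
    DHE-*|EDH-*|DH-*)     echo dhe ;;       # ephemeral DH: needs server-side DH parameters
    *)                    echo none ;;      # e.g. AES256-GCM-SHA384: static RSA key exchange
  esac
}

# Interpret the client-side alert from the thread: if the server offers no cipher from
# the requested list it answers with "alert handshake failure". For a DHE-only list
# the usual cause is that the server never loaded DH parameters (spamdyke 5.0.0's
# tls-dhparams-file option is what fixes that in the thread). Returns 1 on failure.
handshake_hint() {
  if printf '%s\n' "$1" | grep -q 'alert handshake failure'; then
    echo "handshake failed: no mutually supported cipher (DHE-only list? check DH parameters are loaded)"
    return 1
  fi
  return 0
}

# Live probe (assumed wrapper, needs openssl and network): host, port (default 25),
# cipher list (default DHE:ECDHE so only forward-secret suites can be negotiated).
probe_smtp() {
  host="$1"; port="${2:-25}"; ciphers="${3:-DHE:ECDHE}"
  out=$(printf 'QUIT\r\n' | openssl s_client -starttls smtp -cipher "$ciphers" -connect "$host:$port" 2>&1)
  handshake_hint "$out" || return 1
  classify_kex "$out"
}

# Constructed sample outputs (not real captures) so the functions run offline.
SAMPLE_DHE='CONNECTED(00000003)
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'
SAMPLE_NOFS='    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'
SAMPLE_FAIL='CONNECTED(00000003)
139820346807976:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
    Cipher    : 0000'
```

Run `probe_smtp localhost 25` against a server to get the same classification on a live STARTTLS session.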
