Just noticed this update replaces the /supervise/smtp/run file, so if anyone was running spamdyke, you may need to stop qmail, rename the run file, copy the run.spamdyke file to run, and restart qmail.
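
The thread below ends up touching three separate TLS failure causes on a qmail-toaster box: a certificate file that only existed as a `.new` copy so the `clientcert.pem -> servercert.pem` symlink dangled, a `tlsserverciphers` list full of anonymous and legacy suites, and the question of whether the remote side actually negotiated TLS 1.2 (visible in Gmail's `Received:` header). The following is an added example, not code from the qmailtoaster project or from anyone posting in the thread. It audits a control/ listing offline; the `dh*.pem` naming for the DH parameter file, the finding wording, and the constructed sample listing are assumptions, and the cipher sample is a subset of the list Eric posted.

```python
"""Offline audit of a qmail-toaster style control/ TLS setup (added example)."""
import os
import re
from typing import Dict, List, Tuple

# name -> (kind, payload): kind is "file" (payload = contents) or "symlink"
# (payload = link target), so the audit runs on a constructed listing too.
Listing = Dict[str, Tuple[str, str]]

LEGACY_TOKENS = ("SEED", "IDEA", "KRB5", "CAMELLIA", "RC4", "DES", "MD5", "NULL", "EXP")


def classify_cipher(name: str) -> str:
    """Bucket one OpenSSL cipher-suite name the way a TLS reviewer would."""
    n = name.strip().upper()
    if n.startswith(("ADH-", "AECDH-")):
        return "anonymous"           # no server authentication: trivially MITM-able
    if n.startswith("PSK-"):
        return "psk"                 # pre-shared keys are meaningless for MX-to-MX SMTP
    if any(tok in n for tok in LEGACY_TOKENS):
        return "legacy"              # SEED/IDEA/Camellia/RC4/3DES/MD5/export grade
    if not n.startswith(("ECDHE-", "DHE-")):
        return "no-forward-secrecy"  # static RSA or static (EC)DH key exchange
    if "GCM" in n or "CHACHA20" in n:
        return "recommended"
    return "cbc"                     # ephemeral exchange but CBC-mode record protection


def audit_cipher_string(ciphers: str) -> Dict[str, List[str]]:
    """Group a colon-separated tlsserverciphers value by classification."""
    groups: Dict[str, List[str]] = {}
    for c in filter(None, ciphers.strip().split(":")):
        groups.setdefault(classify_cipher(c), []).append(c)
    return groups


def harden_cipher_string(ciphers: str) -> str:
    """Keep only forward-secret AEAD suites, preserving the original order."""
    return ":".join(audit_cipher_string(ciphers).get("recommended", []))


def audit_control_listing(entries: Listing) -> List[str]:
    """Return human-readable findings for a control/ listing (empty list = clean)."""
    findings: List[str] = []
    if "servercert.pem" not in entries:
        findings.append("servercert.pem is missing: qmail-smtpd has nothing to offer for STARTTLS")
    for name in sorted(entries):
        if name.endswith(".new"):   # the thread's case: a cert left behind as *.new
            findings.append(f"stale {name}: the installed file was probably meant to be {name[:-4]}")
    client = entries.get("clientcert.pem")
    if client is None:
        findings.append("clientcert.pem is missing (qmail-remote's client cert for outbound TLS)")
    elif client[0] == "symlink":
        if client[1] != "servercert.pem":
            findings.append(f"clientcert.pem -> {client[1]} (expected servercert.pem)")
        if client[1] not in entries:
            findings.append(f"clientcert.pem -> {client[1]} is a dangling symlink")
    # dh*.pem naming is an assumption; the thread only says "dh key".
    if not any(n.startswith("dh") and n.endswith(".pem") for n in entries):
        findings.append("no dh*.pem parameter file found: DHE suites need server-side DH parameters")
    tsc = entries.get("tlsserverciphers")
    if tsc is not None and tsc[0] == "file":
        groups = audit_cipher_string(tsc[1])
        for bad in ("anonymous", "psk", "legacy"):
            if bad in groups:
                findings.append(f"tlsserverciphers offers {len(groups[bad])} {bad} suite(s), e.g. {groups[bad][0]}")
    return findings


def load_control_dir(path: str) -> Listing:
    """Build a Listing from a real directory; symlinks are recorded, not followed."""
    entries: Listing = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.islink(full):
            entries[name] = ("symlink", os.readlink(full))
        elif os.path.isfile(full):
            with open(full, "r", errors="replace") as fh:
                entries[name] = ("file", fh.read())
    return entries


RECEIVED_RE = re.compile(r"version=(?P<version>\S+)\s+cipher=(?P<cipher>\S+)\s+bits=(?P<bits>\d+)/(?P<max>\d+)")


def parse_received_tls(header: str) -> Dict[str, str]:
    """Pull negotiated TLS version/cipher out of a Gmail-style ESMTPS Received: header."""
    m = RECEIVED_RE.search(header)
    return m.groupdict() if m else {}


# Constructed samples: a subset of Eric's cipher list, a listing mirroring the
# thread's broken state, and the Gmail header quoted in the thread.
SAMPLE_CIPHERS = ("DHE-RSA-SEED-SHA:ADH-SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:"
                  "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:AECDH-AES256-SHA:"
                  "ADH-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:AES256-SHA:PSK-AES256-CBC-SHA:"
                  "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256")
SAMPLE_LISTING: Listing = {
    "servercert.pem.new": ("file", "-----BEGIN CERTIFICATE-----\n(constructed)\n"),
    "clientcert.pem": ("symlink", "servercert.pem"),
    "tlsserverciphers": ("file", SAMPLE_CIPHERS),
}
SAMPLE_RECEIVED = ("Received: from mail.noube.com (mail.noube.com. [75.13.64.133])\n"
                   "        by mx.google.com with ESMTPS id a207-v6si3191006itb.75.2018.07.05.16.38.19\n"
                   "        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);")

if __name__ == "__main__":
    for f in audit_control_listing(SAMPLE_LISTING):
        print("FINDING:", f)
    print("hardened:", harden_cipher_string(SAMPLE_CIPHERS))
    print("gmail saw:", parse_received_tls(SAMPLE_RECEIVED))
```

Against a live box, `audit_control_listing(load_control_dir("/var/qmail/control"))` gives the same findings. The `openssl s_client -starttls smtp` command Eric gives later in the thread is still the way to see which protocol a remote MX will negotiate before the fact; the `Received:` parser only confirms it afterwards. This script does not measure the DH group size (that needs a DER parser), it only reports whether a parameter file is present at all.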



Eric Broch wrote:
Now I can go watch the Orioles play, and enjoy a beer. ;-)


On 7/5/2018 6:48 PM, South Computers wrote:
Did a comparison of /control directories from another toaster, and noticed the link from clientcert.pem -> servercert.pem.

And realized I only had a servercert.rpm.new

Renamed it.  Doh!

Working.

Thank you to everyone who contributed, and especially you Eric.

Next time you're in Miami, I'll buy you a round.

Cheers!
Scott




Eric Broch wrote:
Try this command from your CentOS 5 box

openssl s_client -starttls smtp -no_ssl3 -no_ssl2 -debug -msg -connect fpl-com.mail.protection.outlook.com:25

What kind of beer? Hopefully not Schlitz. ;-)


On 7/5/2018 5:57 PM, South Computers wrote:
No worries, I appreciate it.

tlsserverciphers is fine.

And checking the mail in the queue that fails with the TLS errors, they are all going to office365 accounts, with 1 going to a hotmail account, but all the MX records point to something.protection.outlook.com, so basically the same.

Telnetting to one of them:

[root@mail control]# telnet fpl-com.mail.protection.outlook.com 25
Trying 207.46.163.215...
Connected to fpl-com.mail.protection.outlook.com (207.46.163.215).
Escape character is '^]'.
220 BL2FFO11FD008.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 5 Jul 2018 23:51:00 +0000
ehlo
250-BL2FFO11FD008.mail.protection.outlook.com Hello [75.13.64.133]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

I see STARTTLS in there, so should be good there, although versions accepted are unknown. Do our toasters drop back to TLS 1 if the receiving server doesn't do 1.2?

And sending an email to a gmail account works. Relevant portion showing TLS:
Received: from mail.noube.com (mail.noube.com. [75.13.64.133])
by mx.google.com with ESMTPS id a207-v6si3191006itb.75.2018.07.05.16.38.19
        for <myemailaddr...@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 05 Jul 2018 16:38:19 -0700 (PDT)

Stopping for a beer to contemplate...








Eric Broch wrote:
Sorry, my mistake, check tlsciphers 'cat /var/qmail/control/tlsserverciphers'

mine on CentOS 6 & 7 look like this:

DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA


On 7/5/2018 2:49 PM, South Computers wrote:
Good question, hadn't considered that. Will check it tonight.



Eric Broch wrote:
What about your DH key? Is it too small?


On 7/5/2018 1:28 PM, South Computers wrote:
This is a repeat, my first reply went directly to Eric, sorry about that sir.

Thank you Eric, might give it a shot later.


In the meantime though, since the update, I'm having TLS connect problems to certain domains. Certain office365 accounts are not going through.

 deferral: TLS_connect_failed;_connected_to_

I can send to gmail, and in the headers it shows that it is using TLS 1.2.

Anyone have any ideas?

Thanks!

Eric Broch wrote:
> If people want qmail-dk (ssl) and have already installed the update (qmail version 1.03-1.3.24) you can do the following to get qmail-dk working with ssl/crypto:
>
> (i686)
>
> # rpm -Uvh ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/libdomainkeys-toaster-0.68-1.3.7.i686.rpm
>
> # rpm -ivh --replacefiles --replacepkgs ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/qmail-toaster-1.03-1.3.24.i686.rpm
>
> (x86_64)
>
> # rpm -Uvh ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/libdomainkeys-toaster-0.68-1.3.7.x86_64.rpm
>
> # rpm -ivh --replacefiles --replacepkgs ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/qmail-toaster-1.03-1.3.24.x86_64.rpm
>
>
> If you haven't installed qmail-toaster ssl update (version 1.03-1.3.24) follow instruction here: https://www.qmailtoaster.org/newopensslcnt50.html
>
>
>
> On 7/5/2018 10:58 AM, Brian Ghidinelli wrote:
>>
>> FWIW, I did not update my qmail-dk binary. I was hypothesizing it was only used to sign, not to communicate, and therefore the version of openssl didn't matter. I might be wrong, but I'm still sending mail?
>>
>>
>> Brian
>>
>>
>> On 7/5/18 06:38, South Computers wrote:
>>> Interestingly, this broke DKIM.
>>>
>>> I don't have the time to look further right now, but disabled dk for the time being, and it's working.
>>>
>>> Was getting this in smtp/current when trying to send mail:
>>> @400000005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!
>>>
>>> etc...
>>>
>>>
>>>
>>>
>>> South Computers wrote:
>>>> Also mostly a lurker these days, but wanted to chime in and give a big thanks as well Eric.
>>>>
>>>> Much appreciate all your work to keep this going.
>>>> Scott
>>>>
>>>> Also, if anyone else has neglected to keep their toaster up to date and needs to manually install the epel repo, at least for x86 on COS5:
>>>> wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm
>>>> rpm -Uhv epel-release-5-4.noarch.rpm
>>>>
>>>>
>>>>
>>>> Eric Broch wrote:
>>>>> Instructions for setting up greater than openssl-0.9.8 on CentOS 5, minimal testing done. This is done with openssl-1.0.1e
>>>>>
>>>>> https://www.qmailtoaster.org/newopensslcnt50.html
>>>>>
>>>>> Eric
>>>>>
>>>>>
>>>>> On 6/29/2018 4:51 AM, Peter Peltonen wrote:
>>>>>> Great, thanks for sharing!
>>>>>>
>>>>>> One question:
>>>>>>
>>>>>> Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
>>>>>> lookups removed.
>>>>>>
>>>>>> Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.
>>>>>>
>>>>>> How would one migrate the changes you did to Eric's version, as I
>>>>>> would like to have both: newer TLS support + CNAME lookups removed?
>>>>>>
>>>>>> Best,
>>>>>> Peter
>>>>>>
>>>>>> On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch <ebr...@whitehorsetc.com> wrote:
>>>>>>> Thanks, Brian!!!
>>>>>>>
>>>>>>>
>>>>>>> On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:
>>>>>>>
>>>>>>> Good news - I seemed to have solved this. It's a combo of these old notes
>>>>>>> from 2011 and an upgraded openssl:
>>>>>>>
>>>>>>> http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up
>>>>>>>
>>>>>>> I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
>>>>>>> openssl-1.0.2o from source on CentOS 5 and linked:
>>>>>>>
>>>>>>> /usr/include/openssl -> /usr/local/ssl/include/openssl/
>>>>>>>
>>>>>>> Then I rebuilt the RPM:
>>>>>>>
>>>>>>> rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec
>>>>>>>
>>>>>>> This generated the RPM. I extracted the files:
>>>>>>>
>>>>>>> rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv
>>>>>>>
>>>>>>> I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
>>>>>>> the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
>>>>>>> where cpio extracted them to)
>>>>>>>
>>>>>>> And then tested with checktls.com and everything shows TLS 1.2 now. *whew*
>>>>>>>
>>>>>>> This buys us a little time to complete a migration. Hope this helps someone
>>>>>>> else!
>>>>>>>
>>>>>>>
>>>>>>> Brian
>>>>>>>
>>>>>>>
>>>>>>> On 6/27/18 09:09, Eric Broch wrote:
>>>>>>>
>>>>>>> Have a look at this thread:
>>>>>>>
>>>>>>> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html
>>>>>>>
>>>>>>> IMHO, there were too many packages that were dependent on openssl-0.9.8 on the
>>>>>>> CentOS 5 box to make this practical.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>>>>>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Eric Broch
>>>>>>> White Horse Technical Consulting (WHTC)
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>

























