Any suggestions on this Andy? openssl s_client -crlf -connect qmail.rm.ht:465 CONNECTED(00000005) depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = qmail.rm.ht verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = qmail.rm.ht verify error:num=27:certificate not trusted verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = qmail.rm.ht verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=qmail.rm.ht i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA ---
I do have a valid cert as you can see it’s from COMODO. But not sure about the first few lines Remo > On Aug 13, 2018, at 21:42, Andrew Swartz <awswa...@acsalaska.net> wrote: > > I just realized that the plain text line-wrapped the script, so here is an > unwrapped version in case anyone else wants to use it. Also, I made it > multiline so you can cut and paste it into a terminal and accomplish this in > about 3 seconds with netstat confirming success (it should print a single > line showing tcpserver listening on 465). > > rfc8314 <https://tools.ietf.org/html/rfc8314> in Jan of this year reinstates > port 465/tls because starttls (port 587) is broken beyond repair (from a > security perspective). So eventually everyone may eventually need to go back > to port 465. But since servers get to dictate setting to their clients > without creating interoperability issues, it will likely be many years before > this occurs. > > The critical flaw in starttls is that some ISP's and/or governments have been > caught filtering out the STARTTLS packet and thus preventing the initiation > of encryption (a "starttls downgrade attack"). In that case, the client's > username and password are sent in the clear. And if an eavesdropper gets > those, they can wreak havoc on your your life (i.e. by resetting the password > for your bank or other online accounts, etc). With port 465/tls, the client > connection either establishes encryption or fails; it cannot be tricked into > using clear-text. > > Anyway, here is the paste-able script: > > qmailctl stop; \ > cp -r /var/qmail/supervise/submission /var/qmail/supervise/smtps; \ > chown -R qmaill:qmail /var/qmail/supervise/smtps; \ > sed -i 's/REQUIRE_AUTH=1/REQUIRE_AUTH=1\nexport SMTPS=1/' > /var/qmail/supervise/smtps/run; \ > sed -i 's/587/465/' /var/qmail/supervise/smtps/run; \ > sed -i 's/submission/smtps/' /var/qmail/supervise/smtps/log/run; \ > sed -i 's/DH:!LOW:!MEDIUM/ECDHE:DHE:ECDH:DH:AES:!SSLv2:!SSLv3/' > /etc/tcprules.d/tcp.smtp; \ > qmailctl cdb; \ > qmailctl start; \ > netstat -lnp | grep 465 > > > -Andy > > PS: If old clients cannot connect, then remove the "!SSLv3" from the cipher > list in tcp.smtp > > > > > > > On 8/13/2018 7:32 PM, Remo Mattei wrote: >> Cool! I remember I did it like Eric described but the bottom line is it >> works either way. I do not offer 465 any longer :) >> >> dal mio iPhone X >> >> Il giorno 13 ago 2018, alle ore 20:25, Andrew Swartz <awswa...@acsalaska.net >> <mailto:awswa...@acsalaska.net>> ha scritto: >> >>> I eventually figured this out, and accomplished the same result though I >>> went about it slightly differently. It is now fully functional. Below >>> is the script which I created and accomplishes this in very few lines. >>> It copies the supervise/smtp directory to supervise/smtps and it then >>> edits a few values in two files files (plus editing the cipher list in >>> tcp.smtp). >>> >>> >>> qmailctl stop >>> cp -r /var/qmail/supervise/submission /var/qmail/supervise/smtps >>> chown -R qmaill:qmail /var/qmail/supervise/smtps >>> sed -i 's/REQUIRE_AUTH=1/REQUIRE_AUTH=1\nexport SMTPS=1/' >>> /var/qmail/supervise/smtps/run >>> sed -i 's/587/465/' /var/qmail/supervise/smtps/run >>> sed -i 's/submission/smtps/' /var/qmail/supervise/smtps/log/run >>> sed -i 's/DH:!LOW:!MEDIUM/ECDHE:DHE:ECDH:DH:AES:!SSLv2/' >>> /etc/tcprules.d/tcp.smtp >>> qmailctl cdb >>> qmailctl start >>> >>> >>> Thanks for confirming that I did it right, >>> Andy >>> >>> >>> On 8/13/2018 7:06 PM, Eric Broch wrote: >>>> Stock CentOS 7 does not have SMTPS standard. You must create the >>>> supervise scripts. >>>> >>>> You could stop qmail >>>> >>>> # qmailctl stop >>>> >>>> and copy smtp supervise scripts to smtps (make sure qmail is stopped or >>>> else you'll have a mess): >>>> >>>> # cp -Rp /var/qmail/supervise/smtp /var/qmail/supervise/smtps >>>> >>>> Then change two files: >>>> >>>> /var/qmail/supervise/smtps/run >>>> >>>> <run> >>>> >>>> #!/bin/sh >>>> QMAILDUID=`id -u vpopmail` >>>> NOFILESGID=`id -g vpopmail` >>>> MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` >>>> SMTPD="/var/qmail/bin/qmail-smtpd" >>>> TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb" >>>> HOSTNAME=`hostname` >>>> VCHKPW="/home/vpopmail/bin/vchkpw" >>>> export SMTPS=1 >>>> >>>> exec /usr/bin/softlimit -m 128000000 \ >>>> /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \ >>>> -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \ >>>> $SMTPD $VCHKPW /bin/true 2>&1 >>>> >>>> </run> >>>> >>>> & >>>> >>>> /var/qmail/supervise/smtps/log/run >>>> >>>> <run> >>>> >>>> #!/bin/sh >>>> LOGSIZE=`cat /var/qmail/control/logsize` >>>> LOGCOUNT=`cat /var/qmail/control/logcount` >>>> exec /usr/bin/setuidgid qmaill /usr/bin/multilog \ >>>> t s$LOGSIZE n$LOGCOUNT /var/log/qmail/smtps 2>&1 >>>> >>>> </run> >>>> >>>> Start qmail (# qmailctl start) >>>> >>>> >>>> On 8/11/2018 6:36 PM, Andrew Swartz wrote: >>>>> I just installed qmailtoaster onto CentOS-7. The qt_install script >>>>> opened port 465 on the firewall. However, s_client cannot connect to >>>>> port 465 and netstat shows that nothing is listening on port 465. >>>>> >>>>> Can anyone point me at appropriate instructions for setting up listening >>>>> on port 465 which are specific (or applicable) to qmailtoaster? I >>>>> searched wiki.qmailtoaster.com <http://wiki.qmailtoaster.com/> and found >>>>> nothing. I did some general >>>>> googling and found several somewhat conflicting descriptions but I'm >>>>> unsure which apply to the configuration used in qmailtoaster. >>>>> >>>>> My interest is because 465 has been reinstated (in Jan 2018) as the >>>>> preferred submission port due to security problems with STARTTLS >>>>> (https://tools.ietf.org/html/rfc8314 >>>>> <https://tools.ietf.org/html/rfc8314>). >>>>> >>>>> Thanks, >>>>> -Andy >>>>> >>>>> >>>> >>> >>> -- >>> Andrew W. Swartz, MD >>> Departments of Emergency Medicine, Family Medicine, and Surgery >>> Yukon-Kuskokwim Delta Regional Hospital >>> Bethel, Alaska >>> > > -- > Andrew W. Swartz, MD > Departments of Emergency Medicine, Family Medicine, and Surgery > Yukon-Kuskokwim Delta Regional Hospital > Bethel, Alaska
signature.asc
Description: Message signed with OpenPGP