Have you looked at upgrading:
http://www.courier-mta.org/imap/download.html
http://www.courier-mta.org/FAQ.html#rpm
On 11/12/2020 12:45 PM, Janno Sannik wrote:
The stackexchange was the first thing I tried, but it seemed just
guesswork going on in there.
And of course - it did not work.
Couriertls manpage says that you can use only:
TLS_PROTOCOL=proto
Set the protocol version. The possible versions are: SSL2, SSL3, TLS1.
Source: http://manpages.org/couriertls
The code reveals:
ctx=SSL_CTX_new(protocol && strcmp(protocol, "SSL2") == 0
? SSLv2_method():
protocol && strcmp(protocol, "SSL3") == 0 ?
SSLv23_method():
TLSv1_method());
Which is what I saw - whatever garbage I put in the TLS_PROTOCOL
variable - it did not care and defaulted to tlsv1
So looking at the openssl man page:
https://www.openssl.org/docs/man1.0.2/man3/TLSv1_method.html
Luckyly there were sslv2 and sslv3 so I did not need to know much
about c coding and could just directly make a replacement since they
are also absolute.
diff -Nur courier-imap-4.1.2/tcpd/libcouriertls.c
courier-imap-4.1.2-new/tcpd/libcouriertls.c
--- courier-imap-4.1.2/tcpd/libcouriertls.c 2006-10-28
20:47:32.000000000 +0300
+++ courier-imap-4.1.2-new/tcpd/libcouriertls.c 2020-11-12
21:06:03.338688570 +0200
@@ -416,9 +416,9 @@
memcpy(info_copy, info, sizeof(*info_copy));
info_copy->isserver=isserver;
- ctx=SSL_CTX_new(protocol && strcmp(protocol, "SSL2") == 0
- ? SSLv2_method():
- protocol && strcmp(protocol, "SSL3") == 0 ?
SSLv23_method():
+ ctx=SSL_CTX_new(protocol && strcmp(protocol, "TLS1_1") == 0
+ ?
TLSv1_1_method():
+ protocol && strcmp(protocol, "TLS1_2") == 0 ?
TLSv1_2_method():
rpm was built --with cnt5064 (on centos6 system)
And behold:
openssl s_client -tls1_2 -connect mail.example.com:993
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID:
175F44FDDE4230DBDD7200B5E276AB1D87206062931B05EAD68A3892DF3CDB68
Session-ID-ctx:
Master-Key:
F9BDA2CCD78802E8FE2AFD7B440C5E3F5EE8AFD286ABF39F7BCB7796B55D89C5D043207BCB5E8F5C70D372EFAF30CC65
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
I'm well aware that I'm fixin a dead horse, but just archiving it to
myself and anyone it might concern of :)
On 12.11.2020 20:17, Eric Broch wrote:
Also
qmail with updated ssl
http://repo.whitehorsetc.com/6/development/x86_64/
On 11/12/2020 11:10 AM, Eric Broch wrote:
This may help with Courier IMAP
https://serverfault.com/questions/845162/disabling-sslv2-in-courier-imap
On 11/12/2020 10:50 AM, Janno Sannik wrote:
Yes. I probably compiled it to centos 6 myself (i have been using
qmail from start of it's days when compiling it was usual, around
17 years). This specific box dates back to that time and is also
the reason for this mixed setup.
[root@mail]# cat /etc/redhat-release
CentOS release 6.10 (Final)
I was not sure if it will work with latest one. We had a few
modifications to the qmail, but I can't be 100% sure of all the
things. Like autoresponder in mysql (so we can have easy change of
autoresponders from our own web management panel).
Also I was probably afraid to mess up mailboxes if switching to
dovecot. Since packages simply compiled it was fast and safe transition
So i'm guessing it's out of scope for you because I have this mixed
setup what anyone should not even have in a first place.
I'm thinking of making centos 8 box with all latest qmail packages
and mounting it with nfs in parallel to test things out and use it
only as a client server (imap,pop). Later on would move on to fully
replace old machine so that incoming mail would also be handled.
Would it work (accessing vpopmail fs in parallel that is)?
It's getting night time here and would be good time to make
maintenance so help is appreciated.
Janno
On 12.11.2020 16:53, Eric Broch wrote:
Are you sure you're running CentOS 6?
On 11/12/2020 7:49 AM, Eric Broch wrote:
Sorry,
The *-toaster designation went out with CentOS 5 and we stopped
using Courier IMAP altogether in CentOS 6
Eric
On 11/12/2020 7:47 AM, Eric Broch wrote:
So,
The *-toaster designation went out with CentOS 6. Did you
compile/build the RPMs yourself?
Eric
On 11/12/2020 5:10 AM, Emiliano Lima wrote:
hello friend, I have this same problem ..
Em qui., 12 de nov. de 2020 às 5:46 AM, Janno Sannik
<ja...@foor.ee <mailto:ja...@foor.ee>> escreveu:
Hi,
Seems to have hit a problem with new Thunderbird 78
disabling tls lower
than v1.2. So now they cannot connect.
I run a older box on centos 6. OS supports TLS v1.2, but
how to make it
available on courier imaps?
Running a tool on the imap port reports tls v1.0 only.
My qmail version: qmail-toaster-1.03-1.3.22
My courier-imap version: courier-imap-toaster-4.1.2-1.3.10
Janno
---------------------------------------------------------------------
To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com
<mailto:qmailtoaster-list-unsubscr...@qmailtoaster.com>
For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com
<mailto:qmailtoaster-list-h...@qmailtoaster.com>
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
