Hi Peter,
I've been looking into this TLS issue and think I've found the solution.
It seems that the function in the newest version of OpenSSL used in
qmail-remote to load ciphers suits from the control directory has been
replaced so the default ciphers are loaded instead of the one in the
control directory. I've made changes to qmail-remote for the latest
OpenSSL to support TLS 1.3 and am using the proper function to load the
ciphers. It has been compiled on my Rocky8 box and I've successfully
used it to send emails. I can create and new RPM or make available the
qmail-remote executable for download and testing. Let me know which
you'd prefer.
Eric
On 3/2/2022 1:02 AM, Peter Peltonen wrote:
Any ideas how to solve the TLS connect errors?
A bit of a hack that comes to my mind would be to have a cron job to
switch back to LEGACY, process the queue and then switch back to
DEFAULT?
But a more elegant solution would be preferable :)
Best,
Peter
On Tue, Mar 1, 2022 at 9:13 AM Peter Peltonen <peter.pelto...@gmail.com> wrote:
Now after monitoring 36h after the change no cipher related errors,
but a few servers apparently have problems with higher TLS versions:
TLS_connect_failed:_error:1425F102:SSL_routines:ssl_choose_client_version:unsupported_protocol
I assume that this is due to these
/etc/crypto-policies/back-ends/opensslcnf.config settings:
TLS.MinProtocol = TLSv1.2
TLS.MaxProtocol = TLSv1.3
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
If I lower MinProtocol to TLSv1.0 would that enable access to those
servers but use the higher protocol version for the rest of the world?
Best,
Peter
On Mon, Feb 28, 2022 at 1:44 AM Eric Broch <ebr...@whitehorsetc.com> wrote:
I'd like to implement this programmatically so that we can set
parameters in a /var/qmail/control/sslconf file
On 2/27/2022 2:25 PM, Peter Peltonen wrote:
Hi Eric,
Okay my crypto-policy is now DEFAULT again and in opensslcnf.config I now have:
CipherString =
DEFAULT@SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
I am grepping ssl from qmail/send log. Let's see how it goes.
Best,
Peter
On Thu, Feb 24, 2022 at 7:36 PM Eric Broch <ebr...@whitehorsetc.com> wrote:
Peter,
Can you try something with your server to get mail delivery to normal.
Run command:
update-crypto-policies --set DEFAULT
Edit file /etc/crypto-policies/back-ends/opensslcnf.config particularly
setting
CipherString = @SECLEVEL=2
change to
CipherString = DEFAULT@SECLEVEL=1
Watch logs
Eric
On 2/23/2022 8:53 AM, Peter Peltonen wrote:
You mean my server with qmail-1.03-3.3.1.qt.md.el8.x86_64 (not
qmail-1.03-2.2.1) with the LEGACY setting?
As far as I know the only problem I am having is with the
hornetsecurity.com servers. But to be honest I have not really been
monitoring the logs that carefully, that's the only server I've
received a complain about. I now tried sending them email with
unencrypted connection and it failed.
So I think I will now leave it to LEGACY, accept that I cannot deliver
mail to the hornet serers and keep monitoring now more closely for TLS
errors in the logs: if more turn up then I might consider again
switching to DEFAULT and then adding those servers to notlshosts/
although that looks like a nonendint task.
If someone comes up with a solution how I could have the best of both
worlds (= support everyone), let me know?
Best,
Peter
On Wed, Feb 23, 2022 at 5:08 PM Eric Broch <ebr...@whitehorsetc.com> wrote:
Does your legacy server qmail-1.03-2.2.1 send to all?
On 2/23/2022 8:03 AM, Peter Peltonen wrote:
Here is another error I have now seen qmail/send log about 10 times in
the recent hour:
TLS_connect_failed:_error:141A318A:SSL_routines:tls_process_ske_dhe:dh_key_too_small
And this has now happened with two pretty big local service provider's
servers as well. I don't think I can continue with the DEFAULT
setting. I will now try to fall back to LEGACY and see if
hornetsecurity.com accepts unencrypted connections. And I really do
not understand the core of this problem: why cannot my server just
have the whole range of ciphers and protocols in use and apply the
most secure / appropriate one that the other party supports?
Best,
Peter
On Wed, Feb 23, 2022 at 4:29 PM Eric Broch <ebr...@whitehorsetc.com> wrote:
If I remember correctly it had something to do with Dovecot
On Feb 23, 2022, at 2:25 AM, Peter Peltonen <peter.pelto...@gmail.com> wrote:
Hello,
Okay I now tested::
With LEGACY (which I had earlier) I get the
SSL_routines:set_client_ciphesuite:wrong_cipher_returned error in qmail/send
log:
But with DEFAULT I get Remote_host_said:_250_2.0.0_OK_accept as the result
And I did the test without rebooting nor restarting qmail.
So apparently this command did the trick like Eric suggested:
update-crypto-policies --set DEFAULT
Now I wonder if this has some other consequences, what legacy stuff is now
incompatible...?
Best,
Peter
ma 21. helmik. 2022 klo 17.55 Eric Broch < ebr...@whitehorsetc.com> kirjoitti:
reboot
On 2/21/2022 8:30 AM, Peter Peltonen wrote:
Thanks Eric for the update. Here is what I see:
[root@mail ~]# update-crypto-policies --show
LEGACY
[root@mail ~]# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
Is restarting qmail enough or should I even reboot?
And is there some difference between DEFAULT and FUTURE or are they the same?
Best,
Peter
On Mon, Feb 21, 2022 at 4:39 PM Eric Broch < ebr...@whitehorsetc.com> wrote:
Upon further reflection, at the end of the qt/cos8 install script there
is a command, 'update-crypto-policies --set LEGACY' intended for old
email clients I don't wonder if this change between cos7 and cos8 might
caused the problem. Have a look here:
https://www.redhat.com/en/blog/how-customize-crypto-policies-rhel-82
If you've change it to 'update-crypto-policies --set DEFAULT' or
'update-crypto-policies --set FUTURE' and are still having issue ask
hornet security if we can see the actual smtp transaction.
In my earlier email I was saying that there was not much difference
between the old code and the new code for remote delivery and it was not
immediately obvious why we would be having a problem.
Eric
On 2/21/2022 7:17 AM, Peter Peltonen wrote:
Hi,
Is there something I can test? I didn't quite understand from Eric's
earlier msg what I should try...
One email address producing this error for me is
supp...@hornetsecurity.com -> If you like Eric, you could try emailing
themselves asking for more details (either they reply to you or you
will face the same error). If you don't face the same error then we
could try figuring out what is different in our setups?
Best,
Peter
On Sat, Feb 19, 2022 at 6:29 PM Eric Broch < ebr...@whitehorsetc.com> wrote:
Looking through the function tls_init() in the code for qmail-remote.c
I don't see much that it could be, they're almost identical between
2.2.1 and 3.3.5
Will continue looking...
On 2/18/2022 1:54 PM, Andreas Galatis wrote:
Hi Finn,
I have tested with the tlsserverciphers of my older server, completed
with some of the ciphers from the new file and my mails came through.
Thanks a lot for your tip, Finn, I didn't find it in the code
Andreas
Am 18.02.22 um 16:56 schrieb Qmail:
Hi Andreas.
In qmail You're properly using /var/qmail/control/tlsclientciphers
(that are a link to tlcserverciphers)
According to what I read at the Nginx forum, the problem there is
because some of the included ciphers are with underscore '_' and not
hyphen '-' - I don't know if changing that in the tlsservercipher
file will solve the problem.
/Finn
Den 18-02-2022 kl. 16:29 skrev Andreas:
I cannot find any file where those ciphers could be adjust.
Is that compiled in?
Me too, I have clients not beeing reachable with the new server
(qmail-1.03-3.3.5), but my old server running qmail-1.03.2.2.1.qt.
Did anyone find a solution?
Andreas
Am 17.02.22 um 20:28 schrieb Qmail:
Hi.
Not sure it is related, but I just read in the Nginx forum that
some have issues (failed (SSL: error:0A0000B9:SSL routines::no
cipher match)) using Mozillas 'modern' 5.5 ciphers, but everything
works with Mozillas 'modern' ciphers 4.0.
(found testing the Nginx config)
The 5.5 list contains :
ssl_ciphers'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256';
The 4.0 list contains:
ssl_ciphers'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
These are matched against the openssl ciphers that are located on
the server but are more or less same as the tlsclientciphers used
in qmail.
Nginx can be setup as a MAIL proxy and therefore may be the reason
for Your issue ??
or maybe it's just a coincidence ?
Regards,
Finn
Den 17-02-2022 kl. 08:14 skrev Andreas:
Hi list,
I have the same failure-mails with some servers, my version of
qmail is
qmail-1.03-3.3.5.qt.md.el8.x86_64
TLS connect failed: error:1421C105:SSL
routines:set_client_ciphersuite:wrong
cipher returnedZConnected to 83.246.65.85 but connection died.
With my old server (qmail-1.03-2.2.1.qt.el7.x86_64) I can send
emails to the same recipients.
Andreas
Am 15.02.22 um 09:39 schrieb Peter Peltonen:
What I have installed is qmail-1.03-3.3.1.qt.md.el8.x86_64
Any reason to update?
Best,
Peter
On Sun, Feb 13, 2022 at 5:15 PM Eric Broch
< ebr...@whitehorsetc.com> wrote:
What version of qmail ?
On 2/12/2022 12:56 PM, Peter Peltonen wrote:
Finally got an answer from them (see list below). I see some
matching
siphers on their and on my own list. Any idea how I could debug
this
more so I can find out why mail is not being delivered to their
server?
best,
Peter
"
OPTON
All ciphers
DESCRIPTION
TLS encryption is only possible with ciphers that are
considered as
secure by the German Federal Office for Information Security. A
TLS
connection is only established if the email server of the
communication partner supports one of the following ciphers:
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-SHA384
• ECDHE-RSA-AES256-SHA
• DHE-RSA-AES256-GCM-SHA384
• DHE-RSA-AES256-SHA256
• DHE-RSA-AES256-SHA
• AES256-GCM-SHA384
• AES256-SHA256
• AES256-SHA
• ECDHE-RSA-DES-CBC3-SHA
• EDH-RSA-DES-CBC3-SHA
• DES-CBC3-SHA
OPTION
Secure ciphers
DESCRIPTION
Secure ciphers TLS encryption is only possible with ciphers
that are
considered as secure by the German Federal Office for Information
Security. A TLS connection is only established if the email
server of the communication partner supports one of the
following ciphers:
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-SHA384
• DHE-RSA-AES256-GCM-SHA384
• DHE-RSA-AES256-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-SHA256
• DHE-RSA-AES128-GCM-SHA256
• DHE-RSA-AES128-SHA256
"
On Mon, Feb 7, 2022 at 4:08 PM Eric Broch
< ebr...@whitehorsetc.com> wrote:
Is there a way to contact them and find out what obscure B.S.
they want?
On 2/7/2022 12:26 AM, Peter Peltonen wrote:
When trying to deliver email to a domain that is using spam
protection
from antispameurope.com I get the following error:
deferral:
TLS_connect_failed:_error:1421C105:SSL_routines:set_client_ciphersuite:wrong_cipher_returnedZConnected_to_83.246.65.85_but_connection_died._(#4.4.2)/
So am I missing something here:
[root@mail ~]# cat /var/qmail/control/tlsclientciphers
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:DHE-DSS-ARIA256-GCM-SHA384:DHE-RSA-ARIA256-GCM-SHA384:ADH-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:DHE-DSS-ARIA128-GCM-SHA256:DHE-RSA-ARIA128-GCM-SHA256:ADH-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM8:DHE-PSK-AES256-CCM:RSA-PSK-ARIA256-GCM-SHA384:DHE-PSK-ARIA256-GCM-SHA384:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:ARIA256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM8:PSK-AES256-CCM:PSK-ARIA256-GCM-SHA384:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM8:DHE-PSK-AES128-CCM:RSA-PSK-ARIA128-GCM-SHA256:DHE-PSK-ARIA128-GCM-SHA256:AES128-GCM-SHA256:AES128-CCM8:AES128-CCM:ARIA128-GCM-SHA256:PSK-AES128-GCM-SHA256:PSK-AES128-CCM8:PSK-AES128-CCM:PSK-ARIA128-GCM-SHA256:AES256-SHA256:CAMELLIA256-SHA256:AES128-SHA256:CAMELLIA128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:ECDHE-PSK-CAMELLIA256-SHA384:RSA-PSK-CAMELLIA256-SHA384:DHE-PSK-CAMELLIA256-SHA384:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:PSK-CAMELLIA256-SHA384:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CAMELLIA128-SHA256:RSA-PSK-CAMELLIA128-SHA256:DHE-PSK-CAMELLIA128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:PSK-CAMELLIA128-SHA256
?
Best,
Peter
---------------------------------------------------------------------
To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com