Re: [qmailtoaster] re: Upgrading openssl in an old Qmailtoaster install - figgered it out

2018-07-05 Thread Eric Broch

Now I can go watch the Orioles play, and enjoy a beer. ;-)


On 7/5/2018 6:48 PM, South Computers wrote:
Did a comparison of /control directories from another toaster, and 
noticed the link from clientcert.pem -> servercert.pem.


And realized I only had a servercert.rpm.new

Renamed it.  Doh!

Working.

Thank you to everyone who contributed, and especially you Eric.

Next time you're in Miami, I'll buy you a round.

Cheers!
Scott





Eric Broch wrote:

Try this command from your CentOS 5 box

openssl s_client -starttls smtp -no_ssl3 -no_ssl2 -debug -msg -connect fpl-com.mail.protection.outlook.com:25


What kind of beer? Hopefully not Schlitz. ;-)


On 7/5/2018 5:57 PM, South Computers wrote:

No worries, I appreciate it.

tlsserverciphers is fine.

And checking the mail in the queue that fails with the TLS errors, 
they are all going to office365 accounts, with 1 going to a hotmail 
account, but all the mx records point to 
something.protection.outlook.com, so basically the same.


Telnetting to one of them:

[root@mail control]# telnet fpl-com.mail.protection.outlook.com 25
Trying 207.46.163.215...
Connected to fpl-com.mail.protection.outlook.com (207.46.163.215).
Escape character is '^]'.
220 BL2FFO11FD008.mail.protection.outlook.com Microsoft ESMTP MAIL 
Service ready at Thu, 5 Jul 2018 23:51:00 +

ehlo
250-BL2FFO11FD008.mail.protection.outlook.com Hello [75.13.64.133]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

I see starttls in there, so should be good there, although versions 
accepted are unknown. Do our toasters drop back to tls 1 if the 
receiving server doesn't do 1.2?


And sending an email to a gmail account works. Relevant portion 
showing TLS:

Received: from mail.noube.com (mail.noube.com. [75.13.64.133])
    by mx.google.com with ESMTPS id 
a207-v6si3191006itb.75.2018.07.05.16.38.19

    for 
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 
bits=128/128);

    Thu, 05 Jul 2018 16:38:19 -0700 (PDT)

Stopping for a beer to contemplate...








Eric Broch wrote:
Sorry, my mistake, check tlsciphers 'cat 
/var/qmail/control/tlsserverciphers'


mine on CentOS 6 & 7 look like this:

DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA 




On 7/5/2018 2:49 PM, South Computers wrote:

Good question, hadn't considered that. Will check it tonight.



Eric Broch wrote:

What about your dh key? Is it too small?


On 7/5/2018 1:28 PM, South Computers wrote:
This is a repeat,  my first reply went directly to Eric, sorry 
about that sir.


Thank you Eric, might give it a shot later.




In the meantime though, since the update, I'm having tls 
connect problems to certain domains. For certain office365 
accounts are not going through.


 deferral: TLS_connect_failed;_connected_to_

I can send to gmail, and in the headers it shows that it is 
using TLS 1.2.


Anyone have any ideas?

Thanks!

Eric Broch wrote:
> If people want qmail-dk (ssl) and have already installed the 
update (qmail version 1.03-1.3.24) you can do the following to 
get qmail-dk working with ssl/crypto:

>
> (i686)
>
> # rpm -Uvh 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/libdomainkeys-toaster-0.68-1.3.7.i686.rpm

>
> # rpm -ivh --replacefiles --replacepkgs 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/qmail-toaster-1.03-1.3.24.i686.rpm

>
> (x86_64)
>
> # rpm -Uvh 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/libdomainkeys-toaster-0.68-1.3.7.x86_64.rpm

>
> # rpm -ivh --replacefiles --replacepkgs 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing

Re: [qmailtoaster] re: Upgrading openssl in an old Qmailtoaster install - figgered it out

2018-07-05 Thread South Computers
Did a comparison of /control directories from another toaster, and 
noticed the link from clientcert.pem -> servercert.pem.


And realized I only had a servercert.rpm.new

Renamed it.  Doh!

Working.

Thank you to everyone who contributed, and especially you Eric.

Next time you're in Miami, I'll buy you a round.

Cheers!
Scott





Eric Broch wrote:

Try this command from your CentOS 5 box

openssl s_client -starttls smtp -no_ssl3 -no_ssl2 -debug -msg -connect fpl-com.mail.protection.outlook.com:25


What kind of beer? Hopefully not Schlitz. ;-)


On 7/5/2018 5:57 PM, South Computers wrote:

No worries, I appreciate it.

tlsserverciphers is fine.

And checking the mail in the queue that fails with the TLS errors, 
they are all going to office365 accounts, with 1 going to a hotmail 
account, but all the mx records point to 
something.protection.outlook.com, so basically the same.


Telnetting to one of them:

[root@mail control]# telnet fpl-com.mail.protection.outlook.com 25
Trying 207.46.163.215...
Connected to fpl-com.mail.protection.outlook.com (207.46.163.215).
Escape character is '^]'.
220 BL2FFO11FD008.mail.protection.outlook.com Microsoft ESMTP MAIL 
Service ready at Thu, 5 Jul 2018 23:51:00 +

ehlo
250-BL2FFO11FD008.mail.protection.outlook.com Hello [75.13.64.133]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

I see starttls in there, so should be good there, although versions 
accepted are unknown. Do our toasters drop back to tls 1 if the 
receiving server doesn't do 1.2?


And sending an email to a gmail account works. Relevant portion 
showing TLS:

Received: from mail.noube.com (mail.noube.com. [75.13.64.133])
by mx.google.com with ESMTPS id 
a207-v6si3191006itb.75.2018.07.05.16.38.19

for 
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 
bits=128/128);

Thu, 05 Jul 2018 16:38:19 -0700 (PDT)

Stopping for a beer to contemplate...








Eric Broch wrote:
Sorry, my mistake, check tlsciphers 'cat 
/var/qmail/control/tlsserverciphers'


mine on CentOS 6 & 7 look like this:

DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA 




On 7/5/2018 2:49 PM, South Computers wrote:

Good question, hadn't considered that. Will check it tonight.



Eric Broch wrote:

What about your dh key? Is it too small?


On 7/5/2018 1:28 PM, South Computers wrote:
This is a repeat,  my first reply went directly to Eric, sorry 
about that sir.


Thank you Eric, might give it a shot later.




In the meantime though, since the update, I'm having tls connect 
problems to certain domains. For certain office365 accounts are 
not going through.


 deferral: TLS_connect_failed;_connected_to_

I can send to gmail, and in the headers it shows that it is 
using TLS 1.2.


Anyone have any ideas?

Thanks!

Eric Broch wrote:
> If people want qmail-dk (ssl) and have already installed the 
update (qmail version 1.03-1.3.24) you can do the following to 
get qmail-dk working with ssl/crypto:

>
> (i686)
>
> # rpm -Uvh 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/libdomainkeys-toaster-0.68-1.3.7.i686.rpm

>
> # rpm -ivh --replacefiles --replacepkgs 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/qmail-toaster-1.03-1.3.24.i686.rpm

>
> (x86_64)
>
> # rpm -Uvh 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/libdomainkeys-toaster-0.68-1.3.7.x86_64.rpm

>
> # rpm -ivh --replacefiles --replacepkgs 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/qmail-toaster-1.03-1.3.24.x86_64.rpm

>
>
> If you haven't installed qmail-toaster ssl update (ver
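The fix reported in this message came down to file layout in the qmail control directory: clientcert.pem is a link to servercert.pem, and servercert.pem was absent because only a package-upgrade leftover existed. The shell check below is an added example, not from the thread or the QmailToaster project; the function name check_tls_control, the default of /var/qmail/control, and the choice of which findings count as failures are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a qmail control directory for
# the certificate layout the poster found on a working toaster.

# check_tls_control [DIR]
# Prints one finding per line. Returns 0 if servercert.pem is present and
# clientcert.pem (when it is a link) resolves, 1 otherwise.
check_tls_control() {
    dir=${1:-/var/qmail/control}   # default path as named in the thread
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    # 1. servercert.pem must exist and be non-empty ([ -s ] follows links).
    if [ -s "$dir/servercert.pem" ]; then
        echo "OK: servercert.pem present"
    else
        echo "FAIL: servercert.pem missing or empty"
        rc=1
    fi

    # 2. Package upgrades can leave the real file under another name
    #    (the post had "servercert.rpm.new"; rpm itself uses .rpmnew,
    #    .rpmsave and .rpmorig). Report any such sibling.
    for f in "$dir"/servercert*; do
        [ -e "$f" ] || continue
        case ${f##*/} in
            servercert.pem) ;;
            *.new|*.rpmnew|*.rpmsave|*.rpmorig)
                echo "WARN: leftover package file ${f##*/}"
                ;;
        esac
    done

    # 3. clientcert.pem: on the reference toaster it links to servercert.pem.
    #    A link whose target is missing is treated as a failure here.
    if [ -L "$dir/clientcert.pem" ]; then
        target=$(readlink "$dir/clientcert.pem")
        if [ -e "$dir/clientcert.pem" ]; then
            echo "OK: clientcert.pem -> $target"
        else
            echo "FAIL: clientcert.pem is a dangling link to $target"
            rc=1
        fi
    elif [ -s "$dir/clientcert.pem" ]; then
        echo "OK: clientcert.pem is a regular file"
    else
        echo "WARN: clientcert.pem not present"
    fi

    return $rc
}

# Demo on a constructed directory that mimics the state described in the post.
demo=$(mktemp -d)
printf 'constructed placeholder, not a real certificate\n' > "$demo/servercert.rpm.new"
ln -s servercert.pem "$demo/clientcert.pem"
echo "--- before rename"; check_tls_control "$demo"
mv "$demo/servercert.rpm.new" "$demo/servercert.pem"
echo "--- after rename";  check_tls_control "$demo"
rm -rf "$demo"
```

Run with no argument on the mail host to check /var/qmail/control itself.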

Re: [qmailtoaster] re: Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread South Computers

Eek!  :-)

New Belgium Trying a Fat tire. Normally do Becks, but especially partial 
to a true Trappist or Abbey.


Cool command there! Now I'm really lost...  Attached the output.

Eric Broch wrote:

Try this command from your CentOS 5 box

openssl s_client -starttls smtp -no_ssl3 -no_ssl2 -debug -msg -connect fpl-com.mail.protection.outlook.com:25


What kind of beer? Hopefully not Schlitz. ;-)


On 7/5/2018 5:57 PM, South Computers wrote:

No worries, I appreciate it.

tlsserverciphers is fine.

And checking the mail in the queue that fails with the TLS errors, 
they are all going to office365 accounts, with 1 going to a hotmail 
account, but all the mx records point to 
something.protection.outlook.com, so basically the same.


Telnetting to one of them:

[root@mail control]# telnet fpl-com.mail.protection.outlook.com 25
Trying 207.46.163.215...
Connected to fpl-com.mail.protection.outlook.com (207.46.163.215).
Escape character is '^]'.
220 BL2FFO11FD008.mail.protection.outlook.com Microsoft ESMTP MAIL 
Service ready at Thu, 5 Jul 2018 23:51:00 +

ehlo
250-BL2FFO11FD008.mail.protection.outlook.com Hello [75.13.64.133]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

I see starttls in there, so should be good there, although versions 
accepted are unknown. Do our toasters drop back to tls 1 if the 
receiving server doesn't do 1.2?


And sending an email to a gmail account works. Relevant portion 
showing TLS:

Received: from mail.noube.com (mail.noube.com. [75.13.64.133])
by mx.google.com with ESMTPS id 
a207-v6si3191006itb.75.2018.07.05.16.38.19

for 
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 
bits=128/128);

Thu, 05 Jul 2018 16:38:19 -0700 (PDT)

Stopping for a beer to contemplate...








Eric Broch wrote:
Sorry, my mistake, check tlsciphers 'cat 
/var/qmail/control/tlsserverciphers'


mine on CentOS 6 & 7 look like this:

DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA 




On 7/5/2018 2:49 PM, South Computers wrote:

Good question, hadn't considered that. Will check it tonight.



Eric Broch wrote:

What about your dh key? Is it too small?


On 7/5/2018 1:28 PM, South Computers wrote:
This is a repeat,  my first reply went directly to Eric, sorry 
about that sir.


Thank you Eric, might give it a shot later.




In the meantime though, since the update, I'm having tls connect 
problems to certain domains. For certain office365 accounts are 
not going through.


 deferral: TLS_connect_failed;_connected_to_

I can send to gmail, and in the headers it shows that it is using 
TLS 1.2.


Anyone have any ideas?

Thanks!

Eric Broch wrote:
> If people want qmail-dk (ssl) and have already installed the 
update (qmail version 1.03-1.3.24) you can do the following to 
get qmail-dk working with ssl/crypto:

>
> (i686)
>
> # rpm -Uvh 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/libdomainkeys-toaster-0.68-1.3.7.i686.rpm

>
> # rpm -ivh --replacefiles --replacepkgs 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/qmail-toaster-1.03-1.3.24.i686.rpm

>
> (x86_64)
>
> # rpm -Uvh 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/libdomainkeys-toaster-0.68-1.3.7.x86_64.rpm

>
> # rpm -ivh --replacefiles --replacepkgs 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/qmail-toaster-1.03-1.3.24.x86_64.rpm

>
>
> If you haven't installed qmail-toaster ssl update (version 
1.03-1.3.24) follow instruction here: 
https://www.qmailtoaster.org/newopensslcnt50.html

>
>
>
> On 7/5/2018 10:58 AM, Brian Ghidinelli wrote:
>>

Re: [qmailtoaster] re: Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread Eric Broch

Try this command from your CentOS 5 box

openssl s_client -starttls smtp -no_ssl3 -no_ssl2 -debug -msg -connect fpl-com.mail.protection.outlook.com:25


What kind of beer? Hopefully not Schlitz. ;-)


On 7/5/2018 5:57 PM, South Computers wrote:

No worries, I appreciate it.

tlsserverciphers is fine.

And checking the mail in the queue that fails with the TLS errors, 
they are all going to office365 accounts, with 1 going to a hotmail 
account, but all the mx records point to 
something.protection.outlook.com, so basically the same.


Telnetting to one of them:

[root@mail control]# telnet fpl-com.mail.protection.outlook.com 25
Trying 207.46.163.215...
Connected to fpl-com.mail.protection.outlook.com (207.46.163.215).
Escape character is '^]'.
220 BL2FFO11FD008.mail.protection.outlook.com Microsoft ESMTP MAIL 
Service ready at Thu, 5 Jul 2018 23:51:00 +

ehlo
250-BL2FFO11FD008.mail.protection.outlook.com Hello [75.13.64.133]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

I see starttls in there, so should be good there, although versions 
accepted are unknown. Do our toasters drop back to tls 1 if the 
receiving server doesn't do 1.2?


And sending an email to a gmail account works. Relevant portion 
showing TLS:

Received: from mail.noube.com (mail.noube.com. [75.13.64.133])
    by mx.google.com with ESMTPS id 
a207-v6si3191006itb.75.2018.07.05.16.38.19

    for 
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Thu, 05 Jul 2018 16:38:19 -0700 (PDT)

Stopping for a beer to contemplate...








Eric Broch wrote:
Sorry, my mistake, check tlsciphers 'cat 
/var/qmail/control/tlsserverciphers'


mine on CentOS 6 & 7 look like this:

DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA 




On 7/5/2018 2:49 PM, South Computers wrote:

Good question, hadn't considered that. Will check it tonight.



Eric Broch wrote:

What about your dh key? Is it too small?


On 7/5/2018 1:28 PM, South Computers wrote:
This is a repeat,  my first reply went directly to Eric, sorry 
about that sir.


Thank you Eric, might give it a shot later.

In the meantime though, since the update, I'm having tls connect 
problems to certain domains. For certain office365 accounts are not 
going through.


 deferral: TLS_connect_failed;_connected_to_

I can send to gmail, and in the headers it shows that it is using 
TLS 1.2.


Anyone have any ideas?

Thanks!

Eric Broch wrote:
> If people want qmail-dk (ssl) and have already installed the 
update (qmail version 1.03-1.3.24) you can do the following to get 
qmail-dk working with ssl/crypto:

>
> (i686)
>
> # rpm -Uvh 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/libdomainkeys-toaster-0.68-1.3.7.i686.rpm

>
> # rpm -ivh --replacefiles --replacepkgs 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/qmail-toaster-1.03-1.3.24.i686.rpm

>
> (x86_64)
>
> # rpm -Uvh 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/libdomainkeys-toaster-0.68-1.3.7.x86_64.rpm

>
> # rpm -ivh --replacefiles --replacepkgs 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/qmail-toaster-1.03-1.3.24.x86_64.rpm

>
>
> If you haven't installed qmail-toaster ssl update (version 
1.03-1.3.24) follow instruction here: 
https://www.qmailtoaster.org/newopensslcnt50.html

>
>
>
> On 7/5/2018 10:58 AM, Brian Ghidinelli wrote:
>>
>> FWIW, I did not update my qmail-dk binary. I was hypothesizing 
it was only used to sign, not to communicate, and therefore the 
version of openssl didn't matter. I might be wrong, but I'm still 
sendin

Re: [qmailtoaster] re: Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread South Computers

No worries, I appreciate it.

tlsserverciphers is fine.

And checking the mail in the queue that fails with the TLS errors, they 
are all going to office365 accounts, with 1 going to a hotmail account, 
but all the mx records point to something.protection.outlook.com, so 
basically the same.


Telnetting to one of them:

[root@mail control]# telnet fpl-com.mail.protection.outlook.com 25
Trying 207.46.163.215...
Connected to fpl-com.mail.protection.outlook.com (207.46.163.215).
Escape character is '^]'.
220 BL2FFO11FD008.mail.protection.outlook.com Microsoft ESMTP MAIL 
Service ready at Thu, 5 Jul 2018 23:51:00 +

ehlo
250-BL2FFO11FD008.mail.protection.outlook.com Hello [75.13.64.133]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

I see starttls in there, so should be good there, although versions 
accepted are unknown. Do our toasters drop back to tls 1 if the 
receiving server doesn't do 1.2?


And sending an email to a gmail account works. Relevant portion showing TLS:
Received: from mail.noube.com (mail.noube.com. [75.13.64.133])
by mx.google.com with ESMTPS id 
a207-v6si3191006itb.75.2018.07.05.16.38.19

for 
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 05 Jul 2018 16:38:19 -0700 (PDT)

Stopping for a beer to contemplate...








Eric Broch wrote:
Sorry, my mistake, check tlsciphers 'cat 
/var/qmail/control/tlsserverciphers'


mine on CentOS 6 & 7 look like this:

DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA 




On 7/5/2018 2:49 PM, South Computers wrote:

Good question, hadn't considered that. Will check it tonight.



Eric Broch wrote:

What about your dh key? Is it too small?


On 7/5/2018 1:28 PM, South Computers wrote:
This is a repeat,  my first reply went directly to Eric, sorry 
about that sir.


Thank you Eric, might give it a shot later.

In the meantime though, since the update, I'm having tls connect 
problems to certain domains. For certain office365 accounts are not 
going through.


 deferral: TLS_connect_failed;_connected_to_

I can send to gmail, and in the headers it shows that it is using 
TLS 1.2.


Anyone have any ideas?

Thanks!

Eric Broch wrote:
> If people want qmail-dk (ssl) and have already installed the 
update (qmail version 1.03-1.3.24) you can do the following to get 
qmail-dk working with ssl/crypto:

>
> (i686)
>
> # rpm -Uvh 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/libdomainkeys-toaster-0.68-1.3.7.i686.rpm

>
> # rpm -ivh --replacefiles --replacepkgs 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/qmail-toaster-1.03-1.3.24.i686.rpm

>
> (x86_64)
>
> # rpm -Uvh 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/libdomainkeys-toaster-0.68-1.3.7.x86_64.rpm

>
> # rpm -ivh --replacefiles --replacepkgs 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/qmail-toaster-1.03-1.3.24.x86_64.rpm

>
>
> If you haven't installed qmail-toaster ssl update (version 
1.03-1.3.24) follow instruction here: 
https://www.qmailtoaster.org/newopensslcnt50.html

>
>
>
> On 7/5/2018 10:58 AM, Brian Ghidinelli wrote:
>>
>> FWIW, I did not update my qmail-dk binary. I was hypothesizing 
it was only used to sign, not to communicate, and therefore the 
version of openssl didn't matter. I might be wrong, but I'm still 
sending mail?

>>
>>
>> Brian
>>
>>
>> On 7/5/18 06:38, South Computers wrote:
>>> Interestingly, this broke DKIM.
>>>
>>> I don't have the time to look further right now, but disabled 
dk for the time being, and it's working.

>>>
>>> Was getting this in 

Re: [qmailtoaster] re: Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread Eric Broch
Sorry, my mistake, check tlsciphers 'cat 
/var/qmail/control/tlsserverciphers'


mine on CentOS 6 & 7 look like this:

DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA


On 7/5/2018 2:49 PM, South Computers wrote:

Good question, hadn't considered that. Will check it tonight.



Eric Broch wrote:

What about your dh key? Is it too small?


On 7/5/2018 1:28 PM, South Computers wrote:
This is a repeat,  my first reply went directly to Eric, sorry about 
that sir.


Thank you Eric, might give it a shot later.

In the meantime though, since the update, I'm having tls connect 
problems to certain domains. For certain office365 accounts are not 
going through.


 deferral: TLS_connect_failed;_connected_to_

I can send to gmail, and in the headers it shows that it is using 
TLS 1.2.


Anyone have any ideas?

Thanks!

Eric Broch wrote:
> If people want qmail-dk (ssl) and have already installed the 
update (qmail version 1.03-1.3.24) you can do the following to get 
qmail-dk working with ssl/crypto:

>
> (i686)
>
> # rpm -Uvh 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/libdomainkeys-toaster-0.68-1.3.7.i686.rpm

>
> # rpm -ivh --replacefiles --replacepkgs 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/qmail-toaster-1.03-1.3.24.i686.rpm

>
> (x86_64)
>
> # rpm -Uvh 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/libdomainkeys-toaster-0.68-1.3.7.x86_64.rpm

>
> # rpm -ivh --replacefiles --replacepkgs 
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/qmail-toaster-1.03-1.3.24.x86_64.rpm

>
>
> If you haven't installed qmail-toaster ssl update (version 
1.03-1.3.24) follow instruction here: 
https://www.qmailtoaster.org/newopensslcnt50.html

>
>
>
> On 7/5/2018 10:58 AM, Brian Ghidinelli wrote:
>>
>> FWIW, I did not update my qmail-dk binary. I was hypothesizing it 
was only used to sign, not to communicate, and therefore the version 
of openssl didn't matter. I might be wrong, but I'm still sending mail?

>>
>>
>> Brian
>>
>>
>> On 7/5/18 06:38, South Computers wrote:
>>> Interestingly, this broke DKIM.
>>>
>>> I don't have the time to look further right now, but disabled dk 
for the time being, and it's working.

>>>
>>> Was getting this in smtp/current when trying to send mail:
>>> @40005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a 
POSSIBLE BUG!

>>>
>>> etc...
>>>
>>>
>>>
>>>
>>> South Computers wrote:
 Also mostly a lurker these days, but wanted to chime in and 
give a big thanks as well Eric.


 Much appreciate all your work to keep this going.
 Scott

 Also, if anyone else has neglected to keep their toaster up to 
date and needs to manually install the epel repo, at least for x86 
on COS5:
 wget 
http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm

 rpm -Uhv epel-release-5-4.noarch.rpm



 Eric Broch wrote:
> Instructions for setting up greater than openssl-0.9.8 CentOS 
5, minimal testing done. This is done with openssl-1.01e

>
> https://www.qmailtoaster.org/newopensslcnt50.html
>
> Eric
>
>
> On 6/29/2018 4:51 AM, Peter Peltonen wrote:
>> Great, thanks for sharing!
>>
>> One question:
>>
>> Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the 
CNAME

>> lookups removed.
>>
>> Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.
>>
>> How would one migrate the changes you did to Eric's version, 
as I
>> would like to have both: newer TLS support + CNAME lookups 
removed?

>>
>> Best,
>> Peter
>>
>> On Fri, Jun 29, 2018 at 10:34 AM, Eric Broc

Re: [qmailtoaster] re: Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread South Computers

Good question, hadn't considered that. Will check it tonight.



Eric Broch wrote:

What about your dh key? Is it too small?


On 7/5/2018 1:28 PM, South Computers wrote:
This is a repeat,  my first reply went directly to Eric, sorry about 
that sir.


Thank you Eric, might give it a shot later.

In the meantime though, since the update, I'm having tls connect 
problems to certain domains. For certain office365 accounts are not 
going through.


 deferral: TLS_connect_failed;_connected_to_

I can send to gmail, and in the headers it shows that it is using TLS 
1.2.


Anyone have any ideas?

Thanks!


Re: [qmailtoaster] re: Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread Eric Broch

What about your dh key, is it too small?


On 7/5/2018 1:28 PM, South Computers wrote:
This is a repeat,  my first reply went directly to Eric, sorry about 
that sir.


Thank you Eric, might give it a shot later.

In the meantime though, since the update, I'm having tls connect 
problems to certain domains. For certain office365 accounts are not 
going through.


 deferral: TLS_connect_failed;_connected_to_

I can send to gmail, and in the headers it shows that it is using TLS 
1.2.


Anyone have any ideas?

Thanks!


[qmailtoaster] re: Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread South Computers
This is a repeat,  my first reply went directly to Eric, sorry about 
that sir.


Thank you Eric, might give it a shot later.

In the meantime though, since the update, I'm having tls connect 
problems to certain domains. For certain office365 accounts are not going 
through.


 deferral: TLS_connect_failed;_connected_to_

I can send to gmail, and in the headers it shows that it is using TLS 1.2.

Anyone have any ideas?

Thanks!

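Added example (not part of the original thread and not qmailtoaster's own code): one way to see which destinations are hit by the TLS_connect_failed deferral reported in the message above is to pair each "starting delivery" line in the qmail-send log with its deferral line and count by recipient domain and remote IP. The log lines, domains and addresses are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Count TLS_connect_failed deferrals in a qmail-send log, grouped by
# recipient domain and remote IP. Function names are hypothetical.

# Constructed sample log: timestamps, message ids, domains and IPs are
# made up (documentation ranges); only the line layout follows qmail-send.
sample_log() {
cat <<'EOF'
@400000005b3e5f0a0a000001 starting delivery 101: msg 5001 to remote alice@contoso.example
@400000005b3e5f0a0a000002 status: local 0/10 remote 1/60
@400000005b3e5f0b0a000003 delivery 101: deferral: TLS_connect_failed;_connected_to_203.0.113.10./
@400000005b3e5f0c0a000004 starting delivery 102: msg 5002 to remote bob@gmail.example
@400000005b3e5f0d0a000005 delivery 102: success: 198.51.100.7_accepted_message./Remote_host_said:_250_2.0.0_OK/
@400000005b3e5f0e0a000006 starting delivery 103: msg 5003 to remote carol@Contoso.example
@400000005b3e5f0f0a000007 delivery 103: deferral: TLS_connect_failed;_connected_to_203.0.113.10./
@400000005b3e5f100a000008 starting delivery 104: msg 5004 to remote dave@fabrikam.example
@400000005b3e5f110a000009 delivery 104: deferral: TLS_connect_failed;_connected_to_203.0.113.11./
@400000005b3e5f120a00000a starting delivery 105: msg 5005 to remote erin@other.example
@400000005b3e5f130a00000b delivery 105: deferral: Connected_to_198.51.100.9_but_greeting_failed./
EOF
}

# Reads the log named in $1, or stdin when no argument is given.
# Prints "<count> <recipient-domain> <remote-ip>", most frequent first.
tls_deferrals() {
    awk '
    # "starting delivery N: msg M to remote user@domain":
    # remember the recipient domain for delivery N.
    $2 == "starting" && $3 == "delivery" && $8 == "remote" {
        id = $4; sub(/:$/, "", id)
        dom = $9; sub(/^.*@/, "", dom)
        domain[id] = tolower(dom)
        next
    }
    # "delivery N: deferral: TLS_connect_failed[...];_connected_to_IP./":
    # only TLS handshake deferrals are counted, other deferrals are skipped.
    $2 == "delivery" && $4 == "deferral:" && $5 ~ /^TLS_connect_failed/ {
        id = $3; sub(/:$/, "", id)
        ip = $5
        sub(/^.*;_connect(ed|ing)_to_/, "", ip)   # drop everything before the IP
        sub(/\.\/$/, "", ip)                      # drop the trailing "./"
        dom = (id in domain) ? domain[id] : "unknown"
        count[dom " " ip]++
    }
    END { for (k in count) print count[k], k }
    ' "${1:--}" | sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample.
sample_log | tls_deferrals
```

Pass the log file as the first argument to run it on a real log. Destinations that appear here while others still deliver over TLS narrow the problem to the handshake with those particular servers.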

Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread Eric Broch
If people want qmail-dk (ssl) and have already installed the update 
(qmail version 1.03-1.3.24) you can do the following to get qmail-dk 
working with ssl/crypto:

(i686)

# rpm -Uvh ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/libdomainkeys-toaster-0.68-1.3.7.i686.rpm

# rpm -ivh --replacefiles --replacepkgs ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/qmail-toaster-1.03-1.3.24.i686.rpm

(x86_64)

# rpm -Uvh ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/libdomainkeys-toaster-0.68-1.3.7.x86_64.rpm

# rpm -ivh --replacefiles --replacepkgs ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/qmail-toaster-1.03-1.3.24.x86_64.rpm

If you haven't installed the qmail-toaster ssl update (version 1.03-1.3.24), 
follow the instructions here: https://www.qmailtoaster.org/newopensslcnt50.html




On 7/5/2018 10:58 AM, Brian Ghidinelli wrote:


FWIW, I did not update my qmail-dk binary. I was hypothesizing it was 
only used to sign, not to communicate, and therefore the version of 
openssl didn't matter. I might be wrong, but I'm still sending mail?



Brian


- 

To unsubscribe, e-mail: 
qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: 
qmailtoaster-list-h...@qmailtoaster.com





--
Eric Broch
White Horse Technical Consulting (WHTC)



Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread Brian Ghidinelli



FWIW, I did not update my qmail-dk binary. I was hypothesizing it was 
only used to sign, not to communicate, and therefore the version of 
openssl didn't matter. I might be wrong, but I'm still sending mail?



Brian


On 7/5/18 06:38, South Computers wrote:

Interestingly, this broke DKIM.

I don't have the time to look further right now, but disabled dk for 
the time being, and it's working.


Was getting this in smtp/current when trying to send mail:
@40005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!

etc...







[qmailtoaster] {Disarmed} Re: [qmailtoaster] clamav-toaster 0.100

2018-07-05 Thread Remo Mattei
I just rebooted and I see the same issues 

I see 
>> Hi,
>> 
>> It asked for newer versions libcurl and libcurl-devel versions, default 
>> centos5 repository is 7.15 so I had to install libssh2, 
>> libcurl-7.21.7-5.el5.remi.2.x86_64.rpm, 
>> libcurl-devel-7.21.7-5.el5.remi.2.x86_64.rpm and everything worked fine, 
>> thanks.
>> 
>> Leonardo
>> 
>> 

Where did you get the rpms for this?
Thanks

> On Jul 4, 2018, at 9:44 PM, ChandranManikandan  wrote:
> 
 ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/clamav-toaster-0.100.0-1.0.16.i386.rpm
  
 


Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread Eric Broch

Thanks!

An oversight on my part, I'll probably have to recompile and link 
domainkeys with openssl101e if anyone's interested. I'm not sure how 
much it's in use these days being replaced by dkim.



On 7/5/2018 7:38 AM, South Computers wrote:

Interestingly, this broke DKIM.

I don't have the time to look further right now, but disabled dk for 
the time being, and it's working.


Was getting this in smtp/current when trying to send mail:
@40005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!

etc...







--
Eric Broch
White Horse Technical Consulting (WHTC)





Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread South Computers

Interestingly, this broke DKIM.

I don't have the time to look further right now, but disabled dk for the 
time being, and it's working.


Was getting this in smtp/current when trying to send mail:
@40005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!

etc...




South Computers wrote:
Also mostly a lurker these days, but wanted to chime in and give a big 
thanks as well Eric.


Much appreciate all your work to keep this going.
Scott

Also, if anyone else has neglected to keep their toaster up to date 
and needs to manually install the epel repo, at least for x86 on COS5:
wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm

rpm -Uhv epel-release-5-4.noarch.rpm






Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread South Computers
Also mostly a lurker these days, but wanted to chime in and give a big 
thanks as well Eric.


Much appreciate all your work to keep this going.
Scott

Also, if anyone else has neglected to keep their toaster up to date and 
needs to manually install the epel repo, at least for x86 on COS5:
wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm

rpm -Uhv epel-release-5-4.noarch.rpm



Eric Broch wrote:
Instructions for setting up greater than openssl-0.9.8 CentOS 5, 
minimal testing done. This is done with openssl-1.01e


https://www.qmailtoaster.org/newopensslcnt50.html

Eric


On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I
would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote:

Thanks, Brian!!!


On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes
from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*


This buys us a little time to complete a migration. Hope this helps someone
else!


Brian


On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html 



IMHO, there were too many packages that were dependent on openssl-9.8 on the
CentOS 5 box to make this practical.







--
Eric Broch
White Horse Technical Consulting (WHTC)
