Re: Apache - Qpsmtpd - TLS
James Turnbull wrote:
>
> I had similar problems and got an error message in the main Apache
> error_log of:
>
> [Sat Oct 07 09:40:45 2006] [error] Could not create SSL context:
> Permission denied at /home/smtpd/plugins/tls line 79.\n

I fixed this issue - SSL debug revealed it was permissions on the keys - which is odd because the keys were owned by the smtpd user that Apache::Qpsmtpd is running as, which also has read permissions to the files. I had to also add group read permissions to get this to work. Not sure why those permissions would be needed.

Regards

James Turnbull

--
James Turnbull <[EMAIL PROTECTED]>
---
Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
Hardening Linux (http://www.amazon.com/gp/product/159059/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
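The "Could not create SSL context: Permission denied" error above comes down to which permission bit actually lets the service account open the key file. The following is an added example (not code from qpsmtpd, Apache::Qpsmtpd or the posters) that reports, for a given key path and the uid/gid set a service runs with, whether the key is readable, via which bit (owner, group or other), and whether it is world-readable, which for a private key is a finding in itself. The key file and modes in the demo are constructed in a temporary directory; the uid and gids are parameters you supply, and a root-owned process that bypasses mode bits is not modelled.

```python
"""Report who can read a TLS private key file.

Added example for the permission problem discussed in the thread; not code
from qpsmtpd or Apache::Qpsmtpd.  The logic works from the mode bits and the
supplied uid/gids, so it models an unprivileged service account (root bypasses
these checks and is not modelled).
"""
import os
import stat
import tempfile


def key_access_report(path, service_uid, service_gids):
    """Describe how a service running as (service_uid, service_gids) can read `path`.

    `service_gids` is the full list of group ids of the service process
    (primary plus supplementary); membership in any of them counts.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    owner_ok = st.st_uid == service_uid and bool(mode & stat.S_IRUSR)
    group_ok = st.st_gid in service_gids and bool(mode & stat.S_IRGRP)
    other_ok = bool(mode & stat.S_IROTH)
    if owner_ok:
        via = "owner"
    elif group_ok:
        via = "group"
    elif other_ok:
        via = "other"
    else:
        # No bit grants access: open() fails with EACCES, which is the
        # "Permission denied" line seen in the Apache error_log.
        via = "none"
    return {
        "mode": oct(mode),
        "owner_uid": st.st_uid,
        "owner_gid": st.st_gid,
        "readable_by_service": via != "none",
        "granted_via": via,
        # A private key that every local user can read is a finding on its own.
        "world_readable": other_ok,
    }


def own_ids(path):
    """Return (uid, gid) owning `path`; convenience for building scenarios."""
    st = os.stat(path)
    return st.st_uid, st.st_gid


def make_demo_key(mode):
    """Create a placeholder key file (constructed, not a real key) with `mode`."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "server.key")
    with open(path, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    me, my_gids = os.getuid(), list(os.getgroups())
    for m in (0o600, 0o640, 0o644):
        print(oct(m), key_access_report(make_demo_key(m), me, my_gids))
```

The useful output for the case in the thread is `granted_via`: if it says "none" for the uid and gids the Apache children actually run with, the open() will fail regardless of what `ls -l` seems to promise, and if it says "other" the key is readable by every local account and should be tightened to 0600 or 0640 with a group limited to the service.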
Re: Apache - Qpsmtpd - TLS
Just as a full test I ran swaks against it and here are the results:

=== Trying x.x.x.x:25...
=== Connected to x.x.x.x.
<- 220 tmx1.testnet.com ESMTP qpsmtpd 0.32 ready; send us your mail, but not your spam.
-> EHLO tested
<- 250-tmx1.testnet.com Hi [x.x.x.x] [x.x.x.x]
<- 250-PIPELINING
<- 250-8BITMIME
<- 250 STARTTLS
-> STARTTLS
<- 220 Go ahead with TLS
*** TLS startup failed (error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol)
-> QUIT
<** Negotiation Failed
<** 500 Unrecognized command
=== Connection closed with remote host.

Also, I upgraded the plugin to the newest one in SVN, enabled full debugging, set the tls_ciphers to: HIGH:RC4-SHA:RC4-MD5, and here is the output in the apache error logs:

SSL accept attempt failederror::lib(0):func(0):reason(0) at /home/smtpd/qpsmtpd//plugins/tls line 158
TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//plugins/tls line 158.

And here is the qpsmtpd logs:

Oct 6 21:13:06 tmx1 qpsmtpd[4684]: Connection from [x.x.x.x][x.x.x.x]
Oct 6 21:13:06 tmx1 qpsmtpd[4684]: Plugins already loaded
Oct 6 21:13:06 tmx1 qpsmtpd[4684]: Loaded logging/syslog loglevel LOGDEBUG
Oct 6 21:13:06 tmx1 qpsmtpd[4684]: loading plugins from /home/smtpd/qpsmtpd//plugins
Oct 6 21:13:06 tmx1 qpsmtpd[4684]: ciphers: Qpsmtpd::Plugin::tls=HASH(0x95991ec)->tls_ciphers
Oct 6 21:13:07 tmx1 qpsmtpd[4684]: loadcheck
Oct 6 21:13:07 tmx1 qpsmtpd[4684]: tls
Oct 6 21:13:07 tmx1 qpsmtpd[4684]: check_earlytalker
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: remote host said nothing spontaneous, proceeding
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: tls
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: check_spamhelo
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: count_unrecognized_commands
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command 'starttls'
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: tls
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: logging::denylog
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: count_unrecognized_commands
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command '\200|^A^C^A
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: tls
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: count_unrecognized_commands
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command '^G
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: tls

Hope this helps some.

Thanks,
Ed.

On Fri, 06 Oct 2006 17:16:58 -0700, Ask Bjørn Hansen wrote:
>
> On Oct 6, 2006, at 15:39, Ed McLain wrote:
>
>>> What client are you trying to use?
>>
>> Straight telnet
>
> How do you speak SSL then? :-) That's a little like programming
> with "cat > /dev/sda1".
>
>
> - ask
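The swaks transcript and the qpsmtpd log above tell the same story from both ends: the server answers "220 Go ahead with TLS", the client sends its TLS ClientHello, and the server, which never switched the socket to TLS, reads those handshake bytes as SMTP commands ("Unrecognized command '\200|^A^C^A") and replies in plaintext, so the client's SSL layer fails with "unknown protocol". The following is an added example (not code from qpsmtpd, Apache::Qpsmtpd or swaks) that does in Python what swaks was used for here: it walks greeting, EHLO, STARTTLS and the handshake, and reports the stage at which the upgrade fails. To make it runnable offline it also includes a constructed stand-in server that reproduces exactly this misbehaviour; the banner text, the EHLO name `probe.example` and the port are assumptions of the example.

```python
"""Probe an SMTP server's STARTTLS upgrade and report the stage at which it fails.

Added example, not code from qpsmtpd, Apache::Qpsmtpd or swaks.  The stand-in
server below is constructed to reproduce the failure in the thread: it
advertises STARTTLS and answers "220 Go ahead with TLS" but never wraps the
socket, so the client's ClientHello is read as SMTP commands and the client
gets an SSL "unknown protocol" / "wrong version number" style error.
"""
import smtplib
import socket
import ssl
import threading


def probe_starttls(host, port, timeout=5.0):
    """Walk greeting -> EHLO -> STARTTLS -> handshake; return where it stopped."""
    result = {"stage": "connect", "advertised_starttls": False,
              "tls_ok": False, "error": None}
    # The probe only asks whether the upgrade happens at all, so peer
    # verification is off here; a real client must verify the certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        client = smtplib.SMTP(host, port, timeout=timeout)
    except OSError as exc:
        result["error"] = f"connect failed: {exc}"
        return result
    try:
        result["stage"] = "ehlo"
        code, _ = client.ehlo("probe.example")  # hypothetical client name
        if code != 250:
            result["error"] = f"EHLO rejected with {code}"
            return result
        result["advertised_starttls"] = client.has_extn("starttls")
        if not result["advertised_starttls"]:
            result["error"] = "STARTTLS not advertised (plugin not loaded?)"
            return result
        result["stage"] = "handshake"
        client.starttls(context=ctx)  # sends STARTTLS, expects 220, then ClientHello
        result["stage"] = "done"
        result["tls_ok"] = True
    except ssl.SSLError as exc:
        # Server said 220 but then kept talking plaintext: the ClientHello was
        # answered with an SMTP reply instead of a ServerHello (the swaks case).
        result["error"] = f"TLS handshake failed: {exc.reason or exc}"
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = f"SMTP/socket error: {exc}"
    finally:
        try:
            client.close()
        except OSError:
            pass
    return result


def start_broken_starttls_server():
    """Start the constructed stand-in on a loopback port; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        conn.settimeout(5.0)
        with conn:
            conn.sendall(b"220 tmx1.testnet.com ESMTP ready\r\n")  # constructed banner
            while True:
                try:
                    data = conn.recv(4096)
                except OSError:
                    break
                if not data:
                    break
                cmd = data.split(b"\r\n", 1)[0].upper()
                if cmd.startswith(b"EHLO"):
                    conn.sendall(b"250-tmx1.testnet.com Hi\r\n250-PIPELINING\r\n"
                                 b"250-8BITMIME\r\n250 STARTTLS\r\n")
                elif cmd == b"STARTTLS":
                    # The bug being reproduced: no TLS wrap of the socket follows.
                    conn.sendall(b"220 Go ahead with TLS\r\n")
                elif cmd == b"QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    # TLS record bytes arriving on the plaintext channel land here,
                    # like the "Unrecognized command '\200|^A^C^A" line in the log.
                    conn.sendall(b"500 Unrecognized command\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print(probe_starttls("127.0.0.1", start_broken_starttls_server()))
```

Against a real server you would call `probe_starttls(host, 25)`; a result with `advertised_starttls` true and `stage` stuck at "handshake" is the signature seen in this thread, and it points at the server side failing to build its SSL socket after sending 220 rather than at a cipher mismatch, which would surface as a TLS alert inside the handshake instead of plaintext SMTP replies.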
Re: Apache - Qpsmtpd - TLS
While it's true that I can't speak SSL to it, it does show that:

1. STARTTLS as an option is there when performing an EHLO, meaning that all of the certs could be found and the plugin was recognized.
2. Typing STARTTLS does in fact trigger the plugin and at least wait for an attempt of SSL negotiation.

It's like pinging a machine to make sure it's there before you try to hit the website on it.

Thanks,
Ed

On Fri, 06 Oct 2006 17:16:58 -0700, Ask Bjørn Hansen wrote:
>
> On Oct 6, 2006, at 15:39, Ed McLain wrote:
>
>>> What client are you trying to use?
>>
>> Straight telnet
>
> How do you speak SSL then? :-) That's a little like programming
> with "cat > /dev/sda1".
>
>
> - ask
Re: Apache - Qpsmtpd - TLS
On Oct 6, 2006, at 15:39, Ed McLain wrote:

>> What client are you trying to use?
>
> Straight telnet

How do you speak SSL then? :-) That's a little like programming with "cat > /dev/sda1".

- ask

--
http://askask.com/ - http://develooper.com/
Re: Apache - Qpsmtpd - TLS
Ed McLain wrote:
> and I get this in the apache error log:
> TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//plugins/tls
> line 98.
>

I had similar problems and got an error message in the main Apache error_log of:

[Sat Oct 07 09:40:45 2006] [error] Could not create SSL context: Permission denied at /home/smtpd/plugins/tls line 79.\n

No idea if it's related and haven't had a chance to debug. Anyone know where Apache creates the SSL context?

Regards

James Turnbull

P.S. Also drop the last / on your PerlSetVar QpsmtpdDir statement - that's what's causing the // in the error line.
Re: Apache - Qpsmtpd - TLS
On Fri, 06 Oct 2006 17:59:51 -0400, Brian Szymanski wrote:
> What client are you trying to use?

Straight telnet

>
> What's in the error log above and below that line? Have you tried to
> bump up the logging level by uncommenting the debug constants after
> the use IO::Socket::SSL line?

Absolutely nothing.

> When I did that I found that the issue I was having (this was with
> plain old tcpserver, YMMV) was that client and server couldn't agree
> on a cipher - qpsmtpd is restricted to openssl's "HIGH" quality
> ciphers by default. To change this check out the qpsmtpd-0.3x branch
> with a revision > 663 and modify config/tls_ciphers. For example, I

I de-commented out the debug lines and no other logging took place. One thing to note, the "500 TLS Negotiation Failed" message pops up immediately, maybe a 1 or 2 second pause. Is there a timeout period on tls negotiation? When I try a telnet against my qmail box it sits there and waits for the client to attempt a tls negotiation before it bombs out.

Thanks,
Ed

>
> Good luck & let us know what you find.
> Brian
>
> On Oct 6, 2006, at 3:21 PM, Ed McLain wrote:
>
>> Ok.. Now that I have everything working with apache and qpsmtpd I'm
>> wanting to throw tls into the mix as well. I've got the certs and
>> keys
>> built, however, when I issue a STARTTLS command I get the following:
>>
>> 250-PIPELINING
>> 250-8BITMIME
>> 250 STARTTLS
>> STARTTLS
>> 220 Go ahead with TLS
>> 500 TLS Negotiation Failed
>> quit
>>
>> and I get this in the apache error log:
>> TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//
>> plugins/tls line 98.
>>
>>
>> Is there an issue with trying to create an SSL socket inside
>> apache? Does
>> anybody have this working?
>>
>> Thanks,
>> Ed
>>
Re: Apache - Qpsmtpd - TLS
What client are you trying to use?

What's in the error log above and below that line? Have you tried to bump up the logging level by uncommenting the debug constants after the use IO::Socket::SSL line?

When I did that I found that the issue I was having (this was with plain old tcpserver, YMMV) was that client and server couldn't agree on a cipher - qpsmtpd is restricted to openssl's "HIGH" quality ciphers by default. To change this check out the qpsmtpd-0.3x branch with a revision > 663 and modify config/tls_ciphers. For example, I have:

# for available ciphers and format, see:
#http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
# versamail 3.x requires either RC4-MD5 or RC4-SHA
# openssl default is "DEFAULT", but qpsmtpd uses "HIGH" as default
HIGH:RC4-SHA:RC4-MD5

But this was determined by painstakingly determining which cipher versamail needed. Your best bet is to change that to "ALL", and see if that works (if it doesn't, it's something else altogether). See http://www.nntp.perl.org/group/perl.qpsmtpd/5584 and followups for more.

But again, with the IO::Socket::SSL debug stuff enabled, you should see something useful above or near the mysterious "Could not create SSL socket" error which should send you down the right path in all cases.

Good luck & let us know what you find.
Brian

On Oct 6, 2006, at 3:21 PM, Ed McLain wrote:

> Ok.. Now that I have everything working with apache and qpsmtpd I'm
> wanting to throw tls into the mix as well. I've got the certs and keys
> built, however, when I issue a STARTTLS command I get the following:
>
> 250-PIPELINING
> 250-8BITMIME
> 250 STARTTLS
> STARTTLS
> 220 Go ahead with TLS
> 500 TLS Negotiation Failed
> quit
>
> and I get this in the apache error log:
> TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//plugins/tls line 98.
>
> Is there an issue with trying to create an SSL socket inside apache? Does
> anybody have this working?
>
> Thanks,
> Ed
Apache - Qpsmtpd - TLS
Ok.. Now that I have everything working with apache and qpsmtpd I'm wanting to throw tls into the mix as well. I've got the certs and keys built, however, when I issue a STARTTLS command I get the following:

250-PIPELINING
250-8BITMIME
250 STARTTLS
STARTTLS
220 Go ahead with TLS
500 TLS Negotiation Failed
quit

and I get this in the apache error log:

TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//plugins/tls line 98.

Is there an issue with trying to create an SSL socket inside apache? Does anybody have this working?

Thanks,
Ed