Re: [qmailtoaster] lot of cname lookup failed

2017-04-20 Thread Rajesh M
eric

thanks a lot

yes i am running qmailtoaster on centos6

now the next question is how do i patch ?

would need detailed steps please so that i don't go wrong anywhere

regds
rajesh





- Original Message -
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
To: qmailtoaster-list@qmailtoaster.com
Sent: Thu, 20 Apr 2017 09:27:25 -0600
Subject:

Hi Rajesh,

I think you're still running QMT/CentOS 6, correct?

If so, I've uploaded a qmail update to the QMT/CentOS 6 repository that
incorporates the DNS patch you referenced (any-to-cname.patch) and the
starttls flush io patch which I've been derelict in implementing.

It has not been tested. If you do install it and something goes wrong
(it most likely won't), you can always downgrade, which I've been doing
regularly with success (of late) on CentOS 7 with qmail while testing
other patches. Be mindful that I haven't downgraded on CentOS 6.

The patch (below) has relatively minor, yet very helpful, coding changes.

Eric



diff -uNr qmtqmail-1.03/dns.c qmtqmail-1.03-new/dns.c
--- qmtqmail-1.03/dns.c 2017-04-20 08:54:53.142832827 -0600
+++ qmtqmail-1.03-new/dns.c 2017-04-20 08:59:46.309633810 -0600
@@ -256,7 +256,7 @@
 if (!sa->len) return loop;
 if (sa->s[sa->len - 1] == ']') return loop;
 if (sa->s[sa->len - 1] == '.') { --sa->len; continue; }
-   switch(resolve(sa,T_ANY))
+   switch(resolve(sa,T_CNAME))
  {
   case DNS_MEM: return DNS_MEM;
   case DNS_SOFT: return DNS_SOFT;
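Review bot: at the `resolve(sa,T_CNAME)` call, the switch arms shown (`DNS_MEM`, `DNS_SOFT`) are unchanged, so it is worth confirming that a name with no CNAME record, which becomes the usual answer once the query is narrowed, ends up on the "no alias" path rather than being reported as a lookup failure. A one-line comment above the call saying why `T_ANY` was dropped would also keep someone from reverting it later.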
diff -uNr qmtqmail-1.03/qmail-smtpd.c qmtqmail-1.03-new/qmail-smtpd.c
--- qmtqmail-1.03/qmail-smtpd.c 2017-04-20 08:54:52.848840048 -0600
+++ qmtqmail-1.03-new/qmail-smtpd.c 2017-04-20 08:58:23.299671749 -0600
@@ -723,7 +723,9 @@

  char ssinbuf[1024];
  substdio ssin = SUBSTDIO_FDBUF(saferead,0,ssinbuf,sizeof ssinbuf);
-
+#ifdef TLS
+void flush_io() { ssin.p = 0; flush(); }
+#endif

  stralloc line = {0};
  stralloc base64types = {0};
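Review bot: the new `flush_io()` definition needs a comment, because `ssin.p = 0` throws away unread client input and nothing at the definition says that this is deliberate. State that it drops plaintext buffered before the TLS handshake, and declare it as `void flush_io(void)`; the hunk also removes the blank line that separated the `ssin` declaration from what follows.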
@@ -1398,7 +1400,7 @@
  , { "rset", smtp_rset, 0 }
  , { "help", smtp_help, flush }
  #ifdef TLS
-, { "starttls", smtp_tls, flush }
+, { "starttls", smtp_tls, flush_io }
  #endif
  , { "noop", err_noop, flush }
  , { "vrfy", err_vrfy, flush }
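Review bot: the `starttls` table entry depends on the third-column callback running before `smtp_tls` begins the handshake, which these lines do not show; if it ran afterwards, `ssin.p = 0` would discard input that arrived inside the TLS session. Please confirm the call order in the command dispatcher and note it next to the entry.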





On 4/20/2017 1:12 AM, Rajesh M wrote:
> hi eric
>
> we are receiving a lot of cname lookup failed.
>
> this happens on a random basis on all our qmailtoaster servers.
>
> our resolv.conf contains
>
> 127.0.0.1
> 8.8.8.8
> 8.8.4.4
>
> we use bind locally within the mail server and google's dns which is also set 
> as cache records and allow lookups from local ips only.
>
> Had a quick question
>
> there are supposedly two different patches.
>
> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg35981.html
>
> is qmailtoaster on whitehorse patched with both these two patches related to 
> dns.?
>
> DNS-related Patches by Jonathan de Boyne Pollard
> http://www.memoryhole.net/qmail/any-to-cname.patch
>
> thanks
> rajesh
>
>
>
>
> -
> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

--
Eric Broch, IMSO, DAM, NGOO, DITH, URTS
White Horse Technical Consulting (WHTC)



Re: [qmailtoaster] Let's Encrypt SSL Cert Install Instructions added to docs?

2017-04-20 Thread Eric Broch
You must stop/start qmail for things to take effect. I'd stop, update, 
start, in that order.



On 4/20/2017 2:20 PM, Eric Broch wrote:


Hi Jaime,

I'd be glad to add instructions for Let's Encrypt SSL cert but 
couldn't find them on the mailing list.


Yes, those two commands should do it barring repo propagation issues. 
I ALWAYS want to update to the latest but I'm ALWAYS hesitant to do it 
when things work well. I suppose I have a healthy fear of breaking 
stuff. ;-)


FYI I just updated my CentOS 6 (to 1.03-1) server and CentOS 7 (to 
1.03-2.1) servers and things seem to work fine on both, although I 
had to bump the softlimit on CentOS 6 server from 500 to 6400 
for submission. All seems good.


Eric


On 4/20/2017 8:13 AM, Jaime Lerner wrote:

Hey Eric,

Was just looking at the docs at qmailtoaster.org and thought it might 
be nice to add in the instructions to use a free Let's Encrypt SSL 
cert with qmail.


Mine has been running smoothly (including all the auto-renewals). 
There's instructions somewhere in the threads from me from the time I 
first got it going. The only thing I would add to those instructions 
would be the crons I set up to auto-renew and auto-generate the file 
for qmail.


Just a thought since you have some other releases. By the way, just 
to confirm...should we want to update to the latest QMT you just 
posted, we would just run the two commands you have listed, correct?


Update CentOS 7/QMT
   1) # yum update
   2) # yum --enablerepo=qmt-testing update


--
Eric Broch, IMSO, DAM, NGOO, DITH, URTS
White Horse Technical Consulting (WHTC)





Re: [qmailtoaster] Let's Encrypt SSL Cert Install Instructions added to docs?

2017-04-20 Thread Eric Broch

Hi Jaime,

I'd be glad to add instructions for Let's Encrypt SSL cert but couldn't 
find them on the mailing list.


Yes, those two commands should do it barring repo propagation issues. I 
ALWAYS want to update to the latest but I'm ALWAYS hesitant to do it 
when things work well. I suppose I have a healthy fear of breaking 
stuff. ;-)


FYI I just updated my CentOS 6 (to 1.03-1) server and CentOS 7 (to 
1.03-2.1) servers and things seem to work fine on both, although I had 
to bump the softlimit on CentOS 6 server from 500 to 6400 for 
submission. All seems good.


Eric


On 4/20/2017 8:13 AM, Jaime Lerner wrote:

Hey Eric,

Was just looking at the docs at qmailtoaster.org and thought it might 
be nice to add in the instructions to use a free Let's Encrypt SSL 
cert with qmail.


Mine has been running smoothly (including all the auto-renewals). 
There's instructions somewhere in the threads from me from the time I 
first got it going. The only thing I would add to those instructions 
would be the crons I set up to auto-renew and auto-generate the file 
for qmail.


Just a thought since you have some other releases. By the way, just to 
confirm...should we want to update to the latest QMT you just posted, 
we would just run the two commands you have listed, correct?


Update CentOS 7/QMT
   1) # yum update
   2) # yum --enablerepo=qmt-testing update


--
Eric Broch, IMSO, DAM, NGOO, DITH, URTS
White Horse Technical Consulting (WHTC)



[qmailtoaster] Let's Encrypt SSL Cert Install Instructions added to docs?

2017-04-20 Thread Jaime Lerner
Hey Eric,

Was just looking at the docs at qmailtoaster.org and thought it might be
nice to add in the instructions to use a free Let's Encrypt SSL cert with
qmail.

Mine has been running smoothly (including all the auto-renewals). There's
instructions somewhere in the threads from me from the time I first got it
going. The only thing I would add to those instructions would be the crons I
set up to auto-renew and auto-generate the file for qmail.

Just a thought since you have some other releases. By the way, just to
confirm...should we want to update to the latest QMT you just posted, we
would just run the two commands you have listed, correct?

Update CentOS 7/QMT
  1) # yum update
  2) # yum --enablerepo=qmt-testing update




Re: [qmailtoaster] lot of cname lookup failed

2017-04-20 Thread Eric Broch

Also added these fixes to the CentOS 7 testing repository

ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/7/testing/x86_64/qmail-1.03-2.1.qt.el7.x86_64.rpm


On 4/20/2017 9:27 AM, Eric Broch wrote:


Hi Rajesh,

I think you're still running QMT/CentOS 6, correct?

If so, I've uploaded a qmail update to the QMT/CentOS 6 repository that 
incorporates the DNS patch you referenced (any-to-cname.patch) and the 
starttls flush io patch which I've been derelict in implementing.


It has not been tested. If you do install it and something goes wrong 
(it most likely won't), you can always downgrade, which I've been doing 
regularly with success (of late) on CentOS 7 with qmail while testing 
other patches. Be mindful that I haven't downgraded on CentOS 6.


The patch (below) has relatively minor, yet very helpful, coding changes.

Eric



diff -uNr qmtqmail-1.03/dns.c qmtqmail-1.03-new/dns.c
--- qmtqmail-1.03/dns.c 2017-04-20 08:54:53.142832827 -0600
+++ qmtqmail-1.03-new/dns.c 2017-04-20 08:59:46.309633810 -0600
@@ -256,7 +256,7 @@
if (!sa->len) return loop;
if (sa->s[sa->len - 1] == ']') return loop;
if (sa->s[sa->len - 1] == '.') { --sa->len; continue; }
-   switch(resolve(sa,T_ANY))
+   switch(resolve(sa,T_CNAME))
 {
  case DNS_MEM: return DNS_MEM;
  case DNS_SOFT: return DNS_SOFT;
diff -uNr qmtqmail-1.03/qmail-smtpd.c qmtqmail-1.03-new/qmail-smtpd.c
--- qmtqmail-1.03/qmail-smtpd.c 2017-04-20 08:54:52.848840048 -0600
+++ qmtqmail-1.03-new/qmail-smtpd.c 2017-04-20 08:58:23.299671749 
-0600

@@ -723,7 +723,9 @@

 char ssinbuf[1024];
 substdio ssin = SUBSTDIO_FDBUF(saferead,0,ssinbuf,sizeof ssinbuf);
-
+#ifdef TLS
+void flush_io() { ssin.p = 0; flush(); }
+#endif

 stralloc line = {0};
 stralloc base64types = {0};
@@ -1398,7 +1400,7 @@
 , { "rset", smtp_rset, 0 }
 , { "help", smtp_help, flush }
 #ifdef TLS
-, { "starttls", smtp_tls, flush }
+, { "starttls", smtp_tls, flush_io }
 #endif
 , { "noop", err_noop, flush }
 , { "vrfy", err_vrfy, flush }





On 4/20/2017 1:12 AM, Rajesh M wrote:

hi eric

we are receiving a lot of cname lookup failed.

this happens on a random basis on all our qmailtoaster servers.

our resolv.conf contains

127.0.0.1
8.8.8.8
8.8.4.4

we use bind locally within the mail server and google's dns which is also set 
as cache records and allow lookups from local ips only.

Had a quick question

there are supposedly two different patches.

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg35981.html

is qmailtoaster on whitehorse patched with both these two patches related to 
dns.?

DNS-related Patches by Jonathan de Boyne Pollard
http://www.memoryhole.net/qmail/any-to-cname.patch

thanks
rajesh






--
Eric Broch, IMSO, DAM, NGOO, DITH, URTS
White Horse Technical Consulting (WHTC)





Re: [qmailtoaster] lot of cname lookup failed

2017-04-20 Thread Eric Broch
Also, it might be helpful to have only one DNS server listed in your 
resolv.conf file...maybe to segregate the offending server if it is 
indeed a DNS server issue. Maybe that would help pre-upgrade.



On 4/20/2017 9:27 AM, Eric Broch wrote:


Hi Rajesh,

I think you're still running QMT/CentOS 6, correct?

If so, I've uploaded a qmail update to the QMT/CentOS 6 repository that 
incorporates the DNS patch you referenced (any-to-cname.patch) and the 
starttls flush io patch which I've been derelict in implementing.


It has not been tested. If you do install it and something goes wrong 
(it most likely won't), you can always downgrade, which I've been doing 
regularly with success (of late) on CentOS 7 with qmail while testing 
other patches. Be mindful that I haven't downgraded on CentOS 6.


The patch (below) has relatively minor, yet very helpful, coding changes.

Eric



diff -uNr qmtqmail-1.03/dns.c qmtqmail-1.03-new/dns.c
--- qmtqmail-1.03/dns.c 2017-04-20 08:54:53.142832827 -0600
+++ qmtqmail-1.03-new/dns.c 2017-04-20 08:59:46.309633810 -0600
@@ -256,7 +256,7 @@
if (!sa->len) return loop;
if (sa->s[sa->len - 1] == ']') return loop;
if (sa->s[sa->len - 1] == '.') { --sa->len; continue; }
-   switch(resolve(sa,T_ANY))
+   switch(resolve(sa,T_CNAME))
 {
  case DNS_MEM: return DNS_MEM;
  case DNS_SOFT: return DNS_SOFT;
diff -uNr qmtqmail-1.03/qmail-smtpd.c qmtqmail-1.03-new/qmail-smtpd.c
--- qmtqmail-1.03/qmail-smtpd.c 2017-04-20 08:54:52.848840048 -0600
+++ qmtqmail-1.03-new/qmail-smtpd.c 2017-04-20 08:58:23.299671749 
-0600

@@ -723,7 +723,9 @@

 char ssinbuf[1024];
 substdio ssin = SUBSTDIO_FDBUF(saferead,0,ssinbuf,sizeof ssinbuf);
-
+#ifdef TLS
+void flush_io() { ssin.p = 0; flush(); }
+#endif

 stralloc line = {0};
 stralloc base64types = {0};
@@ -1398,7 +1400,7 @@
 , { "rset", smtp_rset, 0 }
 , { "help", smtp_help, flush }
 #ifdef TLS
-, { "starttls", smtp_tls, flush }
+, { "starttls", smtp_tls, flush_io }
 #endif
 , { "noop", err_noop, flush }
 , { "vrfy", err_vrfy, flush }





On 4/20/2017 1:12 AM, Rajesh M wrote:

hi eric

we are receiving a lot of cname lookup failed.

this happens on a random basis on all our qmailtoaster servers.

our resolv.conf contains

127.0.0.1
8.8.8.8
8.8.4.4

we use bind locally within the mail server and google's dns which is also set 
as cache records and allow lookups from local ips only.

Had a quick question

there are supposedly two different patches.

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg35981.html

is qmailtoaster on whitehorse patched with both these two patches related to 
dns.?

DNS-related Patches by Jonathan de Boyne Pollard
http://www.memoryhole.net/qmail/any-to-cname.patch

thanks
rajesh






--
Eric Broch, IMSO, DAM, NGOO, DITH, URTS
White Horse Technical Consulting (WHTC)





Re: [qmailtoaster] lot of cname lookup failed

2017-04-20 Thread Eric Broch

Hi Rajesh,

I think you're still running QMT/CentOS 6, correct?

If so, I've uploaded a qmail update to the QMT/CentOS 6 repository that 
incorporates the DNS patch you referenced (any-to-cname.patch) and the 
starttls flush io patch which I've been derelict in implementing.


It has not been tested. If you do install it and something goes wrong 
(it most likely won't), you can always downgrade, which I've been doing 
regularly with success (of late) on CentOS 7 with qmail while testing 
other patches. Be mindful that I haven't downgraded on CentOS 6.


The patch (below) has relatively minor, yet very helpful, coding changes.

Eric



diff -uNr qmtqmail-1.03/dns.c qmtqmail-1.03-new/dns.c
--- qmtqmail-1.03/dns.c 2017-04-20 08:54:53.142832827 -0600
+++ qmtqmail-1.03-new/dns.c 2017-04-20 08:59:46.309633810 -0600
@@ -256,7 +256,7 @@
if (!sa->len) return loop;
if (sa->s[sa->len - 1] == ']') return loop;
if (sa->s[sa->len - 1] == '.') { --sa->len; continue; }
-   switch(resolve(sa,T_ANY))
+   switch(resolve(sa,T_CNAME))
 {
  case DNS_MEM: return DNS_MEM;
  case DNS_SOFT: return DNS_SOFT;
diff -uNr qmtqmail-1.03/qmail-smtpd.c qmtqmail-1.03-new/qmail-smtpd.c
--- qmtqmail-1.03/qmail-smtpd.c 2017-04-20 08:54:52.848840048 -0600
+++ qmtqmail-1.03-new/qmail-smtpd.c 2017-04-20 08:58:23.299671749 -0600
@@ -723,7 +723,9 @@

 char ssinbuf[1024];
 substdio ssin = SUBSTDIO_FDBUF(saferead,0,ssinbuf,sizeof ssinbuf);
-
+#ifdef TLS
+void flush_io() { ssin.p = 0; flush(); }
+#endif

 stralloc line = {0};
 stralloc base64types = {0};
@@ -1398,7 +1400,7 @@
 , { "rset", smtp_rset, 0 }
 , { "help", smtp_help, flush }
 #ifdef TLS
-, { "starttls", smtp_tls, flush }
+, { "starttls", smtp_tls, flush_io }
 #endif
 , { "noop", err_noop, flush }
 , { "vrfy", err_vrfy, flush }





On 4/20/2017 1:12 AM, Rajesh M wrote:

hi eric

we are receiving a lot of cname lookup failed.

this happens on a random basis on all our qmailtoaster servers.

our resolv.conf contains

127.0.0.1
8.8.8.8
8.8.4.4

we use bind locally within the mail server and google's dns which is also set 
as cache records and allow lookups from local ips only.

Had a quick question

there are supposedly two different patches.

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg35981.html

is qmailtoaster on whitehorse patched with both these two patches related to 
dns.?

DNS-related Patches by Jonathan de Boyne Pollard
http://www.memoryhole.net/qmail/any-to-cname.patch

thanks
rajesh






--
Eric Broch, IMSO, DAM, NGOO, DITH, URTS
White Horse Technical Consulting (WHTC)



Re: [qmailtoaster] lot of cname lookup failed

2017-04-20 Thread Eric Broch

Hi Rajesh,

The first patch (Big DNS) is included in QMT, but the T_ANY to T_CNAME 
is not.


Eric


On 4/20/2017 1:12 AM, Rajesh M wrote:

hi eric

we are receiving a lot of cname lookup failed.

this happens on a random basis on all our qmailtoaster servers.

our resolv.conf contains

127.0.0.1
8.8.8.8
8.8.4.4

we use bind locally within the mail server and google's dns which is also set 
as cache records and allow lookups from local ips only.

Had a quick question

there are supposedly two different patches.

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg35981.html

is qmailtoaster on whitehorse patched with both these two patches related to 
dns.?

DNS-related Patches by Jonathan de Boyne Pollard
http://www.memoryhole.net/qmail/any-to-cname.patch

thanks
rajesh






--
Eric Broch, IMSO, DAM, NGOO, DITH, URTS
White Horse Technical Consulting (WHTC)



[qmailtoaster] lot of cname lookup failed

2017-04-20 Thread Rajesh M
hi eric

we are receiving a lot of cname lookup failed.

this happens on a random basis on all our qmailtoaster servers.

our resolv.conf contains

127.0.0.1
8.8.8.8
8.8.4.4

we use bind locally within the mail server and google's dns which is also set 
as cache records and allow lookups from local ips only.

Had a quick question

there are supposedly two different patches.

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg35981.html

is qmailtoaster on whitehorse patched with both these two patches related to 
dns.?

DNS-related Patches by Jonathan de Boyne Pollard
http://www.memoryhole.net/qmail/any-to-cname.patch

thanks
rajesh



Re: [qmailtoaster] Fwd: qmail-1.03-3 CentOS 7

2017-04-20 Thread Eric Broch
A link is also included on the main website qmailtoaster.com and 
qmailtoaster.org



On 4/20/2017 1:01 AM, Eric Broch wrote:

Qmail-1.03-3 is ready for testing (20 APR 2017). Available in the repository upon completion. It includes,
1) The latest Qmail-TLS patch from Frederik Vermeulen's Qmail-TLS site.
2) Secure SMTP (Port 465) available by default.
3) 2048 bit RSA keys and DH params (default).
4) This patch fixes the STARTTLS plaintext command injection vulnerability. Here.
*Thanks to Frederik Vermeulen and others who made these fixes and features available to the Qmail community.





[qmailtoaster] Fwd: qmail-1.03-3 CentOS 7

2017-04-20 Thread Eric Broch

   Qmail-1.03-3 is ready for testing (20 APR 2017). Available in the repository upon completion. It includes,
   1) The latest Qmail-TLS patch from Frederik Vermeulen's Qmail-TLS site.
   2) Secure SMTP (Port 465) available by default.
   3) 2048 bit RSA keys and DH params (default).
   4) This patch fixes the STARTTLS plaintext command injection vulnerability. Here.
   *Thanks to Frederik Vermeulen and others who made these fixes and features available to the Qmail community.
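
The STARTTLS plaintext command injection fix named in item 4, modelled as an added example (not code from this post, from the Qmail-TLS patch or from qmail): a buffered reader that either keeps or discards input left over when STARTTLS is seen. The `inbuf` structure, the function names and the sample segment are all constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a buffered SMTP input stream (not qmail's substdio). */
struct inbuf {
    char data[1024];
    size_t len;   /* bytes received from the socket */
    size_t pos;   /* next unread byte */
};

/* Constructed sample: one plaintext segment with commands pipelined after STARTTLS. */
static const char SAMPLE_WIRE[] =
    "EHLO client.example\r\nSTARTTLS\r\nRSET\r\nNOOP\r\n";

/* Simulate a single read() that delivers the whole segment into the buffer. */
static void fill(struct inbuf *b, const char *wire) {
    b->len = strlen(wire);
    if (b->len > sizeof b->data) b->len = sizeof b->data;
    memcpy(b->data, wire, b->len);
    b->pos = 0;
}

/* Copy the next CRLF-terminated line into out; return 0 once the buffer is empty. */
static int next_line(struct inbuf *b, char *out, size_t outsz) {
    size_t i = 0;
    if (b->pos >= b->len) return 0;
    while (b->pos < b->len && b->data[b->pos] != '\n') {
        char c = b->data[b->pos++];
        if (c != '\r' && i + 1 < outsz) out[i++] = c;
    }
    if (b->pos < b->len) b->pos++;              /* consume the '\n' */
    out[i] = '\0';
    return 1;
}

/* Case-insensitive string equality (SMTP verbs are case-insensitive). */
static int ieq(const char *a, const char *b) {
    while (*a && *b && toupper((unsigned char)*a) == toupper((unsigned char)*b)) { a++; b++; }
    return *a == *b;
}

/* Count commands that arrived before the handshake but would be processed
 * after it, as if sent inside the TLS session. discard_on_tls = 1 models
 * the fixed behaviour: leftover plaintext is dropped at STARTTLS. */
int plaintext_cmds_run_after_tls(const char *wire, int discard_on_tls) {
    struct inbuf b;
    char line[256];
    int tls_started = 0, carried_over = 0;

    fill(&b, wire);
    while (next_line(&b, line, sizeof line)) {
        if (tls_started) { carried_over++; continue; }
        if (ieq(line, "STARTTLS")) {
            tls_started = 1;
            if (discard_on_tls) b.pos = b.len;  /* drop leftover plaintext */
        }
    }
    return carried_over;
}

int main(void) {
    printf("without discard: %d\n", plaintext_cmds_run_after_tls(SAMPLE_WIRE, 0));
    printf("with discard:    %d\n", plaintext_cmds_run_after_tls(SAMPLE_WIRE, 1));
    return 0;
}
```

A non-zero count from the first call is the condition the fix removes; a regression test for an SMTP server can assert the same property against its own input buffer.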