Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread Eric Broch
If people want qmail-dk (ssl) and have already installed the update 
(qmail version 1.03-1.3.24) you can do the following to get qmail-dk 
working with ssl/crypto:


(i686)

# rpm -Uvh ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/libdomainkeys-toaster-0.68-1.3.7.i686.rpm

# rpm -ivh --replacefiles --replacepkgs ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/qmail-toaster-1.03-1.3.24.i686.rpm


(x86_64)

# rpm -Uvh ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/libdomainkeys-toaster-0.68-1.3.7.x86_64.rpm

# rpm -ivh --replacefiles --replacepkgs ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/qmail-toaster-1.03-1.3.24.x86_64.rpm



If you haven't installed the qmail-toaster ssl update (version 1.03-1.3.24),
follow the instructions here: https://www.qmailtoaster.org/newopensslcnt50.html




On 7/5/2018 10:58 AM, Brian Ghidinelli wrote:


FWIW, I did not update my qmail-dk binary. I was hypothesizing it was 
only used to sign, not to communicate, and therefore the version of 
openssl didn't matter. I might be wrong, but I'm still sending mail?



Brian


On 7/5/18 06:38, South Computers wrote:

Interestingly, this broke DKIM.

I don't have the time to look further right now, but disabled dk for 
the time being, and it's working.


Was getting this in smtp/current when trying to send mail:
@40005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!

etc...




South Computers wrote:
Also mostly a lurker these days, but wanted to chime in and give a 
big thanks as well Eric.


Much appreciate all your work to keep this going.
Scott

Also, if anyone else has neglected to keep their toaster up to date 
and needs to manually install the epel repo, at least for x86 on COS5:
wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm

rpm -Uhv epel-release-5-4.noarch.rpm



Eric Broch wrote:
Instructions for setting up greater than openssl-0.9.8 CentOS 5, 
minimal testing done. This is done with openssl-1.01e


https://www.qmailtoaster.org/newopensslcnt50.html

Eric


On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I
would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch 
 wrote:

Thanks, Brian!!!


On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes
from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone
else!


Brian


On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html 



IMHO, there were too many packages that were dependent on openssl-9.8 on the
CentOS 5 box to make this practical.




- 

To unsubscribe, e-mail: 
qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: 
qmailtoaster-list-h...@qmailtoaster.com



--
Eric Broch
White Horse Technical Consulting (WHTC)











--
Eric Broch
White Horse Technical Consulting (WHTC)
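
After replacing packages or copying rebuilt binaries into place as discussed in this thread, it helps to confirm which OpenSSL each program in /var/qmail/bin resolves at run time. The script below is an added example, not part of the original messages; `NEW_PREFIX`, the function names and the sample `ldd` text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which OpenSSL shared libraries
# each qmail program resolves at run time, by parsing `ldd` output.
# Assumption: NEW_PREFIX is the directory holding the upgraded OpenSSL
# libraries; /usr/local/ssl/lib is a guess based on the include path quoted
# in the thread. Override it in the environment if yours differs.
NEW_PREFIX="${NEW_PREFIX:-/usr/local/ssl/lib}"

# Constructed sample of `ldd` output (not captured from a real host):
# libssl comes from the new tree, libcrypto still from the system copy.
SAMPLE_MIXED='
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00111000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x00a3c000)
    libc.so.6 => /lib/libc.so.6 (0x00b10000)'

# stdin: ldd output. stdout: "soname path" for libssl/libcrypto lines only.
ssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ {
        if ($2 != "=>")       path = "?"
        else if ($3 == "not") path = "NOT-FOUND"   # "=> not found"
        else                  path = $3
        print $1, path
    }' | sort -u
}

# stdin: ldd output. stdout: one verdict word:
#   none    - no dynamic libssl/libcrypto (static link, or no OpenSSL use)
#   missing - a required OpenSSL library cannot be resolved
#   new     - every OpenSSL library resolves under NEW_PREFIX
#   old     - no OpenSSL library resolves under NEW_PREFIX
#   mixed   - libssl and libcrypto come from different trees
classify_linkage() {
    ssl_libs | awk -v prefix="${NEW_PREFIX%/}/" '
        BEGIN { total = 0; missing = 0; fresh = 0 }
        { total++ }
        $2 == "NOT-FOUND"      { missing++ }
        index($2, prefix) == 1 { fresh++ }
        END {
            if (total == 0)          print "none"
            else if (missing > 0)    print "missing"
            else if (fresh == total) print "new"
            else if (fresh == 0)     print "old"
            else                     print "mixed"
        }'
}

# Print a verdict for every executable file in a directory.
# ldd may run the program loader, so use it only on binaries you trust.
audit_dir() {
    dir="${1:-/var/qmail/bin}"
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        verdict=$(ldd "$f" 2>/dev/null | classify_linkage)
        printf '%-8s %s\n' "$verdict" "$f"
    done
}

# Run the audit only when a directory is given: sh audit.sh /var/qmail/bin
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

A `mixed` or `missing` verdict on qmail-smtpd, qmail-remote or qmail-dk is the case to investigate before putting the binary back into service.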



Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread Brian Ghidinelli



FWIW, I did not update my qmail-dk binary. I was hypothesizing it was 
only used to sign, not to communicate, and therefore the version of 
openssl didn't matter. I might be wrong, but I'm still sending mail?



Brian


On 7/5/18 06:38, South Computers wrote:

Interestingly, this broke DKIM.

I don't have the time to look further right now, but disabled dk for 
the time being, and it's working.


Was getting this in smtp/current when trying to send mail:
@40005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!

etc...




South Computers wrote:
Also mostly a lurker these days, but wanted to chime in and give a 
big thanks as well Eric.


Much appreciate all your work to keep this going.
Scott

Also, if anyone else has neglected to keep their toaster up to date 
and needs to manually install the epel repo, at least for x86 on COS5:
wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm

rpm -Uhv epel-release-5-4.noarch.rpm



Eric Broch wrote:
Instructions for setting up greater than openssl-0.9.8 CentOS 5, 
minimal testing done. This is done with openssl-1.01e


https://www.qmailtoaster.org/newopensslcnt50.html

Eric


On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I
would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch 
 wrote:

Thanks, Brian!!!


On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes
from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone
else!


Brian


On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html 



IMHO, there were too many packages that were dependent on openssl-9.8 on the
CentOS 5 box to make this practical.







--
Eric Broch
White Horse Technical Consulting (WHTC)











Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread Eric Broch

Thanks!

An oversight on my part, I'll probably have to recompile and link 
domainkeys with openssl101e if anyone's interested. I'm not sure how 
much it's in use these days being replaced by dkim.



On 7/5/2018 7:38 AM, South Computers wrote:

Interestingly, this broke DKIM.

I don't have the time to look further right now, but disabled dk for 
the time being, and it's working.


Was getting this in smtp/current when trying to send mail:
@40005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!

etc...




South Computers wrote:
Also mostly a lurker these days, but wanted to chime in and give a 
big thanks as well Eric.


Much appreciate all your work to keep this going.
Scott

Also, if anyone else has neglected to keep their toaster up to date 
and needs to manually install the epel repo, at least for x86 on COS5:
wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm

rpm -Uhv epel-release-5-4.noarch.rpm



Eric Broch wrote:
Instructions for setting up greater than openssl-0.9.8 CentOS 5, 
minimal testing done. This is done with openssl-1.01e


https://www.qmailtoaster.org/newopensslcnt50.html

Eric


On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I
would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch 
 wrote:

Thanks, Brian!!!


On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes
from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone
else!


Brian


On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html 



IMHO, there were too many packages that were dependent on openssl-9.8 on the
CentOS 5 box to make this practical.







--
Eric Broch
White Horse Technical Consulting (WHTC)











--
Eric Broch
White Horse Technical Consulting (WHTC)





Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread South Computers

Interestingly, this broke DKIM.

I don't have the time to look further right now, but disabled dk for the 
time being, and it's working.


Was getting this in smtp/current when trying to send mail:
@40005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!

etc...




South Computers wrote:
Also mostly a lurker these days, but wanted to chime in and give a big 
thanks as well Eric.


Much appreciate all your work to keep this going.
Scott

Also, if anyone else has neglected to keep their toaster up to date 
and needs to manually install the epel repo, at least for x86 on COS5:
wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm

rpm -Uhv epel-release-5-4.noarch.rpm



Eric Broch wrote:
Instructions for setting up greater than openssl-0.9.8 CentOS 5, 
minimal testing done. This is done with openssl-1.01e


https://www.qmailtoaster.org/newopensslcnt50.html

Eric


On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I
would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch 
 wrote:

Thanks, Brian!!!


On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes
from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone
else!


Brian


On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html 



IMHO, there were too many packages that were dependent on openssl-9.8 on the
CentOS 5 box to make this practical.







--
Eric Broch
White Horse Technical Consulting (WHTC)











Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-05 Thread South Computers
Also mostly a lurker these days, but wanted to chime in and give a big 
thanks as well Eric.


Much appreciate all your work to keep this going.
Scott

Also, if anyone else has neglected to keep their toaster up to date and 
needs to manually install the epel repo, at least for x86 on COS5:
wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm

rpm -Uhv epel-release-5-4.noarch.rpm



Eric Broch wrote:
Instructions for setting up greater than openssl-0.9.8 CentOS 5, 
minimal testing done. This is done with openssl-1.01e


https://www.qmailtoaster.org/newopensslcnt50.html

Eric


On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I
would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch 
 wrote:

Thanks, Brian!!!


On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes
from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone
else!


Brian


On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html 



IMHO, there were too many packages that were dependent on openssl-9.8 on the
CentOS 5 box to make this practical.







--
Eric Broch
White Horse Technical Consulting (WHTC)




Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-03 Thread Eric Broch

Thanks, Dan.


On 7/3/2018 7:38 AM, Dan McAllister - QMT DNS wrote:

I'm normally just a lurker around here anymore -- Eric does such a GREAT job 
helping you guys! Before I forget, GREAT WORK on getting the updated OpenSSL 
package installation instructions out there!

So, I'm going to add my 2-cents worth in today as an EXPLANATION of WHY you 
need to update your QMail server... and I hope you'll see why.

People using OLD versions of Qmail, or any other mail server, are likely to 
have connectivity issues -- especially after June 30!
Why? Because the IETF and PCI councils have recommended the SHUTDOWN of SSL 
(all versions -- even SSLv3) by June 30, and moving to REQUIRE TLS v1.1 or 
higher. *MANY ISPs ARE ALREADY REQUIRING TLS 1.2 or HIGHER!*

So, if you're using an OpenSSL stack from CentOS 3, 4, or 5, that's going to be 
a problem unless you are able to upgrade your OpenSSL package.

Why are the old SSL versions being SHUTDOWN? Because they have known 
vulnerabilities and we (the server admin community) have had SEVERAL YEARS now 
to address them.

I just thought you (gentle readers) might want to know the reason WHY your 
15-year-old QMT installation is starting to fail! LOL

Dan McAllister

QMT DNS Admin


-Original Message-
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
Sent: Wednesday, June 27, 2018 12:09 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the 
CentOS 5 box to make this practical.


On 6/26/2018 11:44 PM, Brian Ghidinelli wrote:

I'm running into the same SMTP TLS connection errors as reported by
Sean Murphy in this email here:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41115.html


Same scenario: old, reliable CentOS 5 box. We need a few more months
to transition off this box and we're getting an increasing number of
TLS failures that are hard to fix with notls FQDNs.

I have upgraded our openssl so I'm wondering if it's possible, using
the source rpm for my very old install, to recompile and provide a new
SSL library path?

I am not very experienced with rpmbuild and have toyed with the
qmail-toaster.spec file but I believe I ran into a problem that
openssl 1.0.2l does not pass the checks for openssl >= 0.9.8. Any
suggestions for a short term fix?

I believe I would need to recompile and then replace just qmail-smtpd
and qmail-remote, yes?


Brian




--
Eric Broch
White Horse Technical Consulting (WHTC)





RE: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-03 Thread Dan McAllister - QMT DNS
I'm normally just a lurker around here anymore -- Eric does such a GREAT job 
helping you guys! Before I forget, GREAT WORK on getting the updated OpenSSL 
package installation instructions out there!

So, I'm going to add my 2-cents worth in today as an EXPLANATION of WHY you 
need to update your QMail server... and I hope you'll see why.

People using OLD versions of Qmail, or any other mail server, are likely to 
have connectivity issues -- especially after June 30!
Why? Because the IETF and PCI councils have recommended the SHUTDOWN of SSL 
(all versions -- even SSLv3) by June 30, and moving to REQUIRE TLS v1.1 or 
higher. *MANY ISPs ARE ALREADY REQUIRING TLS 1.2 or HIGHER!*

So, if you're using an OpenSSL stack from CentOS 3, 4, or 5, that's going to be 
a problem unless you are able to upgrade your OpenSSL package.

Why are the old SSL versions being SHUTDOWN? Because they have known 
vulnerabilities and we (the server admin community) have had SEVERAL YEARS now 
to address them.

I just thought you (gentle readers) might want to know the reason WHY your 
15-year-old QMT installation is starting to fail! LOL

Dan McAllister

QMT DNS Admin


-Original Message-
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
Sent: Wednesday, June 27, 2018 12:09 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the 
CentOS 5 box to make this practical.


On 6/26/2018 11:44 PM, Brian Ghidinelli wrote:
>
> I'm running into the same SMTP TLS connection errors as reported by
> Sean Murphy in this email here:
>
> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41115.html
>
>
> Same scenario: old, reliable CentOS 5 box. We need a few more months
> to transition off this box and we're getting an increasing number of
> TLS failures that are hard to fix with notls FQDNs.
>
> I have upgraded our openssl so I'm wondering if it's possible, using
> the source rpm for my very old install, to recompile and provide a new
> SSL library path?
>
> I am not very experienced with rpmbuild and have toyed with the
> qmail-toaster.spec file but I believe I ran into a problem that
> openssl 1.0.2l does not pass the checks for openssl >= 0.9.8. Any
> suggestions for a short term fix?
>
> I believe I would need to recompile and then replace just qmail-smtpd
> and qmail-remote, yes?
>
>
> Brian
>
>

--
Eric Broch
White Horse Technical Consulting (WHTC)





Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-02 Thread Eric Broch

Yes, CNAME lookup removed.


On 7/2/2018 12:47 PM, Peter Peltonen wrote:

Thanks Eric, does this rpm have also the cname lookup remove patch?

Best,
Peter

On Sat, Jun 30, 2018 at 9:06 PM, Eric Broch  wrote:

Instructions for setting up greater than openssl-0.9.8 CentOS 5, minimal
testing done. This is done with openssl-1.01e

https://www.qmailtoaster.org/newopensslcnt50.html

Eric



On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I
would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch 
wrote:

Thanks, Brian!!!


On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes
from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now.
*whew*

This buys us a little time to complete a migration. Hope this helps
someone
else!


Brian


On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:


https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the
CentOS 5 box to make this practical.






--
Eric Broch
White Horse Technical Consulting (WHTC)



--
Eric Broch
White Horse Technical Consulting (WHTC)





--
Eric Broch
White Horse Technical Consulting (WHTC)





Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-07-02 Thread Peter Peltonen
Thanks Eric, does this rpm have also the cname lookup remove patch?

Best,
Peter

On Sat, Jun 30, 2018 at 9:06 PM, Eric Broch  wrote:
> Instructions for setting up greater than openssl-0.9.8 CentOS 5, minimal
> testing done. This is done with openssl-1.01e
>
> https://www.qmailtoaster.org/newopensslcnt50.html
>
> Eric
>
>
>
> On 6/29/2018 4:51 AM, Peter Peltonen wrote:
>>
>> Great, thanks for sharing!
>>
>> One question:
>>
>> Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
>> lookups removed.
>>
>> Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.
>>
>> How would one migrate the changes you did to Eric's version, as I
>> would like to have both: newer TLS support + CNAME lookups removed?
>>
>> Best,
>> Peter
>>
>> On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch 
>> wrote:
>>>
>>> Thanks, Brian!!!
>>>
>>>
>>> On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:
>>>
>>> Good news - I seemed to have solved this. It's a combo of these old notes
>>> from 2011 and an upgraded openssl:
>>>
>>> http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up
>>>
>>> I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
>>> openssl-1.0.2o from source on CentOS 5 and linked:
>>>
>>> /usr/include/openssl -> /usr/local/ssl/include/openssl/
>>>
>>> Then I rebuilt the RPM:
>>>
>>> rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec
>>>
>>> This generated the RPM. I extracted the files:
>>>
>>> rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv
>>>
>>> I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
>>> the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
>>> where cpio extracted them to)
>>>
>>> And then tested with checktls.com and everything shows TLS 1.2 now.
>>> *whew*
>>>
>>> This buys us a little time to complete a migration. Hope this helps
>>> someone
>>> else!
>>>
>>>
>>> Brian
>>>
>>>
>>> On 6/27/18 09:09, Eric Broch wrote:
>>>
>>> Have a look at this thread:
>>>
>>>
>>> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html
>>>
>>> IMHO, there were too many packages that were dependent on openssl-9.8 on the
>>> CentOS 5 box to make this practical.
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Eric Broch
>>> White Horse Technical Consulting (WHTC)
>>
>>
>
> --
> Eric Broch
> White Horse Technical Consulting (WHTC)
>
>
>




Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-06-30 Thread Eric Broch
Instructions for setting up greater than openssl-0.9.8 CentOS 5, minimal 
testing done. This is done with openssl-1.01e


https://www.qmailtoaster.org/newopensslcnt50.html

Eric


On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I
would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch  wrote:

Thanks, Brian!!!


On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes
from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone
else!


Brian


On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the
CentOS 5 box to make this practical.






--
Eric Broch
White Horse Technical Consulting (WHTC)




--
Eric Broch
White Horse Technical Consulting (WHTC)
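
The rebuild-and-swap steps quoted in this message, followed up with a local check; this is an added example, not part of any list member's post or of the qmailtoaster project. It classifies which OpenSSL a binary is dynamically linked against and reads the negotiated protocol from `openssl s_client` output. The function names are hypothetical, the `/usr/local/ssl` prefix is taken from the symlink target in the thread, and the sample `ldd` and `s_client` text is constructed.

```shell
#!/bin/sh
# Added example: checks for a rebuilt qmail-smtpd / qmail-remote.
# Function names are hypothetical; the sample inputs below are constructed.

# Read `ldd` output on stdin; $1 is the prefix of the new OpenSSL install.
# Prints: new  (every libssl/libcrypto resolves under the prefix)
#         old  (at least one still resolves elsewhere, e.g. the system copy)
#         none (no shared libssl/libcrypto: statically linked, or no TLS)
classify_linkage() {
    awk -v prefix="$1" '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            seen++
            if (index($3, prefix "/") != 1) stale++
        }
        END {
            if (!seen) print "none"
            else if (stale) print "old"
            else print "new"
        }'
}

# Read `openssl s_client` output on stdin; print the negotiated protocol.
negotiated_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*$/\1/p' |
        head -n 1
}

# Live check. $1 = binary, $2 = OpenSSL prefix, $3 = SMTP host to probe.
# Requires an openssl CLI that understands -tls1_2 (1.0.1 or later).
verify_rebuild() {
    echo "linkage of $1: $(ldd "$1" | classify_linkage "$2")"
    echo "protocol from $3: $(openssl s_client -connect "$3:25" -starttls smtp \
        -tls1_2 </dev/null 2>/dev/null | negotiated_protocol)"
}

# Constructed samples (not captured from a real host).
SAMPLE_LDD_NEW='  libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00110000)
  libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00170000)
  libc.so.6 => /lib/libc.so.6 (0x00a4d000)'
SAMPLE_LDD_OLD='  libssl.so.6 => /lib/libssl.so.6 (0x00b2a000)
  libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00170000)
  libc.so.6 => /lib/libc.so.6 (0x00a4d000)'
SAMPLE_LDD_STATIC='  libc.so.6 => /lib/libc.so.6 (0x00a4d000)'
SAMPLE_S_CLIENT='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

if [ "$#" -eq 3 ]; then
    verify_rebuild "$@"
else
    printf '%s\n' "$SAMPLE_LDD_OLD" | classify_linkage /usr/local/ssl
    printf '%s\n' "$SAMPLE_S_CLIENT" | negotiated_protocol
fi
```

A result of `none` means `ldd` saw no shared libssl, which is what a build statically linked against the source-installed OpenSSL looks like. The `s_client` probe exercises only the receiving side (qmail-smtpd), not qmail-remote.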





Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-06-30 Thread Eric Broch
It removes cname lookups from qmail-remote, specifically in dns.c per 
DJB (https://lists.gt.net/qmail/users/138190).




On 6/29/2018 9:49 AM, Brian Ghidinelli wrote:


What does this patch do? I never heard about 1.3.23.


On 6/29/18 08:45, Eric Broch wrote:

Here's the patch:



diff -rNu qmailqmt/dns.c qmailqmt-new/dns.c
--- qmailqmt/dns.c  2018-01-21 09:03:56.201694493 -0700
+++ qmailqmt-new/dns.c  2018-01-21 09:06:40.696619489 -0700
@@ -249,32 +249,7 @@
 int dns_cname(sa)
 stralloc *sa;
 {
- int r;
- int loop;
- for (loop = 0;loop < 10;++loop)
-  {
-   if (!sa->len) return loop;
-   if (sa->s[sa->len - 1] == ']') return loop;
-   if (sa->s[sa->len - 1] == '.') { --sa->len; continue; }
-   switch(resolve(sa,T_CNAME))
-    {
- case DNS_MEM: return DNS_MEM;
- case DNS_SOFT: return DNS_SOFT;
- case DNS_HARD: return loop;
- default:
-   while ((r = findname(T_CNAME)) != 2)
-   {
-    if (r == DNS_SOFT) return DNS_SOFT;
-    if (r == 1)
- {
-  if (!stralloc_copys(sa,name)) return DNS_MEM;
-  break;
- }
-   }
-   if (r == 2) return loop;
-    }
-  }
- return DNS_HARD; /* alias loop */
+   return 0;
 }

 #define FMT_IAA 40
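
Review bot: The stubbed body (`+   return 0;`) leaves `sa` untouched, whereas the removed loop also stripped a trailing '.' from the name (`if (sa->s[sa->len - 1] == '.') { --sa->len; continue; }`) before it issued any lookup. If the intent is only to stop the CNAME query, consider keeping that normalization so callers still receive the name without the trailing dot, and add a comment above `return 0;` stating why the lookup was removed.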




On 6/29/2018 9:01 AM, Brian Ghidinelli wrote:
My guess is: get both source RPMs, extract both spec files, diff my 
spec against .22 and then apply those changes to .23 and follow the 
rest of the steps?


I don’t remember what I changed in the spec file, or if that even 
mattered, but that would give you what is needed to replicate for 
.23 I believe.


Brian


On Jun 29, 2018, at 03:51, Peter Peltonen wrote:


Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I
would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote:

Thanks, Brian!!!


On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes
from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone
else!


Brian


On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html 



IMHO, there were too many packages that were dependent on openssl-9.8 on the
CentOS 5 box to make this practical.







--
Eric Broch
White Horse Technical Consulting (WHTC)













--
Eric Broch
White Horse Technical Consulting (WHTC)





Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-06-29 Thread Eric Broch

Here's the patch:



diff -rNu qmailqmt/dns.c qmailqmt-new/dns.c
--- qmailqmt/dns.c  2018-01-21 09:03:56.201694493 -0700
+++ qmailqmt-new/dns.c  2018-01-21 09:06:40.696619489 -0700
@@ -249,32 +249,7 @@
 int dns_cname(sa)
 stralloc *sa;
 {
- int r;
- int loop;
- for (loop = 0;loop < 10;++loop)
-  {
-   if (!sa->len) return loop;
-   if (sa->s[sa->len - 1] == ']') return loop;
-   if (sa->s[sa->len - 1] == '.') { --sa->len; continue; }
-   switch(resolve(sa,T_CNAME))
-    {
- case DNS_MEM: return DNS_MEM;
- case DNS_SOFT: return DNS_SOFT;
- case DNS_HARD: return loop;
- default:
-   while ((r = findname(T_CNAME)) != 2)
-   {
-    if (r == DNS_SOFT) return DNS_SOFT;
-    if (r == 1)
- {
-  if (!stralloc_copys(sa,name)) return DNS_MEM;
-  break;
- }
-   }
-   if (r == 2) return loop;
-    }
-  }
- return DNS_HARD; /* alias loop */
+   return 0;
 }

 #define FMT_IAA 40
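
Review bot: After this change `dns_cname()` can only return 0, so the DNS_MEM, DNS_SOFT and DNS_HARD ("alias loop") results seen in the removed lines are never reported, and any caller that branches on those values is left with dead error paths; note that in a comment at the function or clean up the call sites. The added line is also indented three spaces where the removed body (` int r;`) used one.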




On 6/29/2018 9:01 AM, Brian Ghidinelli wrote:

My guess is: get both source RPMs, extract both spec files, diff my spec 
against .22 and then apply those changes to .23 and follow the rest of the 
steps?

I don’t remember what I changed in the spec file, or if that even mattered, but 
that would give you what is needed to replicate for .23 I believe.

Brian



On Jun 29, 2018, at 03:51, Peter Peltonen  wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I
would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter


On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch  wrote:
Thanks, Brian!!!


On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes
from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone
else!


Brian


On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the
CentOS 5 box to make this practical.






--
Eric Broch
White Horse Technical Consulting (WHTC)







--
Eric Broch
White Horse Technical Consulting (WHTC)





Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-06-29 Thread Brian Ghidinelli


My guess is: get both source RPMs, extract both spec files, diff my spec 
against .22 and then apply those changes to .23 and follow the rest of the 
steps? 

I don’t remember what I changed in the spec file, or if that even mattered, but 
that would give you what is needed to replicate for .23 I believe. 

Brian


> On Jun 29, 2018, at 03:51, Peter Peltonen  wrote:
> 
> Great, thanks for sharing!
> 
> One question:
> 
> Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
> lookups removed.
> 
> Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.
> 
> How would one migrate the changes you did to Eric's version, as I
> would like to have both: newer TLS support + CNAME lookups removed?
> 
> Best,
> Peter
> 
>> On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch  wrote:
>> Thanks, Brian!!!
>> 
>> 
>> On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:
>> 
>> Good news - I seemed to have solved this. It's a combo of these old notes
>> from 2011 and an upgraded openssl:
>> 
>> http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up
>> 
>> I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
>> openssl-1.0.2o from source on CentOS 5 and linked:
>> 
>> /usr/include/openssl -> /usr/local/ssl/include/openssl/
>> 
>> Then I rebuilt the RPM:
>> 
>> rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec
>> 
>> This generated the RPM. I extracted the files:
>> 
>> rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv
>> 
>> I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
>> the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
>> where cpio extracted them to)
>> 
>> And then tested with checktls.com and everything shows TLS 1.2 now. *whew*
>> 
>> This buys us a little time to complete a migration. Hope this helps someone
>> else!
>> 
>> 
>> Brian
>> 
>> 
>> On 6/27/18 09:09, Eric Broch wrote:
>> 
>> Have a look at this thread:
>> 
>> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html
>> 
>> IMHO, there were too many packages that were dependent on openssl-9.8 on the
>> CentOS 5 box to make this practical.
>> 
>> 
>> 
>> 
>> 
>> 
>> --
>> Eric Broch
>> White Horse Technical Consulting (WHTC)
> 
> 





Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-06-29 Thread Peter Peltonen
Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I
would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch  wrote:
> Thanks, Brian!!!
>
>
> On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:
>
> Good news - I seemed to have solved this. It's a combo of these old notes
> from 2011 and an upgraded openssl:
>
> http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up
>
> I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
> openssl-1.0.2o from source on CentOS 5 and linked:
>
> /usr/include/openssl -> /usr/local/ssl/include/openssl/
>
> Then I rebuilt the RPM:
>
> rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec
>
> This generated the RPM. I extracted the files:
>
> rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv
>
> I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
> the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
> where cpio extracted them to)
>
> And then tested with checktls.com and everything shows TLS 1.2 now. *whew*
>
> This buys us a little time to complete a migration. Hope this helps someone
> else!
>
>
> Brian
>
>
> On 6/27/18 09:09, Eric Broch wrote:
>
> Have a look at this thread:
>
> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html
>
> IMHO, there were too many packages that were dependent on openssl-9.8 on the
> CentOS 5 box to make this practical.
>
>
>
>
>
>
> --
> Eric Broch
> White Horse Technical Consulting (WHTC)




Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-06-27 Thread Eric Broch

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on 
the CentOS 5 box to make this practical.



On 6/26/2018 11:44 PM, Brian Ghidinelli wrote:


I'm running into the same SMTP TLS connection errors as reported by 
Sean Murphy in this email here:


https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41115.html 



Same scenario: old, reliable CentOS 5 box. We need a few more months 
to transition off this box and we're getting an increasing number of 
TLS failures that are hard to fix with notls FQDNs.


I have upgraded our openssl so I'm wondering if it's possible, using 
the source rpm for my very old install, to recompile and provide a new 
SSL library path?


I am not very experienced with rpmbuild and have toyed with the 
qmail-toaster.spec file but I believe I ran into a problem that 
openssl 1.0.2l does not pass the checks for openssl >= 0.9.8. Any 
suggestions for a short term fix?


I believe I would need to recompile and then replace just qmail-smtpd 
and qmail-remote, yes?



Brian




--
Eric Broch
White Horse Technical Consulting (WHTC)





Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

2018-06-27 Thread Peter Peltonen
I would be interested in this solution as well.

How did you upgrade openssl? Did you follow this tutorial

https://miteshshah.github.io/linux/centos/how-to-enable-openssl-1-0-2-a-tlsv1-1-and-tlsv1-2-on-centos-5-and-rhel5/

or something else?

Best,
Peter

On Wed, Jun 27, 2018 at 8:44 AM, Brian Ghidinelli  wrote:
>
> I'm running into the same SMTP TLS connection errors as reported by Sean
> Murphy in this email here:
>
> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41115.html
>
> Same scenario: old, reliable CentOS 5 box. We need a few more months to
> transition off this box and we're getting an increasing number of TLS
> failures that are hard to fix with notls FQDNs.
>
> I have upgraded our openssl so I'm wondering if it's possible, using the
> source rpm for my very old install, to recompile and provide a new SSL
> library path?
>
> I am not very experienced with rpmbuild and have toyed with the
> qmail-toaster.spec file but I believe I ran into a problem that openssl
> 1.0.2l does not pass the checks for openssl >= 0.9.8. Any suggestions for a
> short term fix?
>
> I believe I would need to recompile and then replace just qmail-smtpd and
> qmail-remote, yes?
>
>
> Brian
>
>
