Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
If people want qmail-dk (ssl) and have already installed the update (qmail version 1.03-1.3.24) you can do the following to get qmail-dk working with ssl/crypto:

(i686)
# rpm -Uvh ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/libdomainkeys-toaster-0.68-1.3.7.i686.rpm
# rpm -ivh --replacefiles --replacepkgs ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/i386/qmail-toaster-1.03-1.3.24.i686.rpm

(x86_64)
# rpm -Uvh ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/libdomainkeys-toaster-0.68-1.3.7.x86_64.rpm
# rpm -ivh --replacefiles --replacepkgs ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/testing/x86_64/qmail-toaster-1.03-1.3.24.x86_64.rpm

If you haven't installed the qmail-toaster ssl update (version 1.03-1.3.24), follow the instructions here:

https://www.qmailtoaster.org/newopensslcnt50.html

On 7/5/2018 10:58 AM, Brian Ghidinelli wrote:

FWIW, I did not update my qmail-dk binary. I was hypothesizing it was only used to sign, not to communicate, and therefore the version of openssl didn't matter. I might be wrong, but I'm still sending mail?

Brian

On 7/5/18 06:38, South Computers wrote:

Interestingly, this broke DKIM. I don't have the time to look further right now, but disabled dk for the time being, and it's working. Was getting this in smtp/current when trying to send mail:

@40005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!

etc...

South Computers wrote:

Also mostly a lurker these days, but wanted to chime in and give a big thanks as well Eric. Much appreciate all your work to keep this going.

Scott

Also, if anyone else has neglected to keep their toaster up to date and needs to manually install the epel repo, at least for x86 on COS5:

wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -Uhv epel-release-5-4.noarch.rpm

Eric Broch wrote:

Instructions for setting up greater than openssl-0.9.8 CentOS 5, minimal testing done. This is done with openssl-1.01e

https://www.qmailtoaster.org/newopensslcnt50.html

Eric

On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote:

Thanks, Brian!!!

On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone else!

Brian

On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the CentOS 5 box to make this practical.
- To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com -- Eric Broch White Horse Technical Consulting (WHTC)
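A check to run after swapping in rebuilt qmail-smtpd and qmail-remote binaries as described in the message above, added here as an example and not taken from the thread: it reads `openssl s_client -starttls smtp` output to confirm the negotiated protocol, and compares the libssl/libcrypto sonames in `ldd` output to spot a binary (such as qmail-dk) still bound to a different OpenSSL. The function names, sample outputs, library paths and the TLS 1.2 threshold are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. All sample outputs below are constructed.

# Print the negotiated protocol from `openssl s_client` output read on stdin.
# s_client can still print a "Protocol" line after a failed handshake, with the
# cipher shown as 0000, so the cipher is checked as well.
tls_protocol() {
    awk -F: '
        /^[ \t]*Protocol[ \t]*:/ && p == "" { gsub(/[ \t\r]/, "", $2); p = $2 "" }
        /^[ \t]*Cipher[ \t]*:/   && c == "" { gsub(/[ \t\r]/, "", $2); c = $2 "" }
        END { if (p != "" && c != "" && c != "0000") print p }'
}

# Map a protocol string to a verdict. Threshold (assumption): TLS 1.2, the
# result the thread reports after the rebuild.
tls_verdict() {
    case "$1" in
        TLSv1.2|TLSv1.3) echo "ok" ;;
        "")              echo "no-tls" ;;
        *)               echo "too-old" ;;
    esac
}

# Live check against a server you operate (needs network, not run below).
# Usage: check_smtp_tls HOST [PORT]
check_smtp_tls() {
    proto=$(printf 'QUIT\r\n' |
        openssl s_client -starttls smtp -connect "$1:${2:-25}" 2>/dev/null |
        tls_protocol)
    echo "$1 $(tls_verdict "$proto") ${proto:-none}"
}

# From `ldd BINARY` output on stdin, print the libssl/libcrypto sonames the
# binary resolves at run time (empty when it has no such shared dependency).
ssl_deps() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ { printf "%s%s", sep, $1; sep = " " }
         END { print "" }'
}

# Compare the OpenSSL libraries of two binaries, given their ldd outputs.
same_openssl() {
    a=$(printf '%s\n' "$1" | ssl_deps)
    b=$(printf '%s\n' "$2" | ssl_deps)
    if [ "$a" = "$b" ]; then echo "match"; else echo "mismatch"; fi
}

# --- constructed samples ---------------------------------------------------
SAMPLE_NEW='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
---
250 PIPELINING'

SAMPLE_OLD='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
---'

SAMPLE_FAIL='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
---'

# Constructed ldd output: one binary relinked against a newer library, one not.
LDD_NEW='    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00b11000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x0095f000)
    libc.so.6 => /lib/libc.so.6 (0x0079d000)'
LDD_OLD='    libssl.so.6 => /lib/libssl.so.6 (0x00a5c000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x0091a000)
    libc.so.6 => /lib/libc.so.6 (0x0079d000)'

# Demo on the constructed samples.
for s in "$SAMPLE_NEW" "$SAMPLE_OLD" "$SAMPLE_FAIL"; do
    p=$(printf '%s\n' "$s" | tls_protocol)
    echo "handshake: $(tls_verdict "$p") (${p:-none})"
done
echo "smtpd vs dk libraries: $(same_openssl "$LDD_NEW" "$LDD_OLD")"
```

On a live host, feed `ldd /var/qmail/bin/qmail-smtpd` and `ldd /var/qmail/bin/qmail-dk` to `same_openssl`; an empty `ssl_deps` result means the binary has no shared libssl/libcrypto dependency, for example because OpenSSL was linked in statically.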
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
FWIW, I did not update my qmail-dk binary. I was hypothesizing it was only used to sign, not to communicate, and therefore the version of openssl didn't matter. I might be wrong, but I'm still sending mail?

Brian

On 7/5/18 06:38, South Computers wrote:

Interestingly, this broke DKIM. I don't have the time to look further right now, but disabled dk for the time being, and it's working. Was getting this in smtp/current when trying to send mail:

@40005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!

etc...

South Computers wrote:

Also mostly a lurker these days, but wanted to chime in and give a big thanks as well Eric. Much appreciate all your work to keep this going.

Scott

Also, if anyone else has neglected to keep their toaster up to date and needs to manually install the epel repo, at least for x86 on COS5:

wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -Uhv epel-release-5-4.noarch.rpm

Eric Broch wrote:

Instructions for setting up greater than openssl-0.9.8 CentOS 5, minimal testing done. This is done with openssl-1.01e

https://www.qmailtoaster.org/newopensslcnt50.html

Eric

On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote:

Thanks, Brian!!!

On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone else!

Brian

On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the CentOS 5 box to make this practical.

--
Eric Broch
White Horse Technical Consulting (WHTC)
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
Thanks! An oversight on my part, I'll probably have to recompile and link domainkeys with openssl101e if anyone's interested. I'm not sure how much it's in use these days being replaced by dkim.

On 7/5/2018 7:38 AM, South Computers wrote:

Interestingly, this broke DKIM. I don't have the time to look further right now, but disabled dk for the time being, and it's working. Was getting this in smtp/current when trying to send mail:

@40005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!

etc...

South Computers wrote:

Also mostly a lurker these days, but wanted to chime in and give a big thanks as well Eric. Much appreciate all your work to keep this going.

Scott

Also, if anyone else has neglected to keep their toaster up to date and needs to manually install the epel repo, at least for x86 on COS5:

wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -Uhv epel-release-5-4.noarch.rpm

Eric Broch wrote:

Instructions for setting up greater than openssl-0.9.8 CentOS 5, minimal testing done. This is done with openssl-1.01e

https://www.qmailtoaster.org/newopensslcnt50.html

Eric

On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote:

Thanks, Brian!!!

On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone else!

Brian

On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the CentOS 5 box to make this practical.

--
Eric Broch
White Horse Technical Consulting (WHTC)
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
Interestingly, this broke DKIM. I don't have the time to look further right now, but disabled dk for the time being, and it's working. Was getting this in smtp/current when trying to send mail:

@40005b3e1a821e069b7c qmail-dk:[3870]: Dying due to a POSSIBLE BUG!

etc...

South Computers wrote:

Also mostly a lurker these days, but wanted to chime in and give a big thanks as well Eric. Much appreciate all your work to keep this going.

Scott

Also, if anyone else has neglected to keep their toaster up to date and needs to manually install the epel repo, at least for x86 on COS5:

wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -Uhv epel-release-5-4.noarch.rpm

Eric Broch wrote:

Instructions for setting up greater than openssl-0.9.8 CentOS 5, minimal testing done. This is done with openssl-1.01e

https://www.qmailtoaster.org/newopensslcnt50.html

Eric

On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote:

Thanks, Brian!!!

On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone else!

Brian

On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the CentOS 5 box to make this practical.

--
Eric Broch
White Horse Technical Consulting (WHTC)
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
Also mostly a lurker these days, but wanted to chime in and give a big thanks as well Eric. Much appreciate all your work to keep this going.

Scott

Also, if anyone else has neglected to keep their toaster up to date and needs to manually install the epel repo, at least for x86 on COS5:

wget http://dl.fedoraproject.org/pub/archive/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -Uhv epel-release-5-4.noarch.rpm

Eric Broch wrote:

Instructions for setting up greater than openssl-0.9.8 CentOS 5, minimal testing done. This is done with openssl-1.01e

https://www.qmailtoaster.org/newopensslcnt50.html

Eric

On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote:

Thanks, Brian!!!

On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone else!

Brian

On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the CentOS 5 box to make this practical.

--
Eric Broch
White Horse Technical Consulting (WHTC)
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
Thanks, Dan.

On 7/3/2018 7:38 AM, Dan McAllister - QMT DNS wrote:

I'm normally just a lurker around here anymore -- Eric does such a GREAT job helping you guys!

Before I forget, GREAT WORK on getting the updated OpenSSL package installation instructions out there!

So, I'm going to add my 2-cents worth in today as an EXPLANATION of WHY you need to update your QMail server... and I hope you'll see why.

People using OLD versions of Qmail, or any other mail server, are likely to have connectivity issues -- especially after June 30! Why? Because the IETF and PCI councils have recommended the SHUTDOWN of SSL (all versions -- even SSLv3) by June 30, and moving to REQUIRE TLS v1.1 or higher.

*MANY ISPs ARE ALREADY REQUIRING TLS 1.2 or HIGHER!*

So, if you're using an OpenSSL stack from CentOS 3, 4, or 5, that's going to be a problem unless you are able to upgrade your OpenSSL package.

Why are the old SSL versions being SHUTDOWN? Because they have known vulnerabilities and we (the server admin community) have had SEVERAL YEARS now to address them.

I just thought you (gentle readers) might want to know the reason WHY your 15-year-old QMT installation is starting to fail! LOL

Dan McAllister
QMT DNS Admin

-Original Message-
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
Sent: Wednesday, June 27, 2018 12:09 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the CentOS 5 box to make this practical.

On 6/26/2018 11:44 PM, Brian Ghidinelli wrote:

I'm running into the same SMTP TLS connection errors as reported by Sean Murphy in this email here:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41115.html

Same scenario: old, reliable CentOS 5 box. We need a few more months to transition off this box and we're getting an increasing number of TLS failures that are hard to fix with notls FQDNs.

I have upgraded our openssl so I'm wondering if it's possible, using the source rpm for my very old install, to recompile and provide a new SSL library path?

I am not very experienced with rpmbuild and have toyed with the qmail-toaster.spec file but I believe I ran into a problem that openssl 1.0.2l does not pass the checks for openssl >= 0.9.8. Any suggestions for a short term fix?

I believe I would need to recompile and then replace just qmail-smtpd and qmail-remote, yes?

Brian

--
Eric Broch
White Horse Technical Consulting (WHTC)
RE: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
I'm normally just a lurker around here anymore -- Eric does such a GREAT job helping you guys!

Before I forget, GREAT WORK on getting the updated OpenSSL package installation instructions out there!

So, I'm going to add my 2-cents worth in today as an EXPLANATION of WHY you need to update your QMail server... and I hope you'll see why.

People using OLD versions of Qmail, or any other mail server, are likely to have connectivity issues -- especially after June 30! Why? Because the IETF and PCI councils have recommended the SHUTDOWN of SSL (all versions -- even SSLv3) by June 30, and moving to REQUIRE TLS v1.1 or higher.

*MANY ISPs ARE ALREADY REQUIRING TLS 1.2 or HIGHER!*

So, if you're using an OpenSSL stack from CentOS 3, 4, or 5, that's going to be a problem unless you are able to upgrade your OpenSSL package.

Why are the old SSL versions being SHUTDOWN? Because they have known vulnerabilities and we (the server admin community) have had SEVERAL YEARS now to address them.

I just thought you (gentle readers) might want to know the reason WHY your 15-year-old QMT installation is starting to fail! LOL

Dan McAllister
QMT DNS Admin

-Original Message-
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
Sent: Wednesday, June 27, 2018 12:09 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the CentOS 5 box to make this practical.

On 6/26/2018 11:44 PM, Brian Ghidinelli wrote:
>
> I'm running into the same SMTP TLS connection errors as reported by
> Sean Murphy in this email here:
>
> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41115.html
>
> Same scenario: old, reliable CentOS 5 box. We need a few more months
> to transition off this box and we're getting an increasing number of
> TLS failures that are hard to fix with notls FQDNs.
>
> I have upgraded our openssl so I'm wondering if it's possible, using
> the source rpm for my very old install, to recompile and provide a new
> SSL library path?
>
> I am not very experienced with rpmbuild and have toyed with the
> qmail-toaster.spec file but I believe I ran into a problem that
> openssl 1.0.2l does not pass the checks for openssl >= 0.9.8. Any
> suggestions for a short term fix?
>
> I believe I would need to recompile and then replace just qmail-smtpd
> and qmail-remote, yes?
>
> Brian

--
Eric Broch
White Horse Technical Consulting (WHTC)
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
Yes, CNAME lookup removed.

On 7/2/2018 12:47 PM, Peter Peltonen wrote:

Thanks Eric, does this rpm have also the cname lookup remove patch?

Best,
Peter

On Sat, Jun 30, 2018 at 9:06 PM, Eric Broch wrote:

Instructions for setting up greater than openssl-0.9.8 CentOS 5, minimal testing done. This is done with openssl-1.01e

https://www.qmailtoaster.org/newopensslcnt50.html

Eric

On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote:

Thanks, Brian!!!

On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone else!

Brian

On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the CentOS 5 box to make this practical.

--
Eric Broch
White Horse Technical Consulting (WHTC)
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
Thanks Eric, does this rpm have also the cname lookup remove patch?

Best,
Peter

On Sat, Jun 30, 2018 at 9:06 PM, Eric Broch wrote:
> Instructions for setting up greater than openssl-0.9.8 CentOS 5, minimal
> testing done. This is done with openssl-1.01e
>
> https://www.qmailtoaster.org/newopensslcnt50.html
>
> Eric
>
> On 6/29/2018 4:51 AM, Peter Peltonen wrote:
>>
>> Great, thanks for sharing!
>>
>> One question:
>>
>> Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
>> lookups removed.
>>
>> Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.
>>
>> How would one migrate the changes you did to Eric's version, as I
>> would like to have both: newer TLS support + CNAME lookups removed?
>>
>> Best,
>> Peter
>>
>> On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote:
>>>
>>> Thanks, Brian!!!
>>>
>>> On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:
>>>
>>> Good news - I seemed to have solved this. It's a combo of these old notes
>>> from 2011 and an upgraded openssl:
>>>
>>> http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up
>>>
>>> I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
>>> openssl-1.0.2o from source on CentOS 5 and linked:
>>>
>>> /usr/include/openssl -> /usr/local/ssl/include/openssl/
>>>
>>> Then I rebuilt the RPM:
>>>
>>> rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec
>>>
>>> This generated the RPM. I extracted the files:
>>>
>>> rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv
>>>
>>> I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
>>> the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
>>> where cpio extracted them to)
>>>
>>> And then tested with checktls.com and everything shows TLS 1.2 now.
>>> *whew*
>>>
>>> This buys us a little time to complete a migration. Hope this helps
>>> someone else!
>>>
>>> Brian
>>>
>>> On 6/27/18 09:09, Eric Broch wrote:
>>>
>>> Have a look at this thread:
>>>
>>> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html
>>>
>>> IMHO, there were too many packages that were dependent on openssl-9.8 on
>>> the CentOS 5 box to make this practical.
>>>
>>> --
>>> Eric Broch
>>> White Horse Technical Consulting (WHTC)
>
> --
> Eric Broch
> White Horse Technical Consulting (WHTC)
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
Instructions for setting up greater than openssl-0.9.8 CentOS 5, minimal testing done. This is done with openssl-1.01e

https://www.qmailtoaster.org/newopensslcnt50.html

Eric

On 6/29/2018 4:51 AM, Peter Peltonen wrote:

Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote:

Thanks, Brian!!!

On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:

Good news - I seemed to have solved this. It's a combo of these old notes from 2011 and an upgraded openssl:

http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up

I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed openssl-1.0.2o from source on CentOS 5 and linked:

/usr/include/openssl -> /usr/local/ssl/include/openssl/

Then I rebuilt the RPM:

rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec

This generated the RPM. I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone else!

Brian

On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the CentOS 5 box to make this practical.

--
Eric Broch
White Horse Technical Consulting (WHTC)
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
It removes cname lookups from qmail-remote, specifically in dns.c per DJB (https://lists.gt.net/qmail/users/138190). On 6/29/2018 9:49 AM, Brian Ghidinelli wrote: What does this patch do? I never heard about 1.3.23. On 6/29/18 08:45, Eric Broch wrote: Here's the patch: diff -rNu qmailqmt/dns.c qmailqmt-new/dns.c --- qmailqmt/dns.c 2018-01-21 09:03:56.201694493 -0700 +++ qmailqmt-new/dns.c 2018-01-21 09:06:40.696619489 -0700 
@@ -249,32 +249,7 @@ int dns_cname(sa) stralloc *sa; { - int r; - int loop; - for (loop = 0;loop < 10;++loop) - { - if (!sa->len) return loop; - if (sa->s[sa->len - 1] == ']') return loop; - if (sa->s[sa->len - 1] == '.') { --sa->len; continue; } - switch(resolve(sa,T_CNAME)) - { - case DNS_MEM: return DNS_MEM; - case DNS_SOFT: return DNS_SOFT; - case DNS_HARD: return loop; - default: - while ((r = findname(T_CNAME)) != 2) - { - if (r == DNS_SOFT) return DNS_SOFT; - if (r == 1) - { - if (!stralloc_copys(sa,name)) return DNS_MEM; - break; - } - } - if (r == 2) return loop; - } - } - return DNS_HARD; /* alias loop */ + return 0; } #define FMT_IAA 40 On 6/29/2018 9:01 AM, Brian Ghidinelli wrote: My guess is: get both source RPMs, extract both spec files, diff my spec against .22 and then apply those changes to .23 and follow the rest of the steps? I don’t remember what I changed in the spec file, or if that even mattered, but that would give you what is needed to replicate for .23 I believe. Brian On Jun 29, 2018, at 03:51, Peter Peltonen wrote: Great, thanks for sharing! One question: Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME lookups removed. Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume. How would one migrate the changes you did to Eric's version, as I would like to have both: newer TLS support + CNAME lookups removed? Best, Peter On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote: Thanks, Brian!!! On 6/29/2018 1:32 AM, Brian Ghidinelli wrote: Good news - I seemed to have solved this. It's a combo of these old notes from 2011 and an upgraded openssl: http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed openssl-1.0.2o from source on CentOS 5 and linked: /usr/include/openssl -> /usr/local/ssl/include/openssl/ Then I rebuilt the RPM: rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec This generated the RPM. 
I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone else!

Brian

On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the CentOS 5 box to make this practical.
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
Here's the patch: diff -rNu qmailqmt/dns.c qmailqmt-new/dns.c --- qmailqmt/dns.c 2018-01-21 09:03:56.201694493 -0700 +++ qmailqmt-new/dns.c 2018-01-21 09:06:40.696619489 -0700 
@@ -249,32 +249,7 @@ int dns_cname(sa) stralloc *sa; { - int r; - int loop; - for (loop = 0;loop < 10;++loop) - { - if (!sa->len) return loop; - if (sa->s[sa->len - 1] == ']') return loop; - if (sa->s[sa->len - 1] == '.') { --sa->len; continue; } - switch(resolve(sa,T_CNAME)) - { - case DNS_MEM: return DNS_MEM; - case DNS_SOFT: return DNS_SOFT; - case DNS_HARD: return loop; - default: - while ((r = findname(T_CNAME)) != 2) - { - if (r == DNS_SOFT) return DNS_SOFT; - if (r == 1) - { - if (!stralloc_copys(sa,name)) return DNS_MEM; - break; - } - } - if (r == 2) return loop; - } - } - return DNS_HARD; /* alias loop */ + return 0; } #define FMT_IAA 40 On 6/29/2018 9:01 AM, Brian Ghidinelli wrote: My guess is: get both source RPMs, extract both spec files, diff my spec against .22 and then apply those changes to .23 and follow the rest of the steps? I don’t remember what I changed in the spec file, or if that even mattered, but that would give you what is needed to replicate for .23 I believe. Brian On Jun 29, 2018, at 03:51, Peter Peltonen wrote: Great, thanks for sharing! One question: Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME lookups removed. Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume. How would one migrate the changes you did to Eric's version, as I would like to have both: newer TLS support + CNAME lookups removed? Best, Peter On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote: Thanks, Brian!!! On 6/29/2018 1:32 AM, Brian Ghidinelli wrote: Good news - I seemed to have solved this. It's a combo of these old notes from 2011 and an upgraded openssl: http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed openssl-1.0.2o from source on CentOS 5 and linked: /usr/include/openssl -> /usr/local/ssl/include/openssl/ Then I rebuilt the RPM: rpmbuild -bb --target i686 --with cnt50 /usr/src/redhat/SPECS/qmail-toaster.spec This generated the RPM. 
I extracted the files:

rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv

I backed up my existing qmail-smtpd and qmail-remote.orig, and copied the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin where cpio extracted them to)

And then tested with checktls.com and everything shows TLS 1.2 now. *whew*

This buys us a little time to complete a migration. Hope this helps someone else!

Brian

On 6/27/18 09:09, Eric Broch wrote:

Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the CentOS 5 box to make this practical.
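Review bot: in the dns.c hunk, the new body `return 0;` drops more than the CNAME lookup. The removed loop also stripped a trailing '.' from sa (`if (sa->s[sa->len - 1] == '.') { --sa->len; continue; }`) and reported DNS_MEM, DNS_SOFT and DNS_HARD (alias loop) to the caller; after this change dns_cname() never modifies sa and always returns 0, so any caller branch on those return values becomes dead code. If only the T_CNAME resolve is meant to go, consider keeping the trailing-dot strip, and add a comment above `return 0;` stating that the lookup is disabled on purpose, since the now unused `sa` parameter otherwise reads like an unfinished stub.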
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
My guess is: get both source RPMs, extract both spec files, diff my spec against .22 and then apply those changes to .23 and follow the rest of the steps? I don’t remember what I changed in the spec file, or if that even mattered, but that would give you what is needed to replicate for .23 I believe.

Brian

> On Jun 29, 2018, at 03:51, Peter Peltonen wrote:
>
> Great, thanks for sharing!
>
> One question:
>
> Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME
> lookups removed.
>
> Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.
>
> How would one migrate the changes you did to Eric's version, as I
> would like to have both: newer TLS support + CNAME lookups removed?
>
> Best,
> Peter
>
>> On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote:
>> Thanks, Brian!!!
>>
>> On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:
>>
>> Good news - I seemed to have solved this. It's a combo of these old notes
>> from 2011 and an upgraded openssl:
>>
>> http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up
>>
>> I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
>> openssl-1.0.2o from source on CentOS 5 and linked:
>>
>> /usr/include/openssl -> /usr/local/ssl/include/openssl/
>>
>> Then I rebuilt the RPM:
>>
>> rpmbuild -bb --target i686 --with cnt50
>> /usr/src/redhat/SPECS/qmail-toaster.spec
>>
>> This generated the RPM. I extracted the files:
>>
>> rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv
>>
>> I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
>> the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
>> where cpio extracted them to)
>>
>> And then tested with checktls.com and everything shows TLS 1.2 now. *whew*
>>
>> This buys us a little time to complete a migration. Hope this helps someone
>> else!
>>
>> Brian
>>
>> On 6/27/18 09:09, Eric Broch wrote:
>>
>> Have a look at this thread:
>>
>> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html
>>
>> IMHO, there were too many packages that were dependent on openssl-9.8 on the
>> CentOS 5 box to make this practical.
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
Great, thanks for sharing!

One question:

Eric had produced an RPM for qmail 1.03-1.3.23.i386 with the CNAME lookups removed.

Yours is 1.03-1.3.22 and with CNAME lookups enabled I assume.

How would one migrate the changes you did to Eric's version, as I would like to have both: newer TLS support + CNAME lookups removed?

Best,
Peter

On Fri, Jun 29, 2018 at 10:34 AM, Eric Broch wrote:
> Thanks, Brian!!!
>
> On 6/29/2018 1:32 AM, Brian Ghidinelli wrote:
>
> Good news - I seemed to have solved this. It's a combo of these old notes
> from 2011 and an upgraded openssl:
>
> http://www.ghidinelli.com/2011/10/20/october-qmail-follow-up
>
> I'm attaching my modified qmail-toaster.spec from 1.3.21. I installed
> openssl-1.0.2o from source on CentOS 5 and linked:
>
> /usr/include/openssl -> /usr/local/ssl/include/openssl/
>
> Then I rebuilt the RPM:
>
> rpmbuild -bb --target i686 --with cnt50
> /usr/src/redhat/SPECS/qmail-toaster.spec
>
> This generated the RPM. I extracted the files:
>
> rpm2cpio qmail-toaster-1.03-1.3.22.i686.rpm | cpio -idmv
>
> I backed up my existing qmail-smtpd and qmail-remote.orig, and copied
> the new binaries over (from /usr/src/redhat/RPMS/i686/var/qmail/bin
> where cpio extracted them to)
>
> And then tested with checktls.com and everything shows TLS 1.2 now. *whew*
>
> This buys us a little time to complete a migration. Hope this helps someone
> else!
>
> Brian
>
> On 6/27/18 09:09, Eric Broch wrote:
>
> Have a look at this thread:
>
> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html
>
> IMHO, there were too many packages that were dependent on openssl-9.8 on the
> CentOS 5 box to make this practical.
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
Have a look at this thread:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41029.html

IMHO, there were too many packages that were dependent on openssl-9.8 on the CentOS 5 box to make this practical.

On 6/26/2018 11:44 PM, Brian Ghidinelli wrote:

I'm running into the same SMTP TLS connection errors as reported by Sean Murphy in this email here:

https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41115.html

Same scenario: old, reliable CentOS 5 box. We need a few more months to transition off this box and we're getting an increasing number of TLS failures that are hard to fix with notls FQDNs.

I have upgraded our openssl so I'm wondering if it's possible, using the source rpm for my very old install, to recompile and provide a new SSL library path?

I am not very experienced with rpmbuild and have toyed with the qmail-toaster.spec file but I believe I ran into a problem that openssl 1.0.2l does not pass the checks for openssl >= 0.9.8. Any suggestions for a short term fix?

I believe I would need to recompile and then replace just qmail-smtpd and qmail-remote, yes?

Brian
Re: [qmailtoaster] Upgrading openssl in an old Qmailtoaster install
I would be interested in this solution as well. How did you upgrade openssl? Did you follow this tutorial

https://miteshshah.github.io/linux/centos/how-to-enable-openssl-1-0-2-a-tlsv1-1-and-tlsv1-2-on-centos-5-and-rhel5/

or something else?

Best,
Peter

On Wed, Jun 27, 2018 at 8:44 AM, Brian Ghidinelli wrote:
>
> I'm running into the same SMTP TLS connection errors as reported by Sean
> Murphy in this email here:
>
> https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg41115.html
>
> Same scenario: old, reliable CentOS 5 box. We need a few more months to
> transition off this box and we're getting an increasing number of TLS
> failures that are hard to fix with notls FQDNs.
>
> I have upgraded our openssl so I'm wondering if it's possible, using the
> source rpm for my very old install, to recompile and provide a new SSL
> library path?
>
> I am not very experienced with rpmbuild and have toyed with the
> qmail-toaster.spec file but I believe I ran into a problem that openssl
> 1.0.2l does not pass the checks for openssl >= 0.9.8. Any suggestions for a
> short term fix?
>
> I believe I would need to recompile and then replace just qmail-smtpd and
> qmail-remote, yes?
>
> Brian