Re: Apache - Qpsmtpd - TLS

2006-10-06 Thread Brian Szymanski

What client are you trying to use?

What's in the error log above and below that line? Have you tried to  
bump up the logging level by uncommenting the debug constants after  
the use IO::Socket::SSL line?


When I did that I found that the issue I was having (this was with  
plain old tcpserver, YMMV) was that client and server couldn't agree  
on a cipher - qpsmtpd is restricted to openssl's HIGH quality  
ciphers by default. To change this check out the qpsmtpd-0.3x branch  
with a revision  663 and modify config/tls_ciphers. For example, I  
have:

  # for available ciphers and format, see:
  #http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
  # versamail 3.x requires either RC4-MD5 or RC4-SHA
  # openssl default is DEFAULT, but qpsmtpd uses HIGH as default
  HIGH:RC4-SHA:RC4-MD5

But this was determined by painstakingly determining which cipher  
versamail needed. Your best bet is to change that to ALL, and see  
if that works (if it doesn't, it's something else altogether). See  
http://www.nntp.perl.org/group/perl.qpsmtpd/5584 and followups for  
more.


But again, with the IO::Socket::SSL debug stuff enabled, you should  
see something useful above or near the mysterious "Could not create  
SSL socket" error which should send you down the right path in all  
cases.


Good luck & let us know what you find.
Brian

On Oct 6, 2006, at 3:21 PM, Ed McLain wrote:


Ok.. Now that I have everything working with apache and qpsmtpd I'm
wanting to throw tls into the mix as well.  I've got the certs and keys
built, however, when I issue a STARTTLS command I get the following:

250-PIPELINING
250-8BITMIME
250 STARTTLS
STARTTLS
220 Go ahead with TLS
500 TLS Negotiation Failed
quit

and I get this in the apache error log:
TLS failed: Could not create SSL socket:  at /home/smtpd/qpsmtpd//plugins/tls line 98.



Is there an issue with trying to create an SSL socket inside apache?  Does
anybody have this working?

Thanks,
Ed
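Brian's advice above is to widen tls_ciphers and see what the client accepts. Before editing the file it helps to know what OpenSSL actually makes of a cipher string: names it does not recognise are dropped silently, and only a string that matches nothing is an error, so a setting can look right and still not offer the suite you added. The script below is an added example, not code from the thread or from qpsmtpd; it uses Python's standard ssl module, which hands the string to the local OpenSSL build exactly as IO::Socket::SSL would on the same library, so the answer reflects that build. On current OpenSSL builds the RC4 suites in Brian's example no longer exist, and the script reports that they would not be offered.

```python
"""Expand an OpenSSL cipher string (a qpsmtpd tls_ciphers value) the way
the library itself does, so a setting can be checked before deployment.
Added example; it asks the local OpenSSL build via Python's ssl module."""
import ssl


def expand_cipher_string(cipher_string):
    """Return the suite names OpenSSL selects for cipher_string, in preference
    order. Unknown names are ignored by OpenSSL; only a string that matches
    nothing raises ssl.SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured separately and are listed regardless of
    # the string, so keep only the suites the cipher string actually governs.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def selects_anything(cipher_string):
    """False when OpenSSL rejects the string outright (no cipher matches)."""
    try:
        expand_cipher_string(cipher_string)
    except ssl.SSLError:
        return False
    return True


def offers(cipher_string, wanted):
    """True only if every suite named in `wanted` would really be offered."""
    names = set(expand_cipher_string(cipher_string))
    return all(name in names for name in wanted)


if __name__ == "__main__":
    # The three strings discussed in the thread: the qpsmtpd default, Brian's
    # widened value, and the ALL fallback he suggests for diagnosis.
    for s in ("HIGH", "HIGH:RC4-SHA:RC4-MD5", "ALL"):
        if not selects_anything(s):
            print(f"{s!r}: rejected by OpenSSL, no cipher matches")
            continue
        names = expand_cipher_string(s)
        print(f"{s!r}: {len(names)} suites, first {names[:3]}")
        print("  RC4 suites actually offered:", offers(s, ["RC4-SHA", "RC4-MD5"]))
```

Run it on the machine that will serve the mail, since the expansion depends on that host's OpenSSL; a suite listed in the config but absent from the output is the same situation Brian describes, where the two sides cannot agree on a cipher.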





Re: Apache - Qpsmtpd - TLS

2006-10-06 Thread James Turnbull
Ed McLain wrote:
 and I get this in the apache error log:
 TLS failed: Could not create SSL socket:  at /home/smtpd/qpsmtpd//plugins/tls 
 line 98.
 
 

I had similar problems and got an error message in the main Apache
error_log of:

[Sat Oct 07 09:40:45 2006] [error] Could not create SSL context:
Permission denied at /home/smtpd/plugins/tls line 79.\n

No idea if it's related and haven't had a chance to debug.  Anyone know
where Apache creates the SSL context?

Regards

James Turnbull

P.S.  Also drop the last / on your PerlSetVar QpsmtpdDir statement -
that's what's causing the // in the error line.

-- 
James Turnbull [EMAIL PROTECTED]
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)

Hardening Linux
(http://www.amazon.com/gp/product/159059/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)





Re: Apache - Qpsmtpd - TLS

2006-10-06 Thread Ask Bjørn Hansen


On Oct 6, 2006, at 15:39, Ed McLain wrote:


What client are you trying to use?


Straight telnet


How do you speak SSL then?  :-)  That's a little like programming  
with cat > /dev/sda1.



  - ask

--
http://askask.com/  - http://develooper.com/




Re: Apache - Qpsmtpd - TLS

2006-10-06 Thread Ed McLain
Just as a full test I ran swaks against it and here are the results:

=== Trying x.x.x.x:25...
=== Connected to x.x.x.x.
<-  220 tmx1.testnet.com ESMTP qpsmtpd 0.32 ready; send us your mail, but not your spam.
 -> EHLO tested
<-  250-tmx1.testnet.com Hi [x.x.x.x] [x.x.x.x]
<-  250-PIPELINING
<-  250-8BITMIME
<-  250 STARTTLS
 -> STARTTLS
<-  220 Go ahead with TLS
*** TLS startup failed (error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol)
 -> QUIT
**  Negotiation Failed
<** 500 Unrecognized command
=== Connection closed with remote host.

Also, I upgraded the plugin to the newest one in SVN, enabled full
debugging, set the tls_ciphers to: HIGH:RC4-SHA:RC4-MD5, and here is the
output in the apache error logs:

SSL accept attempt failederror::lib(0):func(0):reason(0) at /home/smtpd/qpsmtpd//plugins/tls line 158
TLS failed: Could not create SSL socket:  at /home/smtpd/qpsmtpd//plugins/tls line 158.

And here is the qpsmtpd logs:
Oct  6 21:13:06 tmx1 qpsmtpd[4684]: Connection from [x.x.x.x][x.x.x.x]
Oct  6 21:13:06 tmx1 qpsmtpd[4684]: Plugins already loaded
Oct  6 21:13:06 tmx1 qpsmtpd[4684]: Loaded logging/syslog loglevel LOGDEBUG
Oct  6 21:13:06 tmx1 qpsmtpd[4684]: loading plugins from /home/smtpd/qpsmtpd//plugins
Oct  6 21:13:06 tmx1 qpsmtpd[4684]: ciphers: Qpsmtpd::Plugin::tls=HASH(0x95991ec)->tls_ciphers
Oct  6 21:13:07 tmx1 qpsmtpd[4684]: loadcheck
Oct  6 21:13:07 tmx1 qpsmtpd[4684]: tls
Oct  6 21:13:07 tmx1 qpsmtpd[4684]: check_earlytalker
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: remote host said nothing spontaneous, proceeding
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: tls
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: check_spamhelo
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: count_unrecognized_commands
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command 'starttls'
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: tls
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: logging::denylog
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: count_unrecognized_commands
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command '\200|^A^C^A
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: tls
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: count_unrecognized_commands
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command '^G
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: tls

Hope this helps some.

Thanks,
Ed.

On Fri, 06 Oct 2006 17:16:58 -0700, Ask Bjørn Hansen wrote:

 
 On Oct 6, 2006, at 15:39, Ed McLain wrote:
 
 What client are you trying to use?

 Straight telnet
 
 How do you speak SSL then?  :-)  That's a little like programming  
 with cat > /dev/sda1.
 
 
- ask
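The two excerpts in Ed's message fit together. swaks sends STARTTLS, receives "220 Go ahead with TLS", and then reports "unknown protocol" because what came back was SMTP text rather than a ServerHello; on the server side, qpsmtpd logs that same ClientHello as unrecognized SMTP commands. The entry `\200|^A^C^A` is the start of an SSLv2-compatible ClientHello (0x80 with a length byte, message type 1, then version 3.1), so the server advertised STARTTLS but never switched the socket to TLS and kept feeding handshake bytes to the command parser. The script below is an added example, not code from the thread or from qpsmtpd. It decodes the escaping visible in the log (assumed from the entries shown: caret notation such as ^A for 0x01 and octal such as \200 for 0x80), classifies the leading bytes, and flags any connection whose handshake was parsed as commands, run over constructed sample lines shaped like Ed's log.

```python
"""Triage qpsmtpd syslog lines for a failed server-side STARTTLS upgrade.

When STARTTLS is advertised but the socket is never wrapped in TLS, the
client's ClientHello lands on the plaintext SMTP parser and shows up as
"Unrecognized command" entries. Added example; the caret/octal escaping
is assumed from the log entries in the thread, not taken from qpsmtpd code.
"""
import re

# Constructed sample lines, shaped like the log in the thread (not real data).
SAMPLE_LOG = r"""
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command 'starttls'
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command '\200|^A^C^A'
Oct  6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command '^G'
Oct  6 21:13:09 tmx1 qpsmtpd[4690]: Unrecognized command '^V^C^A'
Oct  6 21:13:10 tmx1 qpsmtpd[4701]: Unrecognized command 'HELO'
""".strip()

LINE_RE = re.compile(r"qpsmtpd\[(?P<pid>\d+)\]: Unrecognized command '(?P<cmd>[^']*)'")
# \NNN octal for bytes with the high bit set, ^X caret notation for controls.
ESC_RE = re.compile(r"\\([0-7]{3})|\^([@-_?])")


def decode_qpsmtpd_escapes(text):
    """Turn the logged caret/octal form back into the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 8))          # \200 -> 0x80
        else:
            out.append(ord(m.group(2)) ^ 0x40)      # ^A -> 0x01, ^V -> 0x16
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def classify_handshake(raw):
    """Name the handshake these leading bytes belong to, or None for ordinary text."""
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        # TLS record layer: content type 0x16 (handshake), version 3.x
        return "TLS record (handshake, version 3.%d)" % raw[2]
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:
        # SSLv2 record header (high bit = 2-byte length) + CLIENT-HELLO (1)
        return "SSLv2-compatible ClientHello"
    return None


def find_plaintext_handshakes(log_text):
    """Return one finding per connection (pid) where handshake bytes were
    parsed as SMTP commands; note whether STARTTLS was seen first."""
    saw_starttls = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, cmd = m.group("pid"), m.group("cmd")
        if cmd.lower() == "starttls":
            saw_starttls.add(pid)
            continue
        kind = classify_handshake(decode_qpsmtpd_escapes(cmd))
        if kind and pid not in {f["pid"] for f in findings}:
            findings.append({"pid": pid, "kind": kind,
                             "after_starttls": pid in saw_starttls})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_handshakes(SAMPLE_LOG):
        print(f"pid {f['pid']}: {f['kind']} parsed as SMTP "
              f"(STARTTLS seen first: {f['after_starttls']})")
```

The useful signal is the pairing, not the garbage alone: a connection that issued STARTTLS and then produced handshake bytes on the command parser means the server side of the upgrade did not happen, which is exactly the case to look for before touching cipher settings.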



Re: Apache - Qpsmtpd - TLS

2006-10-06 Thread James Turnbull
James Turnbull wrote:
 
 I had similar problems and got an error message in the main Apache
 error_log of:
 
 [Sat Oct 07 09:40:45 2006] [error] Could not create SSL context:
 Permission denied at /home/smtpd/plugins/tls line 79.\n

I fixed this issue - SSL debug revealed it was permissions on the keys -
which is odd because the keys were owned by the smtpd user that
Apache::Qpsmtpd is running as, which also has read permissions to the
files.  I had to also add group read permissions to get this to work.
Not sure why those permissions would be needed.

Regards

James Turnbull

-- 
James Turnbull [EMAIL PROTECTED]
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)

Hardening Linux
(http://www.amazon.com/gp/product/159059/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
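James's fix came down to permissions on the key file: the key was owned by the account Apache::Qpsmtpd ran as, yet loading it failed until group read was added. Whatever the cause in his setup, the check a practitioner wants is the same two-sided one: can the server's effective uid and groups read the key, and is the key kept from everyone else on the host? The script below is an added example, not from the thread; it applies the POSIX owner/group/other rule to a key file and reports either problem, exercised on a constructed temporary file. The `gids` argument should carry the server account's supplementary groups as well (`id -G user`), and traverse permissions on the directories leading to the key are not checked.

```python
"""Check that a TLS private key is readable by the account the server runs
as, and by nobody else. Added example (not from the thread): it applies the
POSIX owner/group/other rule explicitly so the check can be run for any
uid/gid set, e.g. the smtpd account Apache::Qpsmtpd runs as."""
import os
import stat
import tempfile


def _can_read(st, uid, gids):
    """POSIX picks exactly one class: owner if uid matches, else group if the
    file's group is among gids, else other. Root bypasses mode bits."""
    if uid == 0:
        return True
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def key_file_findings(path, uid, gids):
    """Return problem codes for the key at `path` as seen by uid/gids:
    'unreadable'     -> the server will fail to load it ('Permission denied')
    'world-readable' -> any account on the host can copy the private key
    Directory traverse permissions along `path` are not checked here."""
    st = os.stat(path)
    findings = []
    if not _can_read(st, uid, gids):
        findings.append("unreadable")
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def demo():
    """Exercise the check on a constructed key file under several modes;
    returns the findings per scenario."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server.key")
        with open(path, "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\n"
                    "constructed placeholder, not a real key\n"
                    "-----END PRIVATE KEY-----\n")
        st = os.stat(path)
        owner, group = st.st_uid, st.st_gid
        other = owner + 1                     # some account that does not own the file
        os.chmod(path, 0o600)
        results["owner_0600"] = key_file_findings(path, owner, [group])
        results["other_0600"] = key_file_findings(path, other, [group])  # 'Permission denied' case
        os.chmod(path, 0o640)
        results["group_0640"] = key_file_findings(path, other, [group])  # readable via group read
        os.chmod(path, 0o644)
        results["world_0644"] = key_file_findings(path, other, [])
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'ok'}")
```

Run `key_file_findings` with the uid and full group list of the account the server actually executes as, rather than the account you expect, since under Apache that is whatever the worker processes switch to; an empty result means the key loads and is not exposed to other local users.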


