Re: Apache - Qpsmtpd - TLS
What client are you trying to use? What's in the error log above and below that line? Have you tried to bump up the logging level by uncommenting the debug constants after the use IO::Socket::SSL line?

When I did that I found that the issue I was having (this was with plain old tcpserver, YMMV) was that client and server couldn't agree on a cipher - qpsmtpd is restricted to openssl's HIGH quality ciphers by default. To change this check out the qpsmtpd-0.3x branch with a revision 663 and modify config/tls_ciphers. For example, I have:

# for available ciphers and format, see:
#http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
# versamail 3.x requires either RC4-MD5 or RC4-SHA
# openssl default is DEFAULT, but qpsmtpd uses HIGH as default
HIGH:RC4-SHA:RC4-MD5

But this was determined by painstakingly determining which cipher versamail needed. Your best bet is to change that to ALL, and see if that works (if it doesn't, it's something else altogether). See http://www.nntp.perl.org/group/perl.qpsmtpd/5584 and followups for more.

But again, with the IO::Socket::SSL debug stuff enabled, you should see something useful above or near the mysterious "Could not create SSL socket" error which should send you down the right path in all cases.

Good luck, let us know what you find.

Brian

On Oct 6, 2006, at 3:21 PM, Ed McLain wrote:

> Ok.. Now that I have everything working with apache and qpsmtpd I'm wanting to throw tls into the mix as well. I've got the certs and keys built, however, when I issue a STARTTLS command I get the following:
>
> 250-PIPELINING
> 250-8BITMIME
> 250 STARTTLS
> STARTTLS
> 220 Go ahead with TLS
> 500 TLS Negotiation Failed
> quit
>
> and I get this in the apache error log:
>
> TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//plugins/tls line 98.
>
> Is there an issue with trying to create an SSL socket inside apache? Does anybody have this working?
>
> Thanks,
> Ed
Re: Apache - Qpsmtpd - TLS
Ed McLain wrote:

> and I get this in the apache error log:
>
> TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//plugins/tls line 98.

I had similar problems and got an error message in the main Apache error_log of:

[Sat Oct 07 09:40:45 2006] [error] Could not create SSL context: Permission denied at /home/smtpd/plugins/tls line 79.\n

No idea if it's related and haven't had a chance to debug. Anyone know where Apache creates the SSL context?

Regards

James Turnbull

P.S. Also drop the last / on your PerlSetVar QpsmtpdDir statement - that's what's causing the // in the error line.

--
James Turnbull [EMAIL PROTECTED]
---
Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
Hardening Linux (http://www.amazon.com/gp/product/159059/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)
Re: Apache - Qpsmtpd - TLS
On Oct 6, 2006, at 15:39, Ed McLain wrote:

>> What client are you trying to use?
>
> Straight telnet

How do you speak SSL then? :-)

That's a little like programming with cat /dev/sda1.

- ask

--
http://askask.com/ - http://develooper.com/
Re: Apache - Qpsmtpd - TLS
Just as a full test I ran swaks against it and here are the results:

=== Trying x.x.x.x:25...
=== Connected to x.x.x.x.
- 220 tmx1.testnet.com ESMTP qpsmtpd 0.32 ready; send us your mail, but not your spam.
- EHLO tested
- 250-tmx1.testnet.com Hi [x.x.x.x] [x.x.x.x]
- 250-PIPELINING
- 250-8BITMIME
- 250 STARTTLS
- STARTTLS
- 220 Go ahead with TLS
*** TLS startup failed (error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol)
- QUIT
** Negotiation Failed **
500 Unrecognized command
=== Connection closed with remote host.

Also, I upgraded the plugin to the newest one in SVN, enabled full debugging, set the tls_ciphers to: HIGH:RC4-SHA:RC4-MD5, and here is the output in the apache error logs:

SSL accept attempt failederror::lib(0):func(0):reason(0) at /home/smtpd/qpsmtpd//plugins/tls line 158
TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//plugins/tls line 158.

And here is the qpsmtpd logs:

Oct 6 21:13:06 tmx1 qpsmtpd[4684]: Connection from [x.x.x.x][x.x.x.x]
Oct 6 21:13:06 tmx1 qpsmtpd[4684]: Plugins already loaded
Oct 6 21:13:06 tmx1 qpsmtpd[4684]: Loaded logging/syslog loglevel LOGDEBUG
Oct 6 21:13:06 tmx1 qpsmtpd[4684]: loading plugins from /home/smtpd/qpsmtpd//plugins
Oct 6 21:13:06 tmx1 qpsmtpd[4684]: ciphers: Qpsmtpd::Plugin::tls=HASH(0x95991ec)-tls_ciphers
Oct 6 21:13:07 tmx1 qpsmtpd[4684]: loadcheck
Oct 6 21:13:07 tmx1 qpsmtpd[4684]: tls
Oct 6 21:13:07 tmx1 qpsmtpd[4684]: check_earlytalker
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: remote host said nothing spontaneous, proceeding
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: tls
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: check_spamhelo
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: count_unrecognized_commands
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command 'starttls'
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: tls
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: logging::denylog
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: count_unrecognized_commands
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command '\200|^A^C^A
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: tls
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: count_unrecognized_commands
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command '^G
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: tls

Hope this helps some.

Thanks,
Ed.

On Fri, 06 Oct 2006 17:16:58 -0700, Ask Bjørn Hansen wrote:

> On Oct 6, 2006, at 15:39, Ed McLain wrote:
>
>>> What client are you trying to use?
>>
>> Straight telnet
>
> How do you speak SSL then? :-)
>
> That's a little like programming with cat /dev/sda1.
>
> - ask
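The two logs in the post above describe the same moment from opposite ends: swaks reports "unknown protocol" because what came back after "220 Go ahead with TLS" was the plaintext "500 Unrecognized command", and on the server side the "Unrecognized command '\200|^A^C^A" entry is, on my reading, the first bytes of the client's TLS hello being parsed as an SMTP command line (the TLS layer was never engaged on the server). The script below is an added illustration, not code from the thread or from qpsmtpd or swaks; it converts syslog's printable rendering (octal escapes and caret notation) back into bytes and classifies what each side received, so that an operator can tell from the logs alone whether the handshake ever started. The sample strings are constructed from the log lines quoted above, and the function names are my own.

```python
import re

# Constructed sample: the two "Unrecognized command" payloads as syslog
# rendered them in the qpsmtpd log quoted above (\NNN = octal escape for a
# byte >= 0x80, ^X = caret notation for a control character).
LOGGED_SERVER_SIDE = ["\\200|^A^C^A", "^G"]
# Constructed sample: the reply swaks received after "220 Go ahead with TLS".
LOGGED_CLIENT_SIDE = b"500 Unrecognized command\r\n"

SSLV2_MSG_TYPES = {1: "CLIENT-HELLO"}
TLS_VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
                0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def unescape_syslog(text):
    """Invert syslog's printable rendering of non-printable bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and re.fullmatch(r"[0-7]{3}", text[i + 1:i + 4] or ""):
            out.append(int(text[i + 1:i + 4], 8))   # \200 -> 0x80
            i += 4
        elif ch == "^" and i + 1 < len(text):
            out.append(ord(text[i + 1]) ^ 0x40)      # ^A -> 0x01, ^? -> 0x7f
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def classify_first_bytes(data):
    """Say what the first bytes on the wire look like: an SSLv2-compatible
    ClientHello (the format OpenSSL's SSL23 client method of that era sent),
    a TLS record, or plain text (SMTP still in the clear after STARTTLS)."""
    if len(data) >= 5 and data[0] & 0x80:
        # 2-byte SSLv2 record header: high bit set, 15-bit length, then the
        # message type and the highest protocol version the client offers.
        length = ((data[0] & 0x7F) << 8) | data[1]
        version = (data[3] << 8) | data[4]
        return {"kind": "sslv2-compatible hello",
                "record_length": length,
                "message": SSLV2_MSG_TYPES.get(data[2], "type %d" % data[2]),
                "version": TLS_VERSIONS.get(version, "0x%04x" % version)}
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 3:
        # TLS record header: content type 0x16 = handshake, version, length.
        version = (data[1] << 8) | data[2]
        length = (data[3] << 8) | data[4]
        return {"kind": "tls record", "record_length": length,
                "message": "handshake",
                "version": TLS_VERSIONS.get(version, "0x%04x" % version)}
    if data and all(0x20 <= b < 0x7F or b in (0x0D, 0x0A) for b in data):
        return {"kind": "plaintext", "text": data.decode("ascii").strip()}
    return {"kind": "unknown", "hex": data.hex()}


def diagnose(server_side_commands, client_side_reply):
    """Combine both views: did the client send a TLS hello, and did the
    server answer in TLS or keep speaking SMTP?"""
    what_client_sent = classify_first_bytes(unescape_syslog(server_side_commands[0]))
    what_server_replied = classify_first_bytes(client_side_reply)
    return {"client_sent": what_client_sent,
            "server_replied": what_server_replied,
            "server_tls_engaged": what_server_replied["kind"] != "plaintext"}


if __name__ == "__main__":
    for key, value in diagnose(LOGGED_SERVER_SIDE, LOGGED_CLIENT_SIDE).items():
        print("%-20s %s" % (key, value))
```

On the constructed sample this reports a 124-byte SSLv2-compatible CLIENT-HELLO offering TLSv1.0 on the client side and a plaintext SMTP reply on the server side, which is the signature of a server that acknowledged STARTTLS but never wrapped the socket; a cipher mismatch, by contrast, would show a TLS record (an alert) coming back rather than plain text.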
Re: Apache - Qpsmtpd - TLS
James Turnbull wrote:

> I had similar problems and got an error message in the main Apache error_log of:
>
> [Sat Oct 07 09:40:45 2006] [error] Could not create SSL context: Permission denied at /home/smtpd/plugins/tls line 79.\n

I fixed this issue - SSL debug revealed it was permissions on the keys - which is odd because the keys were owned by the smtpd user that Apache::Qpsmtpd is running as, which also has read permissions to the files. I had to also add group read permissions to get this to work. Not sure why those permissions would be needed.

Regards

James Turnbull

--
James Turnbull [EMAIL PROTECTED]
---
Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
Hardening Linux (http://www.amazon.com/gp/product/159059/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)
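The "Permission denied" on the SSL context in the post above came down to which identity actually opens the key file, and the fact that adding group read fixed it suggests the opening process matched on the group bit rather than the owner bit. The script below is an added example, not code from the thread or from Apache::Qpsmtpd; it evaluates plain Unix mode bits for a given uid/gid pair (ACLs, SELinux and the root override are deliberately not modelled), so the same key file can be checked as the owner, as another account that only shares the group, and as an unrelated account. The demo runs against a throwaway placeholder file; the function names and the "server.key" path are my own.

```python
import os
import stat
import tempfile


def key_readable_by(path, uid, gid, supplementary_gids=()):
    """Return (readable, which_bit_applied) for whether the identity
    uid/gid (plus supplementary groups) can read `path` under plain mode
    bits. Unix consults exactly one class: owner, else group, else other.
    The root override is intentionally not modelled, so the answer reflects
    what a privilege-dropped worker process would see."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR), "owner bit"
    if st.st_gid == gid or st.st_gid in supplementary_gids:
        return bool(st.st_mode & stat.S_IRGRP), "group bit"
    return bool(st.st_mode & stat.S_IROTH), "other bit"


def audit_key(path, uid, gid, supplementary_gids=()):
    """The two facts worth knowing about a private key file: can the service
    account read it, and can everyone else (world-readable keys are a
    credential leak, not just a hygiene issue)."""
    readable, via = key_readable_by(path, uid, gid, supplementary_gids)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"path": path, "mode": "%04o" % mode,
            "service_can_read": readable, "checked_via": via,
            "world_readable": bool(mode & stat.S_IROTH)}


def demo():
    """Evaluate one placeholder key under 0600, 0640 and 0644 as the owner,
    as a constructed account that only shares the group, and as a stranger."""
    me_uid, me_gid = os.getuid(), os.getgid()
    other_uid = me_uid + 1        # constructed: a different account, same group
    stranger_gid = me_gid + 1     # constructed: a group the file is not in
    results = {}
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "server.key")   # placeholder path, not a real key
        with open(key, "w") as f:
            f.write("constructed placeholder, not key material\n")
        for mode in (0o600, 0o640, 0o644):
            os.chmod(key, mode)
            results["%04o" % mode] = {
                "owner": key_readable_by(key, me_uid, me_gid),
                "same_group": key_readable_by(key, other_uid, me_gid),
                "stranger": key_readable_by(key, other_uid, stranger_gid),
                "world_readable": audit_key(key, me_uid, me_gid)["world_readable"],
            }
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

The useful reading of the output is the "same_group" row: a key at 0600 is unreadable to any account other than its owner even when that account is in the right group, so if the process that builds the SSL context is not running as the file's owner (for instance because Apache opens the file before or outside the identity the handler expects), only the group or other bits can satisfy it. Granting group read to a dedicated group, as in the fix above, is the narrow remedy; checking `world_readable` guards against the over-broad one.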