Hmmm... I think you may be beyond the edge of my expertise, but I'll certainly try to help if I can. spamdyke uses the OpenSSL library to handle SSL and TLS, so anything that works with OpenSSL on the command line should work with spamdyke as well. The option "tls-cipher-list" serves the same function as the "-cipher" option to "openssl". spamdyke just takes the text it's given and passes it to the SSL_CTX_set_cipher_list() function in the OpenSSL library before the connection is established. The ciphers you give should be ones listed when you run "openssl ciphers" from the command line; I'm not sure how it handles abbreviations.
It's possible the problem is actually within openssl's SMTP client. If it's not starting the SMTP connection and asking for TLS correctly, the client could be sending encrypted text while the server is still in plaintext mode or vice versa. That would yield some strange error messages on both sides.

I think I would suggest configuring spamdyke on port 465 with "tls-level" set to "smtps" and the "tls-cipher-list" option set to your specific ciphers. Then use this command to connect and test (substitute your ciphers as appropriate):

openssl s_client -quiet -cipher "EXP-RC4-MD5" -connect localhost:465

If it connects and you see the "220" greeting banner, it's working. If you see an "alert handshake failure", you've probably selected a cipher the server doesn't support.

-- Sam Clippinger

On Sep 7, 2013, at 3:18 PM, Marc Gregel wrote:

> Hi :-)
>
> These days where the NSA is watching us I decided to make my server as secure
> as possible.
> For qmail it means to use TLS with strong encryption - openssl with "-ciphers "EDHS:DE" for example.
>
> The original QMAIL without spamdyke works fine:
> openssl s_client -starttls smtp -connect localhost:25
> shows me this:
> Protocol : TLSv1.2
> Cipher : DHE-RSA-AES256-GCM-SHA384
> Great!
>
> Now I enable spamdyke and test it again...
> Protocol : TLSv1.2
> Cipher : AES256-GCM-SHA384
>
> Ok, not that good... maybe just a wrong cipher list? So I specified it a
> little bit more (works fine with qmail only):
> openssl s_client -starttls smtp -connect localhost:25 -cipher 'DH'
>
> Oops, an error:
> CONNECTED(00000003)
> 139820346807976:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
>
> I already tried to add "dhparam" to the qmail servercert
> (mentioned here http://permalink.gmane.org/gmane.mail.spam.spamdyke.user/3226 )
> but that didn't change anything...
>
>
> I also tested with "tls-cipher-list" param at the conf file - same error.
> And at the maillog this:
> A protocol or library failure occurred,
> error:140E6118:lib(20):func(230):reason(280)
>
> Is it possible that there's a bug in spamdyke with strong encryption?
>
> Thanks for your help,
> Marc
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
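The reply above boils down to two checks: does OpenSSL accept the cipher string at all (the same parsing SSL_CTX_set_cipher_list() does with the text from "tls-cipher-list"), and do the server's and the client's strings have any cipher in common, since an empty intersection is exactly what surfaces as "alert handshake failure" with no 220 banner. The script below is an added example, not code from the thread, from spamdyke or from OpenSSL; it uses Python's standard ssl module (which calls SSL_CTX_set_cipher_list() underneath) to expand cipher strings offline, and the function names expand_cipher_list, common_ciphers and probe_starttls are my own. The cipher strings fed to it are the ones quoted in the thread.

```python
import smtplib
import ssl


def expand_cipher_list(spec):
    """Return the cipher names OpenSSL selects for the cipher string `spec`,
    interpreted the way SSL_CTX_set_cipher_list() interprets the text spamdyke
    hands it from "tls-cipher-list" (or openssl s_client gets from -cipher).
    TLS 1.3 suites are left out because OpenSSL configures those separately,
    so they never depend on this string.  A rejected string yields []."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []  # OpenSSL: "No cipher can be selected"
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def common_ciphers(server_spec, client_spec):
    """Ciphers present in both the server's and the client's expanded lists,
    in the server's preference order.  An empty result is the configuration
    that appears on the wire as "alert handshake failure" before any banner."""
    client = set(expand_cipher_list(client_spec))
    return [name for name in expand_cipher_list(server_spec) if name in client]


def probe_starttls(host, port, spec, smtps=False):
    """Live equivalent of `openssl s_client -starttls smtp -cipher SPEC`
    (or of `-connect host:465` with no -starttls when smtps=True).
    Returns (cipher_name, protocol) on success or None on handshake failure."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # diagnostic only: the question is which
    ctx.verify_mode = ssl.CERT_NONE  # cipher is negotiated, not whether the cert verifies
    ctx.set_ciphers(spec)
    try:
        if smtps:
            smtp = smtplib.SMTP_SSL(host, port, timeout=10, context=ctx)
        else:
            smtp = smtplib.SMTP(host, port, timeout=10)
            smtp.ehlo()
            smtp.starttls(context=ctx)
    except ssl.SSLError:
        return None  # e.g. no cipher in common with the server
    with smtp:
        name, protocol, _bits = smtp.sock.cipher()
        return name, protocol


if __name__ == "__main__":
    # Constructed inputs taken from the thread: each side's string on its own,
    # then whether the client's 'DH' shares anything with a server list.
    for spec in ("DH", "DHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384"):
        print(spec, "->", expand_cipher_list(spec))
    print("'DH' vs DEFAULT ->", common_ciphers("DEFAULT", "DH")[:3])
    # probe_starttls("localhost", 25, "DH") would then show what is negotiated.
```

A non-empty overlap is necessary but not sufficient: the server also has to hold a certificate of the right type and, for the DHE suites that "DH" selects, Diffie-Hellman parameters, otherwise OpenSSL drops those suites at handshake time even though they are in the list. That is why the thread's "dhparam" step matters when the negotiated cipher silently falls back from DHE-RSA-AES256-GCM-SHA384 to AES256-GCM-SHA384.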