Hmmm... I think you may be beyond the edge of my expertise, but I'll certainly 
try to help if I can.  spamdyke uses the OpenSSL library to handle SSL and TLS, 
so anything that works with OpenSSL on the command line should work with 
spamdyke as well.  The option "tls-cipher-list" serves the same function as the 
"-cipher" option to "openssl".  spamdyke just takes the text it's given and 
passes it to the SSL_CTX_set_cipher_list() function in the OpenSSL library 
before the connection is established.  The ciphers you give should be ones 
listed when you run "openssl ciphers" from the command line; I'm not sure how 
it handles abbreviations.

It's possible the problem is actually within openssl's SMTP client.  If it's 
not starting the SMTP connection and asking for TLS correctly, the client could 
be sending encrypted text while the server is still in plaintext mode or 
vice-versa.  That would yield some strange error messages on both sides.

I think I would suggest configuring spamdyke on port 465 with "tls-level" set 
to "smtps" and the "tls-cipher-list" option set to your specific ciphers.  Then 
use this command to connect and test (substitute your ciphers as appropriate):
        openssl s_client -quiet -cipher "EXP-RC4-MD5" -connect localhost:465
If it connects and you see the "220" greeting banner, it's working.  If you see 
an "alert handshake failure", you've probably selected a cipher the server 
doesn't support.

-- Sam Clippinger
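
A small offline check for the cipher-string point above, added here as an example (it is not spamdyke's code and not from either post in this thread). Python's ssl module hands a cipher string to the same SSL_CTX_set_cipher_list() call spamdyke uses for "tls-cipher-list", so expanding a string this way shows exactly which cipher names it selects on the local OpenSSL build, and intersecting a server string with a client string shows whether a handshake can succeed at all. The function names expand_cipher_list, cipher_overlap and diagnose are my own; the sample strings "DH" and "AES256-GCM-SHA384" are taken from the thread.

```python
import ssl

# Sample cipher strings taken from the thread (constructed usage, not a captured
# configuration): "DH" is what Marc passed to s_client with -cipher, and
# "AES256-GCM-SHA384" is the RSA-key-exchange cipher spamdyke negotiated.
SERVER_SPEC_EXAMPLE = "AES256-GCM-SHA384"
CLIENT_SPEC_EXAMPLE = "DH"


def expand_cipher_list(spec):
    """Expand an OpenSSL cipher-list string into the cipher names it selects.

    SSLContext.set_ciphers() passes the string to SSL_CTX_set_cipher_list(),
    the same OpenSSL call spamdyke makes with the tls-cipher-list value.
    OpenSSL rejects a string that selects no cipher at all, which Python
    raises as ssl.SSLError; that case comes back here as an empty list.
    get_ciphers() also reports TLS 1.3 suites, which this string does not
    govern, so those are filtered out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()
            if not c["protocol"].startswith("TLSv1.3")]


def cipher_overlap(server_spec, client_spec):
    """Ciphers both sides accept, in the server's preference order.

    An empty result is the situation behind OpenSSL's "sslv3 alert handshake
    failure": the server finds nothing it shares with the client's offer.
    """
    client = set(expand_cipher_list(client_spec))
    return [name for name in expand_cipher_list(server_spec) if name in client]


def diagnose(server_spec, client_spec):
    """One-line verdict for a server/client cipher-string pair."""
    if not expand_cipher_list(server_spec):
        return f"server list {server_spec!r} selects no cipher on this OpenSSL build"
    if not expand_cipher_list(client_spec):
        return f"client list {client_spec!r} selects no cipher on this OpenSSL build"
    shared = cipher_overlap(server_spec, client_spec)
    if not shared:
        return "no shared cipher: expect 'alert handshake failure'"
    return "would negotiate " + shared[0]


if __name__ == "__main__":
    # The thread's situation: a server offering only RSA key exchange and a
    # client asking for ephemeral DH has nothing in common.
    print(diagnose(SERVER_SPEC_EXAMPLE, CLIENT_SPEC_EXAMPLE))
    # Same string on both sides: the first shared cipher is what OpenSSL picks.
    print(diagnose("DH", "DH"))
```

This only tells you whether the two strings overlap on paper. A DHE cipher that both sides list still needs DH parameters present on the server side, which an offline intersection cannot see; the "openssl s_client -connect localhost:465" test above is what confirms the live handshake.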




On Sep 7, 2013, at 3:18 PM, Marc Gregel wrote:

> Hi :-)
> 
> These days where the NSA is watching us I decided to make my server as secure 
> as possible.
> For qmail it means to use TLS with strong encryption - openssl with "- 
> ciphers "EDHS:DE" for example.
> 
> The original QMAIL without spamdyke works fine:
> openssl s_client -starttls smtp -connect localhost:25
> shows me this:
> Protocol  : TLSv1.2
> Cipher    : DHE-RSA-AES256-GCM-SHA384
> Great!
> 
> Now I enable spamdyke and test it again...
> Protocol  : TLSv1.2
> Cipher    : AES256-GCM-SHA384
> 
> Ok, not that good... maybe just a wrong cipher list? So I specified it a 
> little bit more (works fine with qmail only):
> openssl s_client -starttls smtp -connect localhost:25 -cipher 'DH'
> 
> Oops, an error:
> CONNECTED(00000003)
> 139820346807976:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 
> alert handshake failure:s23_clnt.c:741:
> 
> I already tried to add "dhparam" to the qmail servercert
> (mentioned here http://permalink.gmane.org/gmane.mail.spam.spamdyke.user/3226 
> )
> but that didn't change anything...
> 
> 
> I also tested with "tls-cipher-list" param at the conf file - same error.
> And at the maillog this:
> A protocol or library failure occurred, 
> error:140E6118:lib(20):func(230):reason(280)
> 
> Is it possible that there's a bug in spamdyke with strong encryption?
> 
> Thanks for your help,
> Marc
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
