Looking forward to the Update :-)
2013/9/10 Sam Clippinger <s...@silence.org> > I think you're exactly right -- I'll need to add another TLS option to > spamdyke to accept the DH parameters and pass them to OpenSSL with the > callback. I'll have to figure out how to test it as well... > > Thanks for finding that link, I don't think I would have even looked at a > function with "tmp" in its name! > > -- Sam Clippinger > > > > > On Sep 9, 2013, at 3:34 AM, Marc Gregel wrote: > > Hi Sam, > > is it possible that the problem is because of missing "dh keys"? > I think (!) spamdyke don't use or call something like this here: > http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html - read > the 'notes' part > so cipher with EDHE:DE won't work. > > My server/openssl is fine because the orginal qmail-tls works with cipher > EDHE_DH"! So the problem is the tls handling of spamdyke?! > > > 2013/9/8 Sam Clippinger <s...@silence.org> > >> Hmmm... I think you may be beyond the edge of my expertise, but I'll >> certainly try to help if I can. spamdyke uses the OpenSSL library to >> handle SSL and TLS, so anything that works with OpenSSL on the command line >> should work with spamdyke as well. The option "tls-cipher-list" serves the >> same function as the "-cipher" option to "openssl". spamdyke just takes >> the text it's given and passes it to the SSL_CTX_set_cipher_list() function >> in the OpenSSL library before the connection is established. The ciphers >> you give should be ones listed when you run "openssl ciphers" from the >> command line, I'm not sure how it handles abbreviations. >> >> It's possible the problem is actually within openssl's SMTP client. If >> it's not starting the SMTP connection and asking for TLS correctly, the >> client could be sending encrypted text while the server is still in >> plaintext mode or vice-versa. That would yield some strange error messages >> on both sides. >> >> I think I would suggest configuring spamdyke on port 465 with "tls-level" >> set to "smtps" and the "tls-cipher-list" option set to your specific >> ciphers. Then use this command to connect and test (substitute your >> ciphers as appropriate): >> openssl s_client -quiet -cipher "EXP-RC4-MD5" -connect localhost:465 >> If it connects and you see the "220" greeting banner, it's working. If >> you see an "alert handshake failure", you've probably selected a cipher the >> server doesn't support. >> >> -- Sam Clippinger >> >> >> >> >> On Sep 7, 2013, at 3:18 PM, Marc Gregel wrote: >> >> Hi :-) >> >> These days where the NSA is watching us I decided to make my server as >> secure as possible. >> For qmail it means to use TLS with strong encryption - openssl with "- >> ciphers "EDHS:DE" for example. >> >> The original QMAIL without spamdyke works fine: >> openssl s_client -starttls smtp -connect localhost:25 >> shows me this: >> Protocol : TLSv1.2 >> Cipher : DHE-RSA-AES256-GCM-SHA384 >> Great! >> >> Now I enable spamdyke and test it again... >> Protocol : TLSv1.2 >> Cipher : AES256-GCM-SHA384 >> >> Ok, not that good... maybe just a wrong cipher list? So I specified it a >> little bit more (works fine with qmail only): >> openssl s_client -starttls smtp -connect localhost:25 -cipher 'DH' >> >> Ups, an error: >> CONNECTED(00000003) >> 139820346807976:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 >> alert handshake failure:s23_clnt.c:741: >> >> I already tried to add "dhparam" to the qmail servercert >> (mentioned here >> http://permalink.gmane.org/gmane.mail.spam.spamdyke.user/3226 ) >> but that didnt't change anything... >> >> >> I also tested with "tls-cipher-list" param at the conf file - same error. >> And at the maillog this: >> A protocol or library failure occurred, error:140E6118:lib(20):func( >> 230):reason(280) >> >> Is it possible that there's a bug in spamdyke with strong encryption? >> >> Thanks for your help, >> Marc >> _______________________________________________ >> spamdyke-users mailing list >> spamdyke-users@spamdyke.org >> http://www.spamdyke.org/mailman/listinfo/spamdyke-users >> >> >> >> _______________________________________________ >> spamdyke-users mailing list >> spamdyke-users@spamdyke.org >> http://www.spamdyke.org/mailman/listinfo/spamdyke-users >> >> > _______________________________________________ > spamdyke-users mailing list > spamdyke-users@spamdyke.org > http://www.spamdyke.org/mailman/listinfo/spamdyke-users > > > > _______________________________________________ > spamdyke-users mailing list > spamdyke-users@spamdyke.org > http://www.spamdyke.org/mailman/listinfo/spamdyke-users > >
_______________________________________________ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users
