I think you're exactly right -- I'll need to add another TLS option to spamdyke 
to accept the DH parameters and pass them to OpenSSL with the callback.  I'll 
have to figure out how to test it as well...

Thanks for finding that link, I don't think I would have even looked at a 
function with "tmp" in its name!

-- Sam Clippinger




On Sep 9, 2013, at 3:34 AM, Marc Gregel wrote:

> Hi Sam,
> 
> is it possible that the problem is because of missing "dh keys"?
> I think (!) spamdyke doesn't use or call something like this here:
> http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html - read the 
> 'notes' part
> so ciphers with EDHE:DE won't work.
> 
> My server/openssl is fine because the original qmail-tls works with cipher 
> "EDHE_DH"! So the problem is the tls handling of spamdyke?!
> 
> 
> 2013/9/8 Sam Clippinger <s...@silence.org>
> Hmmm... I think you may be beyond the edge of my expertise, but I'll 
> certainly try to help if I can.  spamdyke uses the OpenSSL library to handle 
> SSL and TLS, so anything that works with OpenSSL on the command line should 
> work with spamdyke as well.  The option "tls-cipher-list" serves the same 
> function as the "-cipher" option to "openssl".  spamdyke just takes the text 
> it's given and passes it to the SSL_CTX_set_cipher_list() function in the 
> OpenSSL library before the connection is established.  The ciphers you give 
> should be ones listed when you run "openssl ciphers" from the command line, 
> I'm not sure how it handles abbreviations.
> 
> It's possible the problem is actually within openssl's SMTP client.  If it's 
> not starting the SMTP connection and asking for TLS correctly, the client 
> could be sending encrypted text while the server is still in plaintext mode 
> or vice-versa.  That would yield some strange error messages on both sides.
> 
> I think I would suggest configuring spamdyke on port 465 with "tls-level" set 
> to "smtps" and the "tls-cipher-list" option set to your specific ciphers.  
> Then use this command to connect and test (substitute your ciphers as 
> appropriate):
>       openssl s_client -quiet -cipher "EXP-RC4-MD5" -connect localhost:465
> If it connects and you see the "220" greeting banner, it's working.  If you 
> see an "alert handshake failure", you've probably selected a cipher the 
> server doesn't support.
> 
> -- Sam Clippinger
> 
> 
> 
> 
> On Sep 7, 2013, at 3:18 PM, Marc Gregel wrote:
> 
>> Hi :-)
>> 
>> These days where the NSA is watching us I decided to make my server as 
>> secure as possible.
>> For qmail it means to use TLS with strong encryption - openssl with 
>> -ciphers "EDHS:DE" for example.
>> 
>> The original QMAIL without spamdyke works fine:
>> openssl s_client -starttls smtp -connect localhost:25
>> shows me this:
>> Protocol  : TLSv1.2
>> Cipher    : DHE-RSA-AES256-GCM-SHA384
>> Great!
>> 
>> Now I enable spamdyke and test it again...
>> Protocol  : TLSv1.2
>> Cipher    : AES256-GCM-SHA384
>> 
>> Ok, not that good... maybe just a wrong cipher list? So I specified it a 
>> little bit more (works fine with qmail only):
>> openssl s_client -starttls smtp -connect localhost:25 -cipher 'DH'
>> 
>> Oops, an error:
>> CONNECTED(00000003)
>> 139820346807976:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 
>> alert handshake failure:s23_clnt.c:741:
>> 
>> I already tried to add "dhparam" to the qmail servercert
>> (mentioned here 
>> http://permalink.gmane.org/gmane.mail.spam.spamdyke.user/3226 )
>> but that didn't change anything...
>> 
>> 
>> I also tested with "tls-cipher-list" param at the conf file - same error.
>> And at the maillog this:
>> A protocol or library failure occurred, 
>> error:140E6118:lib(20):func(230):reason(280)
>> 
>> Is it possible that there's a bug in spamdyke with strong encryption?
>> 
>> Thanks for your help,
>> Marc
>> _______________________________________________
>> spamdyke-users mailing list
>> spamdyke-users@spamdyke.org
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
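The thread's diagnosis rests on one pattern: a plain RSA suite (AES256-GCM-SHA384) negotiates, while any DHE suite fails with "alert handshake failure", which is what an OpenSSL server does when it was never given Diffie-Hellman parameters. The following is an added example, written for this page and not taken from the thread or from spamdyke, that automates the "s_client -cipher X" test Sam describes and reads the results the way Marc's mails were read. It uses Python's OpenSSL-backed ssl module and smtplib; the host, port and the three cipher-suite names are assumptions (use names printed by "openssl ciphers"), and the server_context() helper only illustrates the server-side fix with assumed certificate paths.

```python
"""Probe which key-exchange families an SMTP server negotiates over STARTTLS
and read the result pattern described in the thread.

Added example, not spamdyke's code. Host/port, cipher names and the
certificate/DH-parameter paths are assumptions."""
import smtplib
import ssl

# One suite per key-exchange family (names as printed by `openssl ciphers`).
PROBE_CIPHERS = (
    "DHE-RSA-AES256-GCM-SHA384",    # ephemeral finite-field DH: needs server DH params
    "ECDHE-RSA-AES256-GCM-SHA384",  # ephemeral elliptic-curve DH
    "AES256-GCM-SHA384",            # plain RSA key transport, no forward secrecy
)


def key_exchange(cipher_name):
    """Classify an OpenSSL cipher-suite name by its key-exchange prefix.
    (Static DH-/ECDH- suites are rare and not handled here.)"""
    if cipher_name.startswith(("DHE-", "EDH-")):
        return "DHE"
    if cipher_name.startswith("ECDHE-"):
        return "ECDHE"
    return "RSA"


def probe_one(host, port, cipher, timeout=10.0):
    """Attempt STARTTLS with exactly one cipher suite allowed.

    Returns (negotiated_cipher, None) on success or (None, error_text) on
    failure. TLS is capped at 1.2 because set_ciphers() does not govern the
    TLS 1.3 suites, which would otherwise be negotiated regardless."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False      # probing ciphers, not validating the cert
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(cipher)
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            name, _protocol, _bits = smtp.sock.cipher()
            return name, None
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return None, str(exc)


def probe(host, port, ciphers=PROBE_CIPHERS):
    """Run probe_one() for every suite; returns {cipher: (negotiated, error)}."""
    return {c: probe_one(host, port, c) for c in ciphers}


def diagnose(results):
    """Interpret probe() output.

    Returns one of:
      "no-tls"        nothing negotiated at all
      "no-dh-params"  RSA suites work but every DHE suite fails: the server
                      never handed OpenSSL DH parameters (the thread's symptom)
      "ok"            every probed family negotiated
      "partial"       some other mix of failures
    """
    ok_by_family = {}
    for cipher, (negotiated, _error) in results.items():
        fam = key_exchange(cipher)
        ok_by_family[fam] = ok_by_family.get(fam, False) or negotiated is not None
    if not any(ok_by_family.values()):
        return "no-tls"
    if ok_by_family.get("RSA") and "DHE" in ok_by_family and not ok_by_family["DHE"]:
        return "no-dh-params"
    if all(ok_by_family.values()):
        return "ok"
    return "partial"


def server_context(certfile, keyfile, dhparams=None):
    """Server-side fix, in Python terms: without load_dh_params() OpenSSL has
    no group to use for DHE key exchange and will not select those suites,
    the same gap SSL_CTX_set_tmp_dh_callback() closes in C. (Assumed paths.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    if dhparams:
        ctx.load_dh_params(dhparams)   # e.g. output of `openssl dhparam 2048`
    return ctx


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    res = probe(host, port)
    for cipher, (negotiated, error) in res.items():
        print(f"{cipher:32} {negotiated or 'FAILED: ' + error}")
    print("diagnosis:", diagnose(res))
```

Run it as "python3 probe.py localhost 25" against qmail with and without spamdyke in front: the "no-dh-params" verdict corresponds to the log line "error:140E6118 ... reason(280)" and the handshake-failure alert seen in the thread. Note that an ECDHE failure alongside DHE points at the same class of problem (no tmp ECDH curve configured), which is why the two families are reported separately.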