PG qmail - no tls?

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

PG qmail - no tls?

Unread post by faris »

On doing some tests, it appears that the version of qmail in PG doesn't support TLS.

This is a result of trying to enable it and failing, then using spamdyke's config test which says:
"WARNING: /var/qmail/bin/qmail-smtpd does not appear to offer TLS support."

Is this really the case, and if so is there any chance of getting TLS support enabled please?

spamdyke does allow you to use TLS without qmail being patched for TLS (using smtp-no-passthrough mode), but ideally it would be nice if qmail did it, I think.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
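A way to confirm from the outside what spamdyke's config test reports, as an added example for this thread (not code from Project Gamera, qmail or spamdyke): parse the server's EHLO reply for the STARTTLS keyword and, if it is there, attempt the handshake. The host name, the client name `probe.example` and the sample replies are assumptions; the sample replies are constructed, not captured from a real server.

```python
"""Probe an SMTP server for STARTTLS: parse the EHLO capability list and,
if STARTTLS is advertised, attempt the handshake. Added example for this
thread, not code from Project Gamera, qmail or spamdyke."""
import socket
import ssl


def parse_ehlo_reply(reply):
    """Return the set of upper-cased extension keywords from an EHLO reply.

    An EHLO reply is a run of lines "250-<text>" (more follow) ending with
    "250 <text>". The first 250 line carries the server's own name and
    greeting rather than an extension, so it is skipped.
    """
    exts = set()
    first = True
    for line in reply.splitlines():
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue                      # not part of a 250 reply
        if first:
            first = False                 # "250-mx.example Hello ..." line
            continue
        words = line[4:].split()
        if words:
            exts.add(words[0].upper())
    return exts


def offers_starttls(reply):
    return "STARTTLS" in parse_ehlo_reply(reply)


def _read_reply(f):
    """Read one complete (possibly multi-line) SMTP reply from a file object."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "NNN " marks the last line
            return "".join(lines)


def probe_starttls(host, port=25, timeout=10.0):
    """Talk to a live server (network access required; not run by the tests).

    Returns a dict: advertised (bool), handshake (bool), and on success the
    negotiated protocol and cipher, otherwise the server reply or TLS error.
    Certificate validation is deliberately off: the question here is only
    whether the MX can speak TLS at all.
    """
    result = {"advertised": False, "handshake": False, "error": None}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        _read_reply(f)                                   # 220 banner
        sock.sendall(b"EHLO probe.example\r\n")          # assumed client name
        result["advertised"] = offers_starttls(_read_reply(f))
        if not result["advertised"]:
            sock.sendall(b"QUIT\r\n")
            return result
        sock.sendall(b"STARTTLS\r\n")
        reply = _read_reply(f)
        if not reply.startswith("220"):
            result["error"] = reply.strip()              # e.g. 454 TLS not available
            return result
        f.close()                                        # nothing buffered past the 220
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
            result["handshake"] = True
            result["protocol"] = tls.version()
            result["cipher"] = tls.cipher()[0]
            tls.sendall(b"QUIT\r\n")
            tls.close()
        except ssl.SSLError as exc:
            result["error"] = str(exc)                    # e.g. handshake failure
    return result


# Constructed sample replies (not captured from a real server).
SAMPLE_EHLO_WITH_TLS = (
    "250-mx.example.net Hello probe.example\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
SAMPLE_EHLO_NO_TLS = (
    "250-mx.example.net Hello probe.example\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    import sys
    print(probe_starttls(sys.argv[1]))
```

Run it as `python probe.py mx.example.net`; `openssl s_client -starttls smtp -connect mx.example.net:25` gives the same answer with more handshake detail, which is what you want when the failure is a cipher mismatch rather than a missing STARTTLS.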
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: PG qmail - no tls?

Unread post by scott »

I'll have to poke around to see if anyone has made a patch for TLSv1+ on qmail. Presumably it exists, since I think Plesk's qmail daemon does work with it.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: PG qmail - no tls?

Unread post by faris »

I'm actually failing to get spamdyke's native TLS to work. I think it is something to do with ciphers. I'm continuing to investigate :-(
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: PG qmail - no tls?

Unread post by faris »

Just getting back to this ... it looks as though we are going to have to move some of our clients off our PG boxes due to lack of TLS.

Much to my surprise, one of the UK banks is refusing to send email to mailservers that don't support TLS, and a few of our clients bank with them. I guess this is a reasonable policy for a bank so I can't complain.

I will try again to get spamdyke to do the TLS, but that's going to take a while.

Obviously PG is not a commercial product and I'm grateful that you have put it together and allowed people like me to make use of your expertise, so don't think this is a complaint. It is just a plea for TLS support ASAP :-)
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: PG qmail - no tls?

Unread post by prupert »

It is absurd for an MX not to support TLS. This forces all your messages to be shouted in clear text over the internet from server to server.
Lemonbit Internet Dedicated Server Management
hostingg
Forum User
Posts: 63
Joined: Mon Mar 18, 2013 6:26 pm
Location: Earth

Re: PG qmail - no tls?

Unread post by hostingg »

prupert wrote:
It is absurd for an MX not to support TLS. This forces all your messages to be shouted in clear text over the internet from server to server.
qmail was written before TLS even existed. Is it any wonder it doesn't support it? Of course, you could ask for your money back lol
If everything was easy, then the world wouldn't need engineers.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: PG qmail - no tls?

Unread post by faris »

Well, I have to report that I've failed spectacularly to get spamdyke to handle TLS for qmail (for receiving, obviously not for sending).

I've been trying all morning, and after sorting a few rookie errors with the perms on the certificate files, I am still stuck with:

unable to start SSL/TLS connection: A protocol or library failure occurred, error:1408A0BB:lib(20):func(138):reason(187) 
I'll see if anyone on the spamdyke mailing list has any suggestions.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: PG qmail - no tls?

Unread post by prupert »

hostingg wrote:
It is absurd for an MX not to support TLS. This forces all your messages to be shouted in clear text over the internet from server to server.
qmail was written before tls even existed. is it any wonder it doesnt support it? of course you could ask for your money back lol
I wasn't complaining about qmail, merely stating that it is irresponsible to provide an MX service without TLS.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: PG qmail - no tls?

Unread post by faris »

Whew! Finally. I've figured out why spamdyke won't talk TLS. It is because of fixcrio in the tcpserver line, which breaks TLS.

Revisiting these posts from a lifetime ago, it seems I was aware of this all the while:
https://atomicorp.com/forums/viewtopic. ... 34&p=19890
https://talk.plesk.com/threads/hotmail- ... ail.94222/

The version of fixcrio on the PG boxes comes from the Atomic/PG repo ucspi-tcp-0.88-5.el6.art.

As it happens, someone wrote a patch for fixcrio that resolved this issue:
http://www.mail-archive.com/qmail@id.wu ... 48044.html

--- ucspi-tcp-0.88/fixcrio.c    Sat Mar 18 16:18:42 2000
+++ ucspi-tcp-0.88.new/fixcrio.c        Sat Jun  2 01:39:46 2001
@@ -23,6 +23,14 @@
 int rightpos;
 int rightflagcr = 0;
 
+#define NULL ((void *)0)
+int active = 1;
+int gotleft_tls = 0;
+static char left_tls[] = "STARTTLS";
+static char right_tls[] = "220";
+static char *left_p = NULL;
+static char *right_p = NULL;
+
 void doit(int fdleft,int fdright)
 {
   struct taia stamp;
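Review bot: `#define NULL ((void *)0)` redefines a standard macro; include <stddef.h> (or rely on the headers fixcrio.c already pulls in) rather than defining it here, since any later include that also defines NULL will produce a redefinition warning. The new matcher state (`active`, `left_p`, `right_p`, `gotleft_tls`) is file-scope and therefore per-process, which is fine only because tcpserver runs one fixcrio per connection; a one-line comment saying so, and saying what `active` means (CRLF rewriting stays on until a STARTTLS command has been answered with 220), would help the next reader. `gotleft_tls` is only used as a temporary inside doit() and could be a local there.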
@@ -83,9 +91,20 @@
        leftlen = 0;
        for (i = 0;i < r;++i) {
          ch = prebuf[i];
-         if (ch == '\n')
-           if (!leftflagcr)
-             leftbuf[leftlen++] = '\r';
+         if (active)
+           if (ch == '\n') {
+             if (!leftflagcr)
+               leftbuf[leftlen++] = '\r';
+             gotleft_tls = (left_p != NULL && *left_p == 0);
+             if (gotleft_tls)
+               right_p = right_tls;
+             left_p = left_tls;
+           } else if (left_p != NULL && *left_p != 0) {
+             if (ch == *left_p)
+               left_p++;
+             else
+               left_p = NULL;
+           }
          leftbuf[leftlen++] = ch;
          leftflagcr = (ch == '\r');
        }
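Review bot: the STARTTLS match is case-sensitive and prefix-only. `left_p` is compared byte for byte against "STARTTLS", and once the whole string has matched (`*left_p == 0`) the remaining bytes of the line are no longer examined, so "starttls" (legal, since SMTP commands are case-insensitive) never arms the 220 check while "STARTTLSxyz\n" does. Compare case-insensitively and require that the only byte between the keyword and '\n' is an optional '\r'. Stylistically, `if (active)` wrapping an `if (ch == '\n') { ... } else if (...) { ... }` chain without its own braces reads like a dangling else; brace the outer `if` so the binding is obvious at a glance.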
@@ -107,9 +126,18 @@
       rightlen = 0;
       for (i = 0;i < r;++i) {
        ch = prebuf[i];
-       if (ch == '\n')
-         if (!rightflagcr)
-           rightbuf[rightlen++] = '\r';
+       if (active)
+         if (ch == '\n') {
+           if (!rightflagcr)
+             rightbuf[rightlen++] = '\r';
+           active = !(right_p != NULL && *right_p == 0);
+           right_p = NULL;
+         } else if (right_p != NULL && *right_p != 0) {
+           if (ch == *right_p)
+             right_p++;
+           else
+             right_p = NULL;
+         }
        rightbuf[rightlen++] = ch;
        rightflagcr = (ch == '\r');
       }
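Review bot: `active = !(right_p != NULL && *right_p == 0)` clears `active` when the first server line after the client's STARTTLS begins with "220", including a "220-" continuation line, and once cleared it is never set again. Both points deserve a comment: the permanence is intentional, because everything after the 220 reply is TLS record data in both directions, but the prefix match should also check that the byte after "220" is a space or '\r' so that a continuation line cannot end rewriting early. Since `right_p = NULL` runs on every server newline, only that first server line is ever inspected, which is right for the single-line 220 reply STARTTLS expects but is worth stating next to the assignment.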
But I'm wondering - Scott, do we still need fixcrio? Was it only there to deal with broken clients? Or is it vital?


EDIT: For my own reference: after manually patching fixcrio.c, to compile it successfully and keep it somewhere safe, you need to edit conf-home so that it installs somewhere other than /usr/local/bin, and add the following to the end of the gcc line in conf-cc: "-include /usr/include/errno.h" (without the quotes). Then I suggest renaming the new fixcrio to fixcriotls, copying it to /usr/local/bin and modifying the tcpserver line to use that instead for testing.
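Why fixcrio and STARTTLS cannot coexist, and what the patch changes, as an added example for this thread (not the ucspi-tcp source or the patch itself): a byte-for-byte model of fixcrio's LF-to-CRLF rewriting in both directions, with a `tls_aware` mode that mirrors the patched behaviour of stopping once a STARTTLS command has been answered with 220. The keyword match here is case-insensitive and whole-line, and the 220 must be followed by a space or end of line, which is stricter than the patch. The host names and the byte string standing in for the client's first TLS record are constructed.

```python
"""Model of what fixcrio does to a STARTTLS session, unpatched and with the
STARTTLS-aware behaviour of the patch. Added example for this thread, not
the ucspi-tcp source or the patch itself; the TLS record below is a
constructed stand-in, not a real ClientHello."""


class FixCrio:
    """LF -> CRLF rewriting in both directions, byte by byte, as fixcrio does.

    With tls_aware=True the rewriting stops once the client has sent a
    STARTTLS line and the server has answered it with a 220 line, because
    from then on both directions carry TLS records, which are binary and
    may legitimately contain 0x0A bytes.
    """

    MAX_LINE = 512   # SMTP command/reply lines are short; cap what we remember

    def __init__(self, tls_aware):
        self.tls_aware = tls_aware
        self.active = True          # rewriting on until STARTTLS is accepted
        self.expect_220 = False     # client sent STARTTLS; next server line decides
        self.left_cr = False        # last client byte was '\r'
        self.right_cr = False       # last server byte was '\r'
        self.left_line = bytearray()
        self.right_line = bytearray()

    def client_to_server(self, data):
        out = bytearray()
        for b in data:
            if self.active:
                if b == 0x0A:
                    if not self.left_cr:
                        out.append(0x0D)       # the "fix": bare LF becomes CRLF
                    line = bytes(self.left_line).rstrip(b"\r").upper()
                    if self.tls_aware and line == b"STARTTLS":
                        self.expect_220 = True
                    self.left_line.clear()
                elif len(self.left_line) < self.MAX_LINE:
                    self.left_line.append(b)
            out.append(b)
            self.left_cr = b == 0x0D
        return bytes(out)

    def server_to_client(self, data):
        out = bytearray()
        for b in data:
            if self.active:
                if b == 0x0A:
                    if not self.right_cr:
                        out.append(0x0D)
                    line = bytes(self.right_line).rstrip(b"\r")
                    if self.expect_220:
                        if line == b"220" or line.startswith(b"220 "):
                            self.active = False   # handshake follows: pass bytes through
                        self.expect_220 = False   # a 4xx/5xx reply leaves rewriting on
                    self.right_line.clear()
                elif len(self.right_line) < self.MAX_LINE:
                    self.right_line.append(b)
            out.append(b)
            self.right_cr = b == 0x0D
        return bytes(out)


# Constructed stand-in for the client's first TLS record: a record header whose
# length field is 0x000A, followed by payload bytes that include 0x0A. It is not
# a valid ClientHello; it only has to contain bare LF bytes, as real records do.
TLS_RECORD = b"\x16\x03\x01\x00\x0a" + b"\x01\x00\x00\x06\x03\x03\x0a\x0d\x0a\x00"


def run_session(tls_aware, server_accepts=True):
    """Replay a STARTTLS exchange through the filter and report what the
    server would have received after its 220 (or 454) reply."""
    f = FixCrio(tls_aware)
    ehlo = f.client_to_server(b"EHLO client.example\n")      # bare LF, gets fixed
    f.server_to_client(b"250-mx.example\r\n250 STARTTLS\r\n")
    f.client_to_server(b"StartTLS\r\n")
    if server_accepts:
        f.server_to_client(b"220 Ready to start TLS\r\n")
        sent = TLS_RECORD
    else:
        f.server_to_client(b"454 TLS not available due to temporary reason\r\n")
        sent = b"QUIT\n"
    received = f.client_to_server(sent)
    return {"ehlo": ehlo, "sent": sent, "received": received,
            "intact": received == sent}


if __name__ == "__main__":
    for aware in (False, True):
        r = run_session(aware)
        print("tls_aware=%s record intact=%s (%d -> %d bytes)"
              % (aware, r["intact"], len(r["sent"]), len(r["received"])))
```

Unpatched, the 15-byte record arrives at qmail-smtpd (or spamdyke) as 17 bytes with two extra 0x0D characters, one of them inside the record length field, so the handshake fails before a single cipher is negotiated; in `tls_aware` mode the record is untouched, while a refused STARTTLS (454) leaves the CRLF fixing in place for the rest of the plaintext session.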