Atomic Secure Linux
 Post subject: PG qmail - no tls?
Posted: Sat Jan 09, 2016 10:30 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
On doing some tests, it appears that the version of qmail in PG doesn't support TLS.

This is a result of trying to enable it and failing, then using spamdyke's config test which says:
"WARNING: /var/qmail/bin/qmail-smtpd does not appear to offer TLS support."

Is this really the case, and if so is there any chance of getting TLS support enabled please?

spamdyke does allow you to use tls without qmail being patched for tls (using smtp-no-passthrough mode), but ideally it would be nice if qmail did it, I think.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: PG qmail - no tls?
Posted: Mon Jan 11, 2016 4:12 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
I'll have to poke around to see if anyone has made a patch for TLSv1+ on qmail. Presumably it exists, since I think plesk's qmail daemon does work with it.


 Post subject: Re: PG qmail - no tls?
Posted: Tue Jan 12, 2016 7:48 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
I'm actually failing to get spamdyke's native TLS to work. I think it is something to do with cyphers. I'm continuing to investigate :-(



 Post subject: Re: PG qmail - no tls?
Posted: Tue Mar 08, 2016 11:20 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Just getting back to this ... it looks as though we are going to have to move some of our clients off our PG boxes due to lack of TLS.

Much to my surprise, one of the UK banks is refusing to send email to mailservers that don't support TLS, and a few of our clients bank with them. I guess this is a reasonable policy for a bank so I can't complain.

I will try again to get spamdyke to do the TLS, but that's going to take a while.

Obviously PG is not a commercial product and I'm grateful that you have put it together and allowed people like me to make use of your expertise, so don't think this is a complaint. It is just a plea for TLS support ASAP :-)



 Post subject: Re: PG qmail - no tls?
Posted: Tue Mar 08, 2016 7:50 pm
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
It is absurd for an MX not to support TLS. This forces all your messages to be shouted in clear text over the internet from server to server.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: PG qmail - no tls?
Posted: Tue Mar 08, 2016 10:36 pm
Forum User

Joined: Mon Mar 18, 2013 6:26 pm
Posts: 63
Location: Earth
Quote:
It is absurd for an MX not to support TLS. This forces all your messages to be shouted in clear text over the internet from server to server.


qmail was written before TLS even existed. Is it any wonder it doesn't support it? Of course, you could ask for your money back lol

_________________
If everything was easy, then the world wouldn't need engineers.


 Post subject: Re: PG qmail - no tls?
Posted: Wed Mar 09, 2016 7:51 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Well, I have to report that I've failed spectacularly to get spamdyke to handle TLS for qmail (for receiving, obviously not for sending).

I've been trying all morning, and after sorting a few rookie errors with the perms on the certificate files, I am still stuck with:

Code:
unable to start SSL/TLS connection: A protocol or library failure occurred, error:1408A0BB:lib(20):func(138):reason(187)


I'll see if anyone on the spamdyke mailing list has any suggestions.



 Post subject: Re: PG qmail - no tls?
Posted: Wed Mar 09, 2016 10:24 am
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
hostingg wrote:
Quote:
It is absurd for an MX not to support TLS. This forces all your messages to be shouted in clear text over the internet from server to server.


qmail was written before TLS even existed. Is it any wonder it doesn't support it? Of course, you could ask for your money back lol


I wasn't complaining about qmail, merely stating that it is irresponsible to provide an MX service without TLS.



 Post subject: Re: PG qmail - no tls?
Posted: Wed Mar 09, 2016 6:22 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Whew! Finally. I've figured out why spamdyke won't talk TLS. It is because of fixcrio in the tcpserver line, which breaks TLS.

Revisiting these posts from a lifetime ago, it seems I was aware of this all the while:
viewtopic.php?t=3534&p=19890
https://talk.plesk.com/threads/hotmail- ... ail.94222/

The version of fixcrio on the PG boxes comes from the Atomic/PG repo ucspi-tcp-0.88-5.el6.art.

As it happens, someone wrote a patch for fixcrio that resolved this issue:
http://www.mail-archive.com/qmail@id.wu ... 48044.html

Code:
--- ucspi-tcp-0.88/fixcrio.c    Sat Mar 18 16:18:42 2000
+++ ucspi-tcp-0.88.new/fixcrio.c        Sat Jun  2 01:39:46 2001
@@ -23,6 +23,14 @@
 int rightpos;
 int rightflagcr = 0;
 
+#define NULL ((void *)0)
+int active = 1;
+int gotleft_tls = 0;
+static char left_tls[] = "STARTTLS";
+static char right_tls[] = "220";
+static char *left_p = NULL;
+static char *right_p = NULL;
+
 void doit(int fdleft,int fdright)
 {
   struct taia stamp;
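Review bot: `#define NULL ((void *)0)` is unconditional, so if any header included above this point already defines NULL the compiler reports a redefinition (a warning or an error depending on flags); guard it with `#ifndef NULL` or include `<stddef.h>` instead. The new globals `active`, `gotleft_tls`, `left_p` and `right_p` carry a small STARTTLS state machine across both copy loops but get no comment; a one-line note that `active` is cleared once the client's STARTTLS line is answered with a 220 reply would help the next reader of this file.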
@@ -83,9 +91,20 @@
        leftlen = 0;
        for (i = 0;i < r;++i) {
          ch = prebuf[i];
-         if (ch == '\n')
-           if (!leftflagcr)
-             leftbuf[leftlen++] = '\r';
+         if (active)
+           if (ch == '\n') {
+             if (!leftflagcr)
+               leftbuf[leftlen++] = '\r';
+             gotleft_tls = (left_p != NULL && *left_p == 0);
+             if (gotleft_tls)
+               right_p = right_tls;
+             left_p = left_tls;
+           } else if (left_p != NULL && *left_p != 0) {
+             if (ch == *left_p)
+               left_p++;
+             else
+               left_p = NULL;
+           }
          leftbuf[leftlen++] = ch;
          leftflagcr = (ch == '\r');
        }
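Review bot: the command match at `if (ch == *left_p) left_p++;` is byte-exact, so a client that sends `starttls` in lower case (SMTP commands are case-insensitive) is never detected and fixcrio keeps inserting CRs into the TLS stream that follows, which is the very failure this patch is meant to cure; compare with case folding (for example via toupper()) before advancing `left_p`. Note also that this is a prefix match: once every byte of "STARTTLS" has been seen, the `else if (left_p != NULL && *left_p != 0)` branch no longer runs, so anything up to the newline is ignored, which is fine for the trailing CR but also accepts "STARTTLSX".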
@@ -107,9 +126,18 @@
       rightlen = 0;
       for (i = 0;i < r;++i) {
        ch = prebuf[i];
-       if (ch == '\n')
-         if (!rightflagcr)
-           rightbuf[rightlen++] = '\r';
+       if (active)
+         if (ch == '\n') {
+           if (!rightflagcr)
+             rightbuf[rightlen++] = '\r';
+           active = !(right_p != NULL && *right_p == 0);
+           right_p = NULL;
+         } else if (right_p != NULL && *right_p != 0) {
+           if (ch == *right_p)
+             right_p++;
+           else
+             right_p = NULL;
+         }
        rightbuf[rightlen++] = ch;
        rightflagcr = (ch == '\r');
       }
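Review bot: `active = !(right_p != NULL && *right_p == 0);` is the only place `active` changes and nothing ever sets it back to 1; that is the intended behaviour (after a successful STARTTLS the rest of the connection is TLS), but it deserves a comment, since the unchanged `rightbuf[rightlen++] = ch;` lines still run with CR insertion disabled and a reader could assume rewriting resumes on the next line. Separately, `right_p` is assigned from the left-hand loop while this loop resets it at every newline, so the code assumes no server line is part-way through when the client's STARTTLS line completes; the client does wait for the 220 in practice, but that ordering assumption should be stated next to the declaration.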


But I'm wondering - Scott, do we still need fixcrio? Was it only there to deal with broken clients? Or is it vital?


EDIT: For my own reference: After manually patching fixcrio.c, to successfully compile and save somewhere safe, you need to edit conf-home to save these somewhere other than /usr/local/bin and add the following to conf-cc at the end of the gcc line: "-include /usr/include/errno.h" (without the quotes). Then I suggest renaming the new fixcrio to fixcriotls and copying it to /usr/local/bin and modifying the tcpserver line to use that instead for testing.



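To see why a CRLF-fixing filter in front of qmail-smtpd produces exactly the "unable to start SSL/TLS connection" failure reported above, here is an added Python model of fixcrio's rewrite and of the STARTTLS/220 gating the quoted patch adds; it is written for this thread and is not code from ucspi-tcp, spamdyke or the patch, and the SMTP lines and TLS record bytes are constructed.

```python
# Added model (not ucspi-tcp, spamdyke or the quoted patch's code): fixcrio puts
# '\r' before every bare '\n' in both directions, so once STARTTLS turns the
# stream into binary TLS records any 0x0A byte inside them is corrupted.  The
# patched variant stops rewriting once STARTTLS is answered with a 220.
class CrlfFixer:
    def __init__(self, starttls_aware: bool = False) -> None:
        self.aware = starttls_aware
        self.active = True                  # still rewriting bare LF?
        self.starttls_pending = False       # last client line was STARTTLS
        self.prev_cr = {"client": False, "server": False}
    def _fix(self, data: bytes, side: str) -> bytes:
        out, prev_cr = bytearray(), self.prev_cr[side]
        for b in data:
            if b == 0x0A and not prev_cr:
                out.append(0x0D)            # bare LF -> CRLF
            out.append(b)
            prev_cr = b == 0x0D
        self.prev_cr[side] = prev_cr
        return bytes(out)

    def client_to_server(self, data: bytes) -> bytes:
        if not self.active:
            return data                     # TLS bytes pass through untouched
        fixed = self._fix(data, "client")
        if self.aware:
            for line in fixed.split(b"\n")[:-1]:   # complete lines only
                # same case-sensitive prefix match as the patch
                self.starttls_pending = line.startswith(b"STARTTLS")
        return fixed

    def server_to_client(self, data: bytes) -> bytes:
        if not self.active:
            return data
        fixed = self._fix(data, "server")
        if self.aware:
            for line in fixed.split(b"\n")[:-1]:
                if self.starttls_pending and line.startswith(b"220"):
                    self.active = False     # handshake starts: stop rewriting
                self.starttls_pending = False
        return fixed
# Constructed TLS record header; the length field 0x000A holds an LF byte.
TLS_RECORD = bytes([0x16, 0x03, 0x01, 0x00, 0x0A, 0x01, 0x00, 0x00, 0x06, 0x03, 0x03])
def handshake_survives(starttls_aware: bool) -> bool:
    """Replay a constructed STARTTLS exchange (per chunk, unlike the per-byte patch)."""
    f = CrlfFixer(starttls_aware)
    f.client_to_server(b"EHLO client.example\n")
    f.server_to_client(b"250-mail.example\r\n250 STARTTLS\r\n")
    f.client_to_server(b"STARTTLS\n")
    f.server_to_client(b"220 Ready to start TLS\r\n")
    return f.client_to_server(TLS_RECORD) == TLS_RECORD
```

With the unpatched behaviour the record's length byte 0x0A becomes 0x0D 0x0A, so the handshake fails on the first record; with the gating in place the record is delivered intact.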