blob: 62d11e8d295fe0c6fc8c64ff4c48f9ae0310fa6f (plain)
Frederik Vermeulen <qmail-tls akrul inoa.net> 20021228
http://inoa.net/qmail/qmail-1.03-tls.patch

This patch implements RFC2487 in qmail. This means you can 
get SSL or TLS encrypted and authenticated SMTP between 
the MTAs and from MUA to MTA. 
The code is considered experimental (but has worked for
many since its first release on 1999-03-21).

Usage: - install OpenSSL-0.9.6g http://www.openssl.org/
         (any 0.9.6 version is presumed to work)
       - apply patch to qmail-1.03 http://www.qmail.org/ 
         The patches to qmail-remote.c
         and qmail-smtpd.c can be applied separately.
       - provide a server certificate in /var/qmail/control/servercert.pem.
         "make cert" makes a self-signed certificate.
         "make cert-req" makes a certificate request.
         Note: you can add the CA certificate and intermediate
         certs to the end of servercert.pem.
       - replace qmail-smtpd and/or qmail-remote binary
       - verify operation (header information should show
         something like
         "Received [..] with DES-CBC3-SHA encrypted SMTP;")
         If you don't have a server to test with, you can test
         by sending mail to tag-ping@tbs-internet.com,
         which will bounce your mail.
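The verification step above relies on reading the "with <cipher> encrypted SMTP" marker out of the Received headers. The following Python script is an added example (not part of the patch or its README) that parses constructed sample Received headers, reports for each hop whether TLS was negotiated and with which OpenSSL cipher suite, and flags suite names a present-day reviewer would consider weak; the WEAK_TOKENS list is this example's own judgement, not something the README specifies.

```python
import re

# Constructed sample Received headers (not taken from the README): the first
# hop carries the "with <cipher> encrypted SMTP" marker the qmail TLS patch
# adds, the second is an ordinary plaintext SMTP hop.
SAMPLE_HEADERS = [
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "  by mx.example.net with DES-CBC3-SHA encrypted SMTP; 28 Dec 2002 12:00:00 -0000",
    "Received: from relay.example.com (relay.example.com [198.51.100.7])\n"
    "  by mail.example.org with SMTP; 28 Dec 2002 11:59:00 -0000",
]

# The token between "with" and "encrypted SMTP" is an OpenSSL cipher suite name.
_ENCRYPTED_RE = re.compile(r"\bwith\s+(\S+)\s+encrypted\s+SMTP\b")
_BY_RE = re.compile(r"\bby\s+(\S+)")

# Cipher-suite name components a reviewer would flag today (export grade,
# NULL encryption, single/triple DES, RC4, anonymous DH). Example's own list.
WEAK_TOKENS = {"EXP", "EXP1024", "NULL", "DES", "DES40", "RC4", "ADH", "AECDH"}


def parse_received(header):
    """Describe one Received: hop: receiving host, TLS use, cipher, weakness."""
    flat = " ".join(header.split())            # unfold continuation lines
    by = _BY_RE.search(flat)
    enc = _ENCRYPTED_RE.search(flat)
    cipher = enc.group(1) if enc else None
    tokens = set(cipher.upper().split("-")) if cipher else set()
    return {
        "by": by.group(1) if by else None,
        "encrypted": cipher is not None,
        "cipher": cipher,
        "weak": bool(tokens & WEAK_TOKENS),
    }


def audit_path(headers):
    """Parse every Received: header, most recent hop first."""
    return [parse_received(h) for h in headers]


def all_hops_encrypted(headers):
    """True only if every hop on the delivery path negotiated TLS."""
    return all(h["encrypted"] for h in audit_path(headers))


if __name__ == "__main__":
    for hop in audit_path(SAMPLE_HEADERS):
        print(hop)
    print("fully encrypted path:", all_hops_encrypted(SAMPLE_HEADERS))
```

Run it against the Received headers of a real test message by replacing SAMPLE_HEADERS; a hop without the marker means that leg of the path was sent in the clear, and a flagged cipher means the peer negotiated a suite you probably want to exclude through the cipher-selection files described below.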

Optional: - when DEBUG is defined, some extra TLS info will be logged
          - qmail-remote will authenticate with the certificate in
            /var/qmail/control/clientcert.pem. By preference this is
            the same as servercert.pem, where nsCertType should be 
            == server,client or be a generic certificate (no usage specified). 
          - when a 512 RSA key is provided in /var/qmail/control/rsa512.pem,
            this key will be used instead of on-the-fly generation by
            qmail-smtpd. Periodical replacement can be done by crontab:
            01 01 * * *  umask 0077; /usr/local/ssl/bin/openssl genrsa \
             -out /var/qmail/control/rsa512.new 512 > /dev/null 2>&1 &&\
             chown qmaild.qmail /var/qmail/control/rsa512.new && /bin/mv -f \
             /var/qmail/control/rsa512.new /var/qmail/control/rsa512.pem
          - server authentication:
            qmail-remote requires authentication from servers for which
            /var/qmail/control/tlshosts/host.dom.ain.pem exists.
            The .pem file contains the validating CA certificates
            (or self-signed server certificate).
            CommonName has to match.
            WARNING: this option may cause mail to be delayed, bounced,
            double-bounced, and lost.
          - client authentication:
            when relay rules would reject an incoming mail, 
            qmail-smtpd can allow the mail based on a presented cert.
            Certs are verified against a CA list in 
            /var/qmail/control/clientca.pem (eg. http://www.modssl.org/
            source/cvs/exp/mod_ssl/pkg.mod_ssl/pkg.sslcfg/ca-bundle.crt)
            and the cert email-address has to match a line in
            /var/qmail/control/tlsclients. This email-address is logged
            in the headers.
          - cipher selection:
            qmail-remote: 
              openssl cipher string (`man ciphers`) read from 
              /var/qmail/control/tlsclientciphers
            qmail-smtpd: 
              openssl cipher string read from TLSCIPHERS environment variable
              (can vary based on client IP address e.g.)
              or if that is not available /var/qmail/control/tlsserverciphers
          - smtps (deprecated SMTP over TLS via port 465):
            qmail-remote: when connecting to port 465 
            qmail-smtpd: when SMTPS environment variable is not empty
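The server-authentication, client-authentication, cipher-selection and smtps options above are all driven by the presence and contents of files under /var/qmail/control plus two environment variables. The following Python script is an added example (not code from the patch) that models those decisions against a constructed control directory: tlshosts/<host>.pem turns on server verification for that host, TLSCIPHERS overrides tlsserverciphers, SMTPS and port 465 select smtps, and a client certificate's e-mail address is accepted only if it appears as a line in tlsclients. The exact-match rule for tlsclients lines and the placeholder PEM content are this example's assumptions.

```python
import os
import tempfile


def make_control_dir(files):
    """Build a constructed stand-in for /var/qmail/control in a temp directory.
    `files` maps a path relative to control/ to its text content."""
    root = tempfile.mkdtemp(prefix="qmail-control-")
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    return root


def _read_control(root, name):
    """Return the stripped text of a control file, or None if it is absent."""
    path = os.path.join(root, name)
    if not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read().strip()


def remote_policy(root, host, port):
    """Model of what the README says qmail-remote does for one delivery."""
    ca_file = os.path.join(root, "tlshosts", host + ".pem")
    verify = os.path.isfile(ca_file)
    return {
        # tlshosts/<host>.pem present: the server cert must validate against it
        # and CommonName must match <host>; absent: opportunistic TLS only.
        "require_server_auth": verify,
        "ca_file": ca_file if verify else None,
        "ciphers": _read_control(root, "tlsclientciphers"),
        "smtps": port == 465,        # TLS from the start instead of STARTTLS
    }


def smtpd_policy(root, env, client_cert_email=None):
    """Model of qmail-smtpd's cipher precedence, smtps switch and cert relay."""
    # TLSCIPHERS in the environment wins; tlsserverciphers is the fallback.
    ciphers = env.get("TLSCIPHERS") or _read_control(root, "tlsserverciphers")
    allowed = _read_control(root, "tlsclients") or ""
    # Assumption of this example: a tlsclients line is compared exactly after
    # stripping whitespace; the README only says the address has to match.
    allowed_lines = {line.strip() for line in allowed.splitlines() if line.strip()}
    return {
        "ciphers": ciphers,
        "smtps": bool(env.get("SMTPS")),
        "relay_by_cert": client_cert_email is not None
        and client_cert_email in allowed_lines,
    }


def demo():
    """Construct a control directory and evaluate a few policy decisions."""
    root = make_control_dir({
        "tlshosts/mail.example.org.pem": "-----CONSTRUCTED CA PEM PLACEHOLDER-----\n",
        "tlsclientciphers": "HIGH:!MD5\n",
        "tlsserverciphers": "HIGH:MEDIUM\n",
        "tlsclients": "alice@example.org\n",
    })
    return {
        "pinned_host": remote_policy(root, "mail.example.org", 25),
        "other_host_465": remote_policy(root, "other.example.net", 465),
        "smtpd_default": smtpd_policy(root, {}, "alice@example.org"),
        "smtpd_env": smtpd_policy(
            root, {"TLSCIPHERS": "DEFAULT", "SMTPS": "1"}, "bob@example.org"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The model makes the operational consequences visible: a host without a tlshosts entry is delivered to with whatever certificate the peer presents, so the WARNING about delayed or lost mail applies only to hosts you have deliberately pinned, and a tlsclients entry grants relaying to anyone holding a certificate for that address that chains to clientca.pem, so that CA bundle should be as small as your relay policy allows.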

Caveats: - do a `make clean` after patching
         - binaries dynamically linked with current openssl versions need
           recompilation when the shared openssl libs are upgraded.
         - this patch could conflict with other patches (notably those
           replacing \n with \r\n, which is a bad idea on encrypted links).
         - some broken servers have a problem with TLSv1 compatibility.
           Uncomment the line where we set the SSL_OP_NO_TLSv1 option.
         - needs working /dev/urandom (or EGD for openssl versions >0.9.7)
           for seeding random number generator.
         - packagers should make sure that installing without a valid 
           servercert is impossible
         - when applied in combination with the AUTH patch, the AUTH patch
           should be applied first, and the first part of this patch
           will then fail. This error can be ignored. Packagers should
           cut the first 12 lines of this patch to make a patch that
           applies cleanly.

Copyright: GPL
           Links with OpenSSL
           Inspiration and code from examples in SSLeay (E. Young
           <eay@cryptsoft.com> and T. Hudson <tjh@cryptsoft.com>),
           stunnel (M. Trojnara <mtrojnar@ddc.daewoo.com.pl>),
           Postfix/TLS (L. Jaenicke <Lutz.Jaenicke@aet.tu-cottbus.de>),
           modssl (R. Engelschall <rse@engelschall.com>),
           openssl examples of E. Rescorla <ekr@rtfm.com>.
           Debug code, tlscipher selection, many feature suggestions,
           French docs https://www.TBS-internet.com/ssl/qmail-tls.html 
           from Jean-Philippe Donnio <tag-ssl@tbs-internet.com>.
           Openssl usage consulting from B. Möller <bmoeller@acm.org>.
           Bug report from A. Dustman <adustman@comstar.net>.
           Ssl_timeoutio functions (non-blocking io, timeouts), smtps, 
           auth, qmtp, mxps patch compatibility, man pages, code cleanup,
           improved error reporting, RFC2595 server identity check
           from A. Meltzer <albertikm (a) hotmail.com>.
           Bug report from Niall Richard Murphy, Tim Helton.

Bug reports: mailto:<jos-tls@kotnet.org>