smtp-auth + qmail-tls + forcetls patch for qmail

September 27, 2024 by Roberto Puzzanghera 105 comments

  • Browse patched qmail on github

Changelog

  • Sep 26, 2024
    - sources moved to github
    - solved (I think) all compilation errors/warnings against GCC 14.2
  • Jul 10, 2024
    - Bug fix in qmail-smtpd.c's smtp_auth function, where an AUTH command with no argument or with an invalid one caused a segfault (commit)
  • Jan 15, 2024
    - TLS patch by F. Vermeulen upgraded to version 20231230 (more info at https://inoa.net/qmail-tls/; thanks to Greg Bell for the patch)
    - support for openssl 3.0.11
  • Mar 12, 2023
    - The mail headers now say "ESMTPSA" instead of "ESMTPA" when the user is authenticated via STARTTLS/SMTPS (thanks to Ali Erturk TURKER); diff here
  • Feb 16, 2022
    - fixed a TLS renegotiation DoS vulnerability: all renegotiation is disabled in TLSv1.2 and earlier (openssl-1.1 only). (diff here)

This package bundles the latest versions of the following patches for netqmail-1.06.

You may also be interested in the combined patch I have put together here.

qmail-authentication

Provides CRAM-MD5, LOGIN and PLAIN authentication support.
Fixed wrong capability advertisement in the EHLO response (thanks to Florian and genconc): the "-" sign before the AUTH verb has been removed, because AUTH is the last line of the response and the final line of a multiline reply must use "250 " (space):

-  if (smtpauth == 1 || smtpauth == 11) out("250-AUTH LOGIN PLAIN\r\n");
-  if (smtpauth == 3 || smtpauth == 13) out("250-AUTH LOGIN PLAIN CRAM-MD5\r\n");
-  if (smtpauth == 2 || smtpauth == 12) out("250-AUTH CRAM-MD5\r\n");
+  if (smtpauth == 1 || smtpauth == 11) out("250 AUTH LOGIN PLAIN\r\n");
+  if (smtpauth == 3 || smtpauth == 13) out("250 AUTH LOGIN PLAIN CRAM-MD5\r\n");
+  if (smtpauth == 2 || smtpauth == 12) out("250 AUTH CRAM-MD5\r\n");
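Review bot: "250 " (space) marks the final line of a multiline EHLO reply, so these three lines are correct only while AUTH is the last capability qmail-smtpd emits; as the note right below says, the "-" has to come back as soon as another line is appended after them. A less fragile shape would keep the AUTH lines as "250-AUTH ..." and follow them with one unconditional closing capability line (such as the "250 SIZE" line visible in the transcripts further down the page) that always ends the reply, so the terminator no longer depends on which smtpauth branch fires.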

Remember to restore the "-" sign if you are going to append another line to the EHLO response after the AUTH line.

qmail-tls

Implements TLS-encrypted and authenticated SMTP between MTAs and from MUA to MTA.

force-tls

Optionally makes qmail require TLS before authentication, so that credentials are never sent in clear text.

Usage

Create users and groups:

groupadd nofiles
useradd -g nofiles -d /var/qmail/alias alias
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
groupadd qmail
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails

Download and install:

git clone -b auth-tls-forcetls https://github.com/sagredo-dev/qmail.git
cd qmail
chown -R root:root .
make setup check

Forcing STARTTLS

By default, authentication is refused unless the client has issued the STARTTLS command first. If you want to allow authentication without TLS, just put

export FORCETLS=0

in your run file. Any value other than 0, or no declaration at all, forces TLS before authentication.
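To check a running server against the FORCETLS behaviour just described, and against the EHLO "-" fix earlier on this page, here is an added example (my own code, not part of the patch): it parses a multiline EHLO reply, flags a reply that is never terminated, and reports whether AUTH is offered or accepted before STARTTLS. The sample replies are constructed, modelled on the transcripts quoted in the comments below, with placeholder hostnames.

```python
import re

# One SMTP reply line: 3-digit code, then "-" (more lines follow) or " " (final line)
_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo_reply(reply):
    """Parse a raw (possibly multiline) EHLO reply.

    Returns (code, capabilities, terminated). The first 250 line carries the
    server name and is not a capability. terminated is False when no line
    uses "250 " (code followed by a space): the reply then never ends, which
    is exactly what the old "250-AUTH ..." last line produced.
    """
    code = None
    lines = []
    terminated = False
    for raw in reply.replace("\r\n", "\n").split("\n"):
        if not raw:
            continue
        m = _REPLY_LINE.match(raw)
        if m is None:
            raise ValueError("not an SMTP reply line: %r" % raw)
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            raise ValueError("reply code changed mid-reply: %r" % raw)
        lines.append(m.group(3))
        if m.group(2) == " ":
            terminated = True
            break
    return code, lines[1:], terminated


def auth_mechanisms(capabilities):
    """Mechanisms advertised by 'AUTH ...' capability lines, e.g. {'LOGIN', 'PLAIN'}."""
    mechs = set()
    for cap in capabilities:
        words = cap.split()
        if words and words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return mechs


def audit_submission(plaintext_ehlo, tls_ehlo=None, plaintext_auth_reply=None):
    """Check EHLO/AUTH behaviour against the FORCETLS policy.

    plaintext_ehlo       EHLO reply received before STARTTLS
    tls_ehlo             EHLO reply received after STARTTLS (optional)
    plaintext_auth_reply reply to an AUTH attempt sent before STARTTLS (optional)

    Returns a sorted list of findings; an empty list means the policy holds.
    """
    findings = []
    code, caps, terminated = parse_ehlo_reply(plaintext_ehlo)
    if code != "250":
        findings.append("ehlo-rejected:" + code)
    if not terminated:
        findings.append("malformed-ehlo-reply")          # last line still "250-"
    if "STARTTLS" not in [c.upper() for c in caps]:
        findings.append("starttls-not-offered")
    if auth_mechanisms(caps):
        findings.append("auth-offered-before-tls")       # FORCETLS=0 behaviour
    if plaintext_auth_reply is not None and plaintext_auth_reply[:1] in ("2", "3"):
        # 235 = authenticated, 334 = challenge sent: either means credentials
        # are being accepted in clear text; FORCETLS=1 answers 538 instead
        findings.append("auth-accepted-before-tls:" + plaintext_auth_reply[:3])
    if tls_ehlo is not None:
        _, tls_caps, tls_terminated = parse_ehlo_reply(tls_ehlo)
        if not tls_terminated:
            findings.append("malformed-ehlo-reply-after-tls")
        if not auth_mechanisms(tls_caps):
            findings.append("auth-missing-after-tls")
    return sorted(findings)


# Constructed sample replies, modelled on the transcripts quoted on this page
# (hostnames are placeholders, not real servers).
BUGGY_EHLO = ("250-smtp.example.test\r\n250-PIPELINING\r\n"
              "250-8BITMIME\r\n250-AUTH LOGIN PLAIN\r\n")        # never terminated
NO_TLS_EHLO = "250-smtp.example.test\r\n250-PIPELINING\r\n250 8BITMIME\r\n"
FORCETLS_EHLO = ("250-smtp.example.test\r\n250-STARTTLS\r\n250-PIPELINING\r\n"
                 "250-8BITMIME\r\n250 SIZE 0\r\n")
AFTER_TLS_EHLO = ("250-smtp.example.test\r\n250-PIPELINING\r\n250-8BITMIME\r\n"
                  "250-SIZE 0\r\n250 AUTH LOGIN PLAIN CRAM-MD5\r\n")
REFUSED_AUTH = "538 auth not available without TLS (#5.3.3)\r\n"


if __name__ == "__main__":
    for name, args in [("buggy ehlo", (BUGGY_EHLO,)),
                       ("no starttls", (NO_TLS_EHLO,)),
                       ("forcetls", (FORCETLS_EHLO, AFTER_TLS_EHLO, REFUSED_AUTH))]:
        print("%-12s %s" % (name, audit_submission(*args) or "ok"))
```

Feed it the replies captured from a real "telnet yourserver 587" session (before and after STARTTLS) to verify that AUTH only appears once the connection is encrypted.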

Managing auth options

You may want to take a look at the README.auth file, especially if you are planning to enable CRAM-MD5 authentication.

Be aware that you have to export SMTPAUTH in your run file.

Creating an SSL key file

To secure SMTP authentication you must create an SSL certificate. The certificate must be owned by the user who runs qmail-smtpd, vpopmail in our case.

> make cert
    
Generating a 1024 bit RSA private key
..................++++++
.......++++++
writing new private key to '/var/qmail/control/servercert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italy
Locality Name (eg, city) []:Cagliari
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:smtp.yourdomain.net
Email Address []:postmaster@yourdomain.net
    
> make tmprsadh
> chown vpopmail.vchkpw /var/qmail/control/*.pem

It is important that the “Common Name” matches the domain name that your email clients will specify as their SMTP server.

Now let's create a cron job that runs update_tmprsadh every day:

> crontab -e
    
03 05 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1

Important: If you run qmail-submission as a user other than vpopmail, and you’re installing my combined patch, you must adjust /var/qmail/bin/update_tmprsadh accordingly. Otherwise you’ll probably exceed the connection timeout due to privilege problems, and won’t be able to send messages when connected remotely.

I have written a page on creating a third-party (Let's Encrypt) certificate for qmail; more info here.
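Since most of the TLS trouble reported in the comments below comes down to the certificate file (wrong owner, or a file OpenSSL rejects with "no start line"), here is an added sanity check, my own code and not part of the patch: it audits a combined key+certificate PEM file for ownership, world access, and PEM structure. The expected owner (vpopmail above) is a parameter; the sample PEM is constructed and its bodies are a minimal DER placeholder, not a real key or certificate.

```python
import base64
import binascii
import os
import pwd
import re
import stat
import tempfile

# A PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----"
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block found in text.

    Raises ValueError when a BEGIN label is closed by a different END label or
    the body is not valid base64 (both surface as PEM routine errors when
    qmail-smtpd tries to load the file).
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError("BEGIN %s is closed by END %s" % (begin, end))
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("bad base64 in %s block: %s" % (begin, exc))
        blocks.append((begin, der))
    return blocks


def check_servercert(path, expected_owner):
    """Audit the combined key+certificate file qmail-smtpd reads.

    Returns a sorted list of problems; an empty list means every check passed.
    """
    problems = []
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    if owner != expected_owner:
        problems.append("owned by %s, expected %s" % (owner, expected_owner))
    if st.st_mode & stat.S_IRWXO:
        # the private key lives in this file, so "other" must have no access
        problems.append("world-accessible (mode %o)" % (st.st_mode & 0o777))
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    try:
        blocks = pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    labels = [label for label, _ in blocks]
    if not blocks:
        # an empty or non-PEM file is what OpenSSL reports as "no start line"
        problems.append("no PEM block found (OpenSSL: no start line)")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    for label, der in blocks:
        # every key and certificate is a DER SEQUENCE, whose first byte is 0x30
        if not der or der[0] != 0x30:
            problems.append("%s block does not decode to a DER SEQUENCE" % label)
    return sorted(problems)


def check_pem_text(text, mode=0o600):
    """Write text to a temporary file owned by the current user and audit it."""
    me = pwd.getpwuid(os.getuid()).pw_name
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        os.write(fd, text.encode("ascii", "replace"))
        os.close(fd)
        os.chmod(path, mode)
        return check_servercert(path, me)
    finally:
        os.unlink(path)


# Constructed sample: both bodies decode to a minimal DER SEQUENCE (30 03 02 01 01),
# standing in for a real key and certificate.
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"
              "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(check_pem_text(SAMPLE_PEM) or "sample file ok")
    print(check_pem_text("not a pem file\n"))
```

On a real installation call check_servercert("/var/qmail/control/servercert.pem", "vpopmail") as root.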

Comments

qmail-authentication-0.8.3 patch

I wanted to patch my qmail with SMTPAUTH but I couldn't download the qmail-authentication-0.8.3 patch from http://www.fehcom.de/qmail/smtpauth.html (the link is broken) and have tried to contact the owner but haven't had any response yet. I was wondering if you'd have a copy of that patch which you can share.

Reply |

qmail-authentication-0.8.3 patch

Perfect. Thank you!

Reply |

Need qmail-smtp with starttls

Hi,

I am using qmail just for incoming messages, I don't need to send anything out.

I have to run qmail with STARTTLS.

But when I am running ehlo google.com, it's not popping starttls. I am running qmail-1.03 and applied the patch on it.

Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
ehlo google.com

250-PIPELINING
250 8BITMIME

Below is my qmail-smtpd/run file :

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

# sslserver certificates
export CERTFILE="/var/qmail/control/servercert.pem"
export KEYFILE=""
export DHFILE=""
SMTPS=1
export SMTPS

# qmail options
#ALLOW_INSECURE_AUTH="1"; export ALLOW_INSECURE_AUTH
#REQUIRE_AUTH="1"; export REQUIRE_AUTH
#SMTPAUTH="";
FORCETLS=1; export FORCETLS;
#export SMTPAUTH;

if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi

if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi

exec /usr/local/bin/softlimit -m 8000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 25 /var/qmail/bin/qmail-smtpd 2>&1

Reply |

Need qmail-smtp with starttls

Hi, which patch did you apply?

Reply |

Sending problem

Hi Roberto,
I installed "smtp-auth + qmail-tls + forcetls patch for qmail" following your instructions on Alma Linux 8.5.
Installed without pop-before-SMTP, as follows:

nmap
25/smtp 110/pop3 465/smtps 587/submission 995/pop3s

/home/vpopmail/etc/tcp.smtp
127.:allow,RELAYCLIENT=""
(There is no open-smtp file)

/var/qmail/control/rcpthosts
serverhostname
mydomainname

After starting qmail, if I try to send email using SMTP-AUTH on port 465 [SSL], I get "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)".
I can receive email using the port 995 setting; pop3 and pop3s are stable. If I add the domain name I want to send to into rcpthosts, I can send it.
I can't understand what mistake I made.
There is no error log in /var/log/maillog or messages when it fails.
Please give me some advice.

Best Regards.

Reply |

Sending problem

Hi,

I'm not sure that this patch can work with port 465 + auth. If you don't have a particular reason to do the auth on port 465, use the submission service on 587 and it will work.

Reply |

Sending problem 2

Hello, thank you for your reply.
I changed the port from 465 to 587, but my mail client displays the error "this server does not correspond to STARTTLS, please check the port setting of the server".

After trying to send mail through smtps 465, /var/log/messages is as below (no error):

Mar 20 04:01:16 mars smtpd[60972]: 1647716476.613492 tcpserver: pid 61265 from 126.79.158.149
Mar 20 04:01:16 mars smtpd[60972]: 1647716476.654468 tcpserver: ok 61265 mars.mydomain.net:153.126.184.121:465 :126.79.158.149::54136
Mar 20 04:01:16 mars smtpd[60972]: 1647716476.993819 tcpserver: end 61265 status 0

I guess some environment variables are not transmitted to "tcp-smtp", like open-smtp with the pop-before-smtp option.
In my present condition, if I want to send email to a Gmail address, I must write "gmail.com" in "rcpthosts" every time; it's inconvenient.
My cert file was made by Let's Encrypt, and I combined the private key and the certificate into one file.

My SMTPS starting script is below:

※tcpserver-ssl is patched with NRG4U's ucspi-tcp-ssl-20050405.patch.gz
# SMTP OVER SSL[465 port]
/usr/local/bin/tcpserver-ssl -H -R -v -s -n /var/qmail/control/cert.pem -x /home/vpopmail/etc/tcp.smtp.cdb 0 465 /var/qmail/bin/qmail-smtpd `hostname` /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1 | /var/qmail/bin/splogger smtpd 3 &

Some files' status is:

-rw-r--r-- 1 vpopmail vchkpw 33 Mar 20 04:28 tcp.smtp
-rwsr-xr-x 1 root root 127504 Mar 18 17:08 vchkpw
-rw-r--r-- 1 vpopmail vchkpw 7299 Mar 20 02:24 cert.pem

Reply |

Sending problem 2

Hi, I can't be of any help on the configuration of smtps on port 465, because I don't use it.

As far as port 587 is concerned, did you install ucspi-tcp6? If yes, post your qmail-submission/run file, the entire smtp conversation via "telnet yourserver 587" and the log lines.

Reply |

Sending problem 3

Hi Roberto, thank you for helping me.
I re-installed ucspi-tcp6 as below:

lrwxrwxrwx 1 root root 51 Mar 20 14:07 tcpcat -> /var/qmail/net/ucspi-tcp6/ucspi-tcp6/command/tcpcat
lrwxrwxrwx 1 root root 54 Mar 20 14:07 tcpclient -> /var/qmail/net/ucspi-tcp6/ucspi-tcp6/command/tcpclient
lrwxrwxrwx 1 root root 53 Mar 20 14:07 tcprules -> /var/qmail/net/ucspi-tcp6/ucspi-tcp6/command/tcprules
lrwxrwxrwx 1 root root 58 Mar 20 14:07 tcprulescheck -> /var/qmail/net/ucspi-tcp6/ucspi-tcp6/command/tcprulescheck
lrwxrwxrwx 1 root root 54 Mar 20 14:07 tcpserver -> /var/qmail/net/ucspi-tcp6/ucspi-tcp6/command/tcpserver
lrwxrwxrwx 1 root root 49 Mar 20 14:07 who@ -> /var/qmail/net/ucspi-tcp6/ucspi-tcp6/command/who@

and, as you showed me the latest patch link, I re-installed qmail-1.06 with your patch.

My submission starting script is as below:

/usr/local/bin/tcpserver -H -R -l0 -x \
/home/vpopmail/etc/tcp.smtp.cdb \
-u 1004 -g 1001 0 587 \
/var/qmail/bin/qmail-smtpd-submission qmail-smtpd `hostname` \
/home/vpopmail/bin/vchkpw /bin/true 2>&1 | /var/qmail/bin/splogger smtpd 3 &

[1004 and 1001 are qmaild's]

# nmap localhost
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
110/tcp open pop3
587/tcp open submission

I try to connect to my server.

telnet 153.126.193.183 587
220 mars.myserver.net ESMTP
EHLO mars.myserver.net
250-mars.muserver.net
250-PIPELINING
250 8BITMIME
mail from:mailfrom@myserverdomain
250 ok
rcpt to:mailto@gmail.com
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
STARTTLS
454 TLS missing certificate: error:02001002:system library:fopen:No such file or directory (#4.3.0)

※myserverdomain is added to my server by vpopmail.

In this operation, there is no error in /var/log/messages.

Mar 20 15:23:45 mars smtpd[6614]: 1647757425.010646 tcpserver: pid 6663 from 126.89.158.173
Mar 20 15:23:45 mars smtpd[6614]: 1647757425.010666 tcpserver: ok 6663 mars.myserver.net:153.126.193.183:25 :126.89.158.173::56600
Mar 20 15:25:22 mars smtpd[6614]: 1647757522.714034 tcpserver: end 6663 status 0

If I add "mailto@gmail.com" into "rcpthosts":

telnet 153.126.193.183 587
220 mars.myserver.net ESMTP
EHLO mars.myserver.net
250-mars.myserver.net
250-PIPELINING
250 8BITMIME
mail from:mailfrom@myserverdomain
250 ok
rcpt to:mailto@gmail.com
data
354 go ahead
subject TEST
TEST
.
250 ok 1647750603 qp 1822

I can send and receive email.

I installed vpopmail without pop-before-smtp, of course.
There is no open-smtp file in the /vpopmail/etc directory.
I feel it is strange that there is NO error from "SMTP-Auth".
If SMTP-Authentication is enabled, the message "530 Sorry, please use SMTP-AUTH instead" should be displayed.
And does this "ucspi-tcp6" not support SSL? I cannot set up the 995 pop3s port, because I get an error.
I know I still haven't learned enough about mail systems.
Sorry for the hassle.

Reply |

Sending problem 3

This line in your run file

/var/qmail/bin/qmail-smtpd-submission qmail-smtpd `hostname` \

points to a missing executable.

Please double check your configuration.

Reply |

Sending problem 3

> My submission starting scripts is as below:

> /usr/local/bin/tcpserver -H -R -l0 -x  /home/vpopmail/etc/tcp.smtp.cdb \

First of all, I suggest using separate tcprules for smtp and submission. You can simply have

:allow

for tcp.submission.

Secondly, I recommend doing these initial tests with an essential configuration, so I suggest commenting out this

 | /var/qmail/bin/splogger smtpd 3 &

in your run file.

Thirdly, can you confirm that this patch is not installed over other qmail patches?

Do you have

export SMTPAUTH="!"

in your run file?

It's always better if you post the entire run file here...

> I try to connect my server.

telnet 153.126.193.183 587
220 mars.myserver.net ESMTP
EHLO mars.myserver.net
250-mars.muserver.net
250-PIPELINING
250 8BITMIME
mail from:mailfrom@myserverdomain
250 ok
rcpt to:mailto@gmail.com
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
STARTTLS
454 TLS missing certificate: error:02001002:system library:fopen:No such file or directory (#4.3.0)

The 553 error is normal, as this is not an open relay. It will deny you from sending as long as you don't authenticate.

But you can't auth because the auth is advertised only after STARTTLS, and you have that 454 TLS missing certificate error.

You can do the auth without TLS if you turn off STARTTLS with this option in your run file

FORCETLS=0

and restart qmail. But in this case you are sending your password in clear text over the internet.

Therefore you have to solve your certificate problems.

> And does this "ucspi-tcp6" not support SSL ? I can not set 995 pop3s port, cause I get error.

Of course yes. Your problems are due to a missing TLS certificate.

How are you creating your certificate?

Reply |

Sending problem 3

Hi Roberto, thank you for supporting me.
I revised some files following your advice:

tcp.smtp >> :allow
export SMTPAUTH="!" << add run file

My cert key is named "cert.pem" in /var/qmail/control, but I changed it to "servercert.pem".

After rebooting qmail, a "clientcert.pem" file is made naturally (it's a symlink to servercert.pem).

※my cert key was made using Let's Encrypt, and I combined them into one file.

telnet test
220 mars.myserver.net ESMTP
EHLO mars.myserver.net
250-mars.myserver.net
250-STARTTLS
250-PIPELINING
250-8BITMIME
250 SIZE 0
AUTH PLAIN [base64 credentials redacted]
538 auth not available without TLS (#5.3.3)

but the mail client result says "530 authentication required [5.7.1]".
It was "553 not allowed rcpthosts" before, and "STARTTLS" is enabled.

I can receive email, which means I am authenticated, but sending via 587 gets an auth error.
There still seems to be a mistake.

As a supplementary explanation of my mail system: I run the mail processes under the system, registering them as a system service.
I use "systemctl start|stop qmail" command.

system file /etc/systemd/system/qmail.service

[Unit]
Description=qmail/netqmail service
After=local-fs.target network.target

[Service]
Type=forking
ExecStart=/etc/qmail/exec_qmail start

[Install]
WantedBy=multi-user.target

run file /etc/qmail/exec_qmail

#!/bin/sh
#
# qmail: /var/qmail
# chkconfig: 2345 80 30
# description: qmail start/stop script

PATH=/var/qmail/bin:/usr/local/bin:/bin:/usr/bin

#simscan[ Temporarily stopped ]
#QMAILQUEUE="/var/qmail/bin/simscan"
#export QMAILQUEUE

export SMTPAUTH="!"

# Source function library.
#. /etc/rc.d/init.d/functions

[ -f /var/qmail/rc ] || exit 0

case "$1" in
start)
# Start daemons.
echo "Starting qmail."
csh -cf '/var/qmail/rc &'

# SMTP-AUTH NO-SSL[PortT 25]
/usr/local/bin/tcpserver -H -R -l `hostname` -v -x \
/home/vpopmail/etc/tcp.smtp.cdb \
-u 1010 -g 1003 0 smtp qmail-smtpd \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

# SMTP-AUTH + SMTP OVER SSL[Port 465]
#/usr/local/bin/tcpserver -H -R -v \
#/var/qmail/control/servercert.pem -x \
#/home/vpopmail/etc/tcp.smtp.cdb 0 465 \
#/var/qmail/bin/qmail-smtpd `hostname` \
#/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1


# SMTP OP25B Submission
/usr/local/bin/tcpserver -H -R -x \
/home/vpopmail/etc/tcp.smtp.cdb 0 587 submission \
/var/qmail/bin/qmail-smtpd `hostname` \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1 \

# Vpop[Port 110]
/usr/local/bin/tcpserver -H -R -l `hostname` -v 0 pop3 \
/var/qmail/bin/qmail-popup `hostname` \
/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1

# POP3 OVER SSL[Port995]
#/usr/local/bin/tcpserver -H -R \
#/var/qmail/control/servercert.pem -l0 0 995 \
#/var/qmail/bin/qmail-popup `hostname` \
#/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1

echo
touch /var/lock/qmail
;;
stop)
# Stop daemons.
echo "Shutting down qmail2."
PID=`/bin/ps -aefw | grep qmail | awk '{print $2}'`
if [ ! -z "$PID" ] ; then
/bin/kill ${PID} 1> /dev/null 2>&1
fi
echo
rm -f /var/lock/qmail
;;
*)
echo "Usage: S99qmail {start|stop}"
exit 1
esac

exit 0

Reply |

Sending problem 3

As already said in my previous reply, and as qmail's output says, you can't authenticate without TLS.

I see that your configuration is very personal. I've never seen all the run scripts in one single file. If you don't have a particular reason to do it like this, I suggest reading and following these pages at least until the "Testing qmail" one.

I don't want to sound rude, but maintaining this guide and patches is already very time consuming and I don't always have extra time to fix other broken configurations.

Reply |

Problem Receiving mail from (only) gmail

Dear Roberto,

I've got something strange with qmail-tls. I use FreeBSD and I've installed qmail (non-tls) and qmail-tls from FreeBSD ports at different times (because FreeBSD ports can't install qmail & qmail-tls at the same time). When I installed qmail (non-tls) I had no problem sending or receiving email from any common mail server such as gmail, yahoo, outlook, even my company mail server. But when I installed qmail-tls, I could still send email to all of them, and I could receive from all of them except from gmail. I've been monitoring the logs for qmail-smtpd, qmail-send, qmail-pop3d, and qmail-queue with tail -f while sending email from gmail, but no log was coming in. I have no idea about it. Do you have any suggestion? Is it because gmail uses TLS 1.3 while the others still use TLS 1.2? Or something I've missed?

Thanks for your help.

Reply |

Problem Receiving mail from (only) gmail

Dear bellfox ace,

If you don't see anything in the logs, your server didn't receive anything... Are you sure that you don't even have a connection from an external IP, like the following?

@400000005fd6a2092e6d279c tcpserver: status: 1/20
@400000005fd6a2092e70541c tcpserver: pid 19671 from 193.56.28.30
@400000005fd6a2092f0ef964 tcpserver: ok 19671 smtp.yourserver.com:10.0.0.4:25 :193.56.28.30::55795
@400000005fd6a21c0d4339bc tcpserver: end 19671 status 0

Reply |

Problem Receiving mail from (only) gmail

dear Roberto,

Yes, you're right, there are logs in qmail-smtpd (current) coming in. Besides, after a day gmail responded to me with a message that I guess it takes from TLS testing when it tries to send email to my domain, such as:

454 TLS missing certificate: error:0909006C:PEM routines:get_name:no start line (#4.3.0)

After telnet localhost 25, I do ehlo then starttls, and I get this error message, which I guess gmail gets too. I'm really confused, because I can send email to gmail normally, and I inspected the original/plain message: the message I sent was completely encrypted (tls). But the other way round, it fails. Would you mind giving me some suggestion to solve this problem?

Thank you my friend.

note:

I think gmail tests smtp-tls clearly & completely before it sends email, while the other common email providers I mentioned above keep sending email even though the error above is still there.

Reply |

Problem Receiving mail from (only) gmail

I think your problem is that you misconfigured your certificate and in some way gmail is more strict than other providers... so I would inspect the certificate, not the server config.

Reply |

Problem Receiving mail from (only) gmail

Dear Roberto,

Thank you very much for pinpointing my problem; I focused on making the cert .pem properly, and then it was solved.

You're the guy, keep health on my friend, and... Terima Kasih (bahasa).

Reply |

Cipher suite preference order

Hi Roberto,

I need help configuring a cipher suite preference order. Running diagnostics tools such as https://testssl.sh/ and https://www.hardenize.com/  they tell me that I must configure a cipher suite preference order:

Has server cipher order? no (NOT ok)

I have no idea how to do that. Reading the qmail-tls documentation inside the patch itself, it says:

- cipher selection:
            qmail-remote: 
              openssl cipher string (`man ciphers`) read from 
              /var/qmail/control/tlsclientciphers
            qmail-smtpd: 
              openssl cipher string read from TLSCIPHERS environment variable
              (can vary based on client IP address e.g.)
              or if that is not available /var/qmail/control/tlsserverciphers

I've configured both files with:

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

But this didn't do the trick.

Have you figured this out? Have you tried running your own email server against these diagnostics tools?

Thank you in advance.

Cheers,

Gabriel.

Reply |

Cipher suite preference order

I played with it a long time ago, but you should set the ciphers separated by colons, as the patch documentation states. Check mine for instance:

TLSCIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256"

cheers

delphus

Reply |

Cipher suite preference order

I'm sorry Gabriel, I've never played with this...

Reply |

configuration to work auth+tls

Hi Roberto,
I applied the roberto-netqmail-1.06_auth_tls_force-tls.patch-latest patch but I can't configure qmail with authentication and TLS at the same time.

My supervise/run file is:

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl";
LOCAL=`head -1 /var/qmail/control/me`

# sslserver certificates
export CERTFILE="/var/qmail/control/servercert.pem"
export KEYFILE=""
export DHFILE=""
SMTPS=1
export SMTPS

# qmail options
ALLOW_INSECURE_AUTH="1"; export ALLOW_INSECURE_AUTH
REQUIRE_AUTH="1"; export REQUIRE_AUTH
SMTPAUTH="";
FORCETLS=1; export FORCETLS;
export SMTPAUTH;

if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtp-ssl/run
exit 1
fi

if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi

exec /usr/local/bin/softlimit -m 1500000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 465 /var/qmail/bin/qmail-smtpd-ssl /bin/checkpassword 2>&1

I can send email with tls, but the server does not ask me for the password. I can send e-mails without authentication.

Where is my error?

Thanks

Michele

Reply |

configuration to work auth+tls

Michele, your setup refers to ucspi-ssl (port 465), while my patch is for submission port 587. Please refer to this page for details https://notes.sagredo.eu/en/qmail-notes-185/configuring-qmail-83.html

Reply |

TLS 1.1 enable

Hi!

How can I enable the old and obsolete TLS 1.1 with qmail? Some partners use TLS 1.1 :-(

thanks, mark

Reply |

TLS 1.1 enable

I think you have to reverse the qmail-tls patch and install v. 20110119 (look here), but it's affected by a well known vulnerability.

Reply |

Broken Link

Hi Roberto,

The link is broken here as well:

Managing auth options

You may want to take a look at the README.auth file, especially if you are planning to enable CRAM-MD5 auth.

Be aware that you have to export SMTPAUTH in your run file.

Reply |

Broken Link

Thank you. Corrected.

Reply |

patch

hello,

I'm a newbie starting to install qmail. I tried to patch but I got an error like this:

[root@mta88 netqmail-1.06]# patch < ../roberto-netqmail-1.06_auth_tls_force-tls.patch-latest
patching file FILES.auth
patching file LICENSE.authentication
patching file Makefile
Hunk #1 succeeded at 140 with fuzz 2 (offset 4 lines).
Hunk #2 succeeded at 824 (offset 4 lines).
Hunk #3 succeeded at 1457 (offset 4 lines).
Hunk #4 FAILED at 1552.
Hunk #5 FAILED at 1569.
Hunk #6 succeeded at 1848 (offset 5 lines).
Hunk #7 succeeded at 2130 (offset 5 lines).
Hunk #8 succeeded at 2174 (offset 5 lines).
2 out of 8 hunks FAILED -- saving rejects to file Makefile.rej
patching file Makefile-cert.mk
The next patch would create the file README.auth,
which already exists! Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored
patching file README.tls
patching file TARGETS
Hunk #4 succeeded at 326 (offset 1 line).
Hunk #5 succeeded at 392 (offset 1 line).
The next patch would create the file base64.c,
which already exists! Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored
The next patch would create the file base64.h,
which already exists! Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored
patching file case_startb.c
patching file conf-cc
patching file dns.c
patching file global.h
patching file hier.c
patching file hmac_md5.c
patching file hmac_md5.h
patching file ipalloc.h
patching file md5.h
patching file md5c.c
patching file qmail-control.9
patching file qmail-remote.8
patching file qmail-remote.c
patching file qmail-showctl.c
patching file qmail-smtpd.8
Hunk #1 succeeded at 19 (offset 5 lines).
Hunk #2 FAILED at 32.
Hunk #3 succeeded at 85 (offset 27 lines).
Hunk #4 succeeded at 125 (offset 27 lines).
Hunk #5 succeeded at 208 (offset 27 lines).
Hunk #6 succeeded at 239 (offset 27 lines).
1 out of 6 hunks FAILED -- saving rejects to file qmail-smtpd.8.rej
patching file qmail-smtpd.c
Hunk #1 FAILED at 23.
Hunk #2 succeeded at 52 (offset 3 lines).
Hunk #3 succeeded at 156 with fuzz 2 (offset 87 lines).
Hunk #4 FAILED at 97.
Hunk #5 FAILED at 112.
Hunk #6 FAILED at 130.
Hunk #7 FAILED at 143.
Hunk #8 FAILED at 234.
Hunk #9 succeeded at 310 (offset 20 lines).
Hunk #10 succeeded at 323 (offset 20 lines).
Hunk #11 succeeded at 427 (offset 20 lines).
Hunk #12 FAILED at 417.
7 out of 12 hunks FAILED -- saving rejects to file qmail-smtpd.c.rej
patching file ssl_timeoutio.c
patching file ssl_timeoutio.h
patching file tls.c
patching file tls.h
patching file update_tmprsadh.sh
[root@mta88 netqmail-1.06]#

need your advice, how to

Reply |

patch

patch like this:

patch -p1 < patchfile

Reply |

Can't compile port qmail-tls on FreeBSD 12, openssl 1.1.1

qmail-remote.c:272:24: error: incomplete definition of type 'struct ssl_st'
  int state = ssl ? ssl->state : SSL_ST_BEFORE;
                    ~~~^
/usr/include/openssl/ossl_typ.h:147:16: note: forward declaration of 'struct ssl_st'
typedef struct ssl_st SSL;
               ^
qmail-remote.c:272:34: error: use of undeclared identifier 'SSL_ST_BEFORE'; did you mean
      'TLS_ST_BEFORE'?
  int state = ssl ? ssl->state : SSL_ST_BEFORE;
                                 ^~~~~~~~~~~~~
                                 TLS_ST_BEFORE
/usr/include/openssl/ssl.h:979:5: note: 'TLS_ST_BEFORE' declared here
    TLS_ST_BEFORE,
    ^
qmail-remote.c:273:15: error: use of undeclared identifier 'SSL_ST_OK'; did you mean 'TLS_ST_OK'?
  if (state & SSL_ST_OK || (!smtps && state & SSL_ST_BEFORE))
              ^~~~~~~~~
              TLS_ST_OK
/usr/include/openssl/ssl.h:980:5: note: 'TLS_ST_OK' declared here
    TLS_ST_OK,
    ^
qmail-remote.c:273:47: error: use of undeclared identifier 'SSL_ST_BEFORE'; did you mean
      'TLS_ST_BEFORE'?
  if (state & SSL_ST_OK || (!smtps && state & SSL_ST_BEFORE))
                                              ^~~~~~~~~~~~~
                                              TLS_ST_BEFORE
/usr/include/openssl/ssl.h:979:5: note: 'TLS_ST_BEFORE' declared here
    TLS_ST_BEFORE,
    ^
qmail-remote.c:340:7: warning: passing 'const char *' to parameter of type 'char *' discards qualifiers
      [-Wincompatible-pointer-types-discards-qualifiers]
  out(s1); if (s2) { out(": "); out(s2); } TLS_QUIT;
      ^~
qmail-remote.c:340:37: warning: passing 'const char *' to parameter of type 'char *' discards qualifiers
      [-Wincompatible-pointer-types-discards-qualifiers]
  out(s1); if (s2) { out(": "); out(s2); } TLS_QUIT;
                                    ^~
qmail-remote.c:394:43: warning: passing 'const char *' to parameter of type 'char *' discards qualifiers
      [-Wincompatible-pointer-types-discards-qualifiers]
      out("ZNo TLS achieved while "); out(servercert);
                                          ^~~~~~~~~~
qmail-remote.c:456:11: warning: passing 'const char *' to parameter of type 'char *' discards qualifiers
      [-Wincompatible-pointer-types-discards-qualifiers]
      out(servercert); out(" exists"); TLS_QUIT;
          ^~~~~~~~~~
qmail-remote.c:493:29: warning: passing 'unsigned char *' to parameter of type 'const char *' converts
      between pointers to integer types with different sign [-Wpointer-sign]
          if (match_partner(gn->d.ia5->data, gn->d.ia5->length)){
                            ^~~~~~~~~~~~~~~
qmail-remote.c:344:31: note: passing argument to parameter 's' here
int match_partner(const char *s, int len)
                              ^
qmail-remote.c:508:60: error: incomplete definition of type 'struct X509_name_entry_st'
        const ASN1_STRING *s = X509_NAME_get_entry(subj, i)->value;
                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^

Reply |

Disable smtp auth and allow only delivery for rcpthosts domains

Hello,

Is there any way to disable smtp auth relay on port 25, and allow only delivery to local domains?

I'd like to enable smtp auth only on port 587.

Cheers

Joao

Reply |

Disable smtp auth and allow only delivery for rcpthosts domains

Yes, in your qmail-smtpd/run file just avoid calling /home/vpopmail/bin/vchkpw after qmail-smtpd.

Reply |

Disable smtp auth and allow only delivery for rcpthosts domains

Hello Roberto, thank you for replying.

Just another question about it. Maybe you can help me.

Is it possible to disable smtp auth for many domains and enable it just for another?
All domains will be in my rcpthosts, but I'd like to allow just some domains to send emails using smtp auth.

Sorry for my English. Did you understand?

Best
Joao

Reply |

Disable smtp auth and allow only delivery for rcpthosts domains

You can set up an "authsender" control file for the purpose. Take a look at the detailed info for the qmail-authentication patch here https://www.fehcom.de/qmail/smtpauth.html and inside the README file

The eMPF functionality can also be used to set up advanced policies for the users. Refer to its README file

Reply |

smtp-auth + qmail-tls + forcetls patch not compiling on debian9

Hello,

The smtp-auth + qmail-tls + forcetls patch is not compiling on debian 9. Here is the error:

qmail-remote.c: In function ‘quit’:
qmail-remote.c:286:24: error: dereferencing pointer to incomplete type ‘SSL {aka struct ssl_st}’
int state = ssl ? ssl->state : SSL_ST_BEFORE;
^~
qmail-remote.c:286:34: error: ‘SSL_ST_BEFORE’ undeclared (first use in this function)
int state = ssl ? ssl->state : SSL_ST_BEFORE;
^~~~~~~~~~~~~
qmail-remote.c:286:34: note: each undeclared identifier is reported only once for each function it appears in
qmail-remote.c:287:15: error: ‘SSL_ST_OK’ undeclared (first use in this function)
if (state & SSL_ST_OK || (!smtps && state & SSL_ST_BEFORE))
^~~~~~~~~
qmail-remote.c: In function ‘tls_init’:
qmail-remote.c:522:60: error: dereferencing pointer to incomplete type ‘X509_NAME_ENTRY {aka struct X509_name_entry_st}’
const ASN1_STRING *s = X509_NAME_get_entry(subj, i)->value;
^~
qmail-remote.c: In function ‘mailfrom_cram’:
qmail-remote.c:658:3: warning: implicit declaration of function ‘hmac_md5’ [-Wimplicit-function-declaration]
hmac_md5(chal.s,chal.len,pass.s,pass.len,digest);
^~~~~~~~
qmail-remote.c: In function ‘main’:
qmail-remote.c:886:7: warning: implicit declaration of function ‘chdir’ [-Wimplicit-function-declaration]
if (chdir(auto_qmail) == -1) temp_chdir();
^~~~~
qmail-remote.c:971:21: warning: implicit declaration of function ‘getpid’ [-Wimplicit-function-declaration]
random = now() + (getpid() << 16);
^~~~~~
qmail-remote.c:1013:5: warning: implicit declaration of function ‘close’ [-Wimplicit-function-declaration]
close(smtpfd);
^~~~~

Any chance you can fix the patch?

Thanks

Nikola

Reply |

smtp-auth + qmail-tls + forcetls patch not compiling on debian9

Try to downgrade your openssl to v. 1.0

Reply |

smtp-auth + qmail-tls + forcetls patch not compiling on debian9

There must be some problem with gcc-6, as already reported here yesterday http://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#comment971

Unfortunately at the moment I have no gcc-6 machine to do tests with

Reply |

In which file store the certificate

Hi, where should I store the certificate? clientca.pem, clientcrl.pem or servercert.pem? Will TLS work with a self-signed certificate?

I get this error :

454 TLS connection failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (#4.3.0) after the auth login command.

What does it mean?

Regards. Marc

Reply |

Hi Marc,

I forgot to mention here how to create the certificate. Please take a look at the "Creating an SSL key file" section of the big patch page here http://notes.sagredo.eu/node/82

The certificate is stored in /var/qmail/control/servercert.pem, and in my configuration it must be owned by vpopmail. And yes, self-signed certs work

Reply |

Thanks. I've now generated a new self-signed certificate and saved it in the right file, but I still get the same error message after the starttls command.

220 gj3.grisjaune.com ESMTP
ehlo
250-gj3.grisjaune.com
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250 SIZE 0
starttls
220 ready for tls
auth login
454 TLS connection failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (#4.3.0)

For information: I don't use vpopmail. I work with Zarafa (which gives POP and IMAP but no SMTP AUTH) on debian. To apply your patch, I started with the netqmail-1.06 from Debian (and the debian patches). So it was necessary to adjust your patch. This is probably the cause of my non-functional system. Even if I disable the forcetls (in the code), the authentication doesn't work...

Is there a way to get more log? I don't have anything in the qmail logs nor in syslog.

Thanks for help.

Regards, Marc

Reply |

so which port are you using to do the auth?

The tls patch embedded in my combined patch does not allow SSL_23, because of the POODLE vulnerability. You must connect using TLS

Reply |

Bug in qmail-auth (SMTP RSET also resetting authentication)

It looks like there is a bug in the qmail-auth patch. I have an Android client connecting to the server (using TLS), and the client is issuing a RSET command after successfully authenticating but before sending the actual email (for whatever reasons that I don't understand). This results in the actual sending of the message failing with an "Authentication required" message (I have SMTPAUTH='!' set). The issue seems to be that, according to the SMTP RFCs, a RSET must retain authentication, yet the patch resets it (in smtp_rset()):

void smtp_rset(arg) char *arg;
{
-  seenmail = 0;
+  seenmail = 0; seenauth = 0;
+  mailfrom.len = 0; rcptto.len = 0;
   out("250 flushed\r\n");
}

I have fixed this to comment the resetting of 'seenauth':

void smtp_rset(arg) char *arg;
{
-  seenmail = 0;
+  seenmail = 0; /* seenauth = 0; */
+  mailfrom.len = 0; rcptto.len = 0;
   out("250 flushed\r\n");
}
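Review bot: commenting out `seenauth = 0;` rather than deleting it leaves a dead statement that a later merge of the upstream patch could silently re-enable; drop the line and leave a one-line comment saying that RSET ends the mail transaction (hence `mailfrom.len = 0; rcptto.len = 0;`) but not the authenticated session. Worth a regression check too: with SMTPAUTH='!' the sequence AUTH, RSET, MAIL FROM must now be accepted instead of rejected with "Authentication required".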

With this, the Android client is able to connect and send email successfully.

I will also forward that to the upstream maintainer of the qmail-authentication patch, but you may also want to fix that locally for the time being.

Andreas

 

Reply |

Fixed

This bug has been fixed in the August 18, 2017 version of the patch. Of course the big patch was updated as well

Reply |

Andreas, I have noticed that e.h. has updated his s/qmail but he hasn't updated the qmail patch yet.. do you know if the modification he did was the same as you suggest here in your comment?

Reply |

I discussed this with him and he had said that we would update his patch and include this modification. He may just want to wait until the next release for qmail-authentication patches. I looked at his most recent s/qmail code, and it looks like he did the same that I showed above in there.

Reply |

yes, he mentioned your hint in the s/qmail m/l

Reply |

thank you Andreas, I'll check this issue as soon as possible. 

Reply |

How did you solved the problem ...

Hello,

I have the same issue:

220 xxxxa ESMTP
4000000055f84b69318515fc 30706 < EHLO xxxxx
4000000055f84b693186082c 30706 > 250-xxxx
4000000055f84b6931860c14 30706 > 250-STARTTLS
4000000055f84b6931860ffc 30706 > 250-PIPELINING
4000000055f84b6931860ffc 30706 > 250-8BITMIME
4000000055f84b6931862f3c 30706 > 250-AUTH LOGIN PLAIN
4000000055f84b6931863324 30706 > 250 SIZE 0
4000000055f84b69358ac3a4 30706 < AUTH LOGIN
4000000055f84b69358b2d1c 30706 > 503 auth not available (#5.3.3)

I'm calling vchkpw from the run file ... but I still can't authenticate ... would you please tell me how you solved this issue?

Thank you

Reply |

post your run file

Hi, can you post your run file?

Reply |

my run file

Hello,

Here's my run file

#!/bin/sh

QMAILQUEUE="/var/qmail/bin/simscan" ; export QMAILQUEUE
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`*

export SMTPAUTH=''
export AUTH=1
export FORCETLS=0
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi
exec /usr/local/bin/softl

Reply |

you are not calling vchkpw

but you are not calling vchkpw as you said.. I'm not familiar with checkvpw.. I guess that the problem is there..

Reply |

I do but ..

Yes, even if I replace the run file with /home/vpopmail/bin/vchkpw ... I still can't authenticate

ls -l /home/vpopmail/bin/vchkpw
-rwx--x--x 1 vpopmail vchkpw 123968 sept. 15 10:40 /home/vpopmail/bin/vchkpw

Reply |

using my combined patch?

are you using my combined patch?

Reply |

Yes i did

Yes, I used netqmail 1.06 with your combined patch ...

For information, I already had vpopmail installed from qmail 1.03 ... now I upgraded to netqmail with your scripts ...

But I'm still facing that problem ... I don't see what I'm doing wrong ... do you think this is a problem with the vchkpw already installed with vpopmail?

thank you

Reply |

did you recompile vpopmail?

Did you recompile vpopmail against the netqmail patched with my combined patch? If yes, what does the smtp log say?

Reply |

Just did it

Hello,

I just recompiled vpopmail and then re-patched your netqmail with your combined patch ... but the problem is still present ...

Any ideas ?

Thank you

Reply |

I didn't explain myself very well

Sorry, I didn't explain myself very well. Actually you have to recompile netqmail once you have installed vpopmail. If this is what you did you are ok. In the case feel free to post the smtp log

Reply |

Fixed

Hello,

I fixed the problem ... it was in my run file ...

this :

exec /usr/local/bin/softlimit -m 30000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" XXX 2525 \
/usr/local/bin/recordio sh -c '/var/qmail/bin/qmail-smtpd' XXX \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

Should be like this :

exec /usr/local/bin/softlimit -m "30000000" \
    /usr/local/bin/tcpserver -v -H -R -l  "$LOCAL" \
    -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" XXX 2525 \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

Thank you

Reply |

No, I didn't

Hello,

No, I didn't recompile vpopmail after make setup check for your combined netqmail patch ... do I have to do it?

Thank you

Reply |

250-STARTTLS sent twice in EHLO response

Roberto,

your combined patch also has another small issue with the SMTP server sending the "250-STARTTLS" capability back twice in response to an EHLO query.

The problem is in qmail-smtp.c. Your combined patch includes (in the smtp_ehlo() routine):

+#ifdef TLS
+ if (!ssl) out("\r\n250-STARTTLS");
+ if (!ssl && (stat("control/servercert.pem",&st) == 0))
+   out("\r\n250-STARTTLS");
+#endif

but this should be:

+#ifdef TLS
+ if (!ssl && (stat("control/servercert.pem",&st) == 0))
+ out("\r\n250-STARTTLS");
+#endif
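Review bot: the line to delete is the first, unguarded `if (!ssl) out("\r\n250-STARTTLS");`; keeping the stat()-guarded one is the right choice, since it only advertises STARTTLS when control/servercert.pem exists and the session is not already encrypted, so a client is never offered STARTTLS that a missing certificate would then fail.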

I.e. there is one STARTTLS response too many.

This seems to be an issue with the qmail-tls patch (netqmail-1.06-tls-20141216.patch) not having been applied properly. (That patch is a bit weird, it patches qmail-smtp.c twice, first to add the line in question, then later to remove it again.)

Thanks for putting all of this together!

Andreas

Reply |

thank you. I'll fix it asap

Edit: this bug has been fixed

Reply |

Combined patch and number of EHLOs

Hello Roberto,

I have a question about the combined smtp-auth + qmail-tls (starttls) + forcetls patch. We have a problem with one server which refuses to accept messages sent by our MTA. While tracking down with network debugging tools I found that qmail sends the EHLO three times. These are refused by the remote mailserver and qmail finally gives up. If I understand the combined patch correctly there are actually 3 EHLOs sent. One if it's via SMTPS, then after tls_init once again. And a third time unconditionally. Is this correct? Well, normally there are no problems, but one mailserver doesn't accept our mails anymore.

+ if (code >= 500) quit("DConnected to "," but greeting failed");
+ if (code != 220) quit("ZConnected to "," but greeting failed");
+
+#ifdef EHLO
+# ifdef TLS
+ if (!smtps)
+# endif
+ code = ehlo();
+
+# ifdef TLS
+ if (tls_init())
+ /* RFC2487 says we should issue EHLO (even if we might not need
+  * extensions); at the same time, it does not prohibit a server
+  * to reject the EHLO and make us fallback to HELO */
+ code = ehlo();
+# endif
+
+ code = ehlo();
+
+ if (code == 250) {
+ /* add EHLO response checks here */
+
+ /* and if EHLO failed, use HELO */
+ } else {
+#endif
+
+ substdio_puts(&smtpto,"EHLO "); substdio_put(&smtpto,helohost.s,helohost.len); substdio_puts(&smtpto,"\r\n"); substdio_flush(&smtpto); - if (smtpcode() != 250) quit("ZConnected to "," but my name was rejected");
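Review bot: the unconditional `code = ehlo();` after the `# endif` is the extra EHLO: on the TLS path ehlo() has already been sent once before tls_init() (unless smtps) and once more after a successful tls_init(), so this third call should go, and the `code` tested just below should come from whichever of those two calls ran last. Separately, the last line has the fallback EHLO sequence and a `-` removal collapsed onto a single line, so the fragment cannot be applied as shown.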

Reply |

Hi Christopher, in my

Hi Christoph,

in my telnet tests I always get only two EHLO. The portion of code that you report is actually suspect, but I have to admit that it's not clear to me what all those "if" imply. Anyway that portion of code is exactly the code of the tls Vermeulen patch, as there were no modifications/customizations by me in qmail-remote.c

Let me know if you manage to solve

Reply |

Solved the problem

Sorry, I'm nearly spamming you ... ;-)

I've been able to create a patch. I finally understood what is there too much in the combined patch, and this is the patch for qmail-remote.c. We should perhaps really discuss this further via mail - you have my address.

root@flip-vm netqmail-1.06]# diff -u qmail-remote.c.pre.patch qmail-remote.c 

--- qmail-remote.c.pre.patch 2015-08-05 17:24:19.277513324 +0200 
+++ qmail-remote.c 2015-08-06 01:05:19.583864641 +0200

@@ -544,34 +544,23 @@
code = ehlo();
# endif 
- code = ehlo();
+ if (code == 250)
+ {
+ /* add EHLO response checks here */
- if (code == 250) {
- /* add EHLO response checks here */
- 
- /* and if EHLO failed, use HELO */
- } else {
+ /* and if EHLO failed, use HELO */
+ } else { 
#endif
-
-
- substdio_puts(&smtpto,"EHLO ");
- substdio_put(&smtpto,helohost.s,helohost.len);
- substdio_puts(&smtpto,"\r\n");
- substdio_flush(&smtpto);
-
- if (smtpcode() != 250) {
- substdio_puts(&smtpto,"HELO ");
- substdio_put(&smtpto,helohost.s,helohost.len);
- substdio_puts(&smtpto,"\r\n");
- substdio_flush(&smtpto); 
- code = smtpcode();
- // CGi
- // if (code >= 500) quit("DConnected to "," but my name was rejected");
- // if (code != 250) quit("ZConnected to "," but my name was rejected");
- }
+ substdio_puts(&smtpto,"HELO ");
+ substdio_put(&smtpto,helohost.s,helohost.len);
+ substdio_puts(&smtpto,"\r\n");
+ substdio_flush(&smtpto);
+ code = smtpcode();
+ if (code >= 500) quit("DConnected to "," but my name was rejected");
+ if (code != 250) quit("ZConnected to "," but my name was rejected");
#ifdef EHLO
- }
+ } 
#endif 
if (user.len && pass.len)
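Review bot: besides dropping the third `code = ehlo();`, the hunk restores the `quit()` checks on the HELO reply that had been commented out (`// CGi`), which is the right call: continuing after a rejected HELO would send MAIL FROM to a server that has already refused the session. One thing to confirm: `if (code == 250)` now relies on the earlier `code = ehlo();` (the one guarded only by `if (!smtps)`) still running when TLS is not compiled in, otherwise `code` holds the 220 greeting and every session falls back to HELO.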

Reply |

They are not the same ... I just found out

Hi Roberto, Sorry. I lost oversight a little. I think the Vermeulen patch with POODLE attack changes is not exactly the same as part of your compiled patch. There are at least a few double lines in the combined patch. I think there's at least one line of 'code = ehlo()' too much. This gets too complicated via this blog - perhaps we should go on via mail? you have my address.

Reply |

Comparison with Vermeulen Patch

Yes, they are the same. So I should perhaps ask Vermeulen himself about it? I have a recording of a network session, where there are actually three EHLOs sent, and after that a HELO. The remote server doesn't understand this and starts to refuse the 2nd, 3rd EHLO and the final HELO. I will tell you what I found out. Greetings

Reply |

CRAM-MD5 with FORCETLS=1

Thank you for gathering all this useful information, patches and stuff regarding netqmail. I have found however a situation which might not be supported by these patches. I have set FORCETLS=1 for all clients coming from the outside (not our DMZ or LAN), because I want them to use encryption. On the other side a CRAM-MD5 authentication does offer a certain amount of safety (IMO). So I should allow the users to use this, but not LOGIN or PLAIN. But this is not possible? Am I right? Thank you.

Reply |

To allow *only* CRAM-MD5 just use (see README.auth for more info)

SMTPAUTH="!cram"

but IMHO a TLS connection is already secure with TLS v1.2 (the POODLE vulnerability was fixed in the latest patch version) and I think there's no need to also force CRAM-MD5, which turns out to be useful just when you cannot force TLS (on port 25 for instance)

Reply |

Combined patch no update

Hi Roberto,

Please, can you update the combined patch with the latest patch? The combined patch version is 2015.04.11 right now.

Thanks for your work!!

Reply |

Hi, the big patch 2015.04.11 already contains the latest auth-0.8.2 and tls-20141216 :-)

Reply |

export FORCETLS=0

Hi,

I had added export FORCETLS=0 to my run file and still it requires TLS auth.

<-  250-STARTTLS
<-  250-PIPELINING
<-  250-8BITMIME
<-  250-AUTH LOGIN PLAIN CRAM-MD5
<-  250 SIZE 0
 -> AUTH LOGIN
<** 503 auth not available (#5.3.3)
*** No authentication type succeeded
 -> QUIT

What did I do wrong?

regards

nic

Reply |

Hi Nic,

it's not complaining about a missing TLS connection, it's complaining about a missing AUTH. Are you sure that you are calling vchkpw in your run file?

Reply |

Thanks Roberto. You spotted it correctly.

cheers!

Reply |

SMTPAUTH="-" doesn't seem to disable auth

Hi there, great work on your combined patch..

I've been working to try and disable auth on port 25 and require auth on 587. So far, it's going well..

on 587, SMTPAUTH="!"

on 25, SMTPAUTH="-"

However, I've noticed on port 25 it would advertise 250-AUTH PLAIN LOGIN, however if I submit an AUTH request, it will honor it.

I was tempted to create a patch to enforce this, when smtpauth=0 in qmail-smtpd, however that changes the way the patch works. Instead I was thinking of creating a new mode: SMTPAUTH="^" which disables auth altogether.

--- netqmail-1.06/qmail-smtpd.c 2015-01-21 02:20:52.947328493 +0000
+++ netqmail-1.06-cp/qmail-smtpd.c      2015-01-21 02:26:36.179831239 +0000
@@ -178,6 +178,7 @@
 }
 
 int smtpauth = 0;
+int smtpauthdisable = 0;
 int liphostok = 0;
 stralloc liphost = {0};
 int bmfok = 0;
@@ -249,7 +250,9 @@
   auth = env_get("SMTPAUTH");
   if (auth) {
     smtpauth = 1;
+    smtpauthdisable = 0;
     case_lowers(auth);
+    if (!case_diffs(auth,"^")) { smtpauth = 0 ; smtpauthdisable = 1 ; }
     if (!case_diffs(auth,"-")) smtpauth = 0;
     if (!case_diffs(auth,"!")) smtpauth = 11;
     if (case_starts(auth,"cram")) smtpauth = 2;
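Review bot: the `smtpauthdisable = 0;` reset is redundant (the global is already 0 and this block runs once at startup), but the more important point is that the `^` test sits inside `if (auth)`, so an unset SMTPAUTH still leaves AUTH accepted whenever a checkpassword program is given; if the intent is "not advertised means refused", tie the refusal to `smtpauth == 0` rather than to a new magic value, and document the trade-off for people who rely on the unadvertised AUTH.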
@@ -1055,6 +1058,9 @@
 void smtp_auth(arg)
 char *arg;
 {
+/* Really disable auth */
+  if (smtpauthdisable) { out("503 auth not available (#5.3.3)\r\n"); return; }
+
 
 /* forcetls patch */
 #ifdef TLS
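Review bot: the early `return` with `503 auth not available (#5.3.3)` sits before the forcetls check, so a disabled listener answers 503 both with and without TLS, which matches the walkthrough below; the extra blank `+` line after it is noise and should be dropped. Since that 503 text is identical to the reply given when no checkpassword program is configured, a distinct message would let the logs tell "disabled by policy" from "misconfigured run file".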

 

Reply |

First of all, to disable auth on port 25, why don't you simply avoid calling vchkpw in your run file? In that way there's no need to declare SMTPAUTH anymore.

Concerning your suggestion, what do the RFCs say? I don't have the time to check, but are you sure that you *can* declare the AUTH verb even if the auth is forbidden?

In any case I think it's better to stick with the original eh auth patch, just to simplify the future upgrades...

Thanks for the contribution :)

Reply |

disable auth patch

First of all, to disable auth on port 25, why don't you simply avoid to call vchkpw in your run file? In that way there's no need to declare SMTPAUTH anymore.

I can't make that change since it would be global. I actually need to be able to disable SMTP auth for some systems, not all so using environment variables and tcpserver is the way to do this rather than a global change to vchkpw

Concerning your suggestion, what the RFCs say? I don't have the time to check, but are you sure that you *can* declare the AUTH verb even if the auth is forbidden?

You're describing what I think is a bug. With your patch the server positively responds to AUTH even if AUTH is not advertised (and should be disabled: SMTPAUTH="-" or SMTPAUTH unset). Here's a walk through of the problem and how my patch works around it:


$ telnet localhost 25 # With SMTPAUTH unset or SMTPAUTH set to "-"
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 caretaker.intrepid.co.uk ESMTP
EHLO localhost
250-caretaker.intrepid.co.uk
250-STARTTLS
250-PIPELINING
250-8BITMIME   
250 SIZE 0

Ok, so far it hasn’t offered 250-AUTH

AUTH PLAIN
538 auth not available without TLS (#5.3.3)

That’s not right, it should say auth is unavailable fullstop!

Let’s try with openssl to support STARTTLS
$ openssl s_client -connect localhost:25 -starttls smtp
...
250 SIZE 0
AUTH PLAIN
334
mybase64creds
235 ok, go ahead (#2.0.0)

Even though AUTH was not advertised, and we explicitly asked for it to be disabled (SMTPAUTH="-"), it still accepted the AUTH username and password

With my patch (SMTPAUTH="^") AUTH really is disabled:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 caretaker.intrepid.co.uk ESMTP
EHLO localhost
250-caretaker.intrepid.co.uk
250-STARTTLS
250-PIPELINING
250-8BITMIME
250 SIZE 0

AUTH PLAIN
503 auth not available (#5.3.3)

I'm not sure my patch is the best way to solve this bug. It adds another feature (SMTPAUTH="^") which means it won't change existing behaviour (for people who rely on the hidden but available AUTH) However, if it were to follow the RFC, I believe that if AUTH is not advertised, AUTH requests should always be met with a 503

Reply |

I'm thinking again about

I'm thinking again about it... actually this is not a bug but an intentional behaviour of the auth patch. In fact it allows the auth if SMTPAUTH is not declared at all.

Please let me know if you can solve assigning the RELAYCLIENT to those IP and disabling vchkpw on the run file

Reply |

Why not assigning RELAYCLIENT?

I can't make that change since it would be global. I actually need to be able to disable SMTP auth for some systems, not all so using environment variables and tcpserver is the way to do this rather than a global change to vchkpw

Why not assigning to those systems the RELAYCLIENT variable?

Concerning the main purpose of your message, I understand now. In a normal connection (not encrypted) it should not advertise the AUTH if it is not allowed. This should be fixed.

But I can't get the bug you showed in the encrypted connection. I have

AUTH PLAIN
503 auth not available (#5.3.3)

are you using my latest combined patch, with no modifications?

Edit: uh.. this is because I don't have vchkpw.. So I think you are right. I will apply your patch. Thank you :)

Reply |

Forcetls Question

Hi

I have question about forcetls patch:

telnet localhost 25
Trying 127.0.0.1...
Connected to box.
Escape character is '^]'.
220 domain.com ESMTP
ehlo box
250-domain.com
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 67108864
250 AUTH LOGIN PLAIN CRAM-MD5
auth login
538 auth not available without TLS (#5.3.3)
quit
221 domain.com
Connection closed by foreign host.

If forcetls is active, why does the server offer authentication in an unencrypted connection?

swaks -t user@domain.com -f test@domain.com -s localhost -p25 -au test@domain.com -ap password
=== Trying localhost:25...
=== Connected to localhost.
<- 220 domain.com ESMTP
-> EHLO localhost.localdomain
<- 250-domain.com
<- 250-STARTTLS
<- 250-PIPELINING
<- 250-8BITMIME
<- 250-SIZE 67108864
<- 250 AUTH LOGIN PLAIN CRAM-MD5
-> AUTH CRAM-MD5
<** 538 auth not available without TLS (#5.3.3)
-> AUTH LOGIN
<** 538 auth not available without TLS (#5.3.3)
-> AUTH PLAIN AHRlc3RAZG9tYWluLmNvbQBwYXNzd29yZA==
<** 538 auth not available without TLS (#5.3.3)
*** No authentication type succeeded
-> QUIT
<- 221 wampir7.pl
=== Connection closed with remote host

Auth is not available without TLS, and yet the password was sent in clear text when AUTH PLAIN authentication was tried.
Is this correct and meaningful?

The correct solution - gmail.com:

telnet smtp.gmail.com 25
Trying 74.125.79.108...
Connected to smtp.gmail.com.
Escape character is '^]'.
220 mx.google.com ESMTP a10sm4909715een.6
ehlo gmail.com
250-mx.google.com at your service, [83.230.14.219]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES
auth login
530 5.7.0 Must issue a STARTTLS command first. a10sm4909715een.6
quit
221 2.0.0 closing connection a10sm4909715een.6
Connection closed by foreign host.

The server does not provide authorization for connection without encryption:

swaks -t user@domain.com -f test@gmail.com -s smtp.gmail.com -p25 -au test@gmail.com -ap password
=== Trying smtp.gmail.com:25...
=== Connected to smtp.gmail.com.
<- 220 mx.google.com ESMTP h3sm1449764eea.7
-> EHLO localhost.localdomain
<- 250-mx.google.com at your service, [83.230.14.219]
<- 250-SIZE 35882577
<- 250-8BITMIME
<- 250-STARTTLS
<- 250 ENHANCEDSTATUSCODES
*** Host did not advertise authentication
-> QUIT
<- 221 2.0.0 closing connection h3sm1449764eea.7
=== Connection closed with remote host.

No attempt at AUTH PLAIN authentication was made; the password is safe.
Is such a solution correct? Does it make sense?

In my opinion gmail has the correct solution to prevent sending an unencrypted password in the AUTH PLAIN.

Can you make a similar change to the forcetls patch in the future?

 

Cheers

Reply |

Patch update, fix wrong capabilities

Hello,

first of all this patch needs to be updated so that SSLv3 is switched off. I did this by adding the following line of code in qmail-smtpd.c and qmail-remote.c:

  if (!myssl) { tls_err("unable to initialize ssl"); return; }

  /* disable SSLv3 */
  SSL_set_options(myssl, SSL_OP_NO_SSLv3);

Then, more severe, the parsing of the capabilities in the HELO message causes Gmail to choke and refuse mail delivery TO a patched server. The CORRECT lines should be:

+#endif
+  out("\r\n250-PIPELINING\r\n250-8BITMIME\r\n");
+  if (smtpauth == 1 || smtpauth == 11) out("250 AUTH LOGIN PLAIN\r\n");
+  if (smtpauth == 3 || smtpauth == 13) out("250 AUTH LOGIN PLAIN CRAM-MD5\r\n");
+  if (smtpauth == 2 || smtpauth == 12) out("250 AUTH CRAM-MD5\r\n");
   seenmail = 0; dohelo(arg);
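Review bot: removing the dash from the AUTH lines makes them the terminating EHLO line, so this is only correct when nothing is printed after them; in a build that also carries the esmtp-size patch the `250 SIZE` line comes last, and an earlier `250 AUTH` would end the reply early and leave SIZE as a stray line. Whichever capability is emitted last is the one that must lack the dash, and the 8BITMIME line must keep it for the same reason.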

NOTE the "-" sign at 8BITMIME and the REMOVED "-" sign at AUTH lines... this is necessary to not violate the ESMTP protocol!

BR Florian

Reply |
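The RSET report, the SMTPAUTH "-" versus "^" exchange, the forcetls question and the dash discussion above all come down to a few lines of session state in qmail-smtpd. The following is an added example, not code from qmail or from any patch on this page: a small Python model of that state, so the behaviours can be run side by side. Reply texts follow those quoted in the thread; the SMTPAUTH mode numbers, the rset_keeps_auth switch and the hide_auth_without_tls option are my reading of the discussion, not the patch's own code.

```python
"""Added example, not code from qmail or from any patch discussed on this page: a
small Python model of how the patched qmail-smtpd answers EHLO, STARTTLS, AUTH,
RSET and MAIL FROM. Reply texts follow those quoted in the thread; the SMTPAUTH
mode numbers, the rset_keeps_auth switch and the hide_auth_without_tls option
are assumptions drawn from the discussion, not the patch's own code."""

# SMTPAUTH value -> smtpauth mode (assumed mapping; "!" variants require AUTH,
# unset and "-" advertise nothing, "^" is the "really off" mode proposed above).
AUTH_MODES = {None: 0, "-": 0, "": 1, "!": 11, "cram": 2, "!cram": 12,
              "+cram": 3, "!+cram": 13}
MECHS = {1: ("LOGIN", "PLAIN"), 2: ("CRAM-MD5",), 3: ("LOGIN", "PLAIN", "CRAM-MD5")}


class SmtpdModel:
    def __init__(self, smtpauth=None, forcetls=False, chkpw=True, has_cert=True,
                 rset_keeps_auth=True, hide_auth_without_tls=False, extra_caps=()):
        self.disabled = smtpauth == "^"
        self.smtpauth = 0 if self.disabled else AUTH_MODES[smtpauth]
        self.forcetls, self.chkpw, self.has_cert = forcetls, chkpw, has_cert
        self.rset_keeps_auth = rset_keeps_auth
        self.hide_auth_without_tls = hide_auth_without_tls   # the gmail-style policy
        self.extra_caps = tuple(extra_caps)                  # e.g. ("SIZE 0",)
        self.tls = self.seenauth = self.seenmail = False

    def ehlo(self):
        """Every reply line but the last carries the '-' continuation mark."""
        caps = ["STARTTLS"] if self.has_cert and not self.tls else []
        caps += ["PIPELINING", "8BITMIME"]
        mechs = MECHS.get(self.smtpauth % 10)
        if mechs and not (self.hide_auth_without_tls and self.forcetls and not self.tls):
            caps.append("AUTH " + " ".join(mechs))
        caps += list(self.extra_caps)
        return ["250-" + c for c in caps[:-1]] + ["250 " + caps[-1]]

    def starttls(self):
        if not self.has_cert:
            return "454 TLS not available (#4.3.0)"
        self.tls = True
        return "220 ready for tls"

    def auth(self, mech, valid=True):
        if self.disabled or not self.chkpw:     # "^" mode, or no vchkpw in the run file
            return "503 auth not available (#5.3.3)"
        if self.forcetls and not self.tls:
            return "538 auth not available without TLS (#5.3.3)"
        if self.seenauth:
            return "503 you're already authenticated (#5.5.0)"
        # mode 0 (SMTPAUTH unset or "-"): nothing is advertised, yet the checkpassword
        # program still runs, which is the behaviour reported in the thread
        allowed = MECHS.get(self.smtpauth % 10, MECHS[3])
        if mech.upper() not in allowed:
            return "504 auth type unimplemented (#5.5.1)"
        if not valid:
            return "535 authorization failed (#5.7.0)"
        self.seenauth = True
        return "235 ok, go ahead (#2.0.0)"

    def rset(self):
        """RSET ends the mail transaction; forgetting AUTH too was the reported bug."""
        self.seenmail = False
        if not self.rset_keeps_auth:
            self.seenauth = False
        return "250 flushed"

    def mail_from(self, sender):
        if self.smtpauth >= 11 and not self.seenauth:   # "!" modes: AUTH required
            return "530 Authentication required (#5.7.1)"
        self.seenmail = True
        return "250 ok"


def android_sequence(rset_keeps_auth):
    """STARTTLS, AUTH, RSET, then MAIL FROM, as the Android client in the thread does."""
    s = SmtpdModel(smtpauth="!", forcetls=True, rset_keeps_auth=rset_keeps_auth)
    s.starttls()
    s.auth("PLAIN")
    s.rset()
    return s.mail_from("user@example.org")              # constructed address


def plaintext_auth_probe(**cfg):
    """EHLO lines and the AUTH PLAIN reply a client gets on an unencrypted session."""
    s = SmtpdModel(**cfg)
    return s.ehlo(), s.auth("PLAIN")


if __name__ == "__main__":
    print("RSET forgets AUTH ->", android_sequence(False))
    print("RSET keeps AUTH   ->", android_sequence(True))
    for cfg in ({"smtpauth": "-"}, {"smtpauth": "^"},
                {"smtpauth": "", "forcetls": True},
                {"smtpauth": "", "forcetls": True, "hide_auth_without_tls": True}):
        caps, reply = plaintext_auth_probe(extra_caps=("SIZE 0",), **cfg)
        print(cfg, "\n  " + "\n  ".join(caps), "\n  AUTH PLAIN ->", reply)
```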

Florian, concerning the dash

Florian, concerning the dash "-" question, as you know it must be omitted just in case it will be the last command in the list. In my big patch I have:

250-STARTTLS
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250 SIZE 25000000

and this is why the dash is present.

I'm not sure it's worth modifying the patch in this page, as it will certainly be the base for other patches that need to be added, which may (or not) add a command in the list. A good practice could be to add an innocent command like BYEBYE without dash at the end, but I think that problems could arise also in this case.

Reply |

Size missing

Hello,

this is strange. After your patch I do not see "SIZE" in the output. This could be the reason then. I will investigate

Thanks so far BR

Reply |

The SIZE is due to the esmtp-size

The SIZE is due to the esmtp-size patch. I'm using this big patch http://notes.sagredo.eu/node/82#esmtp-size

Reply |

Wrong patch

Hello Roberto,

this explains it maybe: I did not use the big patch that you refer to in the link on the beginning, but only the smaller one from 11/2013. There is no size patch included, but the 250 headers are wrong. Maybe you should take this patch offline for reasons of clarity. I really overlooked that this is not the same file...

BR Florian

Reply |

that patch reflects the modifications to qmail-smtpd.c of the qmail-auth patch. But I think that you are right, so I'm going to adjust it

Reply |

updated patch

I'm embarrassed to say how many hours I lost before properly comprehending this exchange about Florian's edits. In short I was operating under the assumption that

http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06_auth_tls_force-tls.patch-latest

contained those edits. In the hope of saving time for other careless readers like me, I have edited your auth_tls_force-tls patch to incorporate the "250-8BITMIME" fix and Vermeulen's more recent qmail-tls patch (20141216) which disables SSLv3.

You can get the updated patch here.

Reply |

I corrected the patch

I corrected the patch accordingly and upgraded the qmail-authentication to 0.8.2 as well

Reply |

Hi gencoc, thanks for the contribution.

Concerning the "250-8BITMIME" fix, as said above, I'm not sure this is a fix. Anyway I'm going to write a clarification on the purpose as soon as possible

Reply |

thanks for the advise

thanks for the advice. Actually I was aware of the first issue, but didn't have time to fix it by myself. I'll do an update as soon as possible

Concerning the second problem, I will write a note to the author of the qmail-auth patch and eventually I'll correct it as well

Reply |

I have adjusted the force-tls patch accordingly. Now the program simply does an exit instead of a return if STARTTLS is not provided when required.

Reply |

Yes, I agree. This is a point where the patch deserves some improvement. I'll fix it when I have some time.

Thanks a lot for the contribution.

Reply |

How to stop unauthenticated users from sending mails

Hello, I used your installations and now my server is used to relay unauthenticated users from outlook or thunderbird to send mails through my server ... they create accounts with wrong username/password in outlook for example, only the domain is good. What can I do to stop this?

Reply |

open relay?

If I understand well, they are using your MTA to send unauthenticated mail? In that case you have an open relay and I suggest to take a look again at the page where the "qmail configuration" is explained, in particular the submission service setup on port 587.

If they are sending messages through another relay, I suggest to setup SPF, DKIM and a DMARC policy

Reply |

Re: Open Relay

Hello,

They are using outlook or any other agent to send mail without being authenticated ... for example they take one of my hosted domains and use a fake email, after this they set it in outlook, and they start sending spam. I don't use port 587.

I just tested it myself by connecting with a fake account to my server using outlook, and I'm able to send mails.

Do you have any suggestions ?

thank you

Reply |

So you are not using my installation properly. Double check your tcp.smtp file to be sure that you are not allowing the internet to send mail through your server.

Reply |

tcp.smtp

Hello,

Here's my tcp.smtp file :

127.0.0.1:allow,RELAYCLIENT=""
:allow,SIMSCAN_DEBUG="2",QMAILQUEUE="/var/qmail/bin/simscan",CHKUSER_RCPTLIMIT="15",CHKUSER_WRONGRCPTLIMIT="3",CHKUSER_START="DOMAIN"

Any ideas ?

Thank you

Reply |

your tcp.smtp is correct, but the behaviour of your server seems not to follow its setup. Are you absolutely sure that you are actually using this file, and that you have rebuilt your tcp.cdb file?

Reply |

Log qmail-smtpd

Hello,

Here's the logs of a current user who send mail from outlook :

@4000000057960ad937de0a44 CHKUSER relaying rcpt: from <Barnett.66811@domain.ltd|remoteinfo/auth:|chkuser-identify:> remote <helo:PcName|remotehostname:unknown|remotehostip:IP> rcpt <xxx@gmail.com> : client allowed to relay

@4000000057960ad937de77a4 policy_check: local Barnett.66811@domain.ltd -> remote xxx@gmail.com (UNAUTHENTICATED SENDER)
@4000000057960ad937dec5c4 policy_check: policy allows transmission
@4000000057960add2084e1ec mail recv: pid 11216 from <Barnett.66811@domain.ltd> qp 11217
@4000000057960add2084e5d4 qmail-smtpd: message accepted: Barnett.66811@domain.ltd from IP to xxx@gmail.com helo PcName
@4000000057960ae006d3083c tcpserver: end 11216 status 0
@4000000057960ae006d30c24 tcpserver: status: 0/30

Barnett.66811 is the fake user in domain.ltd (the domain exists)

Reply |
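The log lines above carry the whole story in one CHKUSER entry: an empty auth field, a foreign recipient, and "client allowed to relay". As an added example (not code from qmail, chkuser or this page), here is a small detector that scans qmail-smtpd log lines for exactly that combination and counts offenders per remote IP. It assumes that an empty `remoteinfo/auth:` field means the session never authenticated (my reading of the quoted line); the sample log is constructed, with RFC 5737 documentation addresses in place of real ones.

```python
"""Added example, not code from qmail, chkuser or this page: scan qmail-smtpd log
lines for a CHKUSER "relaying rcpt" entry whose session never authenticated yet
was "allowed to relay" to a non-local domain, the pattern quoted in the thread.
Assumptions: an empty 'remoteinfo/auth:' field means no AUTH (as in the quoted
line); the sample lines below are constructed, not taken from a real server."""
import re
from collections import Counter

CHKUSER_RE = re.compile(
    r"CHKUSER relaying rcpt: from <(?P<sender>[^|>]*)\|remoteinfo/auth:(?P<auth>[^|>]*)"
    r"\|chkuser-identify:[^>]*> remote <helo:(?P<helo>[^|>]*)\|remotehostname:[^|>]*"
    r"\|remotehostip:(?P<ip>[^>]*)> rcpt <(?P<rcpt>[^>]*)> : (?P<verdict>.*)$"
)

# Constructed sample log in the format shown in the thread: one unauthenticated
# relay, one authenticated session, one trusted RELAYCLIENT host, one delivery
# to a hosted domain, and a second unauthenticated relay from the same IP.
SAMPLE_LOG = """\
@4000000057960ad937de0a44 CHKUSER relaying rcpt: from <fake.1@domain.ltd|remoteinfo/auth:|chkuser-identify:> remote <helo:PcName|remotehostname:unknown|remotehostip:203.0.113.7> rcpt <victim@example.com> : client allowed to relay
@4000000057960ad937de77a4 policy_check: local fake.1@domain.ltd -> remote victim@example.com (UNAUTHENTICATED SENDER)
@4000000057960add2084e1ec CHKUSER relaying rcpt: from <alice@domain.ltd|remoteinfo/auth:alice@domain.ltd|chkuser-identify:> remote <helo:laptop|remotehostname:unknown|remotehostip:198.51.100.9> rcpt <bob@example.com> : client allowed to relay
@4000000057960ae006d3083c CHKUSER relaying rcpt: from <cron@domain.ltd|remoteinfo/auth:|chkuser-identify:> remote <helo:localhost|remotehostname:localhost|remotehostip:127.0.0.1> rcpt <ops@example.com> : client allowed to relay
@4000000057960ae006d30c24 CHKUSER relaying rcpt: from <fake.2@domain.ltd|remoteinfo/auth:|chkuser-identify:> remote <helo:PcName|remotehostname:unknown|remotehostip:203.0.113.7> rcpt <carol@domain.ltd> : client allowed to relay
@4000000057960ae006d30c24 CHKUSER relaying rcpt: from <fake.3@domain.ltd|remoteinfo/auth:|chkuser-identify:> remote <helo:PcName|remotehostname:unknown|remotehostip:203.0.113.7> rcpt <dave@example.net> : client allowed to relay
"""


def tai64n_to_unix(label):
    """Decode a multilog @-timestamp to seconds; TAI, so ~37 s ahead of UTC."""
    return int(label[1:17], 16) - (1 << 62)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_unauth_relays(lines, rcpthosts, relay_ips=("127.0.0.1",)):
    """Return (unix_time, sender, ip, rcpt) for every relay to a non-local domain
    done without AUTH from an address that is not a trusted RELAYCLIENT host."""
    local = {d.lower() for d in rcpthosts}
    hits = []
    for line in lines:
        m = CHKUSER_RE.search(line)
        if not m or "allowed to relay" not in m["verdict"]:
            continue
        if m["auth"].strip():                 # authenticated session: legitimate
            continue
        if m["ip"] in relay_ips:              # RELAYCLIENT via tcp.smtp: expected
            continue
        if domain_of(m["rcpt"]) in local:     # delivery to a hosted domain, not a relay
            continue
        stamp = tai64n_to_unix(line.split(" ", 1)[0])
        hits.append((stamp, m["sender"], m["ip"], m["rcpt"]))
    return hits


def offenders(hits):
    """Relaying attempts per remote IP; a real deployment would alert or block on this."""
    return Counter(ip for _, _, ip, _ in hits)


if __name__ == "__main__":
    found = find_unauth_relays(SAMPLE_LOG.splitlines(), rcpthosts=["domain.ltd"])
    for stamp, sender, ip, rcpt in found:
        print(stamp, sender, "from", ip, "->", rcpt)
    print("per-IP:", dict(offenders(found)))
```

Feed it real log lines with the server's rcpthosts entries and the IPs that get RELAYCLIENT from tcp.smtp; anything it reports is a relay the configuration did not intend.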

can you contact me in a private message, so that we can investigate what's happening? (use the "contact" button above)

Reply |

Yes i did

Hello,

Yes, I'm running qmailctl cdb every time I change this file.

I don't know what I'm missing.

Reply |

can you show your rcpthosts? You should have only your local domains there

Reply |

rcpthosts

Yes i have only my hosted domains ... one per line

Reply |
