smtp-auth + qmail-tls + forcetls patch for qmail

I wanted to patch my qmail with SMTPAUTH but I couldn't download the qmail-authentication-0.8.3 patch from http://www.fehcom.de/qmail/smtpauth.html (the link is broken) and have tried to contact the owner but haven't had any response yet. I was wondering if you'd have a copy of that patch which you can share.

yes look here https://notes.sagredo.eu/files/qmail/patches/authentication/

Perfect. Thank you!

Hi,

I am using qmail just for incoming messages , i don't need to send anything out.

I have to run qmail with starttls

But when i am running ehlo google.com , it's not popping starttls. I am running with qmail-1.03 and aplied patch on it.

Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
ehlo google.com

250-PIPELINING
250 8BITMIME

Below is my qmail-smtpd/run file :

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

# sslserver certificates
export CERTFILE="/var/qmail/control/servercert.pem"
export KEYFILE=""
export DHFILE=""
SMTPS=1
export SMTPS

# qmail options
#ALLOW_INSECURE_AUTH="1"; export ALLOW_INSECURE_AUTH
#REQUIRE_AUTH="1"; export REQUIRE_AUTH
#SMTPAUTH="";
FORCETLS=1; export FORCETLS;
#export SMTPAUTH;

if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi

if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi

exec /usr/local/bin/softlimit -m 8000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 25 /var/qmail/bin/qmail-smtpd 2>&1

Hi, which patch did you apply?

Hi Roberto,
I installed "smtp-auth + qmail-tls + forcetls patch for qmail" under your indication on Alma Linux8.5.
Installed without pop before SMTP as :

nmap
25/smtp 110/pop3 465/smtps 587/submission 995/pop3s

/home/vpopmail/etc/tcp.smtp
127.:allow,RELAYCLIENT=""
(There is not open-smtp file)

/var/qmail/control/rcpthosts
serverhostname
mydomainname

after starting qmail and if I try to send email under using SMTP-AUTH, port 465 [SSL], occured "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)".
I can receive email using port995 setting, pop3 and pop3s are stable. if I add domain name I want to send into rcpthosts, I can send it.
I can't understand what I made mistake.
There is no error log at /var/log/maillog and messagem if its failed.
Please give me some advices.

Best Regards.

Hi,

I'm not sure that this patch can work with 465 port + auth. If you don't have a particular reason to do the auth on port 465, use submission service on 587 and it will work

Hello, thank you for reply.
I change the port 465 to 587, but my mail client displays error "this server not correspond to STARTTLS, please check port setting of server".

after trying to send mail through sptps 465, /var/log/message is as below (not error):

Mar 20 04:01:16 mars smtpd[60972]: 1647716476.613492 tcpserver: pid 61265 from 126.79.158.149
Mar 20 04:01:16 mars smtpd[60972]: 1647716476.654468 tcpserver: ok 61265 mars.mydomain.net:153.126.184.121:465 :126.79.158.149::54136
Mar 20 04:01:16 mars smtpd[60972]: 1647716476.993819 tcpserver: end 61265 status 0

I guess some environment variables are not transmitted to "tcp-smtp", like open-smtp with pop before smtp option.
In my present condition, If I want to send email to Gmail address, I must write "gmail.com" in "rcpthosts" everytime, it's unconvinient.
My cert file is made by Let's Encrypt and conbined private key and cert key to one file.

My SMTPS starting scripit is below:

※tcpserver-ssl is patched NRG4U's ucspi-tcp-ssl-20050405.patch.gz
# SMTP OVER SSL[465 port]
/usr/local/bin/tcpserver-ssl -H -R -v -s -n /var/qmail/control/cert.pem -x /home/vpopmail/etc/tcp.smtp.cdb 0 465 /var/qmail/bin/qmail-smtpd `hostname` /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1 | /var/qmail/bin/splogger smtpd 3 &

some file's status are

-rw-r--r-- 1 vpopmail vchkpw 33 Mar 20 04:28 tcp.smtp
-rwsr-xr-x 1 root root 127504 Mar 18 17:08 vchkpw
-rw-r--r-- 1 vpopmail vchkpw 7299 Mar 20 02:24 cert.pem

Hi, I can't be of any help on the configuration of smtps on port 465, because I don't use it.

As far as port 587 is concerned, did you install ucspi-tcp6? if yes post your qmail-submission/run file, the entire smtp conversation via "telnet yourserver 587" and the log lines

Hi Roberto,thank you for help me.
I re-installed ucspi-tcp6 as below:.

lrwxrwxrwx 1 root root 51 Mar 20 14:07 tcpcat -> /var/qmail/net/ucspi-tcp6/ucspi-tcp6/command/tcpcat
lrwxrwxrwx 1 root root 54 Mar 20 14:07 tcpclient -> /var/qmail/net/ucspi-tcp6/ucspi-tcp6/command/tcpclient
lrwxrwxrwx 1 root root 53 Mar 20 14:07 tcprules -> /var/qmail/net/ucspi-tcp6/ucspi-tcp6/command/tcprules
lrwxrwxrwx 1 root root 58 Mar 20 14:07 tcprulescheck -> /var/qmail/net/ucspi-tcp6/ucspi-tcp6/command/tcprulescheck
lrwxrwxrwx 1 root root 54 Mar 20 14:07 tcpserver -> /var/qmail/net/ucspi-tcp6/ucspi-tcp6/command/tcpserver
lrwxrwxrwx 1 root root 49 Mar 20 14:07 who@ -> /var/qmail/net/ucspi-tcp6/ucspi-tcp6/command/who@

and you show me latest patch link, I re-installed qmail-1.06 with your patch.

My submission starting scripts is as below:

/usr/local/bin/tcpserver -H -R -l0 -x \
/home/vpopmail/etc/tcp.smtp.cdb \
-u 1004 -g 1001 0 587 \
/var/qmail/bin/qmail-smtpd-submission qmail-smtpd `hostname` \
/home/vpopmail/bin/vchkpw /bin/true 2>&1 | /var/qmail/bin/splogger smtpd 3 &

[1004 and 1001 is qmaild's one ]

# nmap localhost
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
110/tcp open pop3
587/tcp open submission

I try to connect my server.

telnet 153.126.193.183 587
220 mars.myserver.net ESMTP
EHLO mars.myserver.net
250-mars.muserver.net
250-PIPELINING
250 8BITMIME
mail from:mailfrom@myserverdomain
250 ok
rcpt to:mailto@gmail.com
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
STARTTLS
454 TLS missing certificate: error:02001002:system library:fopen:No such file or directory (#4.3.0)

※myserverdomain is added to my server by vpopmail.

In this operation, there is no error in /var/log/message.

Mar 20 15:23:45 mars smtpd[6614]: 1647757425.010646 tcpserver: pid 6663 from 126.89.158.173
Mar 20 15:23:45 mars smtpd[6614]: 1647757425.010666 tcpserver: ok 6663 mars.myserver.net:153.126.193.183:25 :126.89.158.173::56600
Mar 20 15:25:22 mars smtpd[6614]: 1647757522.714034 tcpserver: end 6663 status 0

If I add "mailto@gmail.com" into "rcpthosts".

telnet 153.126.193.183 587
220 mars.myserver.net ESMTP
EHLO mars.myserver.net
250-mars.myserver.net
250-PIPELINING
250 8BITMIME
mail from:mailfrom@myserverdomain
250 ok
rcpt to:mailto@gmail.com
data
354 go ahead
subject TEST
TEST
.
250 ok 1647750603 qp 1822

I can send and receive email.

I installed vpopmail without pop before smtp, of course.
There is not open-smtp file in /vpopmail/etc directory.
I feel strange that NO Error of "SMTP-Auth".
If SMTP-Authentidication is enable, message "530 Sorry, please use SMTP-AUTH instead" should be displayed.
And does this "ucspi-tcp6" not support SSL ? I can not set 995 pop3s port, cause I get error.
I know I still haven't learned enough about mail system.
Sorry for the hassle.

this line in your run file

/var/qmail/bin/qmail-smtpd-submission qmail-smtpd `hostname` \

points to a missing executable.

Please double check your configuration

> My submission starting scripts is as below:

> /usr/local/bin/tcpserver -H -R -l0 -x  /home/vpopmail/etc/tcp.smtp.cdb \

first of all I suggest to use separate tcprules for smtp and submission. You can simply have

:allow

for tcp.submission.

Secondly, I reccomend to do these initial tests with an essential configutation, so I suggest to comment out this

 | /var/qmail/bin/splogger smtpd 3 &

in your run file.

Thirdly, can you confirm that this patch is not installed over other qmail patches?

Do you have

export SMTPAUTH="!"

in your run file?

It's always better if you post the entire run file here...

> I try to connect my server.

telnet 153.126.193.183 587
220 mars.myserver.net ESMTP
EHLO mars.myserver.net
250-mars.muserver.net
250-PIPELINING
250 8BITMIME
mail from:mailfrom@myserverdomain
250 ok
rcpt to:mailto@gmail.com
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
STARTTLS
454 TLS missing certificate: error:02001002:system library:fopen:No such file or directory (#4.3.0)

The 553 error is normal, as this is not an open relay. It will deny you from sending as long as you don't authenticate.

But you can't auth because the auth is advertised only after STARTTLS, and you have that 454 TLS missing certificate

You can do the auth without TLS if you turn off STARTTLS with this option in your run file 

FORCETLS=0

and restart qmail. But in this case you are sending your pwd in clear text over the internet.

Therefore you have to solve your certificate problems.

> And does this "ucspi-tcp6" not support SSL ? I can not set 995 pop3s port, cause I get error.

of course yes. Your problems are due to a missing TLS certificate.

How are you creating your certificate?

Hi Roberto,thank you for support me.
I revised some files following your advises:

tcp.smtp >> :allow
export SMTPAUTH="!" << add run file

My cert.key is named "cert.pem" at /var/qmail/control, but I change it to "servercert.pem".

After reboot qmail, "clientcert.pem" file is made naturally (it's symlink to servercert.pem).

※my cert.key is made using Let's Encrypt, and I combined them to one file.

telnet test
220 mars.myserver.net ESMTP
EHLO mars.myserver.net
250-mars.myserver.net
250-STARTTLS
250-PIPELINING
250-8BITMIME
250 SIZE 0
AUTH PLAIN YWxleEB0ZW1wdC5uZXQAanVrYWk1MzEwAA==
538 auth not available without TLS (#5.3.3)

but mail client result says "530 authentication required [5.7.1]".
it was "553 not allowed rcpthosts" before, and "STARTTLS" is enabled.

I can receive email, means authenticated, but sending by 587, got auth-error.
There still seems to be a mistake.

Although it is a supplementary explanation of my mail system, I make mail process under system, I regist it to system service.
I use "systemctl start|stop qmail" command.

system file /etc/systemd/system/qmail.service

[Unit]
Description=qmail/netqmail service
After=local-fs.target network.target

[Service]
Type=forking
ExecStart=/etc/qmail/exec_qmail start

[Install]
WantedBy=multi-user.target

run file /etc/qmail/exec_qmail

#!/bin/sh
#
# qmail: /var/qmail
# chkconfig: 2345 80 30
# description: qmail start/stop script

PATH=/var/qmail/bin:/usr/local/bin:/bin:/usr/bin

#simscan[ Temporarily stopped ]
#QMAILQUEUE="/var/qmail/bin/simscan"
#export QMAILQUEUE

export SMTPAUTH="!"

# Source function library.
#. /etc/rc.d/init.d/functions

[ -f /var/qmail/rc ] || exit 0

case "$1" in
start)
# Start daemons.
echo "Starting qmail."
csh -cf '/var/qmail/rc &'

# SMTP-AUTH NO-SSL[PortT 25]
/usr/local/bin/tcpserver -H -R -l `hostname` -v -x \
/home/vpopmail/etc/tcp.smtp.cdb \
-u 1010 -g 1003 0 smtp qmail-smtpd \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

# SMTP-AUTH + SMTP OVER SSL[Port 465]
#/usr/local/bin/tcpserver -H -R -v \
#/var/qmail/control/servercert.pem -x \
#/home/vpopmail/etc/tcp.smtp.cdb 0 465 \
#/var/qmail/bin/qmail-smtpd `hostname` \
#/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1


# SMTP OP25B Submission
/usr/local/bin/tcpserver -H -R -x \
/home/vpopmail/etc/tcp.smtp.cdb 0 587 submission \
/var/qmail/bin/qmail-smtpd `hostname` \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1 \

# Vpop[Port 110]
/usr/local/bin/tcpserver -H -R -l `hostname` -v 0 pop3 \
/var/qmail/bin/qmail-popup `hostname` \
/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1

# POP3 OVER SSL[Port995]
#/usr/local/bin/tcpserver -H -R \
#/var/qmail/control/servercert.pem -l0 0 995 \
#/var/qmail/bin/qmail-popup `hostname` \
#/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1

echo
touch /var/lock/qmail
;;
stop)
# Stop daemons.
echo "Shutting down qmail2."
PID=`/bin/ps -aefw | grep qmail | awk '{print $2}'`
if [ ! -z "$PID" ] ; then
/bin/kill ${PID} 1> /dev/null 2>&1
fi
echo
rm -f /var/lock/qmail
;;
*)
echo "Usage: S99qmail {start|stop}"
exit 1
esac

exit 0

as already said in my previous reply and as qmail's output says you can't authenticate without TLS

I see that your configuration is very personal. I've never seen all the run script in one single file. If you don't have a particular reason to do like this, I suggest to read and follow these pages at least until the "Testing qmail" one.

I don't want to sound rude to you, but maintaining this guide and patches is already very time consuming and I don't always have extra time to fix other broken configurations

Dear Roberto,

I've got something strange with qmail-tls, i used FreeBSD and I've install qmail (non-tls) and qmail-tls from freebsd ports in different time (caused FreeBSD ports can't install qmail & qmail-tls in the same time). when i installed qmail (non-tls) i've no problem when sending or receiving email from any commonly mail server such as, gmail, yahoo, outlook, even my company mail server. But when i installed qmail-tls, i still can send email to all of them, and i can received from all of them except from gmail. i've monitoring of logs for qmail-smtpd, qmail-send, qmail-pop3d, and qmail-queue with tail -f while send email from gmail, but nothing log was coming in. i have no idea about. do u have any suggestion for? is it caused that gmail using TLS1.3 while the others still using TLS-1.2? or something i've missed?

Thanks for your helping, before.

Dear bellfox ace,

if you don't see anything in the logs your server didn't receive anything...  are you sure that you don't even have a connection from an external IP, like the following?

@400000005fd6a2092e6d279c tcpserver: status: 1/20 
@400000005fd6a2092e70541c tcpserver: pid 19671 from 193.56.28.30
@400000005fd6a2092f0ef964 tcpserver: ok 19671 smtp.yourserver.com:10.0.0.4:25 :193.56.28.30::55795 
@400000005fd6a21c0d4339bc tcpserver: end 19671 status 0

dear Roberto,

yes, you're right, there are logs at qmail-smtpd (current) came in. Beside, after a day gmail respons me with the message that i guest he takes from tls testing when he tries to send email to my domain, such as:

454 TLS missing certificate: error:0909006C:PEM routines:get_name:no start line (#4.3.0)

after telnet localhost 25, i do ehlo then starttls, i've got this error message what i guess gmail takes one.  I really confuse, because i can send email to gmail normally, and i forensic the original/plain message which the message i sent was encrypted (tls) completely. but otherwise, it was fail. Would u mind give me some sugestion, to solve this problem?

Thank you my friend.

note:

I thought gmail test smtp-tls clearly & completely before he send email while The other commonly email i told above keep sending email even though the error above still in there.

I think that your problem is that you misconfigured your certificate and in some way gmail is more strict than other providers... so I would try to inspect the certificate, not the server config.

Dear Roberto,

Thank you very much for emphasizing my problem, i focus at making cert .pem properly, then it solved.

You're the guy, keep health on my friend, and... Terima Kasih (bahasa).

Hi Roberto,

I need help configuring a cipher suite preference order. Running diagnostics tools such as https://testssl.sh/ and https://www.hardenize.com/  they tell me that I must configure a cipher suite preference order:

Has server cipher order? no (NOT ok)

I have no idea how to do that. Reading the qmail-tls documentation inside the patch itself, it says:

- cipher selection:
            qmail-remote: 
              openssl cipher string (`man ciphers`) read from 
              /var/qmail/control/tlsclientciphers
            qmail-smtpd: 
              openssl cipher string read from TLSCIPHERS environment variable
              (can vary based on client IP address e.g.)
              or if that is not available /var/qmail/control/tlsserverciphers

I've configured both files with:

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

But this didn't do the trick.

Have you figured this out? Have you tried running your own email server against these diagnostics tools?

Thank you in advance.

Cheers,

Gabriel.

I have played with it long time ago, but you should set the cyphers separated by colon as patch documentation states. check mine for instance:

TLSCIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256"

cheers

delphus

I'm sorry Gabriel, I've never played with this...

Hi Roberto,
I applied the roberto-netqmail-1.06_auth_tls_force-tls.patch-latest patch but I can't configure qmail with authentication and tls at the same time.

My file supervise/run is:

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl";
LOCAL=`head -1 /var/qmail/control/me`

# sslserver certificates
export CERTFILE="/var/qmail/control/servercert.pem"
export KEYFILE=""
export DHFILE=""
SMTPS=1
export SMTPS

# qmail options
ALLOW_INSECURE_AUTH="1"; export ALLOW_INSECURE_AUTH
REQUIRE_AUTH="1"; export REQUIRE_AUTH
SMTPAUTH="";
FORCETLS=1; export FORCETLS;
export SMTPAUTH;

if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtp-ssl/run
exit 1
fi

if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi

exec /usr/local/bin/softlimit -m 1500000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 465 /var/qmail/bin/qmail-smtpd-ssl /bin/checkpassword 2>&1

I can send email with tls, but the server does not ask me for the password. I can send e-mails without authentication.

Where is my error?

Thanks

Michele

Michele, your setup refers to ucspi-ssl (port 465), while my patch is for submission port 587. Please refer to this page for details https://notes.sagredo.eu/en/qmail-notes-185/configuring-qmail-83.html

Hi!

How can I enable the old and obsolote TLS 1.1 with qmail? Some partners use TLS 1.1 :-(

thanks, mark

I think you have to reverse the qmail-tls patch and install v. 20110119 (look here), but it's affected by a well known vulnerability

Hi Roberto,

The link is broken here as well:

Managing auth options

You may want to take a look to the README.auth file expecially if you are planning to enable CRAM-MD5 auth.

Be aware that you have to export SMTPAUTH in you run file.

Thank you. Corrected.

hello,

i'm newbe to start install qmail. i try to patch but I got error like this:

[root@mta88 netqmail-1.06]# patch < ../roberto-netqmail-1.06_auth_tls_force-tls.patch-latest
patching file FILES.auth
patching file LICENSE.authentication
patching file Makefile
Hunk #1 succeeded at 140 with fuzz 2 (offset 4 lines).
Hunk #2 succeeded at 824 (offset 4 lines).
Hunk #3 succeeded at 1457 (offset 4 lines).
Hunk #4 FAILED at 1552.
Hunk #5 FAILED at 1569.
Hunk #6 succeeded at 1848 (offset 5 lines).
Hunk #7 succeeded at 2130 (offset 5 lines).
Hunk #8 succeeded at 2174 (offset 5 lines).
2 out of 8 hunks FAILED -- saving rejects to file Makefile.rej
patching file Makefile-cert.mk
The next patch would create the file README.auth,
which already exists! Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored
patching file README.tls
patching file TARGETS
Hunk #4 succeeded at 326 (offset 1 line).
Hunk #5 succeeded at 392 (offset 1 line).
The next patch would create the file base64.c,
which already exists! Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored
The next patch would create the file base64.h,
which already exists! Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored
patching file case_startb.c
patching file conf-cc
patching file dns.c
patching file global.h
patching file hier.c
patching file hmac_md5.c
patching file hmac_md5.h
patching file ipalloc.h
patching file md5.h
patching file md5c.c
patching file qmail-control.9
patching file qmail-remote.8
patching file qmail-remote.c
patching file qmail-showctl.c
patching file qmail-smtpd.8
Hunk #1 succeeded at 19 (offset 5 lines).
Hunk #2 FAILED at 32.
Hunk #3 succeeded at 85 (offset 27 lines).
Hunk #4 succeeded at 125 (offset 27 lines).
Hunk #5 succeeded at 208 (offset 27 lines).
Hunk #6 succeeded at 239 (offset 27 lines).
1 out of 6 hunks FAILED -- saving rejects to file qmail-smtpd.8.rej
patching file qmail-smtpd.c
Hunk #1 FAILED at 23.
Hunk #2 succeeded at 52 (offset 3 lines).
Hunk #3 succeeded at 156 with fuzz 2 (offset 87 lines).
Hunk #4 FAILED at 97.
Hunk #5 FAILED at 112.
Hunk #6 FAILED at 130.
Hunk #7 FAILED at 143.
Hunk #8 FAILED at 234.
Hunk #9 succeeded at 310 (offset 20 lines).
Hunk #10 succeeded at 323 (offset 20 lines).
Hunk #11 succeeded at 427 (offset 20 lines).
Hunk #12 FAILED at 417.
7 out of 12 hunks FAILED -- saving rejects to file qmail-smtpd.c.rej
patching file ssl_timeoutio.c
patching file ssl_timeoutio.h
patching file tls.c
patching file tls.h
patching file update_tmprsadh.sh
[root@mta88 netqmail-1.06]#

need your advice, how to

patch like this:

patch -p1 < patchfile

qmail-remote.c:272:24: error: incomplete definition of type 'struct ssl_st'
  int state = ssl ? ssl->state : SSL_ST_BEFORE;
                    ~~~^
/usr/include/openssl/ossl_typ.h:147:16: note: forward declaration of 'struct ssl_st'
typedef struct ssl_st SSL;
               ^
qmail-remote.c:272:34: error: use of undeclared identifier 'SSL_ST_BEFORE'; did you mean
      'TLS_ST_BEFORE'?
  int state = ssl ? ssl->state : SSL_ST_BEFORE;
                                 ^~~~~~~~~~~~~
                                 TLS_ST_BEFORE
/usr/include/openssl/ssl.h:979:5: note: 'TLS_ST_BEFORE' declared here
    TLS_ST_BEFORE,
    ^
qmail-remote.c:273:15: error: use of undeclared identifier 'SSL_ST_OK'; did you mean 'TLS_ST_OK'?
  if (state & SSL_ST_OK || (!smtps && state & SSL_ST_BEFORE))
              ^~~~~~~~~
              TLS_ST_OK
/usr/include/openssl/ssl.h:980:5: note: 'TLS_ST_OK' declared here
    TLS_ST_OK,
    ^
qmail-remote.c:273:47: error: use of undeclared identifier 'SSL_ST_BEFORE'; did you mean
      'TLS_ST_BEFORE'?
  if (state & SSL_ST_OK || (!smtps && state & SSL_ST_BEFORE))
                                              ^~~~~~~~~~~~~
                                              TLS_ST_BEFORE
/usr/include/openssl/ssl.h:979:5: note: 'TLS_ST_BEFORE' declared here
    TLS_ST_BEFORE,
    ^
qmail-remote.c:340:7: warning: passing 'const char *' to parameter of type 'char *' discards qualifiers
      [-Wincompatible-pointer-types-discards-qualifiers]
  out(s1); if (s2) { out(": "); out(s2); } TLS_QUIT;
      ^~
qmail-remote.c:340:37: warning: passing 'const char *' to parameter of type 'char *' discards qualifiers
      [-Wincompatible-pointer-types-discards-qualifiers]
  out(s1); if (s2) { out(": "); out(s2); } TLS_QUIT;
                                    ^~
qmail-remote.c:394:43: warning: passing 'const char *' to parameter of type 'char *' discards qualifiers
      [-Wincompatible-pointer-types-discards-qualifiers]
      out("ZNo TLS achieved while "); out(servercert);
                                          ^~~~~~~~~~
qmail-remote.c:456:11: warning: passing 'const char *' to parameter of type 'char *' discards qualifiers
      [-Wincompatible-pointer-types-discards-qualifiers]
      out(servercert); out(" exists"); TLS_QUIT;
          ^~~~~~~~~~
qmail-remote.c:493:29: warning: passing 'unsigned char *' to parameter of type 'const char *' converts
      between pointers to integer types with different sign [-Wpointer-sign]
          if (match_partner(gn->d.ia5->data, gn->d.ia5->length)){
                            ^~~~~~~~~~~~~~~
qmail-remote.c:344:31: note: passing argument to parameter 's' here
int match_partner(const char *s, int len)
                              ^
qmail-remote.c:508:60: error: incomplete definition of type 'struct X509_name_entry_st'
        const ASN1_STRING *s = X509_NAME_get_entry(subj, i)->value;
                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^

Take a look at this patch https://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#comment1209

Hello,

Is there any way to disable smtp auth relay in port 25, and allow only for delivery to local domains?

I'd like enable smtp auth only in port 587.

Cheers

Joao

Yes, in your qmail-smtpd/run file just avoid to call  /home/vpopmail/bin/vchkpw after qmail-smtpd

Hello Roberto, thank you for replying.

Just another question about it. Maybe you can help me.

Is it possible disable smtp auth for many domains and enable just for another?
All domains will be in my rcpthosts, but I'd like to allow just some domains to send emails using smtp auth.

Sorry for my English. Did you understand?

Best
Joao

You can set up an "authsender" control file for the purpose. Take a look at the detailed info for the qmail-authentication patch here https://www.fehcom.de/qmail/smtpauth.html and inside the README file 

And also the eMPF functionality can be used to set up advanced policies for the users. Refer to its README file

Very thank you!

Cheers

Joao

Hello,

The smtp-auth + qmail-tls + forcetls patch is not compiling on debian 9. Here is the error:

qmail-remote.c: In function ‘quit’:
qmail-remote.c:286:24: error: dereferencing pointer to incomplete type ‘SSL {aka struct ssl_st}’
 int state = ssl ? ssl->state : SSL_ST_BEFORE;
 ^~
qmail-remote.c:286:34: error: ‘SSL_ST_BEFORE’ undeclared (first use in this function)
 int state = ssl ? ssl->state : SSL_ST_BEFORE;
 ^~~~~~~~~~~~~
qmail-remote.c:286:34: note: each undeclared identifier is reported only once for each function it appears in
qmail-remote.c:287:15: error: ‘SSL_ST_OK’ undeclared (first use in this function)
 if (state & SSL_ST_OK || (!smtps && state & SSL_ST_BEFORE))
 ^~~~~~~~~
qmail-remote.c: In function ‘tls_init’:
qmail-remote.c:522:60: error: dereferencing pointer to incomplete type ‘X509_NAME_ENTRY {aka struct X509_name_entry_st}’
 const ASN1_STRING *s = X509_NAME_get_entry(subj, i)->value;
 ^~
qmail-remote.c: In function ‘mailfrom_cram’:
qmail-remote.c:658:3: warning: implicit declaration of function ‘hmac_md5’ [-Wimplicit-function-declaration]
 hmac_md5(chal.s,chal.len,pass.s,pass.len,digest);
 ^~~~~~~~
qmail-remote.c: In function ‘main’:
qmail-remote.c:886:7: warning: implicit declaration of function ‘chdir’ [-Wimplicit-function-declaration]
 if (chdir(auto_qmail) == -1) temp_chdir();
 ^~~~~
qmail-remote.c:971:21: warning: implicit declaration of function ‘getpid’ [-Wimplicit-function-declaration]
 random = now() + (getpid() << 16);
 ^~~~~~
qmail-remote.c:1013:5: warning: implicit declaration of function ‘close’ [-Wimplicit-function-declaration]
 close(smtpfd);
 ^~~~~

Any chance you can fix the patch?

Thanks

Nikola

Try to downgrade your openssl to v. 1.0

There must be some problem with gcc-6, as already reported here yesterday http://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#comment971

unfortunately at the moment I've no gcc-6 machine to do tests with

Hi,  where should I store the certificate? Clientca.pem, clientcrl.pem or servercert.pem? Will the TLS working with a self signed certificate?

I get this error :

454 TLS connection failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (#4.3.0) after the auth login command.

What does it mean?

Reagrds. Marc

Hi Marc,

I forgot to mention here how to create the certificate. Please take a look to the "Creating an SSL key file" section of the big patch page here http://notes.sagredo.eu/node/82

The certificate is stored in /var/qmail/control/servercert.pem, and in my configuration must be owned by vpopmail. And yes, self signed certs work

Thanks.  I've now generated a new self signed certificate and saved in the right file but I still get the same error message after the starttls command.

220 gj3.grisjaune.com ESMTP
ehlo
250-gj3.grisjaune.com
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250 SIZE 0
starttls
220 ready for tls
auth login
454 TLS connection failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (#4.3.0)

For information: I don't use vpopmail. I work with Zarafa (which give POP and IMAP but no SMTP AUTH) on debian. To apply your patch, I started with the netqmail-1.06 from Debian (and the debian patches). So it was necessary to adjust your patch. This is probably the cause of my non fonctional system. Even if I disable the forcetls (in the code), the authentification doesn't work...

Is there a way to get more log? I don't have anything in the qmail logs nor in syslog.

Thanks for help.

Regards, Marc

so which port are you using to do the auth? 

The tls patch embedded in my combined patch does not allow the SSL_23, because of the poodle vulnerability. You must connect using TLS

It looks like there is a bug in the qmail-auth patch. I have an Android client connecting to the server (using TLS), and the client is issuing a RSET command after successfully authenticating but before sending the actual email (for whatever reasons that I don't understand). This results in the actual sending of the message failing with an "Authentication required" message (I have SMTPAUTH='!') set). The issue seems to be that, according to the SMTP RFCs, a RSET must retain authentication, yet the patch resets it (in smtp_rset()):

void smtp_rset(arg) char *arg;
{
-  seenmail = 0;
+  seenmail = 0; seenauth = 0;
+  mailfrom.len = 0; rcptto.len = 0;
   out("250 flushed\r\n");
}

I have fixed this to comment the resetting of 'seenauth':

void smtp_rset(arg) char *arg;
{
-  seenmail = 0;
+  seenmail = 0; /* seenauth = 0; */
+  mailfrom.len = 0; rcptto.len = 0;
   out("250 flushed\r\n");
}

With this, the Android client is able to connect and send email successfully.

I will also forward that to the upstream maintainer of the qmail-authentication patch, but you may also want to fix that locally for the time being.

Andreas

This bug has been fixed on august 18, 2017 version of the patch. Of course the big patch was updated as well

Andreas, I have noticed that e.h. has updated his s/qmail but he hasn't updated the qmail patch yet.. do you know if the modification he did was the same as you suggest here in your comment?

I discussed this with him and he had said that we would update his patch and include this modification. He may just want to wait until the next release for qmail-authentication patches. I looked at his most recent s/qmail code, and it looks like he did the same that I showed above in there.

yes, he mentioned your hint in the s/qmail m/l

thank you Andreas, I'll check this issue as soon as possible. 

Hello,

I have the some issue :

220 xxxxa ESMTP
4000000055f84b69318515fc 30706 < EHLO xxxxx
4000000055f84b693186082c 30706 > 250-xxxx
4000000055f84b6931860c14 30706 > 250-STARTTLS
4000000055f84b6931860ffc 30706 > 250-PIPELINING
4000000055f84b6931860ffc 30706 > 250-8BITMIME
4000000055f84b6931862f3c 30706 > 250-AUTH LOGIN PLAIN
4000000055f84b6931863324 30706 > 250 SIZE 0
4000000055f84b69358ac3a4 30706 < AUTH LOGIN
4000000055f84b69358b2d1c 30706 > 503 auth not available (#5.3.3)

Im calling vchkpw from run file ... but still i can't authenticat ... would you please tell me how you solved this issue ?

Thank you

Hi, can you post your run file?

Hello,

Here's is my run file 

#!/bin/sh

QMAILQUEUE="/var/qmail/bin/simscan" ; export QMAILQUEUE
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`*

export SMTPAUTH=''
export AUTH=1
export FORCETLS=0
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi
exec /usr/local/bin/softl

but you are not calling vchkpw as you said.. I'm not familiar with checkvpw.. I guess that the problem is there..

Yes, even if i replace the run file with /home/vpopmail/bin/vchkpw ... i always can't authenticate

ls -l /home/vpopmail/bin/vchkpw
-rwx--x--x 1 vpopmail vchkpw 123968 sept. 15 10:40 /home/vpopmail/bin/vchkpw

are you using my combined patch?

Yes, i used netqmail 1.06 with your combined patch ...

for information i had already vpopmail installed from the qmail 1.03 ... now i upgrated to netqmail with your scripts ...

But im still facing that problem ... i don't see what im doing wrong ... do you think this is a problem with the vchkpw already installed with vpopmail ?

thank you

did you recompiled vpopmail against the netqmail patched with my combined patch? If yes, what the smtp log says?

Hello,

I just recompiled vpopmail and then re-patch your netqmail with your comibned patch ... but the problem is still present ...

Any ideas ?

Thank you

Sorry, I didn't explain myself very well. Actually you have to recompile netqmail once you have installed vpopmail. If this is what you did you are ok. In the case feel free to post the smtp log

Hello,

I fixed the problem ... it was in my run file ...

this :

exec /usr/local/bin/softlimit -m 30000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" XXX 2525 \
/usr/local/bin/recordio sh -c '/var/qmail/bin/qmail-smtpd' XXX \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

Should be like this :

exec /usr/local/bin/softlimit -m "30000000" \
    /usr/local/bin/tcpserver -v -H -R -l  "$LOCAL" \
    -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" XXX 2525 \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

Thank you

Hello,

No i didn't recompiled vpopmail after make setup check for your netqmail patch comibined ... do i have to do it ?

Thank you

Roberto,

your combined patch also has another small issue with the SMTP server sending the "250-STARTTLS" capability back twice in response to an EHLO query.

The problem is in qmail-smtp.c. Your combined patch includes (in the smtp_ehlo() routine):

+#ifdef TLS
+ if (!ssl) out("\r\n250-STARTTLS");
+ if (!ssl && (stat("control/servercert.pem",&st) == 0))
+   out("\r\n250-STARTTLS");
+#endif

but this should be:

+#ifdef TLS
+ if (!ssl && (stat("control/servercert.pem",&st) == 0))
+ out("\r\n250-STARTTLS");
+#endif

I.e. there is one STARTTLS response too many.

This seems to be an issue with the qmail-tls patch (netqmail-1.06-tls-20141216.patch) not having been applied properly. (That patch is a bit weird, it patches qmail-smtp.c twice, first to add the line in question, then later to remove it again.)

Thanks for putting all of this together!

Andreas

thank you. I'll fix it asap

Edit: this bug has been fixed

Hello Roberto,

I have a question about the combined smtp-auth + qmail-tls (starttls) + forcetls patch. We have a problem with one server which refuses to accept messages send by our MTA. While tracking down with network debugging tools I found that qmail sends the EHLO three times. These are refused by the remote mailserver and qmail finally gives up. If I understand the combined patch correctly there are actually 3 EHLOs sent. On if it's via SMTPS, then after tls_init once again. And a third time unconditinally. Is this correct? Well, normally there are no problems, but one mailserver doesn't accept our mails anymore.

+ if (code >= 500) quit("DConnected to "," but greeting failed");
+ if (code != 220) quit("ZConnected to "," but greeting failed");
+
+#ifdef EHLO
+# ifdef TLS
+ if (!smtps)
+# endif
+ code = ehlo();
+
+# ifdef TLS
+ if (tls_init())
+ /* RFC2487 says we should issue EHLO (even if we might not need
+  * extensions); at the same time, it does not prohibit a server
+  * to reject the EHLO and make us fallback to HELO */
+ code = ehlo();
+# endif
+
+ code = ehlo();
+
+ if (code == 250) {
+ /* add EHLO response checks here */
+
+ /* and if EHLO failed, use HELO */
+ } else {
+#endif
+
+ substdio_puts(&smtpto,"EHLO "); substdio_put(&smtpto,helohost.s,helohost.len); substdio_puts(&smtpto,"\r\n"); substdio_flush(&smtpto); - if (smtpcode() != 250) quit("ZConnected to "," but my name was rejected");

Hi Christoph,

in my telnet tests I always get only two EHLO. The portion of code that you report is actually suspect, but I have to admit that it's not clear to me what all those "if" imply. Anyway that portion of code is exactly the code of the tls Vermulen patch, as there were no modifications/customizations by me in qmail-remote.c

Let me know if you manage to solve

Sorry, I'm nearly spamming you ... ;-)

I've been able to create a patch. I finally understood what is there too mich in the combined patch, and this is the patch for qmail-remote.c We should perhaps really discuss this further via mail - you have my address.

root@flip-vm netqmail-1.06]# diff -u qmail-remote.c.pre.patch qmail-remote.c 

--- qmail-remote.c.pre.patch 2015-08-05 17:24:19.277513324 +0200 
+++ qmail-remote.c 2015-08-06 01:05:19.583864641 +0200

@@ -544,34 +544,23 @@
code = ehlo();
# endif 
- code = ehlo();
+ if (code == 250)
+ {
+ /* add EHLO response checks here */
- if (code == 250) {
- /* add EHLO response checks here */
- 
- /* and if EHLO failed, use HELO */
- } else {
+ /* and if EHLO failed, use HELO */
+ } else { 
#endif
-
-
- substdio_puts(&smtpto,"EHLO ");
- substdio_put(&smtpto,helohost.s,helohost.len);
- substdio_puts(&smtpto,"\r\n");
- substdio_flush(&smtpto);
-
- if (smtpcode() != 250) {
- substdio_puts(&smtpto,"HELO ");
- substdio_put(&smtpto,helohost.s,helohost.len);
- substdio_puts(&smtpto,"\r\n");
- substdio_flush(&smtpto); 
- code = smtpcode();
- // CGi
- // if (code >= 500) quit("DConnected to "," but my name was rejected");
- // if (code != 250) quit("ZConnected to "," but my name was rejected");
- }
+ substdio_puts(&smtpto,"HELO ");
+ substdio_put(&smtpto,helohost.s,helohost.len);
+ substdio_puts(&smtpto,"\r\n");
+ substdio_flush(&smtpto);
+ code = smtpcode();
+ if (code >= 500) quit("DConnected to "," but my name was rejected");
+ if (code != 250) quit("ZConnected to "," but my name was rejected");
#ifdef EHLO
- }
+ } 
#endif 
if (user.len && pass.len)

to allow *only* CRAM-MD5 just use (README.auth for more info)

SMTPAUTH="!cram"

but IMHO a TLS connection is already secure with TLS v.1.2 (POODLE vulnerability was fixed in the latest patch version) and I think there's no need to force also CRAM-MD5, which turns to be useful just when you cannot force tls (on port 25 for instance) 

Hi Roberto,

Please, you can update the combined patch with the last patch, combine patch version is 2015.04.11 right now.

Thank for you work!!

Hi, the big patch 2015.04.11 already contains the latest auth-0.8.2 and tls-20141216 :-)

Hi,

I had added  export FORCETLS=0 to my run file and still it requires TLS auth.

<-  250-STARTTLS
<-  250-PIPELINING
<-  250-8BITMIME
<-  250-AUTH LOGIN PLAIN CRAM-MD5
<-  250 SIZE 0
 -> AUTH LOGIN
<** 503 auth not available (#5.3.3)
*** No authentication type succeeded
 -> QUIT

What did i done wrong?

regards

nic

Hi Nic,

it's not complaining about a missing TLS connection, it's complaining about a missing AUTH. Are you sure that you are calling vchkpwd in your run file?

Thanks Roberto. You spotted it correctly.

cheers!

Hi there, great work on your combiled patch..

I've been working to try and disable auth on port 25 and require auth on 587. So far, it it's going well..

on 587, SMTPAUTH="!"

on 25, SMTPAUTH="-"

However, I've noticed on port 25 it would advertise 250-AUTH PLAIN LOGIN, however if I submit an AUTH request, it will honor it.

I was tempted to create a patch to enforce this, when smtpauth=0 in qmail-smtpd, however that changes the way the patch works. Instead I was thinking of creating a new mode: SMTPAUTH="^" which disables auth altogether.

--- netqmail-1.06/qmail-smtpd.c 2015-01-21 02:20:52.947328493 +0000
+++ netqmail-1.06-cp/qmail-smtpd.c      2015-01-21 02:26:36.179831239 +0000
@@ -178,6 +178,7 @@
 }
 
 int smtpauth = 0;
+int smtpauthdisable = 0;
 int liphostok = 0;
 stralloc liphost = {0};
 int bmfok = 0;
@@ -249,7 +250,9 @@
   auth = env_get("SMTPAUTH");
   if (auth) {
     smtpauth = 1;
+    smtpauthdisable = 0;
     case_lowers(auth);
+    if (!case_diffs(auth,"^")) { smtpauth = 0 ; smtpauthdisable = 1 ; }
     if (!case_diffs(auth,"-")) smtpauth = 0;
     if (!case_diffs(auth,"!")) smtpauth = 11;
     if (case_starts(auth,"cram")) smtpauth = 2;
@@ -1055,6 +1058,9 @@
 void smtp_auth(arg)
 char *arg;
 {
+/* Really disable auth */
+  if (smtpauthdisable) { out("503 auth not available (#5.3.3)\r\n"); return; }
+
 
 /* forcetls patch */
 #ifdef TLS

First of all, to disable auth on port 25, why don't you simply avoid to call vchkpw in your run file? In that way there's no need to declare SMTPAUTH anymore.

Concerning your suggestion, what the RFCs say? I don't have the time to check, but are you sure that you *can* declare the AUTH verb even if the auth is forbidden?

In any case I think it's better to stick with the original eh auth patch, just to simplify the future upgrades...

Thanks for the contribution :)

First of all, to disable auth on port 25, why don't you simply avoid to call vchkpw in your run file? In that way there's no need to declare SMTPAUTH anymore.

I can't make that change since it would be global. I actually need to be able to disable SMTP auth for some systems, not all so using environment variables and tcpserver is the way to do this rather than a global change to vchkpw

Concerning your suggestion, what the RFCs say? I don't have the time to check, but are you sure that you *can* declare the AUTH verb even if the auth is forbidden?

You're describing what I think is a bug. With your patch the server postively responds to AUTH even if AUTH is not advertised (and should be disabled SMTPAUTH="-" or SMTPAUTH unset)  Here's a walk through of the problem and how my patch works around it:

$ telnet localhost 25 # With SMTPAUTH unset or SMTPAUTH set to "-"
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 caretaker.intrepid.co.uk ESMTP
EHLO localhost
250-caretaker.intrepid.co.uk
250-STARTTLS
250-PIPELINING
250-8BITMIME   
250 SIZE 0

Ok, so far it hasn’t offered 250-AUTH

AUTH PLAIN
538 auth not available without TLS (#5.3.3)

That’s not right, it should say auth is unavailable fullstop!

Let’s try with openssl to support STARTTLS
$ openssl s_client -connect localhost:25 -starttls smtp
...
250 SIZE 0
AUTH PLAIN
334
mybase64creds
235 ok, go ahead (#2.0.0)

Even though AUTH was not advertised, and we explictly asked for it to
be disabled (SMTPAUTH="-") it still accepted the AUTH username and password

With my patch (SMTPAUTH="^") AUTH really is disabled:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 caretaker.intrepid.co.uk ESMTP
EHLO localhost
250-caretaker.intrepid.co.uk
250-STARTTLS
250-PIPELINING
250-8BITMIME
250 SIZE 0

AUTH PLAIN
503 auth not available (#5.3.3)

I'm not sure my patch is the best way to solve this bug. It adds another feature (SMTPAUTH="^") which means it won't change existing behaviour (for people who rely on the hidden but available AUTH) However, if it were to follow the RFC, I believe that if AUTH is not advertised, AUTH requests should always be met with a 503

I'm thinking again about it... actually this is not a bug but an intentional behaviour of the auth patch. Infact it allows the auth if SMTPAUTH is not declared at all.

Please let me know if you can solve assigning the RELAYCLIENT to those IP and disabling vchkpw on the run file

I can't make that change since it would be global. I actually need to be able to disable SMTP auth for some systems, not all so using environment variables and tcpserver is the way to do this rather than a global change to vchkpw

Why not assigning to those systems the RELAYCLIENT variable?

Concerning the main purpose of your message, I understand now. In normal conection (not encrypted) it should not advertise the AUTH if it is not allowed. This should be fixed.

But I can't get the bug you showd in the encrypted connection. I have

AUTH PLAIN
503 auth not available (#5.3.3)

are you using my latest combined patch, with no modifications?

Edit: uh.. this is because I don't have vchkpkw.. So I think you are right. I will apply your patch. Thank you :)

HI

I have question about forcetls patch:

telnet localhost 25
Trying 127.0.0.1...
Connected to box.
Escape character is '^]'.
220 domain.com ESMTP
ehlo box
250-domain.com
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 67108864
250 AUTH LOGIN PLAIN CRAM-MD5
auth login
538 auth not available without TLS (#5.3.3)
quit
221 domain.com
Connection closed by foreign host.

If forcetls is active, why not offer authentication server in an unencrypted connection?

swaks -t user@domain.com -f test@domain.com -s localhost -p25 -au test@domain.com -ap password
=== Trying localhost:25...
=== Connected to localhost.
<- 220 domain.com ESMTP
-> EHLO localhost.localdomain
<- 250-domain.com
<- 250-STARTTLS
<- 250-PIPELINING
<- 250-8BITMIME
<- 250-SIZE 67108864
<- 250 AUTH LOGIN PLAIN CRAM-MD5
-> AUTH CRAM-MD5
<** 538 auth not available without TLS (#5.3.3)
-> AUTH LOGIN
<** 538 auth not available without TLS (#5.3.3)
-> AUTH PLAIN AHRlc3RAZG9tYWluLmNvbQBwYXNzd29yZA==
<** 538 auth not available without TLS (#5.3.3)
*** No authentication type succeeded
-> QUIT
<- 221 wampir7.pl
=== Connection closed with remote host

Auth TLS not available without a password, and so it was sent in clear text, when you try to AUTH PLAIN authentication.
Is this a correct and meaningful?

The correct solution - gmail.com:

telnet smtp.gmail.com 25
Trying 74.125.79.108...
Connected to smtp.gmail.com.
Escape character is '^]'.
220 mx.google.com ESMTP a10sm4909715een.6
ehlo gmail.com
250-mx.google.com at your service, [83.230.14.219]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES
auth login
530 5.7.0 Must issue a STARTTLS command first. a10sm4909715een.6
quit
221 2.0.0 closing connection a10sm4909715een.6
Connection closed by foreign host.

The server does not provide authorization for connection without encryption:

swaks -t user@domain.com -f test@gmail.com -s smtp.gmail.com -p25 -au test@gmail.com -ap password
=== Trying smtp.gmail.com:25...
=== Connected to smtp.gmail.com.
<- 220 mx.google.com ESMTP h3sm1449764eea.7
-> EHLO localhost.localdomain
<- 250-mx.google.com at your service, [83.230.14.219]
<- 250-SIZE 35882577
<- 250-8BITMIME
<- 250-STARTTLS
<- 250 ENHANCEDSTATUSCODES
*** Host did not advertise authentication
-> QUIT
<- 221 2.0.0 closing connection h3sm1449764eea.7
=== Connection closed with remote host.

No attempt was made AUTH PLAIN authentication, the password is safe.
Is such a solution is correct? Does it make sense?

In my opinion gmail has the correct solution to prevent sending an unencrypted password in the AUTH PLAIN.

Can you make a patch forcetls similar change in the future?

Cheers

Hello,

first of all this patch needs to be updated so that SSLv3 is switched off. I did this by adding the following line of code in qmail-smtpd.c and qmail-remote.c:

  if (!myssl) { tls_err("unable to initialize ssl"); return; }

  /* disable SSLv3 */
  SSL_set_options(myssl, SSL_OP_NO_SSLv3);

Then, more severe, the parsing of the capabilities in the HELO message causes Gmail to choke and refuse mail delivery TO a patched server. The CORRECT lines should be:

+#endif
+  out("\r\n250-PIPELINING\r\n250-8BITMIME\r\n");
+  if (smtpauth == 1 || smtpauth == 11) out("250 AUTH LOGIN PLAIN\r\n");
+  if (smtpauth == 3 || smtpauth == 13) out("250 AUTH LOGIN PLAIN CRAM-MD5\r\n");
+  if (smtpauth == 2 || smtpauth == 12) out("250 AUTH CRAM-MD5\r\n");
   seenmail = 0; dohelo(arg);

NOTE the "-" sign at 8BITMIME and the REMOVED "-" sign at AUTH lines... this is necessary to not violate the ESMTP protocol!

BR Florian

Florian, concerning the dash "-" question, as you know it must be omitted just in case it will be the last command in the list. In my big patch I have:

250-STARTTLS
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250 SIZE 25000000

and this is why the dash is present.

I'm not sure it's worth to modify the patch in this page, as it will certainly be the base for other patches that need to be added, which may (or not) add a command in the list. A good practice could be to add an innocent command like BYEBYE without dash at the end, but I think that problems could arise also in this case.

Hello,

this is strange. After your patch I do not see "SIZE" in the output. This could be the reason then. I will investigate

Thanks so far BR

The SIZE is due to the esmtp-size patch. I'm using this big patch http://notes.sagredo.eu/node/82#esmtp-size

Hello Roberto,

this explains it maybe: I did not use the big patch that you refer to in the link on the beginning, but only the smaller one from 11/2013. There is no size patch included, but the 250 headers are wrong. Maybe you should take this patch offline for reasons of clarity. I really overlooked that this is not the same file...

BR Florian

that patch reflects the modifications to qmail-smtpd.c of the qmail-auth patch. But I think that you are right, so I'm going to adjust it

I'm embarassed to say how many hours I lost before properly comprehending this exchange about florian's edits. In short I was operating under the assumption that

http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06_auth_tls_force-tls.patch-latest

contained those edits. In the  hope of saving time for other careless readers like me, I have editted your auth_tls_force-tls patch to incorporate the "250-8BITMIME" fix and Vermeulen's more recent qmail-tls patch (20141216) which disables SSLv3.

You can get the updated patch here.

I corrected the patch accordingly and upgraded the qmail-authentication to 0.8.2 as well

Hi gencoc, thanks for the contribution.

Concerning the "250-8BITMIME" fix, as said above, I'm not sure this is a fix. Anyway I'm going to write a clarification on the purpose as soon as possibile

thanks for the advise. Actually I was aware of the first issue, but didn't have time to fix it by myself. I'll do an update as soon as possibile

Concerning the second problem, I will write a note to the author of the qmail-auth patch and eventually I'll correct it as well

I have adjusted the force-tls patch accordingly. Now the program simply does an exit instead of a return if STARTTLS is not provided when required.

Yes, I agree. This is a point where the patch deserves some improvement. I'll fix it when I have some time.

Thanks a lot for the contribution.

Hello, I used your installations and now my server is used to relay unauthenticated users from outlook or thunderbird to send mails through my server ... they creates accounts with wrong username/password in outlook per example, only the domain is good. What can i do to stop this?

If I understand well, they are using your MTA to send unauthenticated mail? In that case you have an open relay and I suggest to take a look again to the page where the "qmail configuration" is explained, in particular the submission service setup on port  587.

If they are sending messages through another relay, I suggest to setup SPF, DKIM and a DMARC policy

Hello,

They are using outlook or any other agent to send mail without be authenticated ... per example they take one from my hosted domains and use fake email, after this they set it in outlook, and they start sending spams. i don't use the port 587.

I just tested my self by connecting with a fake account into my server using outlook, and im able to send mails.

Do you have any suggestions ?

thank you

So you are not using my installation properly. Double check your tcp.smtp file to be sure that you are not allowing the internet to send mail with your server. 

Hello,

Here's my tcp.smtp file :

127.0.0.1:allow,RELAYCLIENT=""
:allow,SIMSCAN_DEBUG="2",QMAILQUEUE="/var/qmail/bin/simscan",CHKUSER_RCPTLIMIT="15",CHKUSER_WRONGRCPTLIMIT="3",CHKUSER_START="DOMAIN"

Any ideas ?

Thank you

your tcp.smtp is correct, but the behaviour of your server seems not to follow its setup. Are you absolutely sure that you are actually usinig this file, and that you have rebuilt your tcp.cdb file?

Hello,

Here's the logs of a current user who send mail from outlook :

@4000000057960ad937de0a44 CHKUSER relaying rcpt: from <Barnett.66811@domain.ltd|remoteinfo/auth:|chkuser-identify:> remote <helo:PcName|remotehostname:unknown|remotehostip:IP> rcpt <xxx@gmail.com> : client allowed to relay

@4000000057960ad937de77a4 policy_check: local Barnett.66811@domain.ltd -> remote xxx@gmail.com (UNAUTHENTICATED SENDER)
@4000000057960ad937dec5c4 policy_check: policy allows transmission
@4000000057960add2084e1ec mail recv: pid 11216 from <Barnett.66811@domain.ltd> qp 11217
@4000000057960add2084e5d4 qmail-smtpd: message accepted: Barnett.66811@domain.ltd from IP to xxx@gmail.com helo PcName
@4000000057960ae006d3083c tcpserver: end 11216 status 0
@4000000057960ae006d30c24 tcpserver: status: 0/30

Barnett.66811 is the fake user in domain.ltd (domaine exist)

can you contact me in a private message, so that we can investigate what's happening? (use the "contact" button above)

Hello,

Yes im using qmailctl cdb every time i change this file.

I don't know what im missing ?

can you show your rcpthosts? You should have only your local domains there

Yes i have only my hosted domains ... one per line