TLS problem


Martin Pittelkow

27 Jul 2011, 08:40:58
– Bill's Linux Qmail Toaster
Hi there,

I've got a problem with TLS. It worked for a long time, and it stopped
working suddenly. Take a look at this:

lalelu:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 lalelu.li ESMTP
EHLO
250-lalelu.li
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN CRAM-MD5
STARTTLS
454 TLS missing certificate: error:0906D06C:PEM routines:PEM_read_bio:no start line (#4.3.0)

What do I have to do to fix the problem? I've read the old toaster
docs again and again and I've tried to google the problem, but I don't
find the solution,

Martin.

Tren Blackburn

27 Jul 2011, 14:32:00
– qmail-...@googlegroups.com
Well, the error says that the TLS certificate is missing... have you checked
that?

Martin Pittelkow

27 Jul 2011, 16:53:54
– Bill's Linux Qmail Toaster
Hi Trent,

thanks for your answer. I have - of course - checked if the
certificate is there before I posted my problem. It's located in
/var/qmail/control, the file is named servercert.pem, owned by
vpopmail:qmail, and although the file has been there, I have tried to
create a new servercert.pem - now the certificate is new, but nothing
changed.

Any hints?

Martin.



On 27 Jul., 20:32, Tren Blackburn <t...@eotnetworks.com> wrote:
> Well, the error says that the TLS certificate is missing... have you checked
> that?
>

Shane Chrisp

27 Jul 2011, 11:08:05
– qmail-...@googlegroups.com
On 27/07/11 20:40, Martin Pittelkow wrote:
> Hi there,
>
> I've got a problem with TLS. It worked for a long time, and it stopped
> working suddenly. Take a look at this:
>
> lalelu:~# telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 lalelu.li ESMTP
> EHLO
> 250-lalelu.li
> 250-STARTTLS
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE 0
> 250 AUTH LOGIN PLAIN CRAM-MD5
> STARTTLS
> 454 TLS missing certificate: error:0906D06C:PEM routines:PEM_read_bio:no start line (#4.3.0)
>
Looks like you need to run c_rehash on the directory the cert is in.
Can't be certain, but worth a try.

Shane

Martin Pittelkow

27 Jul 2011, 17:35:57
– Bill's Linux Qmail Toaster
Hi Shane,

I have started c_rehash in the directory the cert is in
(/var/qmail/control) and restarted qmail - unfortunately, this didn't solve the
problem.

Martin.

Tarique Saleh Mahmud

28 Jul 2011, 02:37:15
– qmail-...@googlegroups.com
Dear All,

I followed Bill's Linux Qmail Toaster setup guide v. 0.9.4 and set up one mail
server, which is running. I recently came to know that the TLS patch used in
this toaster had a security problem. Can anyone tell me how to update/fix this
TLS patch issue? I would appreciate it very much if there is a step-by-step
guide available to follow on a running server.

Thanks,

Tarique

Erki-Kiss Zsolt

28 Jul 2011, 04:09:50
– qmail-...@googlegroups.com
2011/7/28 Tarique Saleh Mahmud <tar...@gmgairlines.com>
You can patch manually a clean netqmail source with different updated patches. I use these:

  • Qmail-authentication patch by Erwin Hoffmann v0.7.1, released on 2010-08-05,
    which updates the patches provided by Krysztof Dabrowski and Bjoern Kalkbrenner.
    It provides cram-md5, login, plain authentication support.
    http://www.fehcom.de/qmail/smtpauth.html##PATCHES
  • Qmail-tls patch by Frederik Vermeulen v20110119
    Implements SSL or TLS encrypted and authenticated SMTP.
    http://inoa.net/qmail-tls/
  • Oversize dns patch by Christopher K. Davis
    Gets qmail to handle large DNS packets.
    http://www.ckdhr.com/ckd/qmail-103.patch
  • Reread-concurrency v2 patch by Jul
    Rereads concurrencylocal and concurrencyremote files when qmail-send receives
    a HUP signal.
    http://js.hu/package/qmail/index.html
  • Big Concurrency patch by Johannes Erdfelt
    Sets the spawn limit above 255
    http://qmail.org/big-concurrency.patch
  • Big Concurrency fix patch by Mihai Secasiu v1.0
    Fixes the breakdown of the compilation when setting the concurrency bigger
    than 509 inside conf-spawn.
    http://patchlog.com/linux/qmail-big-concurrency/
  • Qmail-queue-custom-error patch by Flavio Curti
    Enables Simscan to return the appropriate message for each e-mail it refuses
    to deliver.
    https://no-way.org/uploads/qmail-error/
  • Qmail-SPF rc5 patch by Christophe Saout
    Checks incoming mails inside the SMTP daemon, add Received-SPF lines
    and optionally block undesired transfers.
    http://www.saout.de/misc/spf/
  • Chkuser patch by Antonio Nati v2.0.9
    Performs, among the other things, a check for the existence of recipients
    during the SMTP conversation, bouncing emails of fake senders.
    http://www.interazioni.it/opensource/chkuser/
  • Qmail-bounce patch by Frank DENIS aka Jedi/Sector One
    Allows you to specify the limit for bounce messages
    in /var/qmail/control/bouncemaxbytes.
  • Qregex 20060423 originally by Andrew St. Jean
    Adds pattern matching in the badhelo, badmailfrom, badmailfromnorelay,
    badmailto, and badmailtonorelay control files. Pattern matching is case
    insensitive and logs are generated when a match is found.
    http://www.arda.homeunix.net/store/qmail/
  • Qmail TAP patch by Inter7 v1.1 (2005.06.06)
    Qmail provides the ability to make a copy of each email that flows through
    the system. This version allows for setting a different email address for
    each line in the taps control file.
    http://www.inter7.com/index.php?page=qmailtap

--
ekzsolt

Roberto Puzzanghera

28 Jul 2011, 03:36:06
– qmail-...@googlegroups.com
Hi Tarique,
I recently put together the latest versions of Hoffmann's smtp-auth and
Vermeulen's qmail-tls patches here: http://notes.sagredo.eu/node/84. I
also have an up-to-date combined patch which should be compatible with
Bill's toaster, provided that you rebuild the queue, as it includes
the big-todo patch: http://notes.sagredo.eu/node/82.
I hope it can be useful. Comments, suggestions, criticisms are always
welcome!

kind regards
Roberto Puzzanghera

Roberto Puzzanghera

28 Jul 2011, 06:08:55
– Bill's Linux Qmail Toaster
Hi Tarique, hi all,
I have an up-to-date combined patch which should be compatible with
Bill's toaster, provided that you rebuild the queue, as it
includes the big-todo patch: http://notes.sagredo.eu/node/82. It
includes the latest versions of Hoffmann's smtp-auth and Vermeulen's
qmail-tls patches.
Or you may want to start with this one http://notes.sagredo.eu/node/84,
where smtp-auth and qmail-tls are merged, and add the patches you like
to it.

I hope it can be useful. Comments, suggestions, criticisms are always
welcome!

kind regards
Roberto Puzzanghera


On 28 Jul, 08:37, "Tarique Saleh Mahmud" <tari...@gmgairlines.com>
wrote:

Tarique Saleh Mahmud

28 Jul 2011, 15:02:19
– qmail-...@googlegroups.com
Hi Roberto,

Thank you for your reply.

I will try your big-todo patch and let you know the status.

Thanks,

Tarique

arwy...@gmail.com

28 Jul 2011, 17:23:07
– Bill's Linux Qmail Toaster


On Jul 27, 9:53 pm, Martin Pittelkow <pittel...@gmail.com> wrote:
> Hi Trent,
>
> thanks for your answer. I have - of course - checked if the
> certificate is there before I posted my problem. It's located in
> /var/qmail/control, the file is named servercert.pem, owned by
> vpopmail:qmail, and although the file has been there, I have tried to
> create a new servercert.pem - now the certificate is new, but nothing
> changed.
>
> Any hints?

FWIW, mine has ownership vpopmail:vchkpw and 640
It also has a symlink clientcert.pem
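
A structural check for the file behind the 454 "no start line" error, as an added example that is not part of any post in this thread. It assumes the TLS patch reads both the private key and the certificate from servercert.pem; the function names and verdict words are made up for this example.

```shell
#!/bin/sh
# Added example: structural check of a combined PEM file such as
# /var/qmail/control/servercert.pem (path taken from the thread).
# Assumption: the file must hold a PEM private key and a PEM certificate.

# Constructed sample: armor lines around placeholder base64, not a usable key.
write_sample() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$1"
}

# Prints one verdict word; returns 0 only for "ok".
check_servercert() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 1; }
    [ -s "$f" ] || { echo "empty"; return 1; }
    # "no start line" means the PEM reader found no "-----BEGIN " line,
    # e.g. because the file is DER-encoded.
    grep -q '^-----BEGIN ' "$f" || { echo "no-start-line"; return 1; }
    grep -q '^-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "no-certificate"; return 1; }
    grep -Eq '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" ||
        { echo "no-private-key"; return 1; }
    # Every BEGIN line needs its END line, or a block was cut short.
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    [ "$begins" -eq "$ends" ] || { echo "truncated"; return 1; }
    # The file carries the private key, so "other" must not have read access
    # (the working setup reported in the thread uses mode 640).
    case $(ls -lL "$f" | cut -c8) in
        r) echo "world-readable"; return 1 ;;
    esac
    echo "ok"
}

# Usage: sh check_servercert.sh /var/qmail/control/servercert.pem
if [ "$#" -gt 0 ]; then
    check_servercert "$1"
    ls -lL "$1"   # owner/group/mode, to compare with the SMTP daemon's user
fi
```

Run it as root and compare the owner and group printed by `ls` with the account the SMTP daemon runs under, since root can read the file regardless of its mode.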