Mailing List Archive

Looking for help with qmail+auth
Hi all. I've been running qmail successfully for a while, and usually
have been able to find what I need in the various docs, but this one
has me stumped.

I'm running on a pretty up to date (< 1 month) gentoo server.

I fairly recently reconfigured one of my servers to use auth, so that
a user could connect from outside to relay mail. I'm running the
netqmail-1.0.6-r2 ebuild, which includes
netqmail-1.05-tls-smtpauth-20070417.patch.

I followed the instructions in
http://www.fehcom.de/qmail/smtpauth.html. Here's my run file:
--------------------------
#!/bin/bash
# Gentoo Startup script for qmail's SMTP daemon
# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/run-qmail-smtpd,v 1.1 2006/02/12 18:42:33 hansmi Exp $

# If you need to edit this file, please look at editing conf-smtpd and
# conf-common first. If you still need to change this file, you should probably
# file a bug on the bugzilla saying what you wanted to change so that
# modifications can be made possible via the configuration files.

# hacked by jrd after reading http://www.fehcom.de/qmail/smtpauth.html

SERVICE=smtp
export SMTPAUTH=''
. /var/qmail/bin/qmail-config-system && \
exec /usr/bin/softlimit ${SOFTLIMIT_OPTS} \
${QMAIL_TCPSERVER_PRE} \
/usr/bin/tcpserver ${TCPSERVER_OPTS} -x ${TCPSERVER_RULESCDB} \
-c ${MAXCONN} -u ${QMAILDUID} -g ${NOFILESGID} \
${TCPSERVER_HOST} 587 \
${QMAIL_SMTP_PRE} /var/qmail/bin/qmail-${SERVICE}d /bin/checkpassword true ${QMAIL_SMTP_POST} \
2>&1
--------------------------

After a little bit of fooling around I got it working. My user could
connect from outside, authenticate, and send mail.

But then yesterday, it broke. The symptom was that the mail client
would try to connect, and hang.

I debugged a bit. checkpassword is correctly installed and working. I
can do `printf "%s\0%s\0%s\0" user pass time | checkpassword id 3<&0`
and have it do the right thing.

qmail-smtpd is working correctly for other traffic, i.e., I can send mail
through when I connect to it on port 25.

When I watch the wire with wireshark, I see the client connect with
SYN, SYN/ACK, ACK, then silence. This is true of multiple clients.
/var/log/qmail/qmail-smtp/current records no events. There is an
instance of qmail-smtpd launched for every connect attempt. If I svc
-d the service, they all exit and I get a bunch of RSTs.

I'm looking for hints. What would cause the server to start but hang?
Any help appreciated.

Thanks in advance...
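A small probe for exactly the symptom described above (TCP handshake completes, then silence, nothing in the log). It is an added example, not part of the original post or of the qmail distribution; the host name, EHLO name and timeouts are assumptions. It reports whether a 220 banner ever arrives on the submission port, and if so whether EHLO advertises AUTH, and it includes a local silent listener so the "no banner" case can be reproduced offline.

```python
# Added example (not from the original post): probe a submission port for the
# thread's symptom.  Host names, timeouts and the EHLO name are assumptions.
import socket
import threading

def parse_ehlo(reply):
    """Split a multi-line EHLO reply into (code, [capability lines])."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    code = int(lines[0][:3]) if lines and lines[0][:3].isdigit() else 0
    # the first 250 line is the server's greeting name, not a capability
    caps = [ln[4:].strip() for ln in lines[1:] if ln[:3].isdigit()]
    return code, caps

def auth_mechanisms(caps):
    """SASL mechanisms named after the AUTH keyword, e.g. ['LOGIN', 'PLAIN']."""
    for cap in caps:
        words = cap.split()
        if words and words[0].upper() == "AUTH":
            return [w.upper() for w in words[1:]]
    return []

def probe_submission(host, port=587, timeout=10.0):
    """'no-banner': TCP accepted but the server never sends 220 (the thread's
    failure mode); 'no-auth': banner but no AUTH; 'auth': AUTH + mechanisms."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = s.makefile("rb")
        try:
            banner = rd.readline().decode(errors="replace")
        except socket.timeout:
            banner = ""
        if not banner.startswith("220"):
            return {"state": "no-banner", "mechanisms": []}
        s.sendall(b"EHLO probe.example\r\n")
        reply = ""
        while True:  # read until the final '250 ' line (space, not dash)
            line = rd.readline().decode(errors="replace")
            reply += line
            if not line or line[3:4] == " ":
                break
        s.sendall(b"QUIT\r\n")
        mechs = auth_mechanisms(parse_ehlo(reply)[1])
        return {"state": "auth" if mechs else "no-auth", "mechanisms": mechs}

def silent_listener():
    """Local server that accepts and never speaks (the thread's symptom); returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    held = []  # keep the accepted connection open so the client sees silence
    threading.Thread(target=lambda: held.append(srv.accept()), daemon=True).start()
    return srv.getsockname()[1]
```

Against a real host, `probe_submission("mail.example.org")` returning `no-banner` means the hang is before qmail-smtpd's greeting (tcpserver/softlimit/checkpassword environment, not the client's TLS setting), while `no-auth` points at the SMTPAUTH configuration instead.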
RE: Looking for help with qmail+auth [ In reply to ]
Possible SSL library upgrade, causing mismatched dynamic libs? Sounds like a TLS handoff issue, or the client may have switched to SSL and is expecting an SSL handshake and not getting it.

Check that the client is set to TLS (and not AUTO or SSL); use a TLS-aware client or openssl s_client to test.

-michael

-----Original Message-----
From: jrd@jrd.org [mailto:jrd@jrd.org]
Sent: Friday, 4 October 2013 9:18 PM
To: qmail@list.cr.yp.to
Subject: Looking for help with qmail+auth

Hi all. I've been running qmail successfully for a while, and usually have been able to find what I need in the various docs, but this one has me stumped.

I'm running on a pretty up to date (< 1 month) gentoo server.

I fairly recently reconfigured one of my servers to use auth, so that a user could connect from outside to relay mail. I'm running the
netqmail-1.0.6-r2 ebuild, which includes netqmail-1.05-tls-smtpauth-20070417.patch.

I followed the instructions in
http://www.fehcom.de/qmail/smtpauth.html. Here's my run file:
--------------------------
#!/bin/bash
# Gentoo Startup script for qmail's SMTP daemon
# $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/run-qmail-smtpd,v 1.1 2006/02/12 18:42:33 hansmi Exp $

# If you need to edit this file, please look at editing conf-smtpd and
# conf-common first. If you still need to change this file, you should probably
# file a bug on the bugzilla saying what you wanted to change so that
# modifications can be made possible via the configuration files.

# hacked by jrd after reading http://www.fehcom.de/qmail/smtpauth.html

SERVICE=smtp
export SMTPAUTH=''
. /var/qmail/bin/qmail-config-system && \
exec /usr/bin/softlimit ${SOFTLIMIT_OPTS} \
${QMAIL_TCPSERVER_PRE} \
/usr/bin/tcpserver ${TCPSERVER_OPTS} -x ${TCPSERVER_RULESCDB} \
-c ${MAXCONN} -u ${QMAILDUID} -g ${NOFILESGID} \
${TCPSERVER_HOST} 587 \
${QMAIL_SMTP_PRE} /var/qmail/bin/qmail-${SERVICE}d /bin/checkpassword true ${QMAIL_SMTP_POST} \
2>&1
--------------------------

After a little bit of fooling around I got it working. My user could connect from outside, authenticate, and send mail.

But then yesterday, it broke. The symptom was that the mail client would try to connect, and hang.

I debugged a bit. checkpassword is correctly installed and working. I can do `printf "%s\0%s\0%s\0" user pass time | checkpassword id 3<&0` and have it do the right thing.

qmail-smtpd is working correctly for other traffic, i.e., I can send mail through when I connect to it on port 25.

When I watch the wire with wireshark, I see the client connect with SYN, SYN/ACK, ACK, then silence. This is true of multiple clients.
/var/log/qmail/qmail-smtp/current records no events. There is an instance of qmail-smtpd launched for every connect attempt. If I svc -d the service, they all exit and I get a bunch of RSTs.

I'm looking for hints. What would cause the server to start but hang?
Any help appreciated.

Thanks in advance...
Re: Looking for help with qmail+auth [ In reply to ]
Hi,

probably my SMTP Auth package is not the same as provided in your patch:

> netqmail-1.05-tls-smtpauth-20070417.patch.

Either you setup your server with the docs provided with this patch - or -

in case you need both, TLS + Auth, I recommend my Spamcontrol patch.

You find it here:

* http://www.fehcom.de/qmail/spamcontrol.html

Docs about the TLS implementation I've done can be found here:

* http://www.fehcom.de/qmail/smtptls.html

However, this requires installing ucspi-ssl (> 0.8) as well:

* http://www.fehcom.de/ipnet/ucspi-ssl.html

If you prefer an IPv4/IPv6 classless address filter I recommend:

* http://www.fehcom.de/ipnet/ucspi-tcp6.html


Best regards.
--eh.


Am 04.10.2013 um 13:18 schrieb jrd@jrd.org:

> Hi all. I've been running qmail successfully for a while, and usually
> have been able to find what I need in the various docs, but this one
> has me stumped.
>
> I'm running on a pretty up to date (< 1 month) gentoo server.
>
> I fairly recently reconfigured one of my servers to use auth, so that
> a user could connect from outside to relay mail. I'm running the
> netqmail-1.0.6-r2 ebuild, which includes
>
>
> I followed the instructions in
> http://www.fehcom.de/qmail/smtpauth.html. Here's my run file:
> --------------------------
> #!/bin/bash
> # Gentoo Startup script for qmail's SMTP daemon
> # $Header: /var/cvsroot/gentoo-x86/mail-mta/netqmail/files/run-qmail-smtpd,v 1.1 2006/02/12 18:42:33 hansmi Exp $
>
> # If you need to edit this file, please look at editing conf-smtpd and
> # conf-common first. If you still need to change this file, you should probably
> # file a bug on the bugzilla saying what you wanted to change so that
> # modifications can be made possible via the configuration files.
>
> # hacked by jrd after reading http://www.fehcom.de/qmail/smtpauth.html
>
> SERVICE=smtp
> export SMTPAUTH=''
> . /var/qmail/bin/qmail-config-system && \
> exec /usr/bin/softlimit ${SOFTLIMIT_OPTS} \
> ${QMAIL_TCPSERVER_PRE} \
> /usr/bin/tcpserver ${TCPSERVER_OPTS} -x ${TCPSERVER_RULESCDB} \
> -c ${MAXCONN} -u ${QMAILDUID} -g ${NOFILESGID} \
> ${TCPSERVER_HOST} 587 \
> ${QMAIL_SMTP_PRE} /var/qmail/bin/qmail-${SERVICE}d /bin/checkpassword true ${QMAIL_SMTP_POST} \
> 2>&1
> --------------------------
>
> After a little bit of fooling around I got it working. My user could
> connect from outside, authenticate, and send mail.
>
> But then yesterday, it broke. The symptom was that the mail client
> would try to connect, and hang.
>
> I debugged a bit. checkpassword is correctly installed and working. I
> can do `printf "%s\0%s\0%s\0" user pass time | checkpassword id 3<&0`
> and have it do the right thing.
>
> qmail-smtpd is working correctly for other traffic, i.e., I can send mail
> through when I connect to it on port 25.
>
> When I watch the wire with wireshark, I see the client connect with
> SYN, SYN/ACK, ACK, then silence. This is true of multiple clients.
> /var/log/qmail/qmail-smtp/current records no events. There is an
> instance of qmail-smtpd launched for every connect attempt. If I svc
> -d the service, they all exit and I get a bunch of RSTs.
>
> I'm looking for hints. What would cause the server to start but hang?
> Any help appreciated.
>
> Thanks in advance...

--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
Re: Looking for help with qmail+auth [ In reply to ]
In article <4F5970F981DA4242B0D18A2FA75F1B9003366A0426@thomas.mikeit.com.au> you write:
>Possible SSL library upgrade, causing mismatched dynamic libs? Sounds like a TLS handoff issue, or the client may have switched to SSL and is
>expecting an SSL handshake and not getting it.
>
>Check that the client is set to TLS (and not AUTO or SSL); use a TLS-aware client or openssl s_client to test.

I have a version of ofmipd with an openssl patch and something in
openssl changed recently so that there are phenomenally awful delays
doing the handshake.

I fixed it by switching to mailfront and its new-ish auth plugin,
using a gnutls plugin I wrote.

R's,
John
Looking for help with qmail+auth [ In reply to ]
From: Erwin Hoffmann <feh@fehcom.de>
Date: Fri, 4 Oct 2013 14:30:06 +0200

Hi,

probably my SMTP Auth package is not the same as provided in your patch:

> netqmail-1.05-tls-smtpauth-20070417.patch.

Hmmm. The comment in the patch is

This patch for netqmail 1.05 is a composite of the latest versions of Frederik
Vermulen's TLS patch (20070408) and Erwin Hoffmann's SMTP-AUTH (0.5.8) update
to Eric M. Johnston's and Krzysztof Dabrowski's qmail-smtpd-auth-0.31 patch.

And it says to follow your instructions at
http://www.fehcom.de/qmail/smtpauth.html to configure. That's why I
figured it was the right thing to use :-)

Either you setup your server with the docs provided with this patch - or -

in case you need both, TLS + Auth, I recommend my Spamcontrol patch.

I'm actually only trying to do AUTH right now, though I grant you that
I really should be doing TLS. This is kind of a short-term thing so I
was trying to do it the less complex way.

You find it here:

* http://www.fehcom.de/qmail/spamcontrol.html

Docs about the TLS implementation I've done can be found here:

* http://www.fehcom.de/qmail/smtptls.html

However, this requires installing ucspi-ssl (> 0.8) as well:

* http://www.fehcom.de/ipnet/ucspi-ssl.html

If you prefer an IPv4/IPv6 classless address filter I recommend:

* http://www.fehcom.de/ipnet/ucspi-tcp6.html


Best regards.
--eh.

Thanks for the bits.

From: "Michael J. Carmody" <michael@mikeit.com.au>
Date: Fri, 4 Oct 2013 12:28:37 +0000

Possible SSL library upgrade, causing mismatched dynamic libs? Sounds like a TLS handoff issue, or the client may have switched to SSL and is expecting an SSL handshake and not getting it.

Check that the client is set to TLS (and not AUTO or SSL); use a TLS-aware client or openssl s_client to test.

-michael

Per above, I don't believe SSL is in the mix.

I think I need to go back to square one and build it up piece by piece
following the instructions carefully.
Looking for help with qmail+auth [ In reply to ]
From: jrd@jrd.org
Date: Fri, 4 Oct 2013 11:04:59 -0400
[...]
I think I need to go back to square one and build it up piece by piece
following the instructions carefully.

FWIW, this turned out to be something unrelated to qmail. I rebooted
the server for other reasons, and it came back up working. The posted
instructions work fine.

Thanks again...