Mailing List Archive

inbound mail from google requiring tls
On 6/24/2022 3:27 PM, Brian Reichert wrote:
> This spring, Google decided to be dicks, and started rejecting my
> email, with very uninformative messages in the bounces.

Speaking of which, I have (and most might start seeing) a similar
problem inbound.

Google is offering the ability to require outbound TLS.

see: https://support.google.com/a/answer/2520500

When those folks try to send me mail, Google bounces it back to them --
with the response "A policy required TLS transmission, but a TLS
connection could not be established"

I suppose it's since I don't support opportunistic tls on port 25.

I do have TLS hooked on 465, but I don't see any connection attempt there
- at least from a regular gmail.com account.


Anyone have to deal with this? Does ucspi-ssl/sslserver solve this
problem as a [mostly] drop-in replacement for tcpserver?


--

Jeremy Kister
https://jeremy.kister.net/
Re: inbound mail from google requiring tls [ In reply to ]
On 28 Jun 2022, at 16:27, Jeremy Kister wrote:

> I suppose it's since I don't support opportunistic tls on port 25.
> [...]
> Anyone have to deal with this? Does ucspi-ssl/sslserver solve this
> problem as a [mostly] drop-in replacement for tcpserver?

If I understand the need correctly, yes, with a little help. The
"Incoming SMTP" section of https://schmonz.com/qmail/acceptutils/switch
describes how I'm currently handling this.

- Amitai
Re: inbound mail from google requiring tls [ In reply to ]
It appears that Jeremy Kister <qmail-09@jeremykister.com> said:
>On 6/24/2022 3:27 PM, Brian Reichert wrote:
> > This spring, Google decided to be dicks, and started rejecting my
> > email, with very uninformative messages in the bounces.
>
>Speaking of which, I have (and most might start seeing) a similar
>problem inbound.
>
>Google is offering the ability to require outbound TLS.
>
>see: https://support.google.com/a/answer/2520500
>
>When those folks try to send me mail, Google bounces it back to them --
>with the response "A policy required TLS transmission, but a TLS
>connection could not be established"
>
>I suppose it's since I don't support opportunistic tls on port 25.

Bad move. That's the only place SMTP supports TLS.

>I do have tls hooked on 465, but I dont see any connection attempt there
>- at least from a regular gmail.com account.

Port 465 is submission, not SMTP.

I gave up on qmail-smtpd a long time ago and use mailfront instead.
It's a lot better and is very easy to integrate with the rest of qmail.
Re: inbound mail from google requiring tls [ In reply to ]
Hi Jeremy,

I suppose

- you have tcpserver listening on port 25 (feeding qmail-smtpd),
- stunnel (with some unknown setup) reading/writing TLS-encrypted
connections on port 465 and providing the plaintext messages to
qmail-smtpd.



On Tuesday, 28.06.2022 at 16:27 -0400, Jeremy Kister wrote:
> On 6/24/2022 3:27 PM, Brian Reichert wrote:
>  > This spring, Google decided to be dicks, and started rejecting my
>  > email, with very uninformative messages in the bounces.
>
> Speaking of which, I have (and most might start seeing) a similar
> problem inbound.
>
> Google is offering the ability to require outbound TLS.
>
> see: https://support.google.com/a/answer/2520500
>
> When those folks try to send me mail, Google bounces it back to them
> --
> with the response "A policy required TLS transmission, but a TLS
> connection could not be established"
>
> I suppose it's since I don't support opportunistic tls on port 25.
>
> I do have tls hooked on 465, but I dont see any connection attempt
> there
> - at least from a regular gmail.com account.
>
>
> Anyone have to deal with this? Does ucspi-ssl/sslserver solve this
> problem as a [mostly] drop-in replacement for tcpserver?
>

I can't say much about Google's policy here.
But for sure, ucspi-ssl's sslserver can handle opportunistic TLS
connections using STARTTLS on port 25. However, your qmail-smtpd server
has to be enabled to do so, because now we have a mixture of plaintext
and TLS-encrypted traffic to handle.

There exist several patches (including my old Spamcontrol) making
qmail-smtpd able to speak STARTTLS (or handle TLS connections on their
own behalf; either TLS or STARTTLS).

However, I strongly recommend using TLS 1.3-capable implementations.
The ones I provide are able to do so.

Port 465 can't be reached via standard MX connections; it has been
defined (recently) to provide (strong) TLS Submission (Auth)
capabilities (only).

Regards.
--eh.

PS: Of course, my s/qmail can handle this; but other solutions exist as
well; in particular Manvendra's indimail. Your choice.



--
Dr. Erwin Hoffmann | www.fehcom.de
PGP key-id: 20FD6E671A94DC1E
PGP key-fingerprint: 8C6B 155B 0FDA 64F1 BCCE A6B9 20FD 6E67 1A94 DC1E
Re: inbound mail from google requiring tls [ In reply to ]
On Thu, 30 Jun 2022 at 00:54, Erwin Hoffmann <feh@fehcom.de> wrote:
> PS: Of course, my s/qmail can handle this; but other solutions exist as
> well; in particular Manvendra's indimail. Your choice.
>
qmail-smtpd from indimail-mta supports native STARTTLS. Apart from
that, I wrote dotls, which offers STARTTLS for unpatched qmail-smtpd by
invoking qmail-smtpd like this:

tcpserver 0 25 /usr/bin/dotls -n "" -s smtp /var/qmail/bin/qmail-smtpd

-n "" can be replaced with your own certificate path.

The man page for dotls is
https://raw.githubusercontent.com/mbhangui/indimail-mta/master/ucspi-tcp-x/dotls.1

dotls is available as part of indimail-mta as well as a standalone
executable through a patch for ucspi-tcp-0.88

https://sourceforge.net/projects/indimail/files/netqmail-addons/ucspi-tcp/ucspi-tcp-0.88-tls-1.3.patch.gz

I may have to update the patch and sync it with the latest code from
indimail-mta, where I had fixed a few bugs:

https://github.com/mbhangui/indimail-mta/blob/master/ucspi-tcp-x/dotls.c

dotls also offers STLS extension for qmail-pop3d

Examples of dotls usage
1. Add STARTTLS extension for qmail-smtpd
tcpserver 0 25 /usr/bin/dotls -n "" -s smtp /var/qmail/bin/qmail-smtpd
2. Provide SMTPS service on port 465 for qmail-smtpd
tcpserver 0 465 /usr/bin/dotls -n "" /var/qmail/bin/qmail-smtpd
3. Add STLS extension for qmail-pop3d
tcpserver 0 110 /usr/bin/dotls -n "" -s pop3 qmail-popup host \
checkpassword qmail-pop3d Maildir
4. Provide POP3S service on port 993 for qmail-pop3d
tcpserver 0 993 /usr/bin/dotls -n "" qmail-popup host checkpassword \
qmail-pop3d Maildir
5. Run a script under tcpclient that connects to an SSL server on port 5555;
reading from fd 0 reads from the network and writing to fd 1 writes to the network
tcpclient 0 5555 /usr/bin/dotls -n "" -C /usr/bin/myscript
6. Run a script under tcpclient that connects to an SSL server on port 5555;
reading from fd 6 reads from the network and writing to fd 7 writes to the network
tcpclient 0 5555 /usr/bin/dotls -n "" -CT /usr/bin/myscript
--
Regards Manvendra - http://www.indimail.org
GPG Pub Key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC7CBC760014D250C
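An added check (not code from the thread, dotls or ucspi-ssl) for what both the sslserver and dotls routes above are meant to achieve: an MX that advertises STARTTLS on port 25, which is what Google's "require TLS" policy needs before it delivers. The parser runs offline on constructed EHLO responses; the live helper wraps openssl s_client, and mx.example.net is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread, dotls or ucspi-ssl): does an MX
# advertise STARTTLS on port 25? That is what Google's "require TLS"
# policy needs; a sending MTA never tries port 465, so 25 is the port to check.

# Constructed EHLO responses: a qmail-smtpd with STARTTLS (via dotls or
# sslserver) and a stock qmail-smtpd without it.
EHLO_WITH_STARTTLS='250-mx.example.net
250-PIPELINING
250-STARTTLS
250 8BITMIME'
EHLO_WITHOUT_STARTTLS='250-mx.example.net
250-PIPELINING
250 8BITMIME'

# ehlo_advertises_starttls: read an EHLO response on stdin; succeed only if
# a "250-STARTTLS" / "250 STARTTLS" line is present (RFC 3207 keyword,
# matched case-insensitively as RFC 5321 permits; CRLF tolerated).
ehlo_advertises_starttls() {
    tr -d '\r' | awk '
        toupper($0) ~ /^250[- ]STARTTLS[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_live_mx HOST [PORT]: do the real STARTTLS exchange with openssl
# s_client and report the negotiated protocol; a failure here is what makes
# Google bounce with "A policy required TLS transmission, but a TLS
# connection could not be established". Needs network access.
check_live_mx() {
    host=$1; port=${2:-25}
    if out=$(openssl s_client -starttls smtp -connect "$host:$port" </dev/null 2>&1) \
       && printf '%s\n' "$out" | grep -q '^New, '; then
        proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
        printf '%s:%s STARTTLS ok, negotiated %s\n' "$host" "$port" "$proto"
    else
        printf '%s:%s STARTTLS failed\n' "$host" "$port"
        return 1
    fi
}

# "--live HOST [PORT]" probes a real MX; otherwise run the offline self-check.
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    check_live_mx "$2" "${3:-25}"
else
    printf '%s\n' "$EHLO_WITH_STARTTLS" | ehlo_advertises_starttls \
        && echo "constructed response with STARTTLS: advertised"
    printf '%s\n' "$EHLO_WITHOUT_STARTTLS" | ehlo_advertises_starttls \
        || echo "constructed response without STARTTLS: not advertised"
fi
```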
Re: inbound mail from google requiring tls [ In reply to ]
Hi Manvendra,

Your solution seems to be usable for this particular case.

The scope of sslserver is different, though:

Supporting client authentication as well.

I know this is not required here.

Interesting solution, though ;-)

Regards.
--eh.



On Thursday, 30.06.2022 at 02:06 +0530, Manvendra Bhangui wrote:
> On Thu, 30 Jun 2022 at 00:54, Erwin Hoffmann <feh@fehcom.de> wrote:
> > PS: Of course, my s/qmail can handle this; but other solutions
> > exist as
> > well; in particular Manvendra's indimail. Your choice.
> >
> qmail-smtpd from indimail-mta supports native starttls. Apart from
> that I wrote dotls which offers starttls for unpatched qmail-smtpd by
> invoking qmail-smtpd like this
>
> tcpserver 0 25 /usr/bin/dotls -n "" -s smtp /var/qmail/bin/qmail-
> smtpd
>
> -n "" can be replaced with your own certificate path
>
> The man page for dotls is
> https://raw.githubusercontent.com/mbhangui/indimail-mta/master/ucspi-tcp-x/dotls.1
>
> dotls is available as part of indimail-mta as well as a standalone
> executable through a patch for ucspi-tcp-0.88
>
> https://sourceforge.net/projects/indimail/files/netqmail-addons/ucspi-tcp/ucspi-tcp-0.88-tls-1.3.patch.gz
>
> I may have to update the patch and sync it with the latest code from
> indimail-mta where I had fixed few bugs
>
> https://github.com/mbhangui/indimail-mta/blob/master/ucspi-tcp-x/dotls.c
>
> dotls also offers STLS extension for qmail-pop3d
>
> Examples of dotls usage
> 1. Add STARTTLS extension for qmail-smtpd
> tcpserver 0 25 /usr/bin/dotls -n "" -s smtp /var/qmail/bin/qmail-
> smtpd
> 2. Provide SMTPS service on port 465 for qmail-smtpd
> tcpserver 0 465 /usr/bin/dotls -n "" /var/qmail/bin/qmail-smtpd
> 3. Add STLS extension for qmail-pop3d
> tcpserver 0 110 /usr/bin/dotls -n "" -s pop3 qmail-popup host \
> checkpassword qmail-pop3d Maildir
> 4. Provide POP3S service on port 993 for qmail-pop3d
> tcpserver 0 993 /usr/bin/dotls -n "" qmail-popup host checkpassword \
> qmail-pop3d Maildir
> 5. Run a script under tcpclient that connects to a SSL server on port
> 5555
> read from fd 0 reads from network & write to fd 1 writes to network
> tcpclient 0 555 /usr/bin/dotls -n "" -C /usr/bin/myscript
> 6. Run a script under tcpclient that connects to a SSL server on port
> 5555
> read from fd 6 reads from network & write to fd 7 writes to network
> tcpclient 0 555 /usr/bin/dotls -n "" -CT /usr/bin/myscript

--
Dr. Erwin Hoffmann | www.fehcom.de
PGP key-id: 20FD6E671A94DC1E
PGP key-fingerprint: 8C6B 155B 0FDA 64F1 BCCE A6B9 20FD 6E67 1A94 DC1E
Re: inbound mail from google requiring tls [ In reply to ]
On Thu, 30 Jun 2022 at 02:06, Manvendra Bhangui <mbhangui@gmail.com> wrote:
> dotls is available as part of indimail-mta as well as a standalone
> executable through a patch for ucspi-tcp-0.88
>
> https://sourceforge.net/projects/indimail/files/netqmail-addons/ucspi-tcp/ucspi-tcp-0.88-tls-1.3.patch.gz
>
> I may have to update the patch and sync it with the latest code from
> indimail-mta where I had fixed few bugs
>
I synced the ucspi-tcp patch with indimail-mta. Since the sync is
manual, I found that I made a mistake on two lines: the line
if (capatext.len < HUGECAPATEXT)
had to be changed to
if (capatext.len >= HUGECAPATEXT)
in two places, which would give a "line too long" error. The corrected
version is now

https://sourceforge.net/projects/indimail/files/netqmail-addons/ucspi-tcp/ucspi-tcp-0.88-tls-1.4.patch.gz

Apologies for the inconvenience caused.