Bug 169591 - stabilize mail-mta/netqmail-1.05-r8 (was: mail-mta/netqmail-1.05 with ssl enabled doesn't work
Bug#: 169591 Product:  Gentoo Linux Version: unspecified Platform: x86
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: mips@gentoo.org Reported By: morelli@cerm.unifi.it
Component: Applications
URL: 
Summary: stabilize mail-mta/netqmail-1.05-r8 (was: mail-mta/netqmail-1.05 with ssl enabled doesn't work
Keywords:  STABLEREQ
Status Whiteboard: 
Opened: 2007-03-06 10:39 0000
Description:
netqmail-1.05 doesn't send emails using ssl.
Trying to test the qmail server with:
 openssl s_client -connect localhost:25 -starttls smtp
Using ssldump I receive:
CONNECTED(00000003)
21702:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:596:


Reproducible: Always

Steps to Reproduce:
1. create certificate with /var/qmail/bin/mkservercert
2. start svscan
3. use "openssl s_client -connect localhost:25 -starttls smtp" to test the
installation

Actual Results:  
Using ssldump:
CONNECTED(00000003)
21702:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:596:

The output of claws-mail protocol log window:
 Connecting to SMTP server: localhost ...
[11:02:51] SMTP< 220 service2.cerm.unifi.it ESMTP
[11:02:51] ESMTP> EHLO service2.cerm.unifi.it
[11:02:51] ESMTP< 250-service2.cerm.unifi.it
[11:02:51] ESMTP< 250-STARTTLS
[11:02:51] ESMTP< 250-PIPELINING
[11:02:51] ESMTP< 250-8BITMIME
[11:02:51] ESMTP< 250-SIZE 0
[11:02:51] ESMTP< 250 AUTH LOGIN PLAIN CRAM-MD5
[11:02:51] ESMTP> STARTTLS
[11:02:51] ESMTP< 220 ready for tls
** couldn't start TLS session
*** Error occurred while sending the message.

Expected Results:  
Sends email using a secure channel

To solve the problem I run the following commands:
 openssl ciphers > /var/qmail/control/tlsclientciphers
 openssl ciphers > /var/qmail/control/tlsserverciphers

------- Comment #1 From Michael Hanselmann (hansmi) (RETIRED) 2007-03-06 19:59:41 0000 -------
Works for me. Please give more details on how to reproduce it. Because, when
done as supposed (and described when emerging), it works.

------- Comment #2 From Enrico Morelli 2007-03-07 08:36:55 0000 -------
Portage 2.1.2-r13 (default-linux/x86/2006.1, gcc-4.1.2, glibc-2.5-r0,
2.6.20-gentoo i686)
=================================================================
System uname: 2.6.20-gentoo i686 Intel(R) Core(TM)2 CPU         T7200  @
2.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Fri, 02 Mar 2007 10:00:08 +0000
dev-java/java-config: 1.3.7, 2.0.31-r3
dev-lang/python:     2.4.4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.20-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer"
DISTDIR="/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.unina.it/pub/linux/distributions/gentoo
http://distfiles.gentoo.org
http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LINGUAS="en it"
MAKEOPTS="-j3"
PKGDIR="/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="4kstacks X alsa apm avi bash-completion berkdb bitmap-fonts cairo cli
cracklib crypt cups dbus dri dvd dvdread encode exif flac foomaticdb fortran
gdbm gif glep gpg gphoto2 gpm gtk2 hal hpn iconv imap imlib inotify ipv6
isdnlog jpeg libg++ libwww mad midi mikmod mod motif mp3 mpeg mplayer ncurses
nls nptl nptlonly nsplugin oggvorbis opengl oss pam pcre pdf pdflib perl png
postgres ppds pppd python qt4 quicktime readline reflection scanner sdk sdl
session slang sndfile spell spl ssl svga tcpd tk truetype truetype-fonts
type1-fonts unicode usb x86 xml2 xorg xv zlib" ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" CAMERAS="canon" ELIBC="glibc" INPUT_DEVICES="evdev keyboard
mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk
hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en it" USERLAND="GNU"
VIDEO_CARDS="nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS

- dev-libs/openssl  0.9.8e(15:44:16 03/02/07)(-bindist -emacs -sse2 -test zlib)

My steps:

1) emerge netqmail-1.05-r5
2) emerge --config =mail-mta/netqmail-1.05-r5
3) edited  servercert.cnf
4) create the certificate
5) start services
6) configured claws-mail to use localhost as mail server using auth
cram-md5 and starttls
7) I'm unable to send email because "** couldn't start TLS session" is reported in
the log window of claws-mail
8) emerge ssldump
9) start "ssldump  -i eth0"
10) execute "openssl s_client -connect localhost:25 -starttls smtp"
11) on the ssldump window I see "CONNECTED(00000003)
21702:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:596"

------- Comment #3 From Michael Hanselmann (hansmi) (RETIRED) 2007-03-07 11:54:16 0000 -------
Please add the output of "emerge -pv mail-mta/netqmail".

------- Comment #4 From Enrico Morelli 2007-03-07 12:45:37 0000 -------
(In reply to comment #3)
> Please add the output of "emerge -pv mail-mta/netqmail".
> 

[ebuild   R   ] mail-mta/netqmail-1.05-r5  USE="ssl -gencertdaily -highvolume
-mailwrapper -noauthcram -qmail-spp -vanilla" 0 kB 

------- Comment #5 From Michael Hanselmann (hansmi) (RETIRED) 2007-03-07 19:56:20 0000 -------
(In reply to comment #4)
> [ebuild   R   ] mail-mta/netqmail-1.05-r5

Can you please try with -r4? There have been changes in between which might
affect SSL. You don't use QMAIL_PATCH_DIR, do you?

------- Comment #6 From Enrico Morelli 2007-03-08 08:54:37 0000 -------
(In reply to comment #5)
> (In reply to comment #4)
> > [ebuild   R   ] mail-mta/netqmail-1.05-r5
> 
> Can you please try with -r4? There have been changes in between which might
> affect SSL. You don't use QMAIL_PATCH_DIR, do you?
> 

After the problems with -r5 I tried the -r4 with the same results.
I don't use QMAIL_PATCH_DIR.

------- Comment #7 From Enrico Morelli 2007-03-08 09:22:37 0000 -------
Seems that the "bug" affects only my "~x86" system. On another machine "x86" the
netqmail-1.05-r4 works fine using all features.

------- Comment #8 From Michael Hanselmann (hansmi) (RETIRED) 2007-03-08 19:31:41 0000 -------
(In reply to comment #7)
> Seems that the "bug" affects only my "~x86" system. On another machine "x86" the
> netqmail-1.05-r4 works fine using all features.

I was able to reproduce it on a ~ppc system. Installing openssl-0.9.8d helps.
It must have been a change between upstream's openssl-0.9.8d and 0.9.8e which
causes this bug.

This is just an update about the status, I don't have a fix yet.

------- Comment #9 From nuitari@nuitari.net 2007-03-30 06:01:44 0000 -------
I had a similar issue when I installed mail-mta/netqmail-1.05-r5 and
dev-libs/openssl-0.9.8e.

I had to create the file:
/var/qmail/control/tlsserverciphers

With that on 1 (!) line:
DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-CBC-SHA:NULL-MD5:EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:RC4-MD5:DHE-DSS-RC4-SHA:ADH-AES128-SHA:ADH-AES256-SHA:DH-DSS-AES128-SHA:DH-DSS-AES256-SHA:AES128-SHA

Of course I don't know which ciphers in there are good and which are crap, but if
TLS negotiation fails because of a bad cipher list, then the emails are never
going to be sent (talk about bad behaviour...)


hammer ~ # emerge -pv netqmail
[ebuild   R   ] mail-mta/netqmail-1.05-r5  USE="highvolume mailwrapper ssl
-gencertdaily -noauthcram -qmail-spp -vanilla" 0 kB
[ebuild   R   ] dev-libs/openssl-0.9.8e  USE="(sse2) zlib -bindist -emacs
-test" 0 kB

This is on ~amd64 and similarly on ~x86

------- Comment #10 From Michael Hanselmann (hansmi) (RETIRED) 2007-03-30 20:29:26 0000 -------
(In reply to comment #9)
> I had to create the file:
> /var/qmail/control/tlsserverciphers
> 
> With that on 1 (!) line:
> DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-CBC-SHA:NULL-MD5:EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:RC4-MD5:DHE-DSS-RC4-SHA:ADH-AES128-SHA:ADH-AES256-SHA:DH-DSS-AES128-SHA:DH-DSS-AES256-SHA:AES128-SHA

I know this appears to "work", but I'm unsure whether it's the correct
solution. If you've any other idea, please tell me. Maybe I should write an
e-mail to the qmail list.

------- Comment #11 From nuitari@nuitari.net 2007-03-30 20:33:01 0000 -------
(In reply to comment #10)
> I know this appears to "work", but I'm unsure whether it's the correct
> solution. If you've any other idea, please tell me. Maybe I should write an
> e-mail to the qmail list.
> 

Actually I've just noticed that at the very end of the first bug report there
is:

To solve the problem I run the following commands:
 openssl ciphers > /var/qmail/control/tlsclientciphers
 openssl ciphers > /var/qmail/control/tlsserverciphers

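A check one might run on the control file before relying on the workaround above, as an added example that is not part of the bug report, of qmail or of the ebuild: it enforces the one-line format comment #9 insists on and flags names in that list that give no encryption, no authentication, or rely on RC4, single DES or an MD5 MAC. The weakness patterns are heuristics chosen here, not an OpenSSL or qmail list; the sample cipher string is the one posted in comment #9.

```python
"""Sanity-check a qmail tlsserverciphers / tlsclientciphers control file."""
import re
from pathlib import Path

# Name patterns for ciphers a mail server should not negotiate. Heuristics on
# OpenSSL cipher names (an assumption of this example, not an authoritative list).
WEAK_PATTERNS = {
    "no-encryption": re.compile(r"(^|-)NULL(-|$)"),   # NULL-* = no confidentiality
    "anonymous-dh":  re.compile(r"^ADH-"),            # no server authentication
    "rc4":           re.compile(r"(^|-)RC4(-|$)"),
    "single-des":    re.compile(r"(^|-)DES-CBC-SHA$"),  # 56-bit DES, not 3DES
    "md5-mac":       re.compile(r"-MD5$"),
}


def parse_cipher_file(text):
    """Return the cipher names from the file body.

    qmail's TLS patch expects one OpenSSL cipher string on one line, so a
    multi-line or empty file is reported as an error instead of being guessed at.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) != 1:
        raise ValueError(f"expected exactly one non-empty line, found {len(lines)}")
    names = [name for name in lines[0].split(":") if name]
    if not names:
        raise ValueError("cipher string is empty")
    return names


def classify(names):
    """Map each cipher name to the weakness tags it matches (empty list = fine)."""
    return {name: [tag for tag, pat in WEAK_PATTERNS.items() if pat.search(name)]
            for name in names}


def check_cipher_text(text):
    """Return (weak_names, ok_names), both sorted, for a control file body."""
    report = classify(parse_cipher_file(text))
    return (sorted(n for n, t in report.items() if t),
            sorted(n for n, t in report.items() if not t))


def check_cipher_file(path):
    """Same as check_cipher_text, reading e.g. /var/qmail/control/tlsserverciphers."""
    return check_cipher_text(Path(path).read_text())


# Constructed sample: the one-line list from comment #9 of this bug.
SAMPLE = ("DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-CBC-SHA:NULL-MD5:"
          "EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:RC4-MD5:DHE-DSS-RC4-SHA:"
          "ADH-AES128-SHA:ADH-AES256-SHA:DH-DSS-AES128-SHA:DH-DSS-AES256-SHA:AES128-SHA\n")

if __name__ == "__main__":
    for name, tags in classify(parse_cipher_file(SAMPLE)).items():
        print(f"{name:28} {'WEAK: ' + ','.join(tags) if tags else 'ok'}")
```
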
------- Comment #12 From Michael Hanselmann (hansmi) (RETIRED) 2007-04-04 07:15:25 0000 -------
*** Bug 173296 has been marked as a duplicate of this bug. ***

------- Comment #13 From Michael Hanselmann (hansmi) (RETIRED) 2007-04-04 19:49:35 0000 -------
Unfortunately, this issue was not fixed by the bumped SSL patch. I'll try to
write to the qmail mailing list. If someone else has a way to solve it
*without* writing config/tls{client,server}ciphers, please speak up.

------- Comment #14 From Michael Hanselmann (hansmi) (RETIRED) 2007-04-05 22:15:04 0000 -------
I added a patch to -r7. As it seems, someone forgot to pass a parameter to
control_readfile. Please give me some feedback so I can send the patch to
upstream.

------- Comment #15 From Mark Zhitomirski 2007-04-06 10:34:42 0000 -------
(In reply to comment #14)
> I added a patch to -r7. ...
Seems it doesn't honor the -ssl flag. emerge -u netqmail failed:

 * Applying 1.05-r7-sslfix.diff ...

 * Failed Patch: 1.05-r7-sslfix.diff !

from 
/var/tmp/portage/mail-mta/netqmail-1.05-r7/temp/1.05-r7-sslfix.diff-15627.out

Hunk #1 FAILED at 965.

------- Comment #16 From Michael Hanselmann (hansmi) (RETIRED) 2007-04-06 17:34:20 0000 -------
(In reply to comment #15)
> seems doesn't honor -ssl flag. emerge -u netqmail failed:

Fixed in CVS.

------- Comment #17 From Michael Hanselmann (hansmi) (RETIRED) 2007-04-09 22:04:13 0000 -------
(In reply to comment #14)
> Please give me some feedback so I can send the patch to upstream.

No response and upstream applied it. Closing.

------- Comment #18 From Michael Hanselmann (hansmi) (RETIRED) 2007-05-07 17:57:55 0000 -------
*** Bug 177525 has been marked as a duplicate of this bug. ***

------- Comment #19 From Michael Hanselmann (hansmi) (RETIRED) 2007-05-07 18:11:07 0000 -------
07 May 2007; Michael Hanselmann <hansmi@gentoo.org>
netqmail-1.05-r8.ebuild:
Stable on hppa, ppc, sparc, x86. Fixes problem with OpenSSL 0.9.8e

Arches: can you please mark netqmail-1.05-r8 stable?

Current keywords: ~alpha ~amd64 ~arm hppa ~ia64 ~m68k ~mips ppc ~ppc64 ~s390
~sh sparc x86
Target keywords: alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc
x86

------- Comment #20 From Raúl Porcel 2007-05-08 14:36:41 0000 -------
ia64 stable

------- Comment #21 From Markus Rothe 2007-05-12 11:31:21 0000 -------
ppc64 stable

------- Comment #22 From Daniel Gryniewicz 2007-05-19 21:02:15 0000 -------
amd64 done.

------- Comment #23 From Raúl Porcel 2007-06-30 18:43:17 0000 -------
alpha stable

------- Comment #24 From Jakub Moc (RETIRED) 2008-02-12 22:41:44 0000 -------
Closing wrt http://www.gentoo.org/news/20080210-mips-experimental-arch.xml